dcrat | f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8

Analysis

max time kernel
65s
max time network
303s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
01/09/2023, 04:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8.exe
Size

1.7MB
MD5

0d0cbd8b11e2bbe939037e4182a7b951
SHA1

c7293dbb015713168ad96ad809328fb6190f005d
SHA256

f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8
SHA512

340accc4c064d06230d3b8f1aaa1eec3c96f1c06892f75e79a7e81d9757c709ae301ba5e1b07f99b79bee4bec1f1ea7b27037b3f3fa9dba3dd86d24c3736f8ea
SSDEEP

24576:P2G/nvxW3WV0wot5dYjknv/MynA1A1ozB0T83/YtH5Kzjd+ipdxQ49GI:PbA3fXaovYOSOY3/+Lsr

Score

10^/10

dcrat warzonerat evasion infostealer persistence rat spyware stealer upx

Malware Config

Extracted

Family

warzonerat

89.23.96.35:5200

89.23.101.93:5200

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2652	schtasks.exe	32

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0030000000015ea6-12.dat	dcrat
behavioral1/files/0x0030000000015ea6-11.dat	dcrat
behavioral1/files/0x0030000000015ea6-10.dat	dcrat
behavioral1/files/0x0030000000015ea6-9.dat	dcrat
behavioral1/memory/2640-13-0x00000000009D0000-0x0000000000B30000-memory.dmp	dcrat
behavioral1/files/0x0008000000016c91-25.dat	dcrat
behavioral1/files/0x0006000000016cd5-144.dat	dcrat
behavioral1/files/0x0006000000016cd5-146.dat	dcrat
behavioral1/memory/1816-157-0x0000000000A50000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/files/0x000600000001755b-502.dat	dcrat
behavioral1/files/0x0008000000016adf-503.dat	dcrat
behavioral1/files/0x000600000001755b-504.dat	dcrat
behavioral1/files/0x0008000000016adf-505.dat	dcrat

Warzone RAT payload 14 IoCs

rat

resource	yara_rule
behavioral1/files/0x0004000000012274-315.dat	warzonerat
behavioral1/files/0x0004000000012274-317.dat	warzonerat
behavioral1/files/0x0004000000012274-322.dat	warzonerat
behavioral1/files/0x00050000000195c8-341.dat	warzonerat
behavioral1/files/0x00050000000195c8-339.dat	warzonerat
behavioral1/files/0x00050000000195c8-345.dat	warzonerat
behavioral1/files/0x00050000000195c4-351.dat	warzonerat
behavioral1/files/0x00050000000195c4-347.dat	warzonerat
behavioral1/files/0x00050000000195c8-352.dat	warzonerat
behavioral1/files/0x00050000000195c4-361.dat	warzonerat
behavioral1/files/0x000800000001225c-393.dat	warzonerat
behavioral1/files/0x000800000001225c-391.dat	warzonerat
behavioral1/files/0x000800000001225c-397.dat	warzonerat
behavioral1/files/0x000800000001225c-404.dat	warzonerat

Downloads MZ/PE file

Modifies Windows Firewall 1 TTPs 1 IoCs

evasion

Windows Service

T1543.003

pid	Process
2808	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat	svhost1.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\programs.bat:start	svhost1.exe

Executes dropped EXE 6 IoCs

pid	Process
2640	ComReview.exe
1816	System.exe
1576	DCRat-HRDUserModeLauncher.exe
1912	svhost1.exe
1188	svhost1.exe
1644	images.exe

Loads dropped DLL 4 IoCs

pid	Process
2772	cmd.exe
2772	cmd.exe
1912	svhost1.exe
1912	svhost1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000500000001964a-411.dat	upx
behavioral1/files/0x000500000001964a-409.dat	upx
behavioral1/files/0x000500000001964a-412.dat	upx
behavioral1/memory/916-436-0x0000000000890000-0x00000000008BD000-memory.dmp	upx

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svhost1 = "C:\\Users\\Admin\\Documents\\svhost1.exe"	svhost1.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	ComReview.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6ccacd8608530f	ComReview.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\ebf1f9fa8afd6d	ComReview.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe	ComReview.exe
File opened for modification	C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe	ComReview.exe
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cmd.exe	ComReview.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\ComReview.exe	ComReview.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\13dd906c9640aa	ComReview.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cmd.exe	ComReview.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\42af1c969fbb7b	ComReview.exe
File opened for modification	C:\Program Files\Windows Sidebar\fr-FR\ComReview.exe	ComReview.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe	ComReview.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\PolicyDefinitions\en-US\lsm.exe	ComReview.exe
File created	C:\Windows\PolicyDefinitions\en-US\101b941d020240	ComReview.exe
File created	C:\Windows\DCRat-HRDUserModeLauncher.exe	System.exe
File created	C:\Windows\svhost1.exe	System.exe
File opened for modification	C:\Windows\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File created	C:\Windows\images.exe	System.exe
File created	C:\Windows\PolicyDefinitions\en-US\lsm.exe	ComReview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1580	schtasks.exe
1800	schtasks.exe
2436	schtasks.exe
2948	schtasks.exe
2148	schtasks.exe
2072	schtasks.exe
2560	schtasks.exe
664	schtasks.exe
1624	schtasks.exe
1244	schtasks.exe
2796	schtasks.exe
1792	schtasks.exe
3000	schtasks.exe
1868	schtasks.exe
1724	schtasks.exe
2000	schtasks.exe
2004	schtasks.exe
1016	schtasks.exe
2112	schtasks.exe
2064	schtasks.exe
2404	schtasks.exe
2500	schtasks.exe
2708	schtasks.exe
1692	schtasks.exe
2208	schtasks.exe
2840	schtasks.exe
1996	schtasks.exe
1136	schtasks.exe
1596	schtasks.exe
1520	schtasks.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

NTFS ADS 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\Documents\Documents:ApplicationData	svhost1.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
2640	ComReview.exe
2024	powershell.exe
928	powershell.exe
2276	powershell.exe
1120	powershell.exe
2324	powershell.exe
612	powershell.exe
1748	powershell.exe
1948	powershell.exe
2168	powershell.exe
2336	powershell.exe
2040	powershell.exe
2312	powershell.exe
1768	powershell.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1816	System.exe
1152	chrome.exe
1152	chrome.exe
2400	powershell.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	ComReview.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	2324	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1816	System.exe
Token: SeDebugPrivilege	1576	DCRat-HRDUserModeLauncher.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe
Token: SeShutdownPrivilege	1152	chrome.exe

Suspicious use of FindShellTrayWindow 34 IoCs

pid	Process
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe
1152	chrome.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1816	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 2676	1612	f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8.exe	28
PID 1612 wrote to memory of 2676	1612	f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8.exe	28
PID 1612 wrote to memory of 2676	1612	f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8.exe	28
PID 1612 wrote to memory of 2676	1612	f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8.exe	28
PID 2676 wrote to memory of 2772	2676	WScript.exe	29
PID 2676 wrote to memory of 2772	2676	WScript.exe	29
PID 2676 wrote to memory of 2772	2676	WScript.exe	29
PID 2676 wrote to memory of 2772	2676	WScript.exe	29
PID 2772 wrote to memory of 2640	2772	cmd.exe	31
PID 2772 wrote to memory of 2640	2772	cmd.exe	31
PID 2772 wrote to memory of 2640	2772	cmd.exe	31
PID 2772 wrote to memory of 2640	2772	cmd.exe	31
PID 2640 wrote to memory of 1120	2640	ComReview.exe	85
PID 2640 wrote to memory of 1120	2640	ComReview.exe	85
PID 2640 wrote to memory of 1120	2640	ComReview.exe	85
PID 2640 wrote to memory of 2040	2640	ComReview.exe	84
PID 2640 wrote to memory of 2040	2640	ComReview.exe	84
PID 2640 wrote to memory of 2040	2640	ComReview.exe	84
PID 2640 wrote to memory of 612	2640	ComReview.exe	83
PID 2640 wrote to memory of 612	2640	ComReview.exe	83
PID 2640 wrote to memory of 612	2640	ComReview.exe	83
PID 2640 wrote to memory of 2312	2640	ComReview.exe	82
PID 2640 wrote to memory of 2312	2640	ComReview.exe	82
PID 2640 wrote to memory of 2312	2640	ComReview.exe	82
PID 2640 wrote to memory of 928	2640	ComReview.exe	81
PID 2640 wrote to memory of 928	2640	ComReview.exe	81
PID 2640 wrote to memory of 928	2640	ComReview.exe	81
PID 2640 wrote to memory of 2324	2640	ComReview.exe	80
PID 2640 wrote to memory of 2324	2640	ComReview.exe	80
PID 2640 wrote to memory of 2324	2640	ComReview.exe	80
PID 2640 wrote to memory of 2276	2640	ComReview.exe	77
PID 2640 wrote to memory of 2276	2640	ComReview.exe	77
PID 2640 wrote to memory of 2276	2640	ComReview.exe	77
PID 2640 wrote to memory of 2336	2640	ComReview.exe	76
PID 2640 wrote to memory of 2336	2640	ComReview.exe	76
PID 2640 wrote to memory of 2336	2640	ComReview.exe	76
PID 2640 wrote to memory of 2024	2640	ComReview.exe	75
PID 2640 wrote to memory of 2024	2640	ComReview.exe	75
PID 2640 wrote to memory of 2024	2640	ComReview.exe	75
PID 2640 wrote to memory of 1948	2640	ComReview.exe	74
PID 2640 wrote to memory of 1948	2640	ComReview.exe	74
PID 2640 wrote to memory of 1948	2640	ComReview.exe	74
PID 2640 wrote to memory of 2168	2640	ComReview.exe	72
PID 2640 wrote to memory of 2168	2640	ComReview.exe	72
PID 2640 wrote to memory of 2168	2640	ComReview.exe	72
PID 2640 wrote to memory of 1748	2640	ComReview.exe	71
PID 2640 wrote to memory of 1748	2640	ComReview.exe	71
PID 2640 wrote to memory of 1748	2640	ComReview.exe	71
PID 2640 wrote to memory of 1768	2640	ComReview.exe	70
PID 2640 wrote to memory of 1768	2640	ComReview.exe	70
PID 2640 wrote to memory of 1768	2640	ComReview.exe	70
PID 2640 wrote to memory of 1944	2640	ComReview.exe	90
PID 2640 wrote to memory of 1944	2640	ComReview.exe	90
PID 2640 wrote to memory of 1944	2640	ComReview.exe	90
PID 1944 wrote to memory of 2512	1944	cmd.exe	91
PID 1944 wrote to memory of 2512	1944	cmd.exe	91
PID 1944 wrote to memory of 2512	1944	cmd.exe	91
PID 1944 wrote to memory of 1816	1944	cmd.exe	92
PID 1944 wrote to memory of 1816	1944	cmd.exe	92
PID 1944 wrote to memory of 1816	1944	cmd.exe	92
PID 1816 wrote to memory of 1576	1816	System.exe	95
PID 1816 wrote to memory of 1576	1816	System.exe	95
PID 1816 wrote to memory of 1576	1816	System.exe	95
PID 1576 wrote to memory of 1152	1576	DCRat-HRDUserModeLauncher.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8.exe
"C:\Users\Admin\AppData\Local\Temp\f7c3d2971549106f2c2aa449210164d7c5e80d3beeb867e5092b7087d3a160a8.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Msprovidernet\2Yxdw1MawZ014bavclpLQBkjfQrL.vbe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2676
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Msprovidernet\cMkFIYJMzWWv4A.bat" "
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\Msprovidernet\ComReview.exe
      "C:\Msprovidernet\ComReview.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Msprovidernet/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/MSOCache/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aGjaybPuf4.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2512
      - C:\MSOCache\All Users\System.exe
        
        "C:\MSOCache\All Users\System.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\DCRat-HRDUserModeLauncher.exe
        
        "C:\Windows\DCRat-HRDUserModeLauncher.exe" chrome.exe
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" -safe-mode --disable-3d-apis --disable-gpu
        8⤵
        Enumerates system info in registry
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        
        PID:1152
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xc0,0xc4,0xc8,0x94,0xcc,0x7fef62f9758,0x7fef62f9768,0x7fef62f9778
        9⤵
        
        PID:1784
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --use-gl=angle --use-angle=swiftshader-webgl --mojo-platform-channel-handle=1148 --field-trial-handle=1256,i,3845494665208818700,15315888392764852439,131072 /prefetch:2
        9⤵
        
        PID:3004
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1504 --field-trial-handle=1256,i,3845494665208818700,15315888392764852439,131072 /prefetch:8
        9⤵
        
        PID:2976
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1404 --field-trial-handle=1256,i,3845494665208818700,15315888392764852439,131072 /prefetch:8
        9⤵
        
        PID:2892
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-3d-apis --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=2228 --field-trial-handle=1256,i,3845494665208818700,15315888392764852439,131072 /prefetch:1
        9⤵
        
        PID:1924
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-3d-apis --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=2236 --field-trial-handle=1256,i,3845494665208818700,15315888392764852439,131072 /prefetch:1
        9⤵
        
        PID:2768
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --disable-3d-apis --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --mojo-platform-channel-handle=3276 --field-trial-handle=1256,i,3845494665208818700,15315888392764852439,131072 /prefetch:1
        9⤵
        
        PID:2012
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3420 --field-trial-handle=1256,i,3845494665208818700,15315888392764852439,131072 /prefetch:8
        9⤵
        
        PID:1184
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3552 --field-trial-handle=1256,i,3845494665208818700,15315888392764852439,131072 /prefetch:8
        9⤵
        
        PID:2256
        
        C:\Program Files\Google\Chrome\Application\chrome.exe
        
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3208 --field-trial-handle=1256,i,3845494665208818700,15315888392764852439,131072 /prefetch:8
        9⤵
        
        PID:1600
        
        C:\Windows\svhost1.exe
        
        "C:\Windows\svhost1.exe"
        7⤵
        Drops startup file
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        NTFS ADS
        
        PID:1912
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        8⤵
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Users\Admin\Documents\svhost1.exe
        
        "C:\Users\Admin\Documents\svhost1.exe"
        8⤵
        Executes dropped EXE
        
        PID:1188
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        9⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        9⤵
        
        PID:2948
        
        C:\Users\Admin\AppData\Local\Temp\561.exe
        
        "C:\Users\Admin\AppData\Local\Temp\561.exe"
        9⤵
        
        PID:916
        
        C:\Windows\SysWOW64\netsh.exe
        
        netsh advfirewall firewall add rule name="3389" dir=in action=allow protocol=TCP localport=3389
        10⤵
        Modifies Windows Firewall
        
        PID:2808
        
        C:\Windows\images.exe
        
        "C:\Windows\images.exe"
        7⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        8⤵
        
        PID:2840
        
        C:\Users\Admin\Documents\images.exe
        
        "C:\Users\Admin\Documents\images.exe"
        8⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        
        powershell Add-MpPreference -ExclusionPath C:\
        9⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        9⤵
        
        PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\en-US\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\PolicyDefinitions\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComReviewC" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\fr-FR\ComReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComReview" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\ComReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ComReviewC" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\fr-FR\ComReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Msprovidernet\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Msprovidernet\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Msprovidernet\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\5332d042-48a9-11ee-846d-85769f0858e8\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\5332d042-48a9-11ee-846d-85769f0858e8\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\5332d042-48a9-11ee-846d-85769f0858e8\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2404

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:1692

C:\Windows\system32\taskeng.exe
taskeng.exe {0E4434AC-4562-46F7-9373-1450B5C1054E} S-1-5-21-86725733-3001458681-3405935542-1000:ZWKQHIWB\Admin:Interactive:[1]
1⤵
PID:2200
- C:\Users\All Users\System.exe
  "C:\Users\All Users\System.exe"
  2⤵
  PID:1772
- C:\Program Files\Windows Sidebar\fr-FR\ComReview.exe
  "C:\Program Files\Windows Sidebar\fr-FR\ComReview.exe"
  2⤵
  PID:3000

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\System.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
C:\MSOCache\All Users\System.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
C:\Msprovidernet\2Yxdw1MawZ014bavclpLQBkjfQrL.vbe

Filesize
204B

MD5
b0208057fb3549c6c5cae6655c112fed

SHA1
6a3619f5254c9e899c26c019aacbb0073ad1619b

SHA256
8c4a7f90e8c07214f3f72b1dc2c872ec4f6b9a21e2641f7e3cf11b4f69a26fdb

SHA512
dccb8586842d32ae33ccbef614d37f6339e7d0b897fc6b665580d73190abe534914b6da73ab451c6ce79d33328dfe864c654d8b259b86f7b21f92c6db6ac654f

Download Submit
C:\Msprovidernet\ComReview.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
C:\Msprovidernet\ComReview.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
C:\Msprovidernet\cMkFIYJMzWWv4A.bat

Filesize
32B

MD5
2bb81b07d82e576f8b1a1b3cd8c227e4

SHA1
8ccae3ef96824eb846fecd5ca6956d47730b703e

SHA256
965bb37e810993c339a1bf37622a468a96940f51e86c32947b6dbc17c7e5ade8

SHA512
18609de967568ca48abfffaf29d51d1f944cfe8376b637063f4afc077a8c95498a3ae75e6d007c5f70452016caaae9596b37e79d92d4a66dbd6d235aaec6217f

Download Submit
C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\Idle.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
C:\Program Files\Windows Sidebar\fr-FR\ComReview.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
C:\Program Files\Windows Sidebar\fr-FR\ComReview.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
C:\ProgramData\System.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
cad2e9f90238fe289ed1548d6d020148

SHA1
1a4da2f22466ff225663a469d411f2166244a3be

SHA256
37f754a2907b969850fb9a0dfd84018f79818009cf35e1ea03da54743762989e

SHA512
888eca3cd551574531f69039ea235bb648b9b52d3aaf87a3299563bdcdf106e91a56adaa19e2b04ecca97e7892b69c83a568385732d2d1949a44ce811201c05d

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\Network Persistent State

Filesize
1KB

MD5
dd321b848b34169b03037ed8a3ce9a3c

SHA1
89f2609e19012b534599a7311124303ef0813909

SHA256
e1c212cbed5fc810dbfa843edf79a925153dc7d8b7934ffb27af78353f063371

SHA512
d72b30c04a80990af232118c47478d2cedf5b0f617b3f96e7d6d2f0d9b6be96656a32416d03d94c67d4730cc633aa32b05ed296164999151bc938d25c92219ed

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
83ae9a92c40b8fb2a0d12f0853020baa

SHA1
e08d97abc2bc3dd0dedcbb8da701b27ac620863d

SHA256
69e0e2f2300804cc12570c5967bd11456188935aed2b9c93f6c417141c0471c5

SHA512
b519d3b4f9257d1092ac05f5a119061ef2d0a2fb4df2e57ba6d77b7b661f5ff93a3965ed56d3b9fbcd94ce862fa175754913dbae9e2ab1dba426b995aa58ac90

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
487153fd394607619e9af883d209597c

SHA1
1c19640eddd59231eee4d61db08926c2eb1c9d58

SHA256
6f043f047136ed8c8e2a8add5190eb0b57e4a6e96c0c643564eda2c8c623b95d

SHA512
c1b6df2af75888ddba1e8bcbaa83157a16c9aa0c5c27ebf03dfabf724930614f48b9407014f3bb3d3da6de5ff66e81f3b287465bbab11749ba350e9722165349

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Site Characteristics Database\000007.dbtmp

Filesize
16B

MD5
18e723571b00fb1694a3bad6c78e4054

SHA1
afcc0ef32d46fe59e0483f9a3c891d3034d12f32

SHA256
8af72f43857550b01eab1019335772b367a17a9884a7a759fdf4fe6f272b90aa

SHA512
43bb0af7d3984012d2d67ca6b71f0201e5b948e6fe26a899641c4c6f066c59906d468ddf7f1df5ea5fa33c2bc5ea8219c0f2c82e0a5c365ad7581b898a8859e2

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
190KB

MD5
bef64bcb52b2bee091487cb42c9609ba

SHA1
7ec7a3ca53c5826b2864e0da6624c4cf43a9380b

SHA256
68ff1a43ba72090910973537bacfacac4a172a30282234438641bcf1eb3e4788

SHA512
3d2b1a602ba665bf29e7863191092c7dce3538f8b27d3aec5295fd70f34e0183fd445658c6cd35061b2426d62f69e6c111d59ff41d1c0a412fde9806f627c46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\561.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\561.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\FGwriWMEnB

Filesize
92KB

MD5
2775eb5221542da4b22f66e61d41781f

SHA1
a3c2b16a8e7fcfbaf4ee52f1e95ad058c02bf87d

SHA256
6115fffb123c6eda656f175c34bcdef65314e0bafc5697a18dc32aa02c7dd555

SHA512
fe8286a755949957ed52abf3a04ab2f19bdfddda70f0819e89e5cc5f586382a8bfbfad86196aa0f8572872cdf08a00c64a7321bbb0644db2bed705d3a0316b6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KCH4Ele9gM

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\aGjaybPuf4.bat

Filesize
197B

MD5
ea57c7733a4b669fb117d1649c2818dd

SHA1
577a88102aae59be3660413f0f10db79ff16c068

SHA256
6c03285a6e5630ee06bad537bc884faa808f24b137ea37bb8f997069e8cd5bc9

SHA512
d857e5b898b3f93f664a2a88fe1855445f5358f261fc1f8efd32a514032cbf2bae7c4b73afc104add951f4400629210c91b671b3db79d5caa12e856571185a2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9VZCmJhlW

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\CIUJ79Z6SCEINAQ1QRPL.temp

Filesize
7KB

MD5
8d68746293de6a7d17ec695119824975

SHA1
044b92c16646e0c5f6b95228928dbd3e2f8e66b0

SHA256
b3e25bcf06692fa77d252ac7e109bbf2d9bd9151173f99bb0288db9be03a95bf

SHA512
7164130dfc837ef19178adbd1cb2f2f60dcebeeea1ae4def3fe8c265a8cef2be789bba6f1fa90d7542f965e678d2c76045a213e1cf5d0d889da32db980b56bf2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
ee74ff6c0c9cfc54a633c74996477a37

SHA1
7ea2509638d1fabfb712920d03c3a12f8da414da

SHA256
98b1f3eff7b664159695e6695f4e0a1c8106f7785ad3934fbb4081c31b561f49

SHA512
75c3a16b06957ba085644195c47f9ce15b997915470159b9c2d8ba12086ac0a018387a9e9815474b589e131ec4d81da3811d432d66c9a82f68d217dd973948bb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9ed25895548bb13856540d9098098f2c

SHA1
6869614f7125a185ab60cc74a1ccce5ad91ae69a

SHA256
0da9a7f50596c9232cfba0fe31c3575298eaae3918e108812a8bfdfb39cc39d3

SHA512
3499d5bbce508810dfa787069b2e98bdf637cdd0d00dca3b28c2a19a2e6e9cc35a6e6cab4ea30c861788d9909ba21f3fbe1fc4a8c1432c970d26b8500efd79d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
9ed25895548bb13856540d9098098f2c

SHA1
6869614f7125a185ab60cc74a1ccce5ad91ae69a

SHA256
0da9a7f50596c9232cfba0fe31c3575298eaae3918e108812a8bfdfb39cc39d3

SHA512
3499d5bbce508810dfa787069b2e98bdf637cdd0d00dca3b28c2a19a2e6e9cc35a6e6cab4ea30c861788d9909ba21f3fbe1fc4a8c1432c970d26b8500efd79d6

Download Submit
C:\Users\Admin\AppData\Roaming\cAGbxhn.tmp

Filesize
190KB

MD5
bef64bcb52b2bee091487cb42c9609ba

SHA1
7ec7a3ca53c5826b2864e0da6624c4cf43a9380b

SHA256
68ff1a43ba72090910973537bacfacac4a172a30282234438641bcf1eb3e4788

SHA512
3d2b1a602ba665bf29e7863191092c7dce3538f8b27d3aec5295fd70f34e0183fd445658c6cd35061b2426d62f69e6c111d59ff41d1c0a412fde9806f627c46d

Download Submit
C:\Users\Admin\Documents\images.exe

Filesize
141KB

MD5
6562dc6fbe3fa39f7f33029b373ee688

SHA1
eac086d59a4e11d91ed215d9e127874a2f5e0db6

SHA256
d208fee476c1e037c6eef06c51ff43f1c5a08e0cece556de83da0442f7ed7105

SHA512
85894b756ba4704e04b4af5fe62f0cfd896dc361fd65a4abb1606899f7439929a286ae748589a300f48713ba111fc0c1933e7d086c3db83ba9c69d858c977426

Download Submit
C:\Users\Admin\Documents\images.exe

Filesize
141KB

MD5
6562dc6fbe3fa39f7f33029b373ee688

SHA1
eac086d59a4e11d91ed215d9e127874a2f5e0db6

SHA256
d208fee476c1e037c6eef06c51ff43f1c5a08e0cece556de83da0442f7ed7105

SHA512
85894b756ba4704e04b4af5fe62f0cfd896dc361fd65a4abb1606899f7439929a286ae748589a300f48713ba111fc0c1933e7d086c3db83ba9c69d858c977426

Download Submit
C:\Users\Admin\Documents\svhost1.exe

Filesize
132KB

MD5
86bab71e875585f7ff11775dbb414923

SHA1
c69051dde7a35719731334c2bc2dfd4fea246487

SHA256
8039adef7ead0f7fe0edef62ac1b777a07c290cad349112331429c3cbae12610

SHA512
ab2ed3bb171c9a025c2f2c36a593209b3a41b2468f95fb53c642dc5bcb3a1b76693ab193edecc032b62a10d7eae498320568cee429baaae16f0a924ae7b94807

Download Submit
C:\Users\Admin\Documents\svhost1.exe

Filesize
132KB

MD5
86bab71e875585f7ff11775dbb414923

SHA1
c69051dde7a35719731334c2bc2dfd4fea246487

SHA256
8039adef7ead0f7fe0edef62ac1b777a07c290cad349112331429c3cbae12610

SHA512
ab2ed3bb171c9a025c2f2c36a593209b3a41b2468f95fb53c642dc5bcb3a1b76693ab193edecc032b62a10d7eae498320568cee429baaae16f0a924ae7b94807

Download Submit
C:\Users\All Users\System.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
C:\Windows\DCRat-HRDUserModeLauncher.exe

Filesize
4KB

MD5
a77b7b68860a3e518d45cfff455a3e6c

SHA1
f57c71d7c1fdb0f2c60d537d8448635a43605260

SHA256
982ab383f53d54f5b7b8e8c4bb9975e6413df0dd71a204598112e7660c23f168

SHA512
6c3932680ab1130886276e975dee94665aad66d92c0b1bf2d4294d55d1e5caaa3126d9c016305f73a49642f3ab5dc22047d0abad619bda772757e1d731e7bc04

Download Submit
C:\Windows\DCRat-HRDUserModeLauncher.exe

Filesize
4KB

MD5
a77b7b68860a3e518d45cfff455a3e6c

SHA1
f57c71d7c1fdb0f2c60d537d8448635a43605260

SHA256
982ab383f53d54f5b7b8e8c4bb9975e6413df0dd71a204598112e7660c23f168

SHA512
6c3932680ab1130886276e975dee94665aad66d92c0b1bf2d4294d55d1e5caaa3126d9c016305f73a49642f3ab5dc22047d0abad619bda772757e1d731e7bc04

Download Submit
C:\Windows\images.exe

Filesize
141KB

MD5
6562dc6fbe3fa39f7f33029b373ee688

SHA1
eac086d59a4e11d91ed215d9e127874a2f5e0db6

SHA256
d208fee476c1e037c6eef06c51ff43f1c5a08e0cece556de83da0442f7ed7105

SHA512
85894b756ba4704e04b4af5fe62f0cfd896dc361fd65a4abb1606899f7439929a286ae748589a300f48713ba111fc0c1933e7d086c3db83ba9c69d858c977426

Download Submit
C:\Windows\images.exe

Filesize
141KB

MD5
6562dc6fbe3fa39f7f33029b373ee688

SHA1
eac086d59a4e11d91ed215d9e127874a2f5e0db6

SHA256
d208fee476c1e037c6eef06c51ff43f1c5a08e0cece556de83da0442f7ed7105

SHA512
85894b756ba4704e04b4af5fe62f0cfd896dc361fd65a4abb1606899f7439929a286ae748589a300f48713ba111fc0c1933e7d086c3db83ba9c69d858c977426

Download Submit
C:\Windows\images.exe

Filesize
141KB

MD5
6562dc6fbe3fa39f7f33029b373ee688

SHA1
eac086d59a4e11d91ed215d9e127874a2f5e0db6

SHA256
d208fee476c1e037c6eef06c51ff43f1c5a08e0cece556de83da0442f7ed7105

SHA512
85894b756ba4704e04b4af5fe62f0cfd896dc361fd65a4abb1606899f7439929a286ae748589a300f48713ba111fc0c1933e7d086c3db83ba9c69d858c977426

Download Submit
C:\Windows\svhost1.exe

Filesize
132KB

MD5
86bab71e875585f7ff11775dbb414923

SHA1
c69051dde7a35719731334c2bc2dfd4fea246487

SHA256
8039adef7ead0f7fe0edef62ac1b777a07c290cad349112331429c3cbae12610

SHA512
ab2ed3bb171c9a025c2f2c36a593209b3a41b2468f95fb53c642dc5bcb3a1b76693ab193edecc032b62a10d7eae498320568cee429baaae16f0a924ae7b94807

Download Submit
C:\Windows\svhost1.exe

Filesize
132KB

MD5
86bab71e875585f7ff11775dbb414923

SHA1
c69051dde7a35719731334c2bc2dfd4fea246487

SHA256
8039adef7ead0f7fe0edef62ac1b777a07c290cad349112331429c3cbae12610

SHA512
ab2ed3bb171c9a025c2f2c36a593209b3a41b2468f95fb53c642dc5bcb3a1b76693ab193edecc032b62a10d7eae498320568cee429baaae16f0a924ae7b94807

Download Submit
C:\Windows\svhost1.exe

Filesize
132KB

MD5
86bab71e875585f7ff11775dbb414923

SHA1
c69051dde7a35719731334c2bc2dfd4fea246487

SHA256
8039adef7ead0f7fe0edef62ac1b777a07c290cad349112331429c3cbae12610

SHA512
ab2ed3bb171c9a025c2f2c36a593209b3a41b2468f95fb53c642dc5bcb3a1b76693ab193edecc032b62a10d7eae498320568cee429baaae16f0a924ae7b94807

Download Submit
\Msprovidernet\ComReview.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
\Msprovidernet\ComReview.exe

Filesize
1.3MB

MD5
b7987417fcc2e908825c63b491bb2fc6

SHA1
c2cc9bd8305625a9c2541653f5f7fffa9c38b3d9

SHA256
8e8f51ee361ded35fd4f00093ce535118eb6ef8cbca187dd4d7f7b03b6c38351

SHA512
0790886dba5925b005c7d78a5210938059876d355f8e27001d1b862cb48b5d68b789ca62a9e6af8139951860ba65867693401c34f40076014e0e7c40c4f44253

Download Submit
\Program Files\Microsoft DN1\sqlmap.dll

Filesize
114KB

MD5
461ade40b800ae80a40985594e1ac236

SHA1
b3892eef846c044a2b0785d54a432b3e93a968c8

SHA256
798af20db39280f90a1d35f2ac2c1d62124d1f5218a2a0fa29d87a13340bd3e4

SHA512
421f9060c4b61fa6f4074508602a2639209032fd5df5bfc702a159e3bad5479684ccb3f6e02f3e38fb8db53839cf3f41fe58a3acad6ec1199a48dc333b2d8a26

Download Submit
\Users\Admin\AppData\Local\Temp\561.exe

Filesize
70KB

MD5
ca96229390a0e6a53e8f2125f2c01114

SHA1
a54b1081cf58724f8cb292b4d165dfee2fb1c9f6

SHA256
0df3d05900e7b530f6c2a281d43c47839f2cf2a5d386553c8dc46e463a635a2c

SHA512
e93445bce6c8b6f51890309577a0ea9369860d2e6bf8cc0ca708879a77bb176d27c5f559bbdb7deb4b719aee0fc48d9068c293559f7629baf4ec3515898102ef

Download Submit
\Users\Admin\AppData\Local\Temp\freebl3.dll

Filesize
326KB

MD5
ef12ab9d0b231b8f898067b2114b1bc0

SHA1
6d90f27b2105945f9bb77039e8b892070a5f9442

SHA256
2b00fc4f541ac10c94e3556ff28e30a801811c36422546a546a445aca3f410f7

SHA512
2aa62bfba556ad8f042942dd25aa071ff6677c257904377c1ec956fd9e862abcbf379e0cfd8c630c303a32ece75618c24e3eef58bddb705c427985b944689193

Download Submit
\Users\Admin\AppData\Local\Temp\mozglue.dll

Filesize
133KB

MD5
75f8cc548cabf0cc800c25047e4d3124

SHA1
602676768f9faecd35b48c38a0632781dfbde10c

SHA256
fb419a60305f17359e2ac0510233ee80e845885eee60607715c67dd88e501ef0

SHA512
ed831c9c769aef3be253c52542cf032afa0a8fa5fe25ca704db65ee6883c608220df7102ac2b99ee9c2e599a0f5db99fd86894a4b169e68440eb1b0d0012672f

Download Submit
\Users\Admin\AppData\Local\Temp\msvcp140.dll

Filesize
429KB

MD5
109f0f02fd37c84bfc7508d4227d7ed5

SHA1
ef7420141bb15ac334d3964082361a460bfdb975

SHA256
334e69ac9367f708ce601a6f490ff227d6c20636da5222f148b25831d22e13d4

SHA512
46eb62b65817365c249b48863d894b4669e20fcb3992e747cd5c9fdd57968e1b2cf7418d1c9340a89865eadda362b8db51947eb4427412eb83b35994f932fd39

Download Submit
\Users\Admin\AppData\Local\Temp\nss3.dll

Filesize
1.2MB

MD5
d7858e8449004e21b01d468e9fd04b82

SHA1
9524352071ede21c167e7e4f106e9526dc23ef4e

SHA256
78758bf7f3b3b5e3477e38354acd32d787bc1286c8bd9b873471b9c195e638db

SHA512
1e2c981e6c0ca36c60c6e9cae9548b866d5c524df837095b30d618d9c322def7134c20de820105400dd1b58076b66d90274f67773ac6ba914f611b419babb440

Download Submit
\Users\Admin\AppData\Local\Temp\softokn3.dll

Filesize
141KB

MD5
471c983513694ac3002590345f2be0da

SHA1
6612b9af4ff6830fa9b7d4193078434ef72f775b

SHA256
bb3ff746471116c6ad0339fa0522aa2a44a787e33a29c7b27649a054ecd4d00f

SHA512
a9b0fb923bc3b567e933de10b141a3e9213640e3d790b4c4d753cf220d55593ae8026102909969ba6bfc22da3b2fcd01e30a9f5a74bd14a0fdec9beaf0fb1410

Download Submit
\Users\Admin\AppData\Local\Temp\vcruntime140.dll

Filesize
81KB

MD5
7587bf9cb4147022cd5681b015183046

SHA1
f2106306a8f6f0da5afb7fc765cfa0757ad5a628

SHA256
c40bb03199a2054dabfc7a8e01d6098e91de7193619effbd0f142a7bf031c14d

SHA512
0b63e4979846ceba1b1ed8470432ea6aa18cca66b5f5322d17b14bc0dfa4b2ee09ca300a016e16a01db5123e4e022820698f46d9bad1078bd24675b4b181e91f

Download Submit
\Users\Admin\Documents\images.exe

Filesize
141KB

MD5
6562dc6fbe3fa39f7f33029b373ee688

SHA1
eac086d59a4e11d91ed215d9e127874a2f5e0db6

SHA256
d208fee476c1e037c6eef06c51ff43f1c5a08e0cece556de83da0442f7ed7105

SHA512
85894b756ba4704e04b4af5fe62f0cfd896dc361fd65a4abb1606899f7439929a286ae748589a300f48713ba111fc0c1933e7d086c3db83ba9c69d858c977426

Download Submit
\Users\Admin\Documents\images.exe

Filesize
141KB

MD5
6562dc6fbe3fa39f7f33029b373ee688

SHA1
eac086d59a4e11d91ed215d9e127874a2f5e0db6

SHA256
d208fee476c1e037c6eef06c51ff43f1c5a08e0cece556de83da0442f7ed7105

SHA512
85894b756ba4704e04b4af5fe62f0cfd896dc361fd65a4abb1606899f7439929a286ae748589a300f48713ba111fc0c1933e7d086c3db83ba9c69d858c977426

Download Submit
\Users\Admin\Documents\svhost1.exe

Filesize
132KB

MD5
86bab71e875585f7ff11775dbb414923

SHA1
c69051dde7a35719731334c2bc2dfd4fea246487

SHA256
8039adef7ead0f7fe0edef62ac1b777a07c290cad349112331429c3cbae12610

SHA512
ab2ed3bb171c9a025c2f2c36a593209b3a41b2468f95fb53c642dc5bcb3a1b76693ab193edecc032b62a10d7eae498320568cee429baaae16f0a924ae7b94807

Download Submit
\Users\Admin\Documents\svhost1.exe

Filesize
132KB

MD5
86bab71e875585f7ff11775dbb414923

SHA1
c69051dde7a35719731334c2bc2dfd4fea246487

SHA256
8039adef7ead0f7fe0edef62ac1b777a07c290cad349112331429c3cbae12610

SHA512
ab2ed3bb171c9a025c2f2c36a593209b3a41b2468f95fb53c642dc5bcb3a1b76693ab193edecc032b62a10d7eae498320568cee429baaae16f0a924ae7b94807

Download Submit
memory/612-145-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/612-160-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/612-162-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/612-149-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/612-147-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/612-151-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/612-150-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/916-436-0x0000000000890000-0x00000000008BD000-memory.dmp

Filesize
180KB

Download
memory/928-126-0x0000000002980000-0x0000000002A00000-memory.dmp

Filesize
512KB

Download
memory/928-124-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/928-130-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/928-135-0x000000000298B000-0x00000000029F2000-memory.dmp

Filesize
412KB

Download
memory/928-134-0x0000000002984000-0x0000000002987000-memory.dmp

Filesize
12KB

Download
memory/1120-137-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/1120-136-0x00000000029D4000-0x00000000029D7000-memory.dmp

Filesize
12KB

Download
memory/1120-138-0x00000000029DB000-0x0000000002A42000-memory.dmp

Filesize
412KB

Download
memory/1748-161-0x000000000287B000-0x00000000028E2000-memory.dmp

Filesize
412KB

Download
memory/1748-148-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/1748-152-0x0000000002870000-0x00000000028F0000-memory.dmp

Filesize
512KB

Download
memory/1748-163-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/1748-155-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/1748-156-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/1816-157-0x0000000000A50000-0x0000000000BB0000-memory.dmp

Filesize
1.4MB

Download
memory/1948-170-0x00000000026CB000-0x0000000002732000-memory.dmp

Filesize
412KB

Download
memory/1948-168-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-153-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1948-164-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/1948-154-0x00000000026C0000-0x0000000002740000-memory.dmp

Filesize
512KB

Download
memory/1948-158-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-128-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2024-72-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2024-125-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-127-0x0000000002940000-0x00000000029C0000-memory.dmp

Filesize
512KB

Download
memory/2024-131-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/2040-177-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2040-171-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2040-172-0x0000000002640000-0x00000000026C0000-memory.dmp

Filesize
512KB

Download
memory/2168-165-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2168-166-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2168-167-0x0000000002910000-0x0000000002990000-memory.dmp

Filesize
512KB

Download
memory/2168-176-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-71-0x000000001B320000-0x000000001B602000-memory.dmp

Filesize
2.9MB

Download
memory/2276-133-0x0000000002944000-0x0000000002947000-memory.dmp

Filesize
12KB

Download
memory/2276-132-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2276-129-0x000000000294B000-0x00000000029B2000-memory.dmp

Filesize
412KB

Download
memory/2324-142-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2324-139-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-159-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-140-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2324-141-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2324-143-0x0000000002AA0000-0x0000000002B20000-memory.dmp

Filesize
512KB

Download
memory/2336-169-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2336-173-0x000007FEEC700000-0x000007FEED09D000-memory.dmp

Filesize
9.6MB

Download
memory/2336-174-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2336-175-0x0000000002A10000-0x0000000002A90000-memory.dmp

Filesize
512KB

Download
memory/2640-20-0x0000000000970000-0x000000000097C000-memory.dmp

Filesize
48KB

Download
memory/2640-123-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-50-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-19-0x0000000000940000-0x0000000000952000-memory.dmp

Filesize
72KB

Download
memory/2640-18-0x00000000004F0000-0x0000000000506000-memory.dmp

Filesize
88KB

Download
memory/2640-17-0x00000000004E0000-0x00000000004F0000-memory.dmp

Filesize
64KB

Download
memory/2640-16-0x00000000004C0000-0x00000000004DC000-memory.dmp

Filesize
112KB

Download
memory/2640-15-0x000000001B230000-0x000000001B2B0000-memory.dmp

Filesize
512KB

Download
memory/2640-14-0x000007FEF60C0000-0x000007FEF6AAC000-memory.dmp

Filesize
9.9MB

Download
memory/2640-13-0x00000000009D0000-0x0000000000B30000-memory.dmp

Filesize
1.4MB

Download
memory/2948-398-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2948-400-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/2984-431-0x0000000000200000-0x0000000000201000-memory.dmp

Filesize
4KB

Download