dcrat | edbbbed7a606c3631d750b64229ca669d182088324d2cab3f1a0d3ae924bd433

Analysis

max time kernel
0s
max time network
5s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
02-06-2024 18:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ReallyBadOneLineOfCode.exe
Size

8KB
MD5

a4832f40c2364e3eb555fc2fc3b9a511
SHA1

0344b64f658399be1cf771b74559fe6f34b90a58
SHA256

edbbbed7a606c3631d750b64229ca669d182088324d2cab3f1a0d3ae924bd433
SHA512

ef36b31bbb4f13286d3a390ca73678883807af2d00b437f212885348be51ea3eb173eb16beb958c44d6ca7852bcd686be95cbacea5d0b0be9e00db47f2d25f2e
SSDEEP

96:UBe3qj40XieH7qdudJVkauNJI3WNtW1jYcFKNVcz1W4oKYMsLYUa:RaniebqgdJVkBI8stYcFwVc03KY

Score

10^/10

dcrat orcus infostealer pyinstaller rat spyware stealer upx

Malware Config

Extracted

Family

orcus

medicine-pushing.gl.at.ply.gg:50488

Mutex

da4f27f56f6c4be9b71a93002d0bd352

Attributes

autostart_method
TaskScheduler
enable_keylogger
false
install_path
%programfiles%\Edge\Application\msruntime.exe
reconnect_delay
10000
registry_keyname
Microsoft Edge
taskscheduler_taskname
Microsoft Edge Startup
watchdog_path
AppData\tasklist.exe

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcus main payload 3 IoCs

resource	yara_rule
behavioral1/files/0x000500000001a412-236.dat	family_orcus
behavioral1/files/0x000500000001a4e4-301.dat	family_orcus
behavioral1/files/0x000500000001a4e4-304.dat	family_orcus

Process spawned unexpected child process 45 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1772	schtasks.exe	43
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1772	schtasks.exe	43

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018bba-194.dat	dcrat
behavioral1/files/0x0006000000018bba-241.dat	dcrat
behavioral1/files/0x000500000001a4d0-299.dat	dcrat
behavioral1/memory/2560-300-0x0000000000CA0000-0x0000000000E24000-memory.dmp	dcrat
behavioral1/files/0x000500000001a4d0-298.dat	dcrat
behavioral1/files/0x000500000001a4d0-297.dat	dcrat
behavioral1/files/0x000500000001cb86-379.dat	dcrat
behavioral1/files/0x000500000001c758-337.dat	dcrat
behavioral1/files/0x000500000001a4d0-296.dat	dcrat
behavioral1/files/0x000c00000001416a-577.dat	dcrat
behavioral1/files/0x0006000000018bba-189.dat	dcrat

Orcurs Rat Executable 5 IoCs

resource	yara_rule
behavioral1/memory/788-242-0x0000000000E20000-0x0000000000F0A000-memory.dmp	orcus
behavioral1/files/0x000500000001a412-236.dat	orcus
behavioral1/files/0x000500000001a4e4-301.dat	orcus
behavioral1/memory/2380-310-0x0000000000E50000-0x0000000000F3A000-memory.dmp	orcus
behavioral1/files/0x000500000001a4e4-304.dat	orcus

UPX packed file 2 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/912-270-0x000007FEF6220000-0x000007FEF6685000-memory.dmp	upx
behavioral1/files/0x000500000001a4bd-269.dat	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
4	pastebin.com
5	pastebin.com

Detects Pyinstaller 6 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0008000000013a30-52.dat	pyinstaller
behavioral1/files/0x0008000000013a30-53.dat	pyinstaller
behavioral1/files/0x0008000000013a30-50.dat	pyinstaller
behavioral1/files/0x0008000000013a30-278.dat	pyinstaller
behavioral1/files/0x0008000000013a30-208.dat	pyinstaller
behavioral1/files/0x0008000000013a30-205.dat	pyinstaller

Creates scheduled task(s) 1 TTPs 45 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2196	schtasks.exe
1648	schtasks.exe
2160	schtasks.exe
2904	schtasks.exe
2104	schtasks.exe
1640	schtasks.exe
696	schtasks.exe
1472	schtasks.exe
856	schtasks.exe
2320	schtasks.exe
1196	schtasks.exe
2280	schtasks.exe
2192	schtasks.exe
2844	schtasks.exe
1688	schtasks.exe
324	schtasks.exe
2628	schtasks.exe
1248	schtasks.exe
2480	schtasks.exe
1432	schtasks.exe
1384	schtasks.exe
1456	schtasks.exe
480	schtasks.exe
1588	schtasks.exe
2896	schtasks.exe
648	schtasks.exe
1216	schtasks.exe
3048	schtasks.exe
2476	schtasks.exe
760	schtasks.exe
2352	schtasks.exe
2948	schtasks.exe
2020	schtasks.exe
764	schtasks.exe
1560	schtasks.exe
2356	schtasks.exe
1984	schtasks.exe
2672	schtasks.exe
2136	schtasks.exe
2568	schtasks.exe
684	schtasks.exe
108	schtasks.exe
1876	schtasks.exe
1700	schtasks.exe
2848	schtasks.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
868	tasklist.exe
544	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	ReallyBadOneLineOfCode.exe

C:\Users\Admin\AppData\Local\Temp\ReallyBadOneLineOfCode.exe
"C:\Users\Admin\AppData\Local\Temp\ReallyBadOneLineOfCode.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972
- C:\Users\Admin\AppData\Local\VisualStudioLiveShare.exe
  "C:\Users\Admin\AppData\Local\VisualStudioLiveShare.exe"
  2⤵
  PID:2440
- - C:\ProgramData\Windows12.exe
    "C:\ProgramData\Windows12.exe"
    3⤵
    PID:1564
  - - C:\ProgramData\Windows12.exe
      "C:\ProgramData\Windows12.exe"
      4⤵
      PID:828
- - C:\Users\Admin\AppData\Roaming\Windows13.exe
    "C:\Users\Admin\AppData\Roaming\Windows13.exe"
    3⤵
    PID:1516
  - - C:\Users\Admin\AppData\Roaming\Windows13.exe
      "C:\Users\Admin\AppData\Roaming\Windows13.exe"
      4⤵
      PID:912
- - C:\Program Files (x86)\dasd.exe
    "C:\Program Files (x86)\dasd.exe"
    3⤵
    PID:648
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\hyperblockProviderbrowsercrt\IYPAApCAW2lR0jLQtsVUGHD6.vbe"
      4⤵
      PID:2240
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Roaming\hyperblockProviderbrowsercrt\9ibrAoKfJrikCQ3e95Z96VB6yE.bat" "
        5⤵
        
        PID:2640
      - C:\Users\Admin\AppData\Roaming\hyperblockProviderbrowsercrt\Blocksaves.exe
        
        "C:\Users\Admin\AppData\Roaming\hyperblockProviderbrowsercrt\Blocksaves.exe"
        6⤵
        
        PID:2560
- - C:\Users\Admin\Downloads\msedge (1).exe
    "C:\Users\Admin\Downloads\msedge (1).exe"
    3⤵
    PID:788
  - - C:\Windows\SysWOW64\WindowsInput.exe
      "C:\Windows\SysWOW64\WindowsInput.exe" --install
      4⤵
      PID:1876
  - - C:\Program Files (x86)\Edge\Application\msruntime.exe
      "C:\Program Files (x86)\Edge\Application\msruntime.exe"
      4⤵
      PID:2380
    - - C:\Users\Admin\AppData\Roaming\tasklist.exe
        
        "C:\Users\Admin\AppData\Roaming\tasklist.exe" /launchSelfAndExit "C:\Program Files (x86)\Edge\Application\msruntime.exe" 2380 /protectFile
        5⤵
        Enumerates processes with tasklist
        
        PID:544
      - C:\Users\Admin\AppData\Roaming\tasklist.exe
        
        "C:\Users\Admin\AppData\Roaming\tasklist.exe" /watchProcess "C:\Program Files (x86)\Edge\Application\msruntime.exe" 2380 "/protectFile"
        6⤵
        Enumerates processes with tasklist
        
        PID:868

C:\Windows\SysWOW64\WindowsInput.exe
"C:\Windows\SysWOW64\WindowsInput.exe"
1⤵
PID:2596

C:\Windows\system32\taskeng.exe
taskeng.exe {8AFDFE25-0717-4A4D-881F-23ABFEFA98A3} S-1-5-21-2248906074-2862704502-246302768-1000:GHPZRGFC\Admin:Interactive:[1]
1⤵
PID:1032
- C:\Program Files (x86)\Edge\Application\msruntime.exe
  "C:\Program Files (x86)\Edge\Application\msruntime.exe"
  2⤵
  PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlocksavesB" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Downloads\Blocksaves.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Blocksaves" /sc ONLOGON /tr "'C:\Users\Public\Downloads\Blocksaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlocksavesB" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Downloads\Blocksaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlocksavesB" /sc MINUTE /mo 8 /tr "'C:\Windows\en-US\Blocksaves.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Blocksaves" /sc ONLOGON /tr "'C:\Windows\en-US\Blocksaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlocksavesB" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\Blocksaves.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Videos\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Uninstall Information\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Windows13W" /sc MINUTE /mo 10 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\Windows13.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Windows13" /sc ONLOGON /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\Windows13.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Windows13W" /sc MINUTE /mo 9 /tr "'C:\Recovery\3e6c2342-cc12-11ee-878b-7662d560f583\Windows13.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Windows13W" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\Windows13.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Windows13" /sc ONLOGON /tr "'C:\Users\Admin\Links\Windows13.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Windows13W" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\Windows13.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Defender\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Desktop\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Windows13W" /sc MINUTE /mo 11 /tr "'C:\Windows\it-IT\Windows13.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Windows13" /sc ONLOGON /tr "'C:\Windows\it-IT\Windows13.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Windows13W" /sc MINUTE /mo 10 /tr "'C:\Windows\it-IT\Windows13.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Music\Sample Music\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\microsoft shared\VSTA\AppInfoDocument\Microsoft.VisualStudio.Tools.Office.AppInfoDocument\explorer.exe

Filesize
567KB

MD5
67b8e4d9da14d9f0f171773cd4a4b154

SHA1
3ba1cbde02528c1ac65505e6ba9274481f1ba15e

SHA256
89c0c2a957bceaec47b5e49f6c108aa2474235be0e88f88b67819e1c91922e8b

SHA512
4a2e34c2a31020605d4f2d89e9dd1a2334d0ef067673246813314f91fa67756cd3a65e0a14914a6b252e473405b0c3bf3b15a8f82b7eab0ca314baa620e1f235

Download Submit
C:\Program Files (x86)\Edge\Application\msruntime.exe

Filesize
785KB

MD5
e8f947ce5f3cfc99c71f4db69e008575

SHA1
4dfcc7aa8a3e3e673200a90420c9022e679a4af3

SHA256
c0449475f6660a13758c9ff725ab63958e74858ec29281466f3f113e808fb356

SHA512
492d54eac7794cc306d519f7131e770cee2de489befd7955ae09d05bab1a95c2db81cbcd1c19642329dc38cff4f3c595085947b36886451f7c741c44cdd0a786

Download Submit
C:\Program Files (x86)\dasd.exe

Filesize
1.0MB

MD5
ecb73f9aa5a53ca5f00fdc8852a63f08

SHA1
d79fa4e442cd64be116dc82cb10cf622e33712e2

SHA256
f28e868229afbd8628b865f8c7e3a6de6460cd3bab2e65321afaa290d0ed0150

SHA512
4ebcf11e01483ad3f5d32058197b686937bf326615ef729f55342b5931f9cb41a7522e1c24b17103463228ed7f01636a8f015def990d5e4033c97d41439379cf

Download Submit
C:\Program Files (x86)\dasd.exe

Filesize
1.8MB

MD5
e1d3377a8e445723cc783073387b9965

SHA1
b7745e85d96fd8ca687b283ab71e924df331f226

SHA256
e1235723aa9d4f07ef4696deb3caf1d53e05e412e4d2298abf320de613fbdae9

SHA512
f20553fd827f71be0599dcea110cd5c615b12cc82ac3da46679beeeed9a871a5cf9f84ec01d871b6f936d8b4cfb6025bd585fc1f87ba8460e03d1d9e9337b6fa

Download Submit
C:\Program Files\Uninstall Information\explorer.exe

Filesize
210KB

MD5
56d1c4a9ecb7f3ab8687f238abc65d49

SHA1
51f6b44170248b21ab44a0cc324220d04daaa9de

SHA256
2401a3fe99e40e16782b3c0ed0c2b30ea11105fb7b70bc79c65d09375f74d5c5

SHA512
c6b42ecba8ab6fdefa4d6e1c97cd5cebd93343bce85bd1112f750bbc68b5fcac4e2c78f5fce3e647d66a38f605dfcdf1ef516b25602f466d46cd55247e0e843c

Download Submit
C:\ProgramData\Windows12.exe

Filesize
1004KB

MD5
359a19cf3268e10c29614157eded6b2b

SHA1
5b1abd388bf47820949be8bfe59d2ff3b977c2c3

SHA256
b2b0f510e9af4e945d41f6fa1aa352d79f0371ad1d1a6113fd1846ae49cee924

SHA512
43fdf06fca6161fdf376f959b35b49497a75e5d03782b49ff06ab3b02b3b8ff726839d2a0bda2460966fdfdec15216e72d2159587429f982789cd2472d9d2bbf

Download Submit
C:\ProgramData\Windows12.exe

Filesize
1.0MB

MD5
5b223c844ef4efa7a7fa1623257c7bbe

SHA1
123eb8ed912c58108b61a01569b978106512372e

SHA256
9030d8516ae606a95446e5b63191c2cdf8da78c80615fd67fdad97454c0600ce

SHA512
4e84ed1026c615a983f25427b78da907f1c96399c56b0f3ba54d0a35c09074af5d31e22b8d67af7af56977eafff688afb2ae478d999c8426c5bee1bf0a923567

Download Submit
C:\ProgramData\Windows12.exe

Filesize
1.6MB

MD5
906277284c4af1c27af657f524db6d70

SHA1
39fcfaf1269e3ddd2e5a4dc3d0d7541a7b9bc6b4

SHA256
5e5db9b974420526a03733f221a64a957530b81e3c53de506ccce7384b5e9d9a

SHA512
623da89d57c34ef984f1d093e86a4cd8654644b2519a63dfd420b1dc90ea198191a7eee858518a4ae4e64d5afe32ea7b8a92d1925f04f72e78dedca4c6e775b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AD8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15162\api-ms-win-core-timezone-l1-1-0.dll

Filesize
21KB

MD5
d12403ee11359259ba2b0706e5e5111c

SHA1
03cc7827a30fd1dee38665c0cc993b4b533ac138

SHA256
f60e1751a6ac41f08e46480bf8e6521b41e2e427803996b32bdc5e78e9560781

SHA512
9004f4e59835af57f02e8d9625814db56f0e4a98467041da6f1367ef32366ad96e0338d48fff7cc65839a24148e2d9989883bcddc329d9f4d27cae3f843117d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI15642\ucrtbase.dll

Filesize
775KB

MD5
952a89674338106c1b33a51d007ab0b3

SHA1
7b288d7cc81b37d6e72233674f083c88ec9b8890

SHA256
e2dd10e2030250fc17cec9e92232dbba9690844e4d1ea7a557643866f460cbda

SHA512
94d1ec8dbe82ba5964e41f6f0b2cec8c01ce47287401a72208ead198b1ed24ef60af819edd4235828da0d39eee810821d34a5ec781eace2a87268f2cfcbf3474

Download Submit
C:\Users\Admin\AppData\Local\VisualStudioLiveShare.exe

Filesize
1.1MB

MD5
cafd3f5dbcabc72df92e74b6261c6813

SHA1
8fcac16c33c7c6e9172c9fa8146840720dd46865

SHA256
d139121aeda63fd350cdb9d1a3f0d04c881bfa4006336766c18b68f4fb6085ae

SHA512
5c4ef870e3214fac8b93713dcdb7c91396fd836156c9593d861bdcc64653090dacd4b720f30de934763f7f2ad16ba27e2f865fb57fea0e0fd49ea878c5373ebc

Download Submit
C:\Users\Admin\AppData\Roaming\Windows13.exe

Filesize
894KB

MD5
07fb27c3af02c7180190258361ce7736

SHA1
c8919cbaa7bb9c6475ef09a5559e8371aaf1a604

SHA256
39749b2814617a255ab1e9b601c2b03974731342666d426fcb4fdf7f5793098f

SHA512
e0a1c0a41a0af7121a6bebdfb4986bc0b0a2a3e4ac016f8cb1c493a8fc8408f0694ae71128d22725b93407430fd76c5217241273990cb9739ea34d9d05797b40

Download Submit
C:\Users\Admin\AppData\Roaming\Windows13.exe

Filesize
1.1MB

MD5
3a24709722443ffb828aacec261bb9c2

SHA1
ce2b3164c21cd862bb4fa1b53f7d5118d4f785b5

SHA256
179c4f51376801c60b5b5a24aafe6fc282ca9b654e0bdaf221d42a9ddd2ac6cc

SHA512
b5b0bad1eff5176427f9f71fdbdd1fd26501fde2364c165ecde2de55e3bfc809cc2cfc351ff343a35164f76f71e7aceb2d652883364ed3734b17fcae6441a8f1

Download Submit
C:\Users\Admin\AppData\Roaming\Windows13.exe

Filesize
6.6MB

MD5
be0cc7700a51353a8f650209e8ead3a1

SHA1
a1d60bf8a341a4e7274de9bd5a2cdb6ca944e00c

SHA256
198c13b538d5d17e12083220b2ee022813f1dbe5bfff8f53eef00dfc9f4522cd

SHA512
3eb3addfe12ca6a4e09657d3cf628be58821966a284ec7206952f3542e5614ec31a13e384b1b60c08a8086972d1b0cb2a026a3ce605e1d496cd7ec57282a42fe

Download Submit
C:\Users\Admin\AppData\Roaming\hyperblockProviderbrowsercrt\9ibrAoKfJrikCQ3e95Z96VB6yE.bat

Filesize
55B

MD5
a91e6c3b8b10b9a7810fe5b4dbacbcb7

SHA1
87b66427636bb34306bc8e1ca80033fab36bcb41

SHA256
9a678c084590f651df7ffca81f80e65d476a5f0a86077864f6cccf7c09dc4801

SHA512
d12b8a56c6c0592ebb5c07956b8825886d23a0ded7c61277936eed7446d112ae4f627af1a970016f671c2c21e7e435ececd4f7ca81a41e72bcd0971dc9150c63

Download Submit
C:\Users\Admin\AppData\Roaming\hyperblockProviderbrowsercrt\Blocksaves.exe

Filesize
725KB

MD5
c47d2dcd311c994a09b9e17fb56cce3e

SHA1
d48c4758c0261de812525b187108cd22bc5f40e6

SHA256
a412d5defe9468a1f0ca2eec27a67dab1be8fb1f7eb9e72537beeb2aee7051f4

SHA512
d827a827aa82fccadd43c5742038d582c5ec7d692bc518c10b9f54d9367692c752cbc00205cf2e5c171513d3dbbe8fa477cb7e1f6e048e07343315bd784ae27d

Download Submit
C:\Users\Admin\AppData\Roaming\hyperblockProviderbrowsercrt\Blocksaves.exe

Filesize
721KB

MD5
f20fda04cb965df22c6dc1f871a1439e

SHA1
60f46b2023c083f1c750fb2c0593d55075edfbc4

SHA256
7ebc6455c553b73c407d9412301f2a39252c8e91e65a3e43adbc0b91195d5a91

SHA512
e9633e6d48cd93e0ce952249659183a69f1595640fb728560a1dc1afcb583603b846ae521ac096e3068091be98472db4a64a9e65d8f5b4fd95b99a6966f666eb

Download Submit
C:\Users\Admin\AppData\Roaming\hyperblockProviderbrowsercrt\IYPAApCAW2lR0jLQtsVUGHD6.vbe

Filesize
238B

MD5
9dfa5fb99257d2e036230964dde23b31

SHA1
8c6ff63edada976a3e3853b5d9f31ff2baa7cc12

SHA256
cb0b09dc4401af3803d107bf4d3d8284606f8f011dc85658c3295bf34f7c6e1b

SHA512
e13c18f7bb65dd636c714325ec1ac7e83737d72c46952ec00177f42dd509d5ce3695b7514b3bdc87b447f7312b684197991734b940f2c37038c5d31bb1b316ea

Download Submit
C:\Users\Admin\AppData\Roaming\tasklist.exe

Filesize
9KB

MD5
913967b216326e36a08010fb70f9dba3

SHA1
7b6f8c2eb5b443e03c212b85c2f0edb9c76ad2bf

SHA256
8d880758549220154d2ff4ee578f2b49527c5fb76a07d55237b61e30bcc09e3a

SHA512
c6fcb98d9fd509e9834fc3fba143bd36d41869cc104fbce5354951f0a6756156e34a30796baaa130dd45de3ed96e039ec14716716f6da4569915c7ef2d2b6c33

Download Submit
C:\Users\Admin\Downloads\msedge (1).exe

Filesize
917KB

MD5
668520daa3022bddaa770b23dc408d55

SHA1
a80280d6cf9b887bb1badc482f29e71f2ee7c45b

SHA256
0227339e66ffc8536e29c5d941b6d97368ca067b4aa62ab334aada6f075694d7

SHA512
2b5f132055ade2629e0e8eedcb8183b53662d9602f51d90da4dfed0b4a9635ef04897f3912d59ff886168ab04813c4e3967de2aeb067a5c0a1bcd622c4adfb95

Download Submit
C:\Users\Admin\Links\RCX7733.tmp

Filesize
92KB

MD5
a28c4cfae9c8e13ceff309ba37bc35e0

SHA1
4272ae81b6c7200d9f5c820cdc300e0c4162680d

SHA256
735bfccc50946069c3e4d6cb9aa05e856e09a27ff3d97b032f7e6ce8f3045017

SHA512
a0f6dbed5113624eb9a329752bce6cffd8d59362b9439618e9a770dbbe9946214a191837874732172ab206054172504e3c6ed8314bf7eb5bc9e2e01c9206bc83

Download Submit
C:\Users\Public\Downloads\Blocksaves.exe

Filesize
291KB

MD5
b7bb3e3a9a818210aeb259d2e0942edb

SHA1
ab3b531b04978ab6eafa2b30da5af9d4db18e039

SHA256
dcfda8779c0728240e88eed71b2c83daaeb5d5fbf1cd132fba69d01cace4f829

SHA512
1c0ba05ba3f285abc65ab097aeb7c9ef526a2a3c1eaf0546942dfcdd28d957d90fb020445bba4f64e424159d5b15e01e9c77fa5573d77200a77a4b441fa60abd

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe

Filesize
21KB

MD5
e6fcf516d8ed8d0d4427f86e08d0d435

SHA1
c7691731583ab7890086635cb7f3e4c22ca5e409

SHA256
8dbe814359391ed6b0b5b182039008cf1d00964da9fbc4747f46242a95c24337

SHA512
c496cf8e2e222fe1e19051b291e6860f31aae39f54369c1c5e8c9758c4b56e8af904e3e536e743a0a6fdbbf8478afba4baee92e13fc1b3073376ac6bf4a7948e

Download Submit
C:\Windows\SysWOW64\WindowsInput.exe.config

Filesize
357B

MD5
a2b76cea3a59fa9af5ea21ff68139c98

SHA1
35d76475e6a54c168f536e30206578babff58274

SHA256
f99ef5bf79a7c43701877f0bb0b890591885bb0a3d605762647cc8ffbf10c839

SHA512
b52608b45153c489419228864ecbcb92be24c644d470818dfe15f8c7e661a7bcd034ea13ef401f2b84ad5c29a41c9b4c7d161cc33ae3ef71659bc2bca1a8c4ad

Download Submit
\Program Files (x86)\Edge\Application\msruntime.exe

Filesize
645KB

MD5
25842b803c81a39d2f4d66905941f37b

SHA1
cc2362af551da6bcc83e117bb57aa8ff3d1676c2

SHA256
63fe5ae70a5af8374e07c6bd9034242b2e6c63bf28d266bfa36e4ad3b9d44c84

SHA512
689039d9ca2b2834bd9a15adc9179cb4bf946740a306a8b55fa37ddeb82e539097607693947889842e19befb7db7c5fa0ec025612c01530c1c07adf7d03dcc19

Download Submit
\Program Files (x86)\dasd.exe

Filesize
1021KB

MD5
192f69e82b7962aa49e1e89caf24132e

SHA1
09e31f13f6f5e945c5817581a2e2081abc2adac5

SHA256
f080a5138e1879e27f729fdb6fc22dc68cab01e551c0e16501fbfadfa0a1d308

SHA512
59ec9f419de5c1efe3b231d96f0aad671affa291bbb3c55acb5a77cea1ab4d2656d55b23041024f0ec2945c9337aa735077ffa4351bd142773d3b9889133520e

Download Submit
\ProgramData\Windows12.exe

Filesize
1.2MB

MD5
7d4c871bdfb3ebda558fb9cfd58b4008

SHA1
104c47be04593341999c746b8ca0c57c9053b6fb

SHA256
8f817635bcdc2d50787f4a75e052c184f82e372bb71046beadf6e58ff0fb3292

SHA512
c7be30e16504a8c9a31b60cd1349262b73b2bc9378926003af679a6567bc790702fe87ef7c6c198cad8808fb7f70a987e0eeffe1b151056ca13b95d134bedf79

Download Submit
\ProgramData\Windows12.exe

Filesize
858KB

MD5
35ec2887d2ad6a5c6af9e44e17872054

SHA1
3ffdce907a06ccccb7b1dba82ee58851eedda191

SHA256
eda66d3b923e7d0062bfeff47d6afceab7c693c3152a3d876658da884af4eeaa

SHA512
d80bd50838eec0aca18697b1a89cd6b68f1608a513a8a64f96d7882c79a3b883e85eecf641e3f2cb16bc293ba279181ab021cf982343ee1089f46e05438ab1cd

Download Submit
\ProgramData\Windows12.exe

Filesize
917KB

MD5
16409259892b603ffcdf470619f124c7

SHA1
f106afd553f496f5cb6263fb2fed1e095747e70f

SHA256
ef03e2459b5969e8ba12c46094273f8d058646685908e2a94d18baea2ee673b8

SHA512
a1e1a73250b8c204020d1cae6e72b5b41e30a28b8bfb77a09115a5d30ef9f90befb5dc8e36340f549b91b9d556f93116d0db107c1a48527043c8fd560ab1c362

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15162\api-ms-win-core-file-l1-2-0.dll

Filesize
21KB

MD5
1c58526d681efe507deb8f1935c75487

SHA1
0e6d328faf3563f2aae029bc5f2272fb7a742672

SHA256
ef13dce8f71173315dfc64ab839b033ab19a968ee15230e9d4d2c9d558efeee2

SHA512
8edb9a0022f417648e2ece9e22c96e2727976332025c3e7d8f15bcf6d7d97e680d1bf008eb28e2e0bd57787dcbb71d38b2deb995b8edc35fa6852ab1d593f3d1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15162\api-ms-win-core-file-l2-1-0.dll

Filesize
18KB

MD5
bfffa7117fd9b1622c66d949bac3f1d7

SHA1
402b7b8f8dcfd321b1d12fc85a1ee5137a5569b2

SHA256
1ea267a2e6284f17dd548c6f2285e19f7edb15d6e737a55391140ce5cb95225e

SHA512
b319cc7b436b1be165cdf6ffcab8a87fe29de78f7e0b14c8f562be160481fb5483289bd5956fdc1d8660da7a3f86d8eede35c6cc2b7c3d4c852decf4b2dcdb7f

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15162\api-ms-win-core-localization-l1-2-0.dll

Filesize
21KB

MD5
724223109e49cb01d61d63a8be926b8f

SHA1
072a4d01e01dbbab7281d9bd3add76f9a3c8b23b

SHA256
4e975f618df01a492ae433dff0dd713774d47568e44c377ceef9e5b34aad1210

SHA512
19b0065b894dc66c30a602c9464f118e7f84d83010e74457d48e93aaca4422812b093b15247b24d5c398b42ef0319108700543d13f156067b169ccfb4d7b6b7c

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15162\api-ms-win-core-processthreads-l1-1-1.dll

Filesize
21KB

MD5
517eb9e2cb671ae49f99173d7f7ce43f

SHA1
4ccf38fed56166ddbf0b7efb4f5314c1f7d3b7ab

SHA256
57cc66bf0909c430364d35d92b64eb8b6a15dc201765403725fe323f39e8ac54

SHA512
492be2445b10f6bfe6c561c1fc6f5d1af6d1365b7449bc57a8f073b44ae49c88e66841f5c258b041547fcd33cbdcb4eb9dd3e24f0924db32720e51651e9286be

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15162\python310.dll

Filesize
1.4MB

MD5
36d50e9ea29f95f08f466ab9d9124976

SHA1
a6ea950f370b7523e43e7ad4e2d8d249661eb82c

SHA256
3a1fde1065ee7c6a09c3caaaa93d93bc1d79b52e8bf6e9f0f9a4e13651975c01

SHA512
ffb2968db1be5703dcb7902de94cbefa911319dc0b50f2420b2d981e91172b9eb4f3faf00019302959891178dea3f271a6e7e67c944b4151a4f16b345e8c34ff

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15162\ucrtbase.dll

Filesize
923KB

MD5
965b70576f219832d60e7da55187b46b

SHA1
da6a4d2e683b78cb7074285d61edfba02c83178c

SHA256
f78be5950bf2b9fe5c75de68dd256ff34cbdea996fdbb299c7721e48d860afc5

SHA512
89ed5ed0b1a8757159951209647d9d773ee8d19bd81d976d17a7cd35bc88b49114c22523bbc1d2f7aed371dbf441758866d5e2072abd985796232a7f9bafdd7e

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15642\python39.dll

Filesize
4.3MB

MD5
11c051f93c922d6b6b4829772f27a5be

SHA1
42fbdf3403a4bc3d46d348ca37a9f835e073d440

SHA256
0eabf135bb9492e561bbbc5602a933623c9e461aceaf6eb1ceced635e363cd5c

SHA512
1cdec23486cffcb91098a8b2c3f1262d6703946acf52aa2fe701964fb228d1411d9b6683bd54527860e10affc0e3d3de92a6ecf2c6c8465e9c8b9a7304e2a4a6

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI15642\ucrtbase.dll

Filesize
992KB

MD5
0e0bac3d1dcc1833eae4e3e4cf83c4ef

SHA1
4189f4459c54e69c6d3155a82524bda7549a75a6

SHA256
8a91052ef261b5fbf3223ae9ce789af73dfe1e9b0ba5bdbc4d564870a24f2bae

SHA512
a45946e3971816f66dd7ea3788aacc384a9e95011500b458212dc104741315b85659e0d56a41570731d338bdf182141c093d3ced222c007038583ceb808e26fd

Download Submit
\Users\Admin\AppData\Local\VisualStudioLiveShare.exe

Filesize
1.1MB

MD5
e1ec0b974f29363873318450ac7d29d9

SHA1
fb90d06ba700e6a2afde2eb37be6d1b09393d21c

SHA256
3619beccbbbfa0f15f590fdd31fe377694d6981c0b30c48a234456072a1f64af

SHA512
e390225bc515e65739d045a4c00fb735197455bfc74cd912d556cf85f5603055302ac09bb7155055d9074db9cb254a3d061a81f1291853e669585116330420b8

Download Submit
\Users\Admin\AppData\Roaming\Windows13.exe

Filesize
1.3MB

MD5
86f41afb7bb656ee6899938def54a59c

SHA1
e9cebba5412bd4fab361312545af80611e6881b2

SHA256
39cc04eb273da8cebca95ce7b9dcd1c36783e64514733b14527dd56bc64b00a6

SHA512
f5d284a89eea06009619684f2c2bb7f9b6ea72e7d59e30fdfdbb63bb6c08d307aef2bf981517baa4c3ed6cc66618a02d994786cfecb43ba1544352285b00a392

Download Submit
\Users\Admin\AppData\Roaming\hyperblockProviderbrowsercrt\Blocksaves.exe

Filesize
917KB

MD5
25b69a4c3f11c453763c4e36e79c73cd

SHA1
7fd2996d6c03a78cf1b541d4663f31cfd5877cbc

SHA256
40d87ffb479bfdc6b1ba8afab58556862139557ac07092d79d1bf2d5948db7b5

SHA512
a7988c4921b55588b5b1cd755c18a87dfb32da414e99711ea7ea3ecbe373bde5f896825705c024228992e170db4315c08f5eaa0fee74d3d94364f41299271e6b

Download Submit
\Users\Admin\AppData\Roaming\hyperblockProviderbrowsercrt\Blocksaves.exe

Filesize
750KB

MD5
854aac5fea6ba2af1fc2e7c7f05348f4

SHA1
77aa454e7642ca2299bf2b273759a6627048eea4

SHA256
df9790c7677636349a891313d4bc844bcced7f98642a17c5d9325ba66fdf06b2

SHA512
bd3e8e3e32facc3818beb09bb07003b912c8c81bde377319a181151c5fff3a05f47191a10df705c9f8fe2fbb4d51e93b6770c853b72c92ef56999a007e6e813f

Download Submit
memory/544-334-0x0000000000950000-0x0000000000958000-memory.dmp

Filesize
32KB

Download
memory/788-281-0x0000000000960000-0x0000000000972000-memory.dmp

Filesize
72KB

Download
memory/788-242-0x0000000000E20000-0x0000000000F0A000-memory.dmp

Filesize
936KB

Download
memory/788-268-0x0000000000AA0000-0x0000000000AFC000-memory.dmp

Filesize
368KB

Download
memory/788-261-0x0000000000480000-0x000000000048E000-memory.dmp

Filesize
56KB

Download
memory/912-270-0x000007FEF6220000-0x000007FEF6685000-memory.dmp

Filesize
4.4MB

Download
memory/1876-290-0x0000000000110000-0x000000000011C000-memory.dmp

Filesize
48KB

Download
memory/2380-310-0x0000000000E50000-0x0000000000F3A000-memory.dmp

Filesize
936KB

Download
memory/2380-311-0x0000000000B40000-0x0000000000B8E000-memory.dmp

Filesize
312KB

Download
memory/2380-326-0x0000000004880000-0x0000000004890000-memory.dmp

Filesize
64KB

Download
memory/2380-323-0x0000000000E30000-0x0000000000E48000-memory.dmp

Filesize
96KB

Download
memory/2440-47-0x0000000000400000-0x0000000001633000-memory.dmp

Filesize
18.2MB

Download
memory/2560-317-0x0000000000530000-0x000000000053A000-memory.dmp

Filesize
40KB

Download
memory/2560-316-0x0000000000520000-0x0000000000530000-memory.dmp

Filesize
64KB

Download
memory/2560-319-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2560-322-0x0000000000580000-0x000000000058A000-memory.dmp

Filesize
40KB

Download
memory/2560-321-0x0000000000570000-0x000000000057A000-memory.dmp

Filesize
40KB

Download
memory/2560-320-0x0000000000560000-0x0000000000568000-memory.dmp

Filesize
32KB

Download
memory/2560-318-0x0000000000540000-0x000000000054C000-memory.dmp

Filesize
48KB

Download
memory/2560-313-0x00000000003E0000-0x00000000003E8000-memory.dmp

Filesize
32KB

Download
memory/2560-314-0x0000000000470000-0x0000000000480000-memory.dmp

Filesize
64KB

Download
memory/2560-300-0x0000000000CA0000-0x0000000000E24000-memory.dmp

Filesize
1.5MB

Download
memory/2560-315-0x0000000000500000-0x0000000000516000-memory.dmp

Filesize
88KB

Download
memory/2560-312-0x00000000003C0000-0x00000000003DC000-memory.dmp

Filesize
112KB

Download
memory/2596-294-0x0000000000290000-0x000000000029C000-memory.dmp

Filesize
48KB

Download
memory/2972-2-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-46-0x0000000074960000-0x000000007504E000-memory.dmp

Filesize
6.9MB

Download
memory/2972-0-0x000000007496E000-0x000000007496F000-memory.dmp

Filesize
4KB

Download
memory/2972-1-0x00000000010F0000-0x00000000010F8000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads