dcrat | 15ba1de7e069b6615cc13a43cc2b50426065e92e018066b0e3a3af43bba522ee

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
03-11-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bot.exe
Size

3.2MB
MD5

d9f7208d0116dcde22ece5048ac6c37d
SHA1

f9b23d695bb875f032292983fe537c48bc02a657
SHA256

15ba1de7e069b6615cc13a43cc2b50426065e92e018066b0e3a3af43bba522ee
SHA512

152289834cfcf4fc78bd0799a78752587b06dd1c839ee46e050a03c99e1d527de995bd9430fbaee6da3d999293f00dbaa1d07736137e08c7740d5edb7263b114
SSDEEP

49152:ubA3j4Ovfe+uuyV5rPOf82wtPXbGuTVHXZiyF3U5zKY7SeVZ9:ubSvfmV5kjwVbLXq5zKY9VZ9

Score

10^/10

dcrat discovery evasion infostealer rat spyware stealer trojan

Malware Config

Signatures

DcRat 57 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

description	ioc	pid	Process
		2912	schtasks.exe
		1680	schtasks.exe
		2624	schtasks.exe
		320	schtasks.exe
		2272	schtasks.exe
		2840	schtasks.exe
		1652	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language		bot.exe
		1256	schtasks.exe
		888	schtasks.exe
		2924	schtasks.exe
		2244	schtasks.exe
		2364	schtasks.exe
		2096	schtasks.exe
		1552	schtasks.exe
		1512	schtasks.exe
		484	schtasks.exe
		980	schtasks.exe
		2216	schtasks.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\6203df4a6bafc7		Containerreview.exe
		1520	schtasks.exe
		848	schtasks.exe
		2996	schtasks.exe
		2772	schtasks.exe
		2844	schtasks.exe
		2684	schtasks.exe
		332	schtasks.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\75a57c1bdf437c		Containerreview.exe
		1240	schtasks.exe
		2412	schtasks.exe
		1488	schtasks.exe
		1572	schtasks.exe
		1300	schtasks.exe
		2648	schtasks.exe
		496	schtasks.exe
		1452	schtasks.exe
		1628	schtasks.exe
		2812	schtasks.exe
		1200	schtasks.exe
		2336	schtasks.exe
		1108	schtasks.exe
		1780	schtasks.exe
		2028	schtasks.exe
		2880	schtasks.exe
		2928	schtasks.exe
		2424	schtasks.exe
		1848	schtasks.exe
		1476	schtasks.exe
		944	schtasks.exe
		1616	schtasks.exe
		2720	schtasks.exe
		2612	schtasks.exe
		1852	schtasks.exe
		1296	schtasks.exe
		768	schtasks.exe
		1644	schtasks.exe
		1700	schtasks.exe

Dcrat family
dcrat

Process spawned unexpected child process 54 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	1192	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	1192	schtasks.exe	35

UAC bypass 3 TTPs 9 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Containerreview.exe

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000160d5-9.dat	dcrat
behavioral1/memory/2760-13-0x0000000000960000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/files/0x00050000000194b4-60.dat	dcrat
behavioral1/memory/604-151-0x0000000001390000-0x0000000001670000-memory.dmp	dcrat

Disables Task Manager via registry modification
evasion

Executes dropped EXE 3 IoCs

pid	Process
2760	Containerreview.exe
1844	Containerreview.exe
604	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
1912	cmd.exe
1912	cmd.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Checks whether UAC is enabled 1 TTPs 6 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Containerreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Containerreview.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe

Drops file in Program Files directory 28 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\75a57c1bdf437c	Containerreview.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\6203df4a6bafc7	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\WMIADAP.exe	Containerreview.exe
File created	C:\Program Files (x86)\Windows NT\75a57c1bdf437c	Containerreview.exe
File created	C:\Program Files\Windows Media Player\Visualizations\101b941d020240	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD416.tmp	Containerreview.exe
File opened for modification	C:\Program Files\7-Zip\WmiPrvSE.exe	Containerreview.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\WMIADAP.exe	Containerreview.exe
File created	C:\Program Files\Windows Media Player\Visualizations\lsm.exe	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCXD6A7.tmp	Containerreview.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Windows NT\WMIADAP.exe	Containerreview.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe	Containerreview.exe
File created	C:\Program Files\7-Zip\Lang\Containerreview.exe	Containerreview.exe
File created	C:\Program Files (x86)\Windows NT\WMIADAP.exe	Containerreview.exe
File created	C:\Program Files\7-Zip\WmiPrvSE.exe	Containerreview.exe
File created	C:\Program Files\7-Zip\24dbde2999530e	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\logs\RCXD415.tmp	Containerreview.exe
File created	C:\Program Files\7-Zip\Lang\6e248630e82c92	Containerreview.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\6ccacd8608530f	Containerreview.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\75a57c1bdf437c	Containerreview.exe
File opened for modification	C:\Program Files\7-Zip\Lang\Containerreview.exe	Containerreview.exe
File opened for modification	C:\Program Files\Windows Media Player\Visualizations\lsm.exe	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\RCXD6A6.tmp	Containerreview.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe	Containerreview.exe
File created	C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe	Containerreview.exe
File opened for modification	C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe	Containerreview.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Panther\setup.exe\24dbde2999530e	Containerreview.exe
File opened for modification	C:\Windows\es-ES\Idle.exe	Containerreview.exe
File opened for modification	C:\Windows\Panther\setup.exe\WmiPrvSE.exe	Containerreview.exe
File created	C:\Windows\es-ES\Idle.exe	Containerreview.exe
File created	C:\Windows\es-ES\6ccacd8608530f	Containerreview.exe
File created	C:\Windows\Panther\setup.exe\WmiPrvSE.exe	Containerreview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	bot.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "436830688"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 20f7aa47362edb01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea22000000000200000000001066000000010000200000006a81d9d7954c94f3780b1f8e770a4745ccbfa20e5e7c769bf0ece39128e305b7000000000e800000000200002000000061e564ec9234485a3e8c2d0680ed55a81501b015a26e7517b93a0a9e30f93e4c2000000031fe7058987f5b9553a58130fd51200a2717598c499c22bcc0bbe2a66188319640000000a68cf35b027d317b22288b6e0f5f23898418c79def51f5bddb47b9df055695fa098be9d4301349593d7034915330f16836032da690dea521c88fc0d4baa3c76b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{6DF03C61-9A29-11EF-BA23-C60424AAF5E1} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000045c0dde48c11474f81d9a2c02be4ea220000000002000000000010660000000100002000000095d8c61699abd239a636cac7123e1ffe683aa6c6cf043b7707ae83bc6c713e91000000000e800000000200002000000083831b834714db1d41edd296d13710e2a8cdef5317730e7d8943d01b8dd1d66290000000887d90ffa674bce44b41f4c617be37e18dc92f15a193a6cba7a7dc6afb293956f147b6fea3dc326062ed3032cedc70f79f200e51dd8ee929a1e8e1d46cb73332efd8fcdba72d2e6ae887274214d584033219f31d888e3fb9b97b6fb8b09b12d0cd3c28b317068d35995f7a5464b8fdd8f37bd7f510cc043b6f5c9cd99531e28df6afeea57eeec3068a98dcbe78fcd75c4000000093dbdf63ac2f75fb5c757c40be88dc9e3962a2c2d079f12968d6abe08a27c5476d0e2b284615a55ec4354794e953779b413d714f1771b147da4692ea0a602e65	iexplore.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1856	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 54 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1300	schtasks.exe
1780	schtasks.exe
2272	schtasks.exe
1552	schtasks.exe
1240	schtasks.exe
2928	schtasks.exe
2844	schtasks.exe
2720	schtasks.exe
2912	schtasks.exe
2096	schtasks.exe
848	schtasks.exe
2028	schtasks.exe
2924	schtasks.exe
1848	schtasks.exe
2996	schtasks.exe
1652	schtasks.exe
2336	schtasks.exe
1488	schtasks.exe
1628	schtasks.exe
1512	schtasks.exe
1644	schtasks.exe
944	schtasks.exe
2812	schtasks.exe
2840	schtasks.exe
1452	schtasks.exe
496	schtasks.exe
1520	schtasks.exe
888	schtasks.exe
2244	schtasks.exe
1256	schtasks.exe
2412	schtasks.exe
1108	schtasks.exe
2624	schtasks.exe
320	schtasks.exe
2880	schtasks.exe
1616	schtasks.exe
2216	schtasks.exe
2684	schtasks.exe
2364	schtasks.exe
2612	schtasks.exe
2772	schtasks.exe
2648	schtasks.exe
332	schtasks.exe
1572	schtasks.exe
1200	schtasks.exe
1852	schtasks.exe
1296	schtasks.exe
2424	schtasks.exe
1476	schtasks.exe
1680	schtasks.exe
484	schtasks.exe
1700	schtasks.exe
980	schtasks.exe
768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
2760	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
1844	Containerreview.exe
604	WmiPrvSE.exe
604	WmiPrvSE.exe
604	WmiPrvSE.exe
604	WmiPrvSE.exe
604	WmiPrvSE.exe
604	WmiPrvSE.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
604	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	Containerreview.exe
Token: SeDebugPrivilege	1844	Containerreview.exe
Token: SeDebugPrivilege	604	WmiPrvSE.exe
Token: SeBackupPrivilege	1612	vssvc.exe
Token: SeRestorePrivilege	1612	vssvc.exe
Token: SeAuditPrivilege	1612	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1904	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
604	WmiPrvSE.exe
1904	iexplore.exe
1904	iexplore.exe
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 2528 wrote to memory of 1592	2528	bot.exe	30
PID 2528 wrote to memory of 1592	2528	bot.exe	30
PID 2528 wrote to memory of 1592	2528	bot.exe	30
PID 2528 wrote to memory of 1592	2528	bot.exe	30
PID 1592 wrote to memory of 1912	1592	WScript.exe	31
PID 1592 wrote to memory of 1912	1592	WScript.exe	31
PID 1592 wrote to memory of 1912	1592	WScript.exe	31
PID 1592 wrote to memory of 1912	1592	WScript.exe	31
PID 1912 wrote to memory of 2760	1912	cmd.exe	33
PID 1912 wrote to memory of 2760	1912	cmd.exe	33
PID 1912 wrote to memory of 2760	1912	cmd.exe	33
PID 1912 wrote to memory of 2760	1912	cmd.exe	33
PID 2760 wrote to memory of 1844	2760	Containerreview.exe	45
PID 2760 wrote to memory of 1844	2760	Containerreview.exe	45
PID 2760 wrote to memory of 1844	2760	Containerreview.exe	45
PID 1912 wrote to memory of 1856	1912	cmd.exe	46
PID 1912 wrote to memory of 1856	1912	cmd.exe	46
PID 1912 wrote to memory of 1856	1912	cmd.exe	46
PID 1912 wrote to memory of 1856	1912	cmd.exe	46
PID 1844 wrote to memory of 2732	1844	Containerreview.exe	92
PID 1844 wrote to memory of 2732	1844	Containerreview.exe	92
PID 1844 wrote to memory of 2732	1844	Containerreview.exe	92
PID 2732 wrote to memory of 2052	2732	cmd.exe	94
PID 2732 wrote to memory of 2052	2732	cmd.exe	94
PID 2732 wrote to memory of 2052	2732	cmd.exe	94
PID 2732 wrote to memory of 604	2732	cmd.exe	95
PID 2732 wrote to memory of 604	2732	cmd.exe	95
PID 2732 wrote to memory of 604	2732	cmd.exe	95
PID 604 wrote to memory of 2580	604	WmiPrvSE.exe	96
PID 604 wrote to memory of 2580	604	WmiPrvSE.exe	96
PID 604 wrote to memory of 2580	604	WmiPrvSE.exe	96
PID 604 wrote to memory of 776	604	WmiPrvSE.exe	97
PID 604 wrote to memory of 776	604	WmiPrvSE.exe	97
PID 604 wrote to memory of 776	604	WmiPrvSE.exe	97
PID 604 wrote to memory of 1904	604	WmiPrvSE.exe	102
PID 604 wrote to memory of 1904	604	WmiPrvSE.exe	102
PID 604 wrote to memory of 1904	604	WmiPrvSE.exe	102
PID 1904 wrote to memory of 1452	1904	iexplore.exe	103
PID 1904 wrote to memory of 1452	1904	iexplore.exe	103
PID 1904 wrote to memory of 1452	1904	iexplore.exe	103
PID 1904 wrote to memory of 1452	1904	iexplore.exe	103

System policy modification 1 TTPs 9 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	Containerreview.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	WmiPrvSE.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	WmiPrvSE.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\bot.exe
"C:\Users\Admin\AppData\Local\Temp\bot.exe"
1⤵
- DcRat
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2528
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\BridgeagentFont\E1OrDChd6wfhvlLu9Zc8rvL1kfwV.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Roaming\BridgeagentFont\LMbhEUlzAGhXQ88TEAwD9DBna.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe
      "C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe"
      4⤵
      DcRat
      UAC bypass
      Executes dropped EXE
      Checks whether UAC is enabled
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      System policy modification
      PID:2760
    - - C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe
        
        "C:\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe"
        5⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:1844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vEzorDbYXk.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2052
        
        C:\Program Files\7-Zip\WmiPrvSE.exe
        
        "C:\Program Files\7-Zip\WmiPrvSE.exe"
        7⤵
        UAC bypass
        Executes dropped EXE
        Checks whether UAC is enabled
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        System policy modification
        
        PID:604
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\080b786f-4c62-419b-b86c-8f4f237ed143.vbs"
        8⤵
        
        PID:2580
        
        C:\Windows\System32\WScript.exe
        
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\dc074f35-f6e5-4b37-8b8d-897444f8d99c.vbs"
        8⤵
        
        PID:776
        
        C:\Program Files\Internet Explorer\iexplore.exe
        
        "C:\Program Files\Internet Explorer\iexplore.exe" http://localhost:12659/
        8⤵
        Modifies Internet Explorer settings
        Suspicious use of FindShellTrayWindow
        Suspicious use of SetWindowsHookEx
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1904 CREDAT:275457 /prefetch:2
        9⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1452
  - - C:\Windows\SysWOW64\reg.exe
      reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
      4⤵
      System Location Discovery: System Language Discovery
      Modifies registry key
      PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Containerreview.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Containerreview" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Containerreview.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\Containerreview.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 14 /tr "'C:\Program Files\7-Zip\Lang\Containerreview.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Containerreview" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\Containerreview.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ContainerreviewC" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\Lang\Containerreview.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Sidebar\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\Idle.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Windows\Panther\setup.exe\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Windows\Panther\setup.exe\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\7-Zip\WmiPrvSE.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\7-Zip\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Users\Default\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\lsass.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\Visualizations\lsm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Visualizations\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Media Player\Visualizations\lsm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1612

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
PID:1184

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\OSPPSVC.exe

Filesize
2.8MB

MD5
4fbc1aa1b27521d565072c6deeb57095

SHA1
91818e19accdd2c79c11f139eaa3db9c3158f3ae

SHA256
3b8f08b74dce788d8c3cab300ce544d9682b8fc12fabd19f9d010e2b70ba815a

SHA512
b2950287141c7f3521c496dad2a0e3e56b0227e4711dbc4c7c7edbb9ee7672411e6a590ae099e398c846987ed8c9f0c682a699fbddc5ff9fb1b75695d68a52e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50059dfb02b4d98a8e4a701fc0e35bf6

SHA1
fc445e75376beccc84969181d8eac54604acca91

SHA256
6490cb9f3de5631e85dd9a004a4c5b35bba9f71237820bd9279843819a8790f2

SHA512
f943fb383081386c78e3cd97748c7d9b8b5c097064819fb774c8b50f33b068e9db278325ac99af9e9ebee7b3a73389b593ba5d2e9c4655d91854086a077170c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdf23a7faa2cb9ff6346d113cffacf13

SHA1
a933b359679358bc758cf7f732c1121006fc7234

SHA256
fda354c84df2940a2480e07409f7cb0878db48c3323b38334598842c3051dfc6

SHA512
9c5376edd5d821bd11815ed9c3d3e44b61f00f0c9e89be95d8dc5fac026081ce9bb12b16e8d6facc27dbbb2f5c9381bc3e7f2f50e2659bcc23dc3c97b884390e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abaeb277714f4ed9c51eb1f2143e0271

SHA1
7c24589dc635481747d4287bd968ca6758a60af8

SHA256
5d9979d9cbcff31ee51c176e0efd16d93575e670296c635ef8a16072e0dd780a

SHA512
0af48ebafa98b68ba9542441398062a0f8bb395a8fd1340401197a27e1d9fbf07be1d67a834585d6f247c90556393c30c06c4cf70adc5298c3727fbafd25a1b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec0eba810555d3da1095c5f72201c7b1

SHA1
35bb73f5988d6827cbb461ba3deb98409f2c0954

SHA256
edd83aad93fc367a5ded6d449efbc6b7dda59575652e891d2d863a823305c8cb

SHA512
e1d690acc9c6836ec2e413defe644b8b5d1acfe67e5fc8e082895092e6ec22c44670af5f90029e285ee673206e01c51cb3b7e50649542aa9b1aba322b9369c46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
994a2be6728b0b271200a85f6269ad5a

SHA1
1169c3d606ed7619cc57b870da9b842fdf1f2a0d

SHA256
662ad8777a8e9ae0505d138080180f771b086c8c72ccff24d39b60dc0616076d

SHA512
1053ab6569a7e5fddd6e61c84c5ed0b37369e947dc3611fc750ffab04b321bacd9da6c92e8caf6aa982e27c1350623361f66662c2d2a98d62ed1849df5bee113

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
99b6bda89bdcd5cb9b7ed8b28198c542

SHA1
6a56411165de196a201a8fa5fbe25efcb07676a0

SHA256
e33157b4bda35aee2f69cf3c08795cd29a832320efc39bd4945d7ffdea46342f

SHA512
692d5cbedffb914c6591736b40e41d3ef511cce572a3f726866dd751220658053851f10e01cb96add17b6a2537402e1c439796e1e28c55e3a632fea760c99187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0429865117288ab3b55717cbdca9cf50

SHA1
c9a4aba70fc8d5be57e54dc90d1ca1eb869da317

SHA256
6577e2359f58c95a2b65edd98f589b05d7b21fe1ff098e672e9fdf62f5c5e295

SHA512
0c2303faf385b928046fbe1c54c77920e32f7c94b6e9438083bdd896fd8154da394f055d9f3541289077a6e8b109ab814ea55e3dfd54ffbf372a748d602ae07a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed78dfc3fc2bf0c6d4268e07fa3b0009

SHA1
4badfc8438bee96b4267a0d3fbd8c7344ab01614

SHA256
7fea2e27fdae8644f53a3a5b91843f4ce3c173ffb608054ac55b1b7a2c49ee96

SHA512
d057d65fd487af5209ccba96bda57486a280ad2c9a25c1c223b39b20bbfeb5813dc38e9f45749192422173c28f702813c434dc35069e6dc71495b53bde9a9ee5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f1a4d2289685f2263129a979ffd5a59

SHA1
897407160963d00cf57a137b2d30d67d429ff5dd

SHA256
99424e65c8469999a573157b05cfdd0499eee16085dd0e63f679b363d88e616c

SHA512
c7d8e6a7e956e0cee5124de13eeeb2727b95638e749b4274e0733480aedcaf26848a9348c2a02ab89537353f23f024bd94881587384956cae720dee2d98a3daf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14a7a2f5bcb4211eb6e2f4108226ae61

SHA1
31f75591c956309d3ccbdbf933fe0836da747017

SHA256
8bc6b4538aa677ab9d9862c22b3dccc487c92834297c244b5a3378a8541787bd

SHA512
46230ad6afa19271591bbfd08f91426c2c908c42d7f44853a943a6b6f48b5380144574be771a9f569ea071032da607de5e8b42b3e7baa1123aa3e037ac05ab59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
038c875dadef35bb1d06238d59ae16ae

SHA1
4859e43e5248e9d4a9d08a44fc8de671122eebef

SHA256
ba08c36a5ecc4540039d06f6720c79f9c665e7d3b613e1bd4f8db026943f230a

SHA512
97cd5c558a0be8dee8caeeaa26414f32d1bf7c9ad408f40fcce80a551df4e8fdf906e339428f548812a55f3945795f025eb433f595c8bf950f76d0d568f58beb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7539306d7a9527e9b1bd60d098aa04eb

SHA1
3db23d15c3f22a2fb3f48c5d05e5b0a20b4a2f85

SHA256
ce7713e9dc15f7af5239738ddea216f8c2cfbe2ccf1c5c0f8943363831e3db32

SHA512
c50500b0c2c6d60e49a8a3b67b49e58a179712fc753c9e8076ada3ec51dfdaf8d1988ee31e442ebf5a6b95c655f23bb1047b06618a2c057c8b2deb1a3c111bb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
244be3d677c973784bef6bdb667f3dc3

SHA1
15f604fd4d3190af3d2c1e3f49355d8aa4509c52

SHA256
e85b21203b66833f98e2c972e069668f88903b45bbc4458be912cb24412cef7d

SHA512
f0324a7bcb2fd42afc29f5fc601e9956a14c389f378131a3178a00835aa30a4190a0b4380108cca18d9cb7ad7715f878bfcf458c615872bf2b82fbdbc7e04bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
18dcc4b7e638c590d98c0fb7ae6a7f4b

SHA1
017c2c4298578cfe00353c0eedc4f8e5033a06f5

SHA256
b28b67f619936fe4ca521c449c2c99c288413beb3dad0dd5e92b4f17f44afe6d

SHA512
9fa93abee5b9e62bc354928e5bb461fbb58903378ee45156e95c4925643980b7cef7ff2dfa16fcc2d270e69c76855967c7f7b4a3ffb018fcb5c32af8b2855148

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
84ad357dc99a0770990aa72614c9c9e7

SHA1
583bc195357d41ab504fdacfe826e881de2f8925

SHA256
c91cf30eafcfa7081e4ebd8880de9826634f969a5979ccf718478221045cadce

SHA512
e8be1e10d251d7c7759ecccfffe6062be007bf3e9fc8101c5ec45d6054ec4f50b617efe6a136aaa95a30ca4a3bc485a0a22b16dd650729e85011f09ca491e89d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2b7cd5ce6d6cc1ed6fadfe5c8e2a3f8

SHA1
1c8eda87aa5432447b8188d7b7bb0524cf24b8f8

SHA256
73084bfadacba56198ed0a589b25bd40465dee19e5b7e00769620fa21236f662

SHA512
aaf36d980c5c3bd88616fae2ccff4500ac43527a23081c93884167adbe8dab99904ffc103423b697591c7da8e1172197809118ac2f9a8613a49419e896b31551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
054654548bfc2f7a484fa9644e1ab090

SHA1
3ac69a461958aba5a89e13bfdaf775708e50fa3e

SHA256
1ba0d741c865fa53394d623527b13735652b0c4dd461fe5737d42cd182b70ee3

SHA512
6b98572fc802c93a596861af9d67a3fe9eae48af8b80e6f3bf9310a1a63877d3b8ffc69edd1e0056f668532f3d4aad1e89a74ac133643319e6c434d4a2440112

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b836e3013bb679a39df15e03869b37b8

SHA1
783c23075aeb8d70fe490a3a84569b306d72084e

SHA256
67f582a057c57fc0873c0a46ba1dfc4c9faba004eb23229c5f0f1323911a1a62

SHA512
43df973d08967470335eef0c6e82c35a5a9e19936d1bb7f65f406a4c3cd5edfd09c0b21eba2cb115ccc4cfcc7459d6f9948a1c217a9ef386ce1de084f1797648

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdb7664550afcee9700630967ed32db6

SHA1
630370e995e247c6af2a4f98bcee333442634304

SHA256
f981638b39efc81c7e098c88e851caf8fb8504cd7c68b67fe3db07046e57206a

SHA512
06833c15f93b83ca76ffe5d7d4f3fc8b9229fd8202629d652a15745cab25d9ebd9b116f568adbf13788e3eeafa7bb28f2d865e4dc867e94ff170d1226987bd93

Download Submit
C:\Users\Admin\AppData\Local\Temp\080b786f-4c62-419b-b86c-8f4f237ed143.vbs

Filesize
710B

MD5
2357d65585102301b865b26729a9e9fc

SHA1
159098fe4456a2683c44889cb76e60540335597a

SHA256
c7e307fb6b5700037d31aefa04bdcd1dc9286595443477b42dfdc8178debb0f4

SHA512
0043eb6c069db1a9d7d1619c3eb6bb20ca58c61b9379f67190b7e8558060adca4355576d6a33c2542f1dc72cc0ae1c033602abced6b735af071a26829d729536

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6E9E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6F5C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dc074f35-f6e5-4b37-8b8d-897444f8d99c.vbs

Filesize
487B

MD5
cfa88af4759c90ddc68d1354d58f6664

SHA1
69179c5df96271f685879d4cd7ef36a59f3acaca

SHA256
742640780a6e98eda5967632722f679147e8c6fed75232243045788a59045568

SHA512
946d407a3710cf20f1bbd3a478dbe6fa76c5fc33b370e494d9efc0777c6f6d840ca7c231bcd56e0dbb76330ffca7e5f690d1d2b35ae1235a3bcab3a231832ed7

Download Submit
C:\Users\Admin\AppData\Local\Temp\vEzorDbYXk.bat

Filesize
200B

MD5
ff702b5c9850db8039775853c17f21fb

SHA1
bb0e4843a2cb4581ade3c9eea4e3ed5e7d1cd81a

SHA256
1348692b593f5a53adddf29139b6e435d6dd7ccf847b79926f6311530e14df6b

SHA512
444e166daa617a099b96a666fddd6ede04443d13b85f1a1fec05cbfdefbc740b938b1405270c2aaa7660c940cf385968bc7b6e4d88aedc0174c713c16c03efb2

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeagentFont\E1OrDChd6wfhvlLu9Zc8rvL1kfwV.vbe

Filesize
224B

MD5
980b8c4323c6a30adefa83e5889189eb

SHA1
da4a52e22d8f64ac9e7b86a48100af08aed9ba6b

SHA256
20b473780053528b67968274f63a4fd23cbf74e019b7532e0acb5d5b9fdaa2d4

SHA512
2c82f4449d8aad3b41eea51771149b6b7f2eb64f995b7589f8f195274d3c1faa05fcb179c5bb1fc3f0589d4f4725d78cd63f33b55fe173c10137ee5b3dcc837d

Download Submit
C:\Users\Admin\AppData\Roaming\BridgeagentFont\LMbhEUlzAGhXQ88TEAwD9DBna.bat

Filesize
159B

MD5
3765c22496f7fd5eabd91a49ef3156dd

SHA1
d4f01e65b1f02fa044042350660cf7786fb708b8

SHA256
21bced2882fcd08eddd626fcfd74964fb4387ce489d6a42d382c016f05b36564

SHA512
7d74455d1b9ce74efb82be9c1b8ca1b0c4d887a0a7c3afe1b2a39652c2fe1331ac16d564c0e4bf2ce6c5b0fb3650b9a5506c9fb322cbb069f30b1a09d0889a00

Download Submit
\Users\Admin\AppData\Roaming\BridgeagentFont\Containerreview.exe

Filesize
2.8MB

MD5
e5cc3d0de29f576e27666e7c6738a584

SHA1
29bb5d5edfa88565a2ef1b30ca3921167e5fb637

SHA256
eec25bbb0c3ea26e79b4162e8b1a1aa42b9f6b83d2fc710865001cf8750fe24b

SHA512
dfd555f50e1dbf31dfce1f95167911697409b4586a25cf4fb88cda430ffc5ac2d2273e12678a7f9cdf26b4909f1d6022497d8c351ea0ba94b34f1085c53bc8fa

Download Submit
memory/604-151-0x0000000001390000-0x0000000001670000-memory.dmp

Filesize
2.9MB

Download
memory/2760-23-0x00000000023A0000-0x00000000023A8000-memory.dmp

Filesize
32KB

Download
memory/2760-37-0x0000000002630000-0x000000000263C000-memory.dmp

Filesize
48KB

Download
memory/2760-36-0x0000000002620000-0x0000000002628000-memory.dmp

Filesize
32KB

Download
memory/2760-35-0x0000000002610000-0x000000000261C000-memory.dmp

Filesize
48KB

Download
memory/2760-34-0x0000000002600000-0x0000000002608000-memory.dmp

Filesize
32KB

Download
memory/2760-33-0x00000000025F0000-0x00000000025FE000-memory.dmp

Filesize
56KB

Download
memory/2760-32-0x00000000025E0000-0x00000000025EA000-memory.dmp

Filesize
40KB

Download
memory/2760-31-0x00000000025D0000-0x00000000025D8000-memory.dmp

Filesize
32KB

Download
memory/2760-30-0x00000000025C0000-0x00000000025CC000-memory.dmp

Filesize
48KB

Download
memory/2760-29-0x00000000025B0000-0x00000000025BC000-memory.dmp

Filesize
48KB

Download
memory/2760-28-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2760-27-0x0000000002400000-0x000000000240C000-memory.dmp

Filesize
48KB

Download
memory/2760-26-0x00000000023D0000-0x00000000023E2000-memory.dmp

Filesize
72KB

Download
memory/2760-25-0x00000000023C0000-0x00000000023C8000-memory.dmp

Filesize
32KB

Download
memory/2760-24-0x00000000023B0000-0x00000000023BC000-memory.dmp

Filesize
48KB

Download
memory/2760-22-0x00000000021D0000-0x00000000021DC000-memory.dmp

Filesize
48KB

Download
memory/2760-21-0x0000000002350000-0x00000000023A6000-memory.dmp

Filesize
344KB

Download
memory/2760-20-0x0000000000950000-0x000000000095A000-memory.dmp

Filesize
40KB

Download
memory/2760-19-0x0000000000940000-0x0000000000948000-memory.dmp

Filesize
32KB

Download
memory/2760-17-0x0000000000910000-0x0000000000926000-memory.dmp

Filesize
88KB

Download
memory/2760-18-0x0000000000930000-0x0000000000938000-memory.dmp

Filesize
32KB

Download
memory/2760-16-0x0000000000900000-0x0000000000910000-memory.dmp

Filesize
64KB

Download
memory/2760-15-0x00000000004E0000-0x00000000004E8000-memory.dmp

Filesize
32KB

Download
memory/2760-14-0x00000000002D0000-0x00000000002EC000-memory.dmp

Filesize
112KB

Download
memory/2760-13-0x0000000000960000-0x0000000000C40000-memory.dmp

Filesize
2.9MB

Download