619ce969d1ec179adf72a87b08468986fa2cb537229a5e8fd03d00856f502200

Analysis

max time kernel
7s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 14:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

launcher.exe.bin.exe
Size

7.2MB
MD5

ff391ed9e21485241544944ec6f4a3f0
SHA1

bd7b5ce885c4684e05c1e937e46e9ef4ad06548c
SHA256

619ce969d1ec179adf72a87b08468986fa2cb537229a5e8fd03d00856f502200
SHA512

b9e9beffde62433911ac96fa3461f5c453dc10c6c760d2a7aa6df04573d1661d064cdcbe49507cecd59238410a671e1aeebf2858235ec9a31b91b5891203d5eb
SSDEEP

98304:MHAnOWlogrB1cyZ/KHH3+nnE6ohJMWLXfdYzOn5BNNARHjdSC8BHeqz:MHADlogrBayZ/K02hJuc4RZV8FeM

Score

10^/10

discovery evasion execution persistence

Malware Config

Signatures

Suspicious use of NtCreateUserProcessOtherParentProcess 5 IoCs

description	pid	Process	procid_target
PID 2652 created 1100	2652	hs.exe	20
PID 2652 created 1100	2652	hs.exe	20
PID 2652 created 1100	2652	hs.exe	20
PID 2652 created 1100	2652	hs.exe	20
PID 2652 created 1100	2652	hs.exe	20

Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2592	powershell.exe
2724	powershell.exe
2536	powershell.exe
2324	powershell.exe

Stops running service(s) 4 TTPs
evasion execution

Windows Service
T1543.003

Impair Defenses
T1562

Service Stop
T1489

Service Execution
T1569.002

Executes dropped EXE 3 IoCs

pid	Process
2652	hs.exe
2768	DCRatBuild.exe
2628	launcher.exe

Loads dropped DLL 4 IoCs

pid	Process
3052	launcher.exe.bin.exe
3052	launcher.exe.bin.exe
3052	launcher.exe.bin.exe
308	conhost.exe

Power Settings 1 TTPs 10 IoCs

powercfg controls all configurable power system settings on a Windows system and can be abused to prevent an infected host from locking or shutting down.

persistence

Power Settings

T1653

pid	Process
1684	powercfg.exe
2648	powercfg.exe
848	powercfg.exe
2020	powercfg.exe
1968	cmd.exe
1508	powercfg.exe
604	cmd.exe
1516	powercfg.exe
2528	powercfg.exe
2532	powercfg.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe
File opened for modification	C:\Windows\System32\%ProgramData%\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\Windows PowerShell.lnk	powershell.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2652 set thread context of 1844	2652	hs.exe	45

Launches sc.exe 10 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
480	sc.exe
268	sc.exe
2244	sc.exe
2004	sc.exe
336	sc.exe
1680	sc.exe
1880	sc.exe
1184	sc.exe
1348	sc.exe
680	sc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	launcher.exe.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCRatBuild.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 2 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2784	schtasks.exe
2372	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2652	hs.exe
2652	hs.exe
2536	powershell.exe
2652	hs.exe
2652	hs.exe
2652	hs.exe
2652	hs.exe
2652	hs.exe
2652	hs.exe
2652	hs.exe
2652	hs.exe
1844	dialer.exe
1844	dialer.exe
1844	dialer.exe
1844	dialer.exe
1844	dialer.exe
1844	dialer.exe
2592	powershell.exe
1844	dialer.exe
1844	dialer.exe
1844	dialer.exe
1844	dialer.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeDebugPrivilege	2536	powershell.exe
Token: SeDebugPrivilege	1844	dialer.exe
Token: SeShutdownPrivilege	1684	powercfg.exe
Token: SeAuditPrivilege	836	svchost.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeShutdownPrivilege	1516	powercfg.exe
Token: SeShutdownPrivilege	2528	powercfg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3052 wrote to memory of 2652	3052	launcher.exe.bin.exe	28
PID 3052 wrote to memory of 2652	3052	launcher.exe.bin.exe	28
PID 3052 wrote to memory of 2652	3052	launcher.exe.bin.exe	28
PID 3052 wrote to memory of 2652	3052	launcher.exe.bin.exe	28
PID 3052 wrote to memory of 2768	3052	launcher.exe.bin.exe	29
PID 3052 wrote to memory of 2768	3052	launcher.exe.bin.exe	29
PID 3052 wrote to memory of 2768	3052	launcher.exe.bin.exe	29
PID 3052 wrote to memory of 2768	3052	launcher.exe.bin.exe	29
PID 3052 wrote to memory of 2768	3052	launcher.exe.bin.exe	29
PID 3052 wrote to memory of 2768	3052	launcher.exe.bin.exe	29
PID 3052 wrote to memory of 2768	3052	launcher.exe.bin.exe	29
PID 3052 wrote to memory of 2628	3052	launcher.exe.bin.exe	30
PID 3052 wrote to memory of 2628	3052	launcher.exe.bin.exe	30
PID 3052 wrote to memory of 2628	3052	launcher.exe.bin.exe	30
PID 3052 wrote to memory of 2628	3052	launcher.exe.bin.exe	30
PID 2628 wrote to memory of 2728	2628	launcher.exe	32
PID 2628 wrote to memory of 2728	2628	launcher.exe	32
PID 2628 wrote to memory of 2728	2628	launcher.exe	32
PID 2768 wrote to memory of 2660	2768	DCRatBuild.exe	33
PID 2768 wrote to memory of 2660	2768	DCRatBuild.exe	33
PID 2768 wrote to memory of 2660	2768	DCRatBuild.exe	33
PID 2768 wrote to memory of 2660	2768	DCRatBuild.exe	33
PID 2768 wrote to memory of 2660	2768	DCRatBuild.exe	33
PID 2768 wrote to memory of 2660	2768	DCRatBuild.exe	33
PID 2768 wrote to memory of 2660	2768	DCRatBuild.exe	33
PID 2988 wrote to memory of 2004	2988	cmd.exe	38
PID 2988 wrote to memory of 2004	2988	cmd.exe	38
PID 2988 wrote to memory of 2004	2988	cmd.exe	38
PID 2988 wrote to memory of 680	2988	cmd.exe	39
PID 2988 wrote to memory of 680	2988	cmd.exe	39
PID 2988 wrote to memory of 680	2988	cmd.exe	39
PID 2988 wrote to memory of 480	2988	cmd.exe	40
PID 2988 wrote to memory of 480	2988	cmd.exe	40
PID 2988 wrote to memory of 480	2988	cmd.exe	40
PID 2988 wrote to memory of 336	2988	cmd.exe	41
PID 2988 wrote to memory of 336	2988	cmd.exe	41
PID 2988 wrote to memory of 336	2988	cmd.exe	41
PID 2988 wrote to memory of 268	2988	cmd.exe	42
PID 2988 wrote to memory of 268	2988	cmd.exe	42
PID 2988 wrote to memory of 268	2988	cmd.exe	42
PID 2652 wrote to memory of 1844	2652	hs.exe	45
PID 604 wrote to memory of 1684	604	cmd.exe	48
PID 604 wrote to memory of 1684	604	cmd.exe	48
PID 604 wrote to memory of 1684	604	cmd.exe	48
PID 1844 wrote to memory of 428	1844	dialer.exe	5
PID 1844 wrote to memory of 472	1844	dialer.exe	6
PID 1844 wrote to memory of 488	1844	dialer.exe	7
PID 1844 wrote to memory of 496	1844	dialer.exe	8
PID 1844 wrote to memory of 592	1844	dialer.exe	9
PID 1844 wrote to memory of 668	1844	dialer.exe	10
PID 1844 wrote to memory of 752	1844	dialer.exe	11
PID 1844 wrote to memory of 796	1844	dialer.exe	12
PID 1844 wrote to memory of 836	1844	dialer.exe	13
PID 1844 wrote to memory of 952	1844	dialer.exe	15
PID 1844 wrote to memory of 1016	1844	dialer.exe	16
PID 1844 wrote to memory of 1028	1844	dialer.exe	17
PID 1844 wrote to memory of 1044	1844	dialer.exe	18
PID 1844 wrote to memory of 1064	1844	dialer.exe	19
PID 1844 wrote to memory of 1100	1844	dialer.exe	20
PID 1844 wrote to memory of 1144	1844	dialer.exe	21
PID 1844 wrote to memory of 1324	1844	dialer.exe	23
PID 1844 wrote to memory of 3064	1844	dialer.exe	24
PID 1844 wrote to memory of 2140	1844	dialer.exe	25
PID 1844 wrote to memory of 2652	1844	dialer.exe	28

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:472
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:592
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1324
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:668
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:752
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:796
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1028
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:836
- - C:\Windows\system32\taskeng.exe
    taskeng.exe {6089EDC2-28B6-4D8C-BE0D-93D5D4695250} S-1-5-18:NT AUTHORITY\System:Service:
    3⤵
    PID:1624
  - - C:\Program Files\Google\Chrome\updater.exe
      "C:\Program Files\Google\Chrome\updater.exe"
      4⤵
      PID:2124
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:952
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:1016
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1044
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:1064
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1144
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:3064
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2140

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1100
- C:\Users\Admin\AppData\Local\Temp\launcher.exe.bin.exe
  "C:\Users\Admin\AppData\Local\Temp\launcher.exe.bin.exe"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Users\Admin\AppData\Local\Temp\hs.exe
    "C:\Users\Admin\AppData\Local\Temp\hs.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2652
- - C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe
    "C:\Users\Admin\AppData\Local\Temp\DCRatBuild.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2768
  - - C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2660
- - C:\Users\Admin\AppData\Local\Temp\launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\launcher.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2628
  - - C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c pause
      4⤵
      PID:2728
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2536
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:2004
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:680
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:480
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:336
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:268
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  - Suspicious use of WriteProcessMemory
  PID:604
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1684
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:1516
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    - Suspicious use of AdjustPrivilegeToken
    PID:2528
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2532
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2784
- C:\Windows\System32\schtasks.exe
  C:\Windows\System32\schtasks.exe /run /tn "GoogleUpdateTaskMachineQC"
  2⤵
  PID:316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2324
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c sc stop UsoSvc & sc stop WaaSMedicSvc & sc stop wuauserv & sc stop bits & sc stop dosvc
  2⤵
  PID:2000
- - C:\Windows\System32\sc.exe
    sc stop UsoSvc
    3⤵
    - Launches sc.exe
    PID:1680
- - C:\Windows\System32\sc.exe
    sc stop WaaSMedicSvc
    3⤵
    - Launches sc.exe
    PID:1880
- - C:\Windows\System32\sc.exe
    sc stop wuauserv
    3⤵
    - Launches sc.exe
    PID:1184
- - C:\Windows\System32\sc.exe
    sc stop bits
    3⤵
    - Launches sc.exe
    PID:1348
- - C:\Windows\System32\sc.exe
    sc stop dosvc
    3⤵
    - Launches sc.exe
    PID:2244
- C:\Windows\System32\cmd.exe
  C:\Windows\System32\cmd.exe /c powercfg /x -hibernate-timeout-ac 0 & powercfg /x -hibernate-timeout-dc 0 & powercfg /x -standby-timeout-ac 0 & powercfg /x -standby-timeout-dc 0
  2⤵
  - Power Settings
  PID:1968
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-ac 0
    3⤵
    - Power Settings
    PID:1508
- - C:\Windows\System32\powercfg.exe
    powercfg /x -hibernate-timeout-dc 0
    3⤵
    - Power Settings
    PID:2648
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-ac 0
    3⤵
    - Power Settings
    PID:848
- - C:\Windows\System32\powercfg.exe
    powercfg /x -standby-timeout-dc 0
    3⤵
    - Power Settings
    PID:2020
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe <#nbpkbwke#> IF([System.Environment]::OSVersion.Version -lt [System.Version]"6.2") { schtasks /create /f /sc onlogon /rl highest /ru 'System' /tn 'GoogleUpdateTaskMachineQC' /tr '''C:\Program Files\Google\Chrome\updater.exe''' } Else { Register-ScheduledTask -Action (New-ScheduledTaskAction -Execute 'C:\Program Files\Google\Chrome\updater.exe') -Trigger (New-ScheduledTaskTrigger -AtStartup) -Settings (New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DisallowHardTerminate -DontStopIfGoingOnBatteries -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Days 1000)) -TaskName 'GoogleUpdateTaskMachineQC' -User 'System' -RunLevel 'Highest' -Force; }
  2⤵
  - Command and Scripting Interpreter: PowerShell
  PID:2724
- - C:\Windows\system32\schtasks.exe
    "C:\Windows\system32\schtasks.exe" /create /f /sc onlogon /rl highest /ru System /tn GoogleUpdateTaskMachineQC /tr "'C:\Program Files\Google\Chrome\updater.exe'"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2372
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:1488
- C:\Windows\System32\dialer.exe
  C:\Windows\System32\dialer.exe
  2⤵
  PID:2972

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7463574265894997453914308282031401-690325855999765073-362985661158981961"
1⤵
- Loads dropped DLL
PID:308

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "987628567-263390173-1816978197-1058176395-19734858461785747351040504362087544758"
1⤵
PID:1380

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1901724158318967245-1285922068360687779-48654698104932356015445184651492633415"
1⤵
PID:2780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

System Services

T1569

Service Execution

T1569.002

Persistence

Create or Modify System Process

T1543

Windows Service

T1543.003

Power Settings

T1653

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

T1489

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
088233121aa004d7b7ceef7bfff91f66

SHA1
a02af5f7b2a789182fba5da19182bced7f130177

SHA256
994fd2bb4b162975e708327bd4205d176d6d675d70604de50f8354a06060f5b5

SHA512
385c9919f7299c5e51c54e0c5c18dc269506176b43a41a680cb33a2af08d730f6011ab34388f0af05438f99c86bc20d5ab6d760e5b5a7bc4b477477432deb8b7

Download Submit
C:\Windows\System32\Tasks\GoogleUpdateTaskMachineQC

Filesize
3KB

MD5
f5c3811a3df02075b53fddacaae25715

SHA1
addf818bfad0e4be70954f3c59ed4ccf7886a67f

SHA256
c912e7a8b24249adc1bc778622f309b90de0b8b61552d9050896eef182f9f905

SHA512
526873141794fae8f7618a6ee6bab55567532e25250606c4dae2f9598b741c1c80bc25fb66c2688674b9f4f62695102ba0c81109145505258ed8a494989321c8

Download Submit
C:\fontdriversavescrt\mxUJuDSBL8uYxNL3S2me9mvpl9XOE7C7oXpLzzbyKUU0.vbe

Filesize
251B

MD5
33ef80f1d0bf92148b2b4030624e6101

SHA1
03d151e3db14476ef74167bc972cf3d034f8fec4

SHA256
898a085b6aa1bb6b8f8c15e3ef98225fbcdb5c0b4330924cffa11f97f8870c06

SHA512
b38dccf884d0c5bde46441cbf12a9e32da156149133cfc8427972751bd06a953ab25681886e4698b9e285322cda7c1115a7c485baa2588213574c4b3d8c03ea4

Download Submit
\Users\Admin\AppData\Local\Temp\DCRatBuild.exe

Filesize
1.8MB

MD5
95ab7f1022401e488c0c50e6e5e8937f

SHA1
ff312060768d93bc83e157c63f3a583ccacd4967

SHA256
699d1fa49cc0a591ebe89fd50e0a1f1b6131f018b072fb242eaabcce787d84f3

SHA512
4a0e8ea87d0ddbedbcd341b061b9bb7240c4dfe823ba7da5627b53eb017b6ff2a7894b0874c2b0ed8b806c21827cfc686b12c07266d6498208fb5f20ed7ee847

Download Submit
\Users\Admin\AppData\Local\Temp\hs.exe

Filesize
5.7MB

MD5
8e222e8f9a186f8d21bf2895e1946853

SHA1
07b2087b8b9d2a2f3c23bf59286c21c6aefbf19f

SHA256
9942c7cc38d9dbcb8bfb81d83a31671fa389409e0f8c4a02db2dbe90e1669ee3

SHA512
6dffaa9204d67b3a5a38441bf8c653b787a3aa3133a298ccbdecb97a4a7887f178a61030ac6d0ba66031a30bce3dd209478c778acba3870d00fcab6ebb3a4d79

Download Submit
\Users\Admin\AppData\Local\Temp\launcher.exe

Filesize
256KB

MD5
158fafa10d2218aa47999131194736f2

SHA1
27d12d326a145b771dac80ae1ad87cf7a5b7785a

SHA256
8ba915193e092d44bad17e01c4e5be8fa5278ca2ac3d9769168c666321fc0406

SHA512
b620773d7700d518a5bfb1f71d1d40b5eb9ee6fc1d41ca6a224b3e4395b8510e0d55d6004ad0dee6d99e61c57fedd85bc2f3529f8c9fc08e1b37b853ae4f203b

Download Submit
memory/428-38-0x0000000000B90000-0x0000000000BB1000-memory.dmp

Filesize
132KB

Download
memory/428-41-0x0000000000BC0000-0x0000000000BE7000-memory.dmp

Filesize
156KB

Download
memory/428-40-0x0000000000B90000-0x0000000000BB1000-memory.dmp

Filesize
132KB

Download
memory/428-46-0x000007FEBDCE0000-0x000007FEBDCF0000-memory.dmp

Filesize
64KB

Download
memory/428-47-0x0000000037010000-0x0000000037020000-memory.dmp

Filesize
64KB

Download
memory/472-50-0x0000000037010000-0x0000000037020000-memory.dmp

Filesize
64KB

Download
memory/472-45-0x0000000000230000-0x0000000000257000-memory.dmp

Filesize
156KB

Download
memory/472-49-0x000007FEBDCE0000-0x000007FEBDCF0000-memory.dmp

Filesize
64KB

Download
memory/488-79-0x00000000001E0000-0x0000000000207000-memory.dmp

Filesize
156KB

Download
memory/488-80-0x000007FEBDCE0000-0x000007FEBDCF0000-memory.dmp

Filesize
64KB

Download
memory/488-81-0x0000000037010000-0x0000000037020000-memory.dmp

Filesize
64KB

Download
memory/592-85-0x000007FEBDCE0000-0x000007FEBDCF0000-memory.dmp

Filesize
64KB

Download
memory/592-86-0x0000000037010000-0x0000000037020000-memory.dmp

Filesize
64KB

Download
memory/592-83-0x0000000000310000-0x0000000000337000-memory.dmp

Filesize
156KB

Download
memory/752-84-0x0000000000CF0000-0x0000000000D17000-memory.dmp

Filesize
156KB

Download
memory/752-88-0x000007FEBDCE0000-0x000007FEBDCF0000-memory.dmp

Filesize
64KB

Download
memory/752-89-0x0000000037010000-0x0000000037020000-memory.dmp

Filesize
64KB

Download
memory/836-91-0x0000000000BF0000-0x0000000000C17000-memory.dmp

Filesize
156KB

Download
memory/836-93-0x0000000037010000-0x0000000037020000-memory.dmp

Filesize
64KB

Download
memory/836-92-0x000007FEBDCE0000-0x000007FEBDCF0000-memory.dmp

Filesize
64KB

Download
memory/1016-95-0x0000000000D50000-0x0000000000D77000-memory.dmp

Filesize
156KB

Download
memory/1844-36-0x0000000076FD0000-0x0000000077179000-memory.dmp

Filesize
1.7MB

Download
memory/1844-37-0x0000000076DB0000-0x0000000076ECF000-memory.dmp

Filesize
1.1MB

Download
memory/2536-34-0x0000000002260000-0x0000000002268000-memory.dmp

Filesize
32KB

Download
memory/2536-33-0x000000001B520000-0x000000001B802000-memory.dmp

Filesize
2.9MB

Download
memory/2592-241-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/2592-242-0x0000000001F10000-0x0000000001F18000-memory.dmp

Filesize
32KB

Download