dcrat | 7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f

max time kernel
1795s
max time network
1807s
platform
windows10-1703_x64
resource
win10-20230703-en
resource tags

arch:x64arch:x86image:win10-20230703-enlocale:en-usos:windows10-1703-x64system
submitted
26/08/2023, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

YammiBeta.exe
Size

1.1MB
MD5

6b5050c12abc27bad622f9af8ed7ebe3
SHA1

506be642a7d276c783bfd32a754a9bd1373abaea
SHA256

7de778c5153ba0ae2157f8a3ea78ef402c63d014a9fa719257cee24089e4a88f
SHA512

22ffa4c6afd0661307ca1a3a349e19f9fbb8739e382e2fea7b1ec59200c3d7ca06241b2f5154246ce2b8165da26eac31e70f2a0f4ff586e5b09cf0c993b2d319
SSDEEP

24576:348l0DlMFVPNpQiWq5KMsEINq4pXCxTRg/9QyGTlouInmUf/6ix5GWZ:35yeVPRWq5KMspBpX+wLEojnm3RE

Score

10^/10

dcrat infostealer rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3740	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5000	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	788	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3600	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	508	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3436	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3144	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4016	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	420	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3728	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4812	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5096	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2024	schtasks.exe	75
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	2024	schtasks.exe	75

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000800000001af26-11.dat	dcrat
behavioral2/files/0x000800000001af26-14.dat	dcrat
behavioral2/files/0x000700000001afcb-32.dat	dcrat
behavioral2/files/0x000700000001afcb-33.dat	dcrat
behavioral2/memory/4876-34-0x0000000000A90000-0x0000000000C10000-memory.dmp	dcrat
behavioral2/files/0x000600000001afd0-48.dat	dcrat
behavioral2/files/0x000600000001afe4-284.dat	dcrat
behavioral2/files/0x000600000001afe4-283.dat	dcrat

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
500	Loader.exe
4876	MsServerfont.exe
2804	wininit.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
8	ipinfo.io
9	ipinfo.io

Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs

pid	Process
4664	YammiBeta.exe
4664	YammiBeta.exe
4664	YammiBeta.exe
4664	YammiBeta.exe

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\WindowsPowerShell\cmd.exe	MsServerfont.exe
File created	C:\Program Files (x86)\WindowsPowerShell\ebf1f9fa8afd6d	MsServerfont.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe	MsServerfont.exe
File created	C:\Program Files\Microsoft Office 15\ClientX64\56085415360792	MsServerfont.exe
File created	C:\Program Files (x86)\Internet Explorer\images\winlogon.exe	MsServerfont.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\images\winlogon.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Internet Explorer\images\cc11b995f2a76d	MsServerfont.exe
File created	C:\Program Files (x86)\Common Files\explorer.exe	MsServerfont.exe
File created	C:\Program Files (x86)\Common Files\7a0fd90576e088	MsServerfont.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
344	schtasks.exe
1756	schtasks.exe
2524	schtasks.exe
1408	schtasks.exe
4740	schtasks.exe
3144	schtasks.exe
4412	schtasks.exe
2860	schtasks.exe
1532	schtasks.exe
2156	schtasks.exe
3384	schtasks.exe
3740	schtasks.exe
3436	schtasks.exe
4016	schtasks.exe
5096	schtasks.exe
2740	schtasks.exe
1500	schtasks.exe
1588	schtasks.exe
4320	schtasks.exe
5000	schtasks.exe
508	schtasks.exe
748	schtasks.exe
4980	schtasks.exe
2436	schtasks.exe
4812	schtasks.exe
588	schtasks.exe
788	schtasks.exe
3600	schtasks.exe
2284	schtasks.exe
4176	schtasks.exe
4348	schtasks.exe
420	schtasks.exe
2304	schtasks.exe
484	schtasks.exe
3728	schtasks.exe
796	schtasks.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings	Loader.exe
Key created	\REGISTRY\USER\S-1-5-21-488886677-2269338296-1239465872-1000_Classes\Local Settings	MsServerfont.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4876	MsServerfont.exe
4876	MsServerfont.exe
4876	MsServerfont.exe
3380	powershell.exe
3380	powershell.exe
3380	powershell.exe
4196	powershell.exe
4196	powershell.exe
3380	powershell.exe
1036	powershell.exe
1036	powershell.exe
4196	powershell.exe
3420	powershell.exe
3420	powershell.exe
5004	powershell.exe
5004	powershell.exe
196	powershell.exe
196	powershell.exe
3420	powershell.exe
4156	powershell.exe
4156	powershell.exe
4996	powershell.exe
4996	powershell.exe
2068	powershell.exe
2068	powershell.exe
2292	powershell.exe
2292	powershell.exe
3952	powershell.exe
3952	powershell.exe
4188	powershell.exe
4188	powershell.exe
4196	powershell.exe
3420	powershell.exe
1036	powershell.exe
5004	powershell.exe
196	powershell.exe
4156	powershell.exe
4996	powershell.exe
2068	powershell.exe
2292	powershell.exe
4188	powershell.exe
3952	powershell.exe
2804	wininit.exe
2804	wininit.exe
4188	powershell.exe
2292	powershell.exe
2068	powershell.exe
4156	powershell.exe
4156	powershell.exe
4996	powershell.exe
4996	powershell.exe
196	powershell.exe
196	powershell.exe
3952	powershell.exe
1036	powershell.exe
1036	powershell.exe
5004	powershell.exe
2804	wininit.exe
2804	wininit.exe
2804	wininit.exe
2804	wininit.exe
2804	wininit.exe
2804	wininit.exe
2804	wininit.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2804	wininit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4664	YammiBeta.exe
Token: SeDebugPrivilege	4876	MsServerfont.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	5004	powershell.exe
Token: SeDebugPrivilege	196	powershell.exe
Token: SeDebugPrivilege	4156	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	3952	powershell.exe
Token: SeDebugPrivilege	4188	powershell.exe
Token: SeIncreaseQuotaPrivilege	3380	powershell.exe
Token: SeSecurityPrivilege	3380	powershell.exe
Token: SeTakeOwnershipPrivilege	3380	powershell.exe
Token: SeLoadDriverPrivilege	3380	powershell.exe
Token: SeSystemProfilePrivilege	3380	powershell.exe
Token: SeSystemtimePrivilege	3380	powershell.exe
Token: SeProfSingleProcessPrivilege	3380	powershell.exe
Token: SeIncBasePriorityPrivilege	3380	powershell.exe
Token: SeCreatePagefilePrivilege	3380	powershell.exe
Token: SeBackupPrivilege	3380	powershell.exe
Token: SeRestorePrivilege	3380	powershell.exe
Token: SeShutdownPrivilege	3380	powershell.exe
Token: SeDebugPrivilege	3380	powershell.exe
Token: SeSystemEnvironmentPrivilege	3380	powershell.exe
Token: SeRemoteShutdownPrivilege	3380	powershell.exe
Token: SeUndockPrivilege	3380	powershell.exe
Token: SeManageVolumePrivilege	3380	powershell.exe
Token: 33	3380	powershell.exe
Token: 34	3380	powershell.exe
Token: 35	3380	powershell.exe
Token: 36	3380	powershell.exe
Token: SeIncreaseQuotaPrivilege	4196	powershell.exe
Token: SeSecurityPrivilege	4196	powershell.exe
Token: SeTakeOwnershipPrivilege	4196	powershell.exe
Token: SeLoadDriverPrivilege	4196	powershell.exe
Token: SeSystemProfilePrivilege	4196	powershell.exe
Token: SeSystemtimePrivilege	4196	powershell.exe
Token: SeProfSingleProcessPrivilege	4196	powershell.exe
Token: SeIncBasePriorityPrivilege	4196	powershell.exe
Token: SeCreatePagefilePrivilege	4196	powershell.exe
Token: SeBackupPrivilege	4196	powershell.exe
Token: SeRestorePrivilege	4196	powershell.exe
Token: SeShutdownPrivilege	4196	powershell.exe
Token: SeDebugPrivilege	4196	powershell.exe
Token: SeSystemEnvironmentPrivilege	4196	powershell.exe
Token: SeRemoteShutdownPrivilege	4196	powershell.exe
Token: SeUndockPrivilege	4196	powershell.exe
Token: SeManageVolumePrivilege	4196	powershell.exe
Token: 33	4196	powershell.exe
Token: 34	4196	powershell.exe
Token: 35	4196	powershell.exe
Token: 36	4196	powershell.exe
Token: SeIncreaseQuotaPrivilege	3420	powershell.exe
Token: SeSecurityPrivilege	3420	powershell.exe
Token: SeTakeOwnershipPrivilege	3420	powershell.exe
Token: SeLoadDriverPrivilege	3420	powershell.exe
Token: SeSystemProfilePrivilege	3420	powershell.exe
Token: SeSystemtimePrivilege	3420	powershell.exe
Token: SeProfSingleProcessPrivilege	3420	powershell.exe
Token: SeIncBasePriorityPrivilege	3420	powershell.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4664	YammiBeta.exe

Suspicious use of WriteProcessMemory 41 IoCs

description	pid	Process	procid_target
PID 4664 wrote to memory of 500	4664	YammiBeta.exe	70
PID 4664 wrote to memory of 500	4664	YammiBeta.exe	70
PID 4664 wrote to memory of 500	4664	YammiBeta.exe	70
PID 500 wrote to memory of 4436	500	Loader.exe	71
PID 500 wrote to memory of 4436	500	Loader.exe	71
PID 500 wrote to memory of 4436	500	Loader.exe	71
PID 4436 wrote to memory of 3432	4436	WScript.exe	72
PID 4436 wrote to memory of 3432	4436	WScript.exe	72
PID 4436 wrote to memory of 3432	4436	WScript.exe	72
PID 3432 wrote to memory of 4876	3432	cmd.exe	74
PID 3432 wrote to memory of 4876	3432	cmd.exe	74
PID 4876 wrote to memory of 4196	4876	MsServerfont.exe	112
PID 4876 wrote to memory of 4196	4876	MsServerfont.exe	112
PID 4876 wrote to memory of 3380	4876	MsServerfont.exe	135
PID 4876 wrote to memory of 3380	4876	MsServerfont.exe	135
PID 4876 wrote to memory of 3420	4876	MsServerfont.exe	134
PID 4876 wrote to memory of 3420	4876	MsServerfont.exe	134
PID 4876 wrote to memory of 4996	4876	MsServerfont.exe	133
PID 4876 wrote to memory of 4996	4876	MsServerfont.exe	133
PID 4876 wrote to memory of 1036	4876	MsServerfont.exe	130
PID 4876 wrote to memory of 1036	4876	MsServerfont.exe	130
PID 4876 wrote to memory of 4188	4876	MsServerfont.exe	129
PID 4876 wrote to memory of 4188	4876	MsServerfont.exe	129
PID 4876 wrote to memory of 3952	4876	MsServerfont.exe	128
PID 4876 wrote to memory of 3952	4876	MsServerfont.exe	128
PID 4876 wrote to memory of 196	4876	MsServerfont.exe	126
PID 4876 wrote to memory of 196	4876	MsServerfont.exe	126
PID 4876 wrote to memory of 5004	4876	MsServerfont.exe	125
PID 4876 wrote to memory of 5004	4876	MsServerfont.exe	125
PID 4876 wrote to memory of 2292	4876	MsServerfont.exe	124
PID 4876 wrote to memory of 2292	4876	MsServerfont.exe	124
PID 4876 wrote to memory of 2068	4876	MsServerfont.exe	123
PID 4876 wrote to memory of 2068	4876	MsServerfont.exe	123
PID 4876 wrote to memory of 4156	4876	MsServerfont.exe	122
PID 4876 wrote to memory of 4156	4876	MsServerfont.exe	122
PID 4876 wrote to memory of 368	4876	MsServerfont.exe	136
PID 4876 wrote to memory of 368	4876	MsServerfont.exe	136
PID 368 wrote to memory of 2356	368	cmd.exe	138
PID 368 wrote to memory of 2356	368	cmd.exe	138
PID 368 wrote to memory of 2804	368	cmd.exe	140
PID 368 wrote to memory of 2804	368	cmd.exe	140

C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe
"C:\Users\Admin\AppData\Local\Temp\YammiBeta.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4664
- C:\Users\Admin\AppData\Local\Temp\Loader.exe
  "C:\Users\Admin\AppData\Local\Temp\Loader.exe"
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:500
- - C:\Windows\SysWOW64\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4436
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat" "
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3432
    - - C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4876
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:196
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4188
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/odt/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\emMfNO2QCu.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2356
        
        C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe
        
        "C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious behavior: GetForegroundWindowSpam
        
        PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\images\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\images\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\images\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 5 /tr "'C:\odt\ApplicationFrameHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHost" /sc ONLOGON /tr "'C:\odt\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "ApplicationFrameHostA" /sc MINUTE /mo 9 /tr "'C:\odt\ApplicationFrameHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\WindowsPowerShell\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\WindowsPowerShell\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\WindowsPowerShell\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Common Files\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\odt\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\odt\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Users\Default\AppData\Local\Temp\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\AppData\Local\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Users\Default\AppData\Local\Temp\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchUI.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUI" /sc ONLOGON /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchUIS" /sc MINUTE /mo 5 /tr "'C:\odt\SearchUI.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Documents\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Documents\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Program Files\Microsoft Office 15\ClientX64\wininit.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Recovery\WindowsRE\sysmon.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
3KB

MD5
ad5cd538ca58cb28ede39c108acb5785

SHA1
1ae910026f3dbe90ed025e9e96ead2b5399be877

SHA256
c9e6cb04d6c893458d5a7e12eb575cf97c3172f5e312b1f63a667cbbc5f0c033

SHA512
c066c5d9b276a68fa636647bb29aea05bfa2292217bc77f5324d9c1d93117772ee8277e1f7cff91ec8d6b7c05ca078f929cecfdbb09582522a9067f54740af13

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9fb8e485a202d28a1a374ba6af39b2fb

SHA1
15e1794a859fc5ff0ec022026a4ecc062df8f252

SHA256
61cfb6a71b2a98e8a4fad7af0d89955e206634f3eeb0bbf5005db1ce07c8805f

SHA512
daccd31f3bd8d09f668b29f05d253820048f3a4c48e4ba5c7dde7e6eab6072e2f4ff4ce88519d23b9ee682fbacdd893a13e21f6ee4f897838bdc1f9570eb6afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
9fb8e485a202d28a1a374ba6af39b2fb

SHA1
15e1794a859fc5ff0ec022026a4ecc062df8f252

SHA256
61cfb6a71b2a98e8a4fad7af0d89955e206634f3eeb0bbf5005db1ce07c8805f

SHA512
daccd31f3bd8d09f668b29f05d253820048f3a4c48e4ba5c7dde7e6eab6072e2f4ff4ce88519d23b9ee682fbacdd893a13e21f6ee4f897838bdc1f9570eb6afd

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
5569ea2ee7332ac9a2fa7c2adf1e483f

SHA1
efad9190d84ed5cbbbd70d923b08fd9e68c31d76

SHA256
2386b4c01a14bff0c9a131b4325ded9a1fec922a771f670f8de16d23b607d29d

SHA512
84ed06483f9c0ea74841d3e69a26c8cde9900d6cc6c539262893bb23e94fc0a5c6570870fb6b69a27e106870bf6bfbb5f45e3c641cc8afe11f3432a3a5bd8fa5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
0e1f015c36e277c4dc58198adf345270

SHA1
3f60ade8c75e6f431ad800fd543a551fe488794a

SHA256
8c0f02f9c0a756ee4282411c48a6c332bd45e9923742629e08426d0172a19463

SHA512
7ab23f03303575827b1c08f0be5188efe55e368daa424c7b3b0788377d968c17dba72d7c1c55fba9df44bf708fb0af2bafeef86031c2b9a57d3c1dc9d5cc6da5

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
31dfc7b893f5a881cccdb79c6f8f6888

SHA1
816dc01027159aededb78648031e3e0a24d64333

SHA256
3af2994775f11d256370ed8cfdd2f5ac4be15319fd666f8a3d4efd2679790688

SHA512
fc60f9129cec15503f2a7f918d7b8de1e8d36ed84e7f9507fbc664d464c7200802ac5cdb958ef7f24e704b0240828c51170681f42d69a80d15a56cb006236c12

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1c8687df3e83f7e1cd66eaf0b005951

SHA1
9ceb5900fa0e66fdb678c4db845ce5d2e9cb9974

SHA256
47cbaaab728ca2f62d410f26f6221597e447fdabed35b7494ab8779c363a9efa

SHA512
8a6694f33e6916a8186464758e92a33c690c62fcb68814cdd8563f840bbe1adacb7eee83b1c88e49891209774c037e31cf6972bfadedbb2acde6e0b30c9b4ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
f1c8687df3e83f7e1cd66eaf0b005951

SHA1
9ceb5900fa0e66fdb678c4db845ce5d2e9cb9974

SHA256
47cbaaab728ca2f62d410f26f6221597e447fdabed35b7494ab8779c363a9efa

SHA512
8a6694f33e6916a8186464758e92a33c690c62fcb68814cdd8563f840bbe1adacb7eee83b1c88e49891209774c037e31cf6972bfadedbb2acde6e0b30c9b4ef4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27e0682e6675dc938d6595409d41885e

SHA1
0230bb86fcbb910a9e3dee163ff33ec7dea02643

SHA256
e00117e04960132991cc811dd44d99957ce50cb2693c77474db700a22ee0b33e

SHA512
f74f483135039787a57ed6084380319865af2501e176d50278ec8547458ac9b05b52ff8f6e0fb68498a953e60bcdc4e685e87e58bab02edc379f4551d183fba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
27e0682e6675dc938d6595409d41885e

SHA1
0230bb86fcbb910a9e3dee163ff33ec7dea02643

SHA256
e00117e04960132991cc811dd44d99957ce50cb2693c77474db700a22ee0b33e

SHA512
f74f483135039787a57ed6084380319865af2501e176d50278ec8547458ac9b05b52ff8f6e0fb68498a953e60bcdc4e685e87e58bab02edc379f4551d183fba2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
3a4ad6368d367884795ab3ef97f35e7c

SHA1
62cd01f92cff2ebb9d9abbfced18f2ad44f1a730

SHA256
8c291aead97dbe6e11004c833a7da59d6be89514f15ae1182ff993e988caba49

SHA512
602ee744278e23497ce6c37fbbb05b374032107ae67b74fcf6316fafe079fa23c28086115af57c938dea6880580ca5ea8e01fa91ba68c213d973ee4d9cabd023

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
1KB

MD5
fe934593c119ba80810cf184c0cc30e3

SHA1
4cb08a431d0967232cfb44083ce2cdc19530ebbd

SHA256
6451aeb949e4b38f62ab6a574655a3ba158b4cf19bcd769eb5e338022647cd2e

SHA512
31706d88c6bc12fd624437b98dbf429929a6544c07e93253f3955d0e84f264da49740ccbde07804564986ab2fe868868581d5dfd399c12755c04979126cbf75b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CH1kWkn72

Filesize
20KB

MD5
c9ff7748d8fcef4cf84a5501e996a641

SHA1
02867e5010f62f97ebb0cfb32cb3ede9449fe0c9

SHA256
4d3f3194cb1133437aa69bb880c8cbb55ddf06ff61a88ca6c3f1bbfbfd35d988

SHA512
d36054499869a8f56ac8547ccd5455f1252c24e17d2b185955390b32da7e2a732ace4e0f30f9493fcc61425a2e31ed623465f998f41af69423ee0e3ed1483a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\MsServerfont.exe

Filesize
1.5MB

MD5
18ae88963bf2b89b3ea24f1cd998c0dd

SHA1
0200af4fb7dbe83bb230f2ebf14c3561b4f2af85

SHA256
1b1e4e67bcb116b6e6a7fd6f9f717853b8b8c490b959f161eae356eda25992e9

SHA512
16c280ab0a242a13075c249b615a8f013e614eed240e37e20565c31078d14f917fb96559915a056279c4747d1d319b3ed9915141883991fa019ea6e6332d9157

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\RlJdCeTbjnR.vbe

Filesize
214B

MD5
f246d91170758c560dcc804e79b689ce

SHA1
8e9820729c33e492c5d76722607a38379b1cbd38

SHA256
8558d7ec61aa5e0e6162d9f59103a6d3340cc359ee0526e765a061c6673a9665

SHA512
dcc48971a6a4a1b3af13a420a8de6ddfd765c780bfe76cbf1a459a855c14f0ca6510994fc988dfecd92257b99b41e2caf68025991ca80663331ce1c61110e5c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HyperCrtsvc\xD4oxlRfvWBkgaTyTKGRnb.bat

Filesize
37B

MD5
c87d31ff7b6bc8e971808bc819561137

SHA1
000f77a2d2596c87d3e2085ad74794b0627c034a

SHA256
738675ead6e7e54b7f0298824578cdfb659584a16f4f0cc2a0bdba654a482872

SHA512
34d995cf1fd3908a190aac08cefae4fb0d4fae7fd0cef2fb625a5e2d76864ce99724a2da4d1f05327bad80dab08f08038e17785e23c49087968e6c569964ffde

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Loader.exe

Filesize
1.7MB

MD5
fea5051ff55437d8510d9dba5159efba

SHA1
cc6dcfad3e10dc075ba815f2a1d815c97c95e0c3

SHA256
9d81caf5187bce5f5d2c1bf2b50d5c15b7f26bdc6ec954c8801bc358f0cfba5f

SHA512
796f7e8663206c9acbaf06aae656291821c02111a812bd9c71d62a18247ac6b2ef0cd27993dded6d08f6268e854207bba3c62e020afa8d06fee1e693b920daf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\UqCtunyH88

Filesize
46KB

MD5
02d2c46697e3714e49f46b680b9a6b83

SHA1
84f98b56d49f01e9b6b76a4e21accf64fd319140

SHA256
522cad95d3fa6ebb3274709b8d09bbb1ca37389d0a924cd29e934a75aa04c6c9

SHA512
60348a145bfc71b1e07cb35fa79ab5ff472a3d0a557741ea2d39b3772bc395b86e261bd616f65307ae0d997294e49b5548d32f11e86ef3e2704959ca63da8aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kdxj0acj.ldv.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\AppData\Local\Temp\emMfNO2QCu.bat

Filesize
223B

MD5
d25b5025c5af408e9af032dda9effefc

SHA1
b6c3eef1be6cabb760e42212db3062743dc7d57c

SHA256
f1c18c3326adb6d73c391063fc8e6a3430f5ddf0cccdb798a9f51b83d56a225e

SHA512
70beb68b95ebe300080ac285b6155a727b6b2772373597e2dd4caeaf36aaf4429e72033617e495dc188f8742de25a83a3dd0b372c8a6d92348edf7adec179d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\kTACMQfEmo

Filesize
92KB

MD5
463c1926a90e1c8a31cfec7afff4aefb

SHA1
caacc7f0749cc95e72fb2f69c579ee2779d2e331

SHA256
7ad5746f6ec7a87c5c4b706f7bea273808022ebe36fc5f59dacfd58e83fe9f7b

SHA512
e916336ea6d7046597cbea785eb7f6edd699c48ea9de9042b05635927d18b24c445478bcc03f805f408922daa101247edc6e5b09a7f63bfc372d4e72a8ffaf98

Download Submit
memory/196-158-0x0000025DCA600000-0x0000025DCA610000-memory.dmp

Filesize
64KB

Download
memory/196-130-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/1036-151-0x00000202A5F30000-0x00000202A5F40000-memory.dmp

Filesize
64KB

Download
memory/1036-153-0x00000202A5F30000-0x00000202A5F40000-memory.dmp

Filesize
64KB

Download
memory/1036-100-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-137-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/2068-184-0x000001FF66AD0000-0x000001FF66AE0000-memory.dmp

Filesize
64KB

Download
memory/2068-162-0x000001FF66AD0000-0x000001FF66AE0000-memory.dmp

Filesize
64KB

Download
memory/2292-172-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-293-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/2804-326-0x000000001BC10000-0x000000001BC20000-memory.dmp

Filesize
64KB

Download
memory/3380-185-0x0000016B8E050000-0x0000016B8E060000-memory.dmp

Filesize
64KB

Download
memory/3380-132-0x0000016B8E050000-0x0000016B8E060000-memory.dmp

Filesize
64KB

Download
memory/3380-128-0x0000016BA6610000-0x0000016BA6632000-memory.dmp

Filesize
136KB

Download
memory/3380-139-0x0000016BA67C0000-0x0000016BA6836000-memory.dmp

Filesize
472KB

Download
memory/3380-133-0x0000016B8E050000-0x0000016B8E060000-memory.dmp

Filesize
64KB

Download
memory/3380-77-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/3420-119-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/3420-237-0x000002967B440000-0x000002967B450000-memory.dmp

Filesize
64KB

Download
memory/3420-174-0x000002967B440000-0x000002967B450000-memory.dmp

Filesize
64KB

Download
memory/3420-155-0x000002967B440000-0x000002967B450000-memory.dmp

Filesize
64KB

Download
memory/3952-141-0x000001BDE92F0000-0x000001BDE9300000-memory.dmp

Filesize
64KB

Download
memory/3952-150-0x000001BDE92F0000-0x000001BDE9300000-memory.dmp

Filesize
64KB

Download
memory/3952-171-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4156-160-0x0000026DFCA30000-0x0000026DFCA40000-memory.dmp

Filesize
64KB

Download
memory/4156-140-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4188-152-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4188-168-0x0000017DEB340000-0x0000017DEB350000-memory.dmp

Filesize
64KB

Download
memory/4188-165-0x0000017DEB340000-0x0000017DEB350000-memory.dmp

Filesize
64KB

Download
memory/4196-83-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4196-135-0x000001B5B3B80000-0x000001B5B3B90000-memory.dmp

Filesize
64KB

Download
memory/4196-134-0x000001B5B3B80000-0x000001B5B3B90000-memory.dmp

Filesize
64KB

Download
memory/4196-228-0x000001B5B3B80000-0x000001B5B3B90000-memory.dmp

Filesize
64KB

Download
memory/4664-3-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4664-4-0x0000000001140000-0x00000000014BE000-memory.dmp

Filesize
3.5MB

Download
memory/4664-6-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/4664-7-0x0000000002C20000-0x0000000002C30000-memory.dmp

Filesize
64KB

Download
memory/4664-24-0x0000000006630000-0x0000000006B2E000-memory.dmp

Filesize
5.0MB

Download
memory/4664-25-0x0000000006220000-0x00000000062B2000-memory.dmp

Filesize
584KB

Download
memory/4664-29-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/4664-28-0x0000000001140000-0x00000000014BE000-memory.dmp

Filesize
3.5MB

Download
memory/4664-0-0x0000000001140000-0x00000000014BE000-memory.dmp

Filesize
3.5MB

Download
memory/4664-1-0x0000000001140000-0x00000000014BE000-memory.dmp

Filesize
3.5MB

Download
memory/4664-2-0x00000000739D0000-0x00000000740BE000-memory.dmp

Filesize
6.9MB

Download
memory/4876-44-0x000000001B860000-0x000000001B86A000-memory.dmp

Filesize
40KB

Download
memory/4876-34-0x0000000000A90000-0x0000000000C10000-memory.dmp

Filesize
1.5MB

Download
memory/4876-40-0x0000000002DB0000-0x0000000002DC0000-memory.dmp

Filesize
64KB

Download
memory/4876-39-0x000000001B820000-0x000000001B836000-memory.dmp

Filesize
88KB

Download
memory/4876-45-0x000000001B7C0000-0x000000001B7CC000-memory.dmp

Filesize
48KB

Download
memory/4876-38-0x000000001BDA0000-0x000000001BDF0000-memory.dmp

Filesize
320KB

Download
memory/4876-37-0x000000001B800000-0x000000001B81C000-memory.dmp

Filesize
112KB

Download
memory/4876-36-0x0000000002DC0000-0x0000000002DD0000-memory.dmp

Filesize
64KB

Download
memory/4876-35-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4876-41-0x0000000002DD0000-0x0000000002DDC000-memory.dmp

Filesize
48KB

Download
memory/4876-42-0x000000001B840000-0x000000001B84E000-memory.dmp

Filesize
56KB

Download
memory/4876-43-0x000000001B850000-0x000000001B85E000-memory.dmp

Filesize
56KB

Download
memory/4876-131-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4996-154-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/4996-167-0x000002A4E9370000-0x000002A4E9380000-memory.dmp

Filesize
64KB

Download
memory/4996-163-0x000002A4E9370000-0x000002A4E9380000-memory.dmp

Filesize
64KB

Download
memory/5004-157-0x000001811CD30000-0x000001811CD40000-memory.dmp

Filesize
64KB

Download
memory/5004-127-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download
memory/5004-156-0x000001811CD30000-0x000001811CD40000-memory.dmp

Filesize
64KB

Download
memory/5004-354-0x00007FFD2C1B0000-0x00007FFD2CB9C000-memory.dmp

Filesize
9.9MB

Download