dcrat | 49f443424d192710ddce95e88f2b46effa990d5ee300dadf30867e5aafac066d

Analysis

max time kernel
144s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 05:30 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_49f443424d192710ddce95e88f2b46effa990d5ee300dadf30867e5aafac066d.exe
Size

1.3MB
MD5

00717087e107ae2e5c725cd8f20ef12f
SHA1

91631301f29d3cd71211bf19ebf1cde74dfe267b
SHA256

49f443424d192710ddce95e88f2b46effa990d5ee300dadf30867e5aafac066d
SHA512

a351ee0af409228a4181c2417271ddf7064f748a2306b1287114f6932a0f72a296df5ae036a82fe9a6e59e1542cc506b94a8395e4beb57a2de7526647599ea1e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2492	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2516	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2516	schtasks.exe	32

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014bda-9.dat	dcrat
behavioral1/memory/2644-13-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/memory/2056-80-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/1052-139-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/1948-200-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/2632-260-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2640-321-0x0000000000870000-0x0000000000980000-memory.dmp	dcrat
behavioral1/memory/1540-381-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/2360-500-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2692-560-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1848	powershell.exe
1928	powershell.exe
2744	powershell.exe
2708	powershell.exe
1316	powershell.exe
2184	powershell.exe
1948	powershell.exe
1924	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2644	DllCommonsvc.exe
2056	services.exe
1052	services.exe
1948	services.exe
2632	services.exe
2640	services.exe
1540	services.exe
2748	services.exe
2360	services.exe
2692	services.exe
2744	services.exe
2568	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	cmd.exe
2784	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
33	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_49f443424d192710ddce95e88f2b46effa990d5ee300dadf30867e5aafac066d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1424	schtasks.exe
1480	schtasks.exe
2872	schtasks.exe
1984	schtasks.exe
2508	schtasks.exe
1976	schtasks.exe
1304	schtasks.exe
2720	schtasks.exe
2532	schtasks.exe
264	schtasks.exe
1340	schtasks.exe
2816	schtasks.exe
2840	schtasks.exe
2724	schtasks.exe
1980	schtasks.exe
2340	schtasks.exe
2364	schtasks.exe
2492	schtasks.exe
1244	schtasks.exe
1996	schtasks.exe
2540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2644	DllCommonsvc.exe
2644	DllCommonsvc.exe
2644	DllCommonsvc.exe
2708	powershell.exe
2184	powershell.exe
2744	powershell.exe
1928	powershell.exe
1948	powershell.exe
1316	powershell.exe
1924	powershell.exe
1848	powershell.exe
2056	services.exe
1052	services.exe
1948	services.exe
2632	services.exe
2640	services.exe
1540	services.exe
2748	services.exe
2360	services.exe
2692	services.exe
2744	services.exe
2568	services.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2644	DllCommonsvc.exe
Token: SeDebugPrivilege	2708	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	1928	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2056	services.exe
Token: SeDebugPrivilege	1052	services.exe
Token: SeDebugPrivilege	1948	services.exe
Token: SeDebugPrivilege	2632	services.exe
Token: SeDebugPrivilege	2640	services.exe
Token: SeDebugPrivilege	1540	services.exe
Token: SeDebugPrivilege	2748	services.exe
Token: SeDebugPrivilege	2360	services.exe
Token: SeDebugPrivilege	2692	services.exe
Token: SeDebugPrivilege	2744	services.exe
Token: SeDebugPrivilege	2568	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 800 wrote to memory of 2076	800	JaffaCakes118_49f443424d192710ddce95e88f2b46effa990d5ee300dadf30867e5aafac066d.exe	28
PID 800 wrote to memory of 2076	800	JaffaCakes118_49f443424d192710ddce95e88f2b46effa990d5ee300dadf30867e5aafac066d.exe	28
PID 800 wrote to memory of 2076	800	JaffaCakes118_49f443424d192710ddce95e88f2b46effa990d5ee300dadf30867e5aafac066d.exe	28
PID 800 wrote to memory of 2076	800	JaffaCakes118_49f443424d192710ddce95e88f2b46effa990d5ee300dadf30867e5aafac066d.exe	28
PID 2076 wrote to memory of 2784	2076	WScript.exe	29
PID 2076 wrote to memory of 2784	2076	WScript.exe	29
PID 2076 wrote to memory of 2784	2076	WScript.exe	29
PID 2076 wrote to memory of 2784	2076	WScript.exe	29
PID 2784 wrote to memory of 2644	2784	cmd.exe	31
PID 2784 wrote to memory of 2644	2784	cmd.exe	31
PID 2784 wrote to memory of 2644	2784	cmd.exe	31
PID 2784 wrote to memory of 2644	2784	cmd.exe	31
PID 2644 wrote to memory of 2708	2644	DllCommonsvc.exe	54
PID 2644 wrote to memory of 2708	2644	DllCommonsvc.exe	54
PID 2644 wrote to memory of 2708	2644	DllCommonsvc.exe	54
PID 2644 wrote to memory of 2744	2644	DllCommonsvc.exe	55
PID 2644 wrote to memory of 2744	2644	DllCommonsvc.exe	55
PID 2644 wrote to memory of 2744	2644	DllCommonsvc.exe	55
PID 2644 wrote to memory of 1316	2644	DllCommonsvc.exe	57
PID 2644 wrote to memory of 1316	2644	DllCommonsvc.exe	57
PID 2644 wrote to memory of 1316	2644	DllCommonsvc.exe	57
PID 2644 wrote to memory of 1928	2644	DllCommonsvc.exe	58
PID 2644 wrote to memory of 1928	2644	DllCommonsvc.exe	58
PID 2644 wrote to memory of 1928	2644	DllCommonsvc.exe	58
PID 2644 wrote to memory of 2184	2644	DllCommonsvc.exe	59
PID 2644 wrote to memory of 2184	2644	DllCommonsvc.exe	59
PID 2644 wrote to memory of 2184	2644	DllCommonsvc.exe	59
PID 2644 wrote to memory of 1848	2644	DllCommonsvc.exe	60
PID 2644 wrote to memory of 1848	2644	DllCommonsvc.exe	60
PID 2644 wrote to memory of 1848	2644	DllCommonsvc.exe	60
PID 2644 wrote to memory of 1924	2644	DllCommonsvc.exe	61
PID 2644 wrote to memory of 1924	2644	DllCommonsvc.exe	61
PID 2644 wrote to memory of 1924	2644	DllCommonsvc.exe	61
PID 2644 wrote to memory of 1948	2644	DllCommonsvc.exe	62
PID 2644 wrote to memory of 1948	2644	DllCommonsvc.exe	62
PID 2644 wrote to memory of 1948	2644	DllCommonsvc.exe	62
PID 2644 wrote to memory of 2932	2644	DllCommonsvc.exe	70
PID 2644 wrote to memory of 2932	2644	DllCommonsvc.exe	70
PID 2644 wrote to memory of 2932	2644	DllCommonsvc.exe	70
PID 2932 wrote to memory of 2268	2932	cmd.exe	72
PID 2932 wrote to memory of 2268	2932	cmd.exe	72
PID 2932 wrote to memory of 2268	2932	cmd.exe	72
PID 2932 wrote to memory of 2056	2932	cmd.exe	73
PID 2932 wrote to memory of 2056	2932	cmd.exe	73
PID 2932 wrote to memory of 2056	2932	cmd.exe	73
PID 2056 wrote to memory of 608	2056	services.exe	74
PID 2056 wrote to memory of 608	2056	services.exe	74
PID 2056 wrote to memory of 608	2056	services.exe	74
PID 608 wrote to memory of 2816	608	cmd.exe	76
PID 608 wrote to memory of 2816	608	cmd.exe	76
PID 608 wrote to memory of 2816	608	cmd.exe	76
PID 608 wrote to memory of 1052	608	cmd.exe	77
PID 608 wrote to memory of 1052	608	cmd.exe	77
PID 608 wrote to memory of 1052	608	cmd.exe	77
PID 1052 wrote to memory of 2696	1052	services.exe	78
PID 1052 wrote to memory of 2696	1052	services.exe	78
PID 1052 wrote to memory of 2696	1052	services.exe	78
PID 2696 wrote to memory of 2800	2696	cmd.exe	80
PID 2696 wrote to memory of 2800	2696	cmd.exe	80
PID 2696 wrote to memory of 2800	2696	cmd.exe	80
PID 2696 wrote to memory of 1948	2696	cmd.exe	83
PID 2696 wrote to memory of 1948	2696	cmd.exe	83
PID 2696 wrote to memory of 1948	2696	cmd.exe	83
PID 1948 wrote to memory of 1556	1948	services.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49f443424d192710ddce95e88f2b46effa990d5ee300dadf30867e5aafac066d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_49f443424d192710ddce95e88f2b46effa990d5ee300dadf30867e5aafac066d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2076
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2nt1kuf57q.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2268
      - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2816
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2800
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
        11⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2368
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat"
        13⤵
        
        PID:1272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2400
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
        15⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1032
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat"
        17⤵
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2724
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
        19⤵
        
        PID:804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2808
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        21⤵
        
        PID:536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1148
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        23⤵
        
        PID:1136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1512
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        25⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2672
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

Network

DNS

raw.githubusercontent.com

services.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.109.133

185.199.111.133:443

raw.githubusercontent.com

tls

services.exe

741 B
4.1kB
9
10
185.199.111.133:443

raw.githubusercontent.com

tls

services.exe

793 B
4.2kB
10
11
185.199.111.133:443

raw.githubusercontent.com

tls

services.exe

793 B
4.2kB
10
11
185.199.111.133:443

raw.githubusercontent.com

tls

services.exe

793 B
4.2kB
10
11
185.199.111.133:443

raw.githubusercontent.com

tls

services.exe

741 B
4.1kB
9
10
185.199.111.133:443

raw.githubusercontent.com

tls

services.exe

793 B
4.2kB
10
11
185.199.111.133:443

raw.githubusercontent.com

tls

services.exe

741 B
4.1kB
9
10
185.199.111.133:443

raw.githubusercontent.com

tls

services.exe

793 B
4.2kB
10
11
185.199.111.133:443

raw.githubusercontent.com

tls

services.exe

741 B
4.1kB
9
10
185.199.111.133:443

raw.githubusercontent.com

tls

services.exe

741 B
4.1kB
9
10

8.8.8.8:53

raw.githubusercontent.com

dns

services.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.111.133

185.199.110.133

185.199.108.133

185.199.109.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
657e5c0e368bda67b88a29b99922bdc9

SHA1
fb1c095830ef7e2dce0ad513ad0604ecd309fe2e

SHA256
ef4a8c59e4c8ac248992852a5c24b0eb5cf869dfe48b632ed2fd1e3b0bf294d9

SHA512
2320452af3f6095acc22fe13fb731e393bda97565ca2b1c030fbd3ea8501b2eaa85a96036bf00c3b95374b1bafb23722180ab12be81ae8bc40fba127a15ed41e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1fc2c958eb8b123446bf0fd122196156

SHA1
eeafcecf38a42894e0c6ca6efd9f357a3695242c

SHA256
c570fe9f83aefc658b2c255738a6097aa30fbb4844c7154844d1c95cb193338d

SHA512
65785881cc24ec498ac58b3a031c117f41ae90eea96a5277a19aa1bd6c92af3db31f8c04471733993501ecf9621732490da6200c66ce411e1f028417cdce7057

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b784a22dd4e44723b5473943eed7a537

SHA1
b684a311d59c5e3115d6a177a9060102491266f9

SHA256
af05032d9c9eb8aa44364922dded8c8b4ea9c3deb20e932c7b1640614aecb8be

SHA512
ba4c0d81eb52df507abfc992390185bd1026af819a053be48c6b41d5dd99ea0f7bd37b56bac2d191699b2c77e24ea0f74565a581fd33ad6c423f1a6c518b1bad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eaa39f2975f5d0e2f02e75fcbd71146f

SHA1
0be5f62a4597d6abebce856a4fb1995bec25822c

SHA256
7b2224d624c4ff5f388ec193224eaa6aa18141c25a2365fa5a4cda991eb0ff69

SHA512
9e616c16b804969b7550b3ac9a4be891c9bb74e306f0e8414d6d3898ea6565f743a651ba4b0ddd1e13743404066ceca1594d89044b7407766774f3b186e2b60b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aba383e121eb2047236f4524d2977fab

SHA1
4aec8ae6b08586bada62c5a0441e4c482c578289

SHA256
9694d12d62bc556e201c8230e7ab4a7384dc743a7e58a3efcf80d625991d0660

SHA512
24aac0cb85f4263518554243f7ff99a495b5bbdc388e505d219fe378d5170e5642976d1319a99854d1b18bbd0223553fce7591f66b10db4d6dff43f4298943ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
69f5e05cc471700b6fc6436c550e6e4b

SHA1
ed373dd3b0e533c0c4fa424dc66fade001bf985e

SHA256
f5b8a5422235c99490275ebed90ee0540dcfdd27481a15d5025614a79181ea78

SHA512
526acfef78d1b0bf95ab3b0986c9d2caba745f94c5ade5603077ee2ce544aaecfe0c5b1aede33e27f97e9f726d21d2f97c5b4ddcb13a0aa542cfa66bd77883eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f287e2ef676f74cb026906921937762d

SHA1
edfce8490a5549a70043bf5bcdabac595bf5f17a

SHA256
8d69c1a33e2e6257db44f7553fc7e437434cdc309cfb2d9044fb8750b6cb02a1

SHA512
54a544eca778ea9b285f2a21f1e0bbcc22a4a2c12522cd6f45955277fd4c166bd6199f9ac2134c6258249c360bfd1b80c3a43181e629e8ffadbd0b651b98b054

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce65ee3ca6638c10fbdf908ab8cef30c

SHA1
39eb847e96b3c641c1cca41d5ac85a4a3222cfb4

SHA256
c59cfd5c3dc818d0546161f86dc4181b018c20bd1b37040c1bcaed6a288b92a0

SHA512
555e5dbb0714f3aea35b9c9682828efa9a69a286f59e33da1aff0a7c6c11f28203b9b08691b7504b27c2fd032c9073d0cf5886174e11a4b0c16a86f662a4b446

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e1328993d6285283bf29ef9bbd98078

SHA1
e493d268fdcb010ea1a8044d02c81885bf70af32

SHA256
f6d13d8adee8e1781c35ec8c6c2fcd3206fc3b1f73f2b560afc99c233151f21b

SHA512
ffb3bda37324c3b33e7889666b9792af6f65b30471e833ee772e74803d2e66cfc87e06ba8bb680b49b8eb6af7c783992ec3b675a56e946f915c3b8f9bce8a381

Download Submit
C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

Filesize
240B

MD5
3402873b1e4dba6c0690e1b7ef22ab31

SHA1
521bdad56c38980502e5378b9e15eb758d0e371b

SHA256
226c81efc598cd29b62dad62c121b711fb630e7dae735b8bda3c88df9f5a4cf5

SHA512
2182cb2ec9452aaab7e235c7553cca6e30bf76664d79e8647b71db9a46d47cbe3cf2f44dfa0cdd799ba92fb15ef32e8b617ff1fde9f25cdbc9fa763b62699456

Download Submit
C:\Users\Admin\AppData\Local\Temp\2nt1kuf57q.bat

Filesize
240B

MD5
2e4a33e608b4d704fd05d080b03076e4

SHA1
0d4035ab22971cd2a4940fdadc77e4de24c23740

SHA256
d8d3301c409df7b3d2c18b70597ad88346fb6e147f862f598aeb0dd2014d8fc2

SHA512
0fc3630b21769bce13a9118d2be98c2886730b95063a5cb2c8d138ef7687da766a1dce5c138a155ac0112e70529c81201080dc0dcb688946583223d4e01120e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

Filesize
240B

MD5
67791bc6f7eef53c931d287ec458b8bd

SHA1
c1c5a23421dca6811d81dd1ffa2c859883a194cf

SHA256
7a9534ce6f376579a8a8dd02e2bc68c05d0ae27bf232242f9ca7b3de5254989f

SHA512
8ac2bf1e3854d470d908e856d585df4c8267c0d1dce38a03e24c1d710399f9c39a43208a65018eafd9d50c5f20abd52f754d769437302981c47e701266368764

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
240B

MD5
05a408b664f23bc2a90dcbb4bf66acad

SHA1
91937b24f9b8acdb63496cea660d0451e3cb1c6f

SHA256
8822ad086c44b942469cfae3a452ea7762375349bc4f7d46dbe5a8ea494968cb

SHA512
262198db5d03aa670bab5cd0cc44c2dd95424b83b5348cb67acdabd2923bc7e491d06913890ce65c50264507c2d7a3a793461c2a24b67350aab110665f8ac9a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
240B

MD5
38b5aa56ebff95ef29f04a8b4d2b7b31

SHA1
0d206f94c2fe0f548ceef031197a70be5c9a2bf6

SHA256
32c4bab44d160a4d3f57415e637898938cfc1033a7bfcbda7729060177ff1dcc

SHA512
b9a5c829b161f9ed068eb04cded0ceddee715232a8d68ba26698a72360829d95551e10b9325bc03fe6963d1c69e95c10a6e41f3de167aed41c779de7c2b670d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
240B

MD5
6ff5b9f4c58a9addc964e977d5aed9aa

SHA1
039b8ab26e47c334362c542180c2303c6bdbe87e

SHA256
956df39ff5483d1f41e4565c2409beef6ab5277ea98bc38504e8c7fe3965f1e9

SHA512
3485cf2db9d6e0792466660de2b69a350e0bbe12690d61591743af48ea916f3956389a100537ecd2c022bfd439e2961aa3b32fc87cdabae057bf8910ba370158

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9149.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar916C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat

Filesize
240B

MD5
5892ae70cba067c405cb2c62131d8f9c

SHA1
dd41a4d025590c25bf7973632af971b334ea7024

SHA256
4f31052a2f10ceb5aaeed2bc643f53960a474c91dad6cee8309733c57e6739a8

SHA512
682c10a537ad51cf238ff5d1b0b66d619a373118c8491f422780ea5577155953591acb204c57ff9189d2f41d5879c9b91a6e75fac0dd298ce69af7fb33989b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat

Filesize
240B

MD5
d1d33de08b3c04f8ca6adf6b5c26f854

SHA1
955f9155d5c341630d1c3824b8437619badbeb78

SHA256
dcd9b31ee49feb8d5b92b913850e222d4761994a8f9f0266a0a50fb1f46244a8

SHA512
20303bf643664813a19b52f47e1e30e0b0f52070465425b55593c08421db912dd667e851eedeb90b3247fa610c29d45507b69a9847ce8a58607e255e5b7c1502

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

Filesize
240B

MD5
e6879d56e37948734e94ce7eef279699

SHA1
dc127c7d612cbd943bbb86b652a29bae80791296

SHA256
725c3380b47fca881d5af8172eea29200b714c904338960f0c0c80e2eba310e6

SHA512
552a3eac84e0c1f4ef39d8e705165e1b12f00484067254b6344f204783936d5f3eecf58a27750f81578a0e0ae4b71066ee4f1f98f3d1e98861be34f4a1b8d86b

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
240B

MD5
27871720f30a1e332d33b15897c83bfc

SHA1
2d9392ac47e8b44eb7d9c943f72de2bdd882e498

SHA256
e8cac2628cc107537f4c7dced046ae783ea28e8e870ea46b19757ccd4c1b04b4

SHA512
0661683bc327534b2a500c55fa3c4501a985517fd07ed56c7e1bf27cf2d44cd64b57604e2d8f79aec7e5505f2190fe3b0e19037660e2c488d8fd4a1e7ccf0d82

Download Submit
C:\Users\Admin\AppData\Local\Temp\xc1v93Hoh1.bat

Filesize
240B

MD5
ca75d5ac505edc9f9f8183b15442d19a

SHA1
1e2266fdd84a23680af88ea2862914608a6fe254

SHA256
52a6718353468469d317b59d6783e562853d0b1c1e0058b79829d50ee95e9c68

SHA512
a8995eebbca5017145fe0d06bdd609f325ab8d6e2814a5af8a8bb09045e10ee1cbfcfecb7684a48fcc64863286d6f48aa9db7adbe99dcd9c9fd8639688648acb

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
968fc9b6bcdccaa0f72c8a63ec06ffdd

SHA1
6120c7f089093d70e43b828362c43155e0dd9922

SHA256
be81125fe10498f7bc6240225c371780edf613676d63c67d506126e3582b3eeb

SHA512
fd97751ebcea3121911d8f9c8747cc9b73623433442be2e955ac6a9971442df0aea0291875f4e572b4a14423a59e5c039926787a3ce5c1581b06338e177e045d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1052-140-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1052-139-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/1540-381-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/1948-200-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/2056-80-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/2184-50-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2360-500-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2632-260-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2632-261-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2640-321-0x0000000000870000-0x0000000000980000-memory.dmp

Filesize
1.1MB

Download
memory/2644-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2644-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2644-15-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2644-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2644-13-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/2692-560-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/2708-62-0x0000000001F00000-0x0000000001F08000-memory.dmp

Filesize
32KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.