dcrat | d981902835b82db6148a861088607f5025b17f685d96d3024bb2a9bfa139e8ad

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 09:11 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d981902835b82db6148a861088607f5025b17f685d96d3024bb2a9bfa139e8ad.exe
Size

1.3MB
MD5

13ea626d2883cbda1309e7cebdb11418
SHA1

cf461b5338661a1a43a422dc1389d08177ab1c79
SHA256

d981902835b82db6148a861088607f5025b17f685d96d3024bb2a9bfa139e8ad
SHA512

889a0d246d0f8b65568868da5d510b3155f5e3352611700cc96c557cc647181adf5e3f2a6c9e4568fe7218ca4847dcd2acf9d0bbc70455d43762280f95ef981f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	716	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	3004	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3004	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016c7b-11.dat	dcrat
behavioral1/memory/2528-13-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/552-108-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/2652-168-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat
behavioral1/memory/1560-288-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/1484-348-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/1540-526-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1256-586-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2352	powershell.exe
1856	powershell.exe
2124	powershell.exe
1716	powershell.exe
1708	powershell.exe
1688	powershell.exe
2448	powershell.exe
832	powershell.exe
2116	powershell.exe
1528	powershell.exe
1804	powershell.exe
812	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2528	DllCommonsvc.exe
552	lsm.exe
2652	lsm.exe
2516	lsm.exe
1560	lsm.exe
1484	lsm.exe
2952	lsm.exe
2976	lsm.exe
1540	lsm.exe
1256	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2656	cmd.exe
2656	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Speech\Engines\SR\es-ES\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\Cursors\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d981902835b82db6148a861088607f5025b17f685d96d3024bb2a9bfa139e8ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2064	schtasks.exe
764	schtasks.exe
980	schtasks.exe
2044	schtasks.exe
2860	schtasks.exe
1164	schtasks.exe
2244	schtasks.exe
340	schtasks.exe
1548	schtasks.exe
1404	schtasks.exe
1776	schtasks.exe
716	schtasks.exe
2336	schtasks.exe
1132	schtasks.exe
2076	schtasks.exe
1600	schtasks.exe
1848	schtasks.exe
1632	schtasks.exe
2356	schtasks.exe
1484	schtasks.exe
2312	schtasks.exe
760	schtasks.exe
616	schtasks.exe
1036	schtasks.exe
1896	schtasks.exe
2900	schtasks.exe
2740	schtasks.exe
2392	schtasks.exe
1236	schtasks.exe
1820	schtasks.exe
264	schtasks.exe
2940	schtasks.exe
2232	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2528	DllCommonsvc.exe
832	powershell.exe
2352	powershell.exe
2124	powershell.exe
1716	powershell.exe
2448	powershell.exe
812	powershell.exe
1856	powershell.exe
1708	powershell.exe
1688	powershell.exe
1528	powershell.exe
2116	powershell.exe
1804	powershell.exe
552	lsm.exe
2652	lsm.exe
2516	lsm.exe
1560	lsm.exe
1484	lsm.exe
2952	lsm.exe
2976	lsm.exe
1540	lsm.exe
1256	lsm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2528	DllCommonsvc.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1708	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	552	lsm.exe
Token: SeDebugPrivilege	2652	lsm.exe
Token: SeDebugPrivilege	2516	lsm.exe
Token: SeDebugPrivilege	1560	lsm.exe
Token: SeDebugPrivilege	1484	lsm.exe
Token: SeDebugPrivilege	2952	lsm.exe
Token: SeDebugPrivilege	2976	lsm.exe
Token: SeDebugPrivilege	1540	lsm.exe
Token: SeDebugPrivilege	1256	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2788 wrote to memory of 2876	2788	JaffaCakes118_d981902835b82db6148a861088607f5025b17f685d96d3024bb2a9bfa139e8ad.exe	31
PID 2788 wrote to memory of 2876	2788	JaffaCakes118_d981902835b82db6148a861088607f5025b17f685d96d3024bb2a9bfa139e8ad.exe	31
PID 2788 wrote to memory of 2876	2788	JaffaCakes118_d981902835b82db6148a861088607f5025b17f685d96d3024bb2a9bfa139e8ad.exe	31
PID 2788 wrote to memory of 2876	2788	JaffaCakes118_d981902835b82db6148a861088607f5025b17f685d96d3024bb2a9bfa139e8ad.exe	31
PID 2876 wrote to memory of 2656	2876	WScript.exe	32
PID 2876 wrote to memory of 2656	2876	WScript.exe	32
PID 2876 wrote to memory of 2656	2876	WScript.exe	32
PID 2876 wrote to memory of 2656	2876	WScript.exe	32
PID 2656 wrote to memory of 2528	2656	cmd.exe	34
PID 2656 wrote to memory of 2528	2656	cmd.exe	34
PID 2656 wrote to memory of 2528	2656	cmd.exe	34
PID 2656 wrote to memory of 2528	2656	cmd.exe	34
PID 2528 wrote to memory of 2352	2528	DllCommonsvc.exe	69
PID 2528 wrote to memory of 2352	2528	DllCommonsvc.exe	69
PID 2528 wrote to memory of 2352	2528	DllCommonsvc.exe	69
PID 2528 wrote to memory of 1856	2528	DllCommonsvc.exe	70
PID 2528 wrote to memory of 1856	2528	DllCommonsvc.exe	70
PID 2528 wrote to memory of 1856	2528	DllCommonsvc.exe	70
PID 2528 wrote to memory of 1528	2528	DllCommonsvc.exe	71
PID 2528 wrote to memory of 1528	2528	DllCommonsvc.exe	71
PID 2528 wrote to memory of 1528	2528	DllCommonsvc.exe	71
PID 2528 wrote to memory of 2124	2528	DllCommonsvc.exe	72
PID 2528 wrote to memory of 2124	2528	DllCommonsvc.exe	72
PID 2528 wrote to memory of 2124	2528	DllCommonsvc.exe	72
PID 2528 wrote to memory of 1804	2528	DllCommonsvc.exe	73
PID 2528 wrote to memory of 1804	2528	DllCommonsvc.exe	73
PID 2528 wrote to memory of 1804	2528	DllCommonsvc.exe	73
PID 2528 wrote to memory of 1688	2528	DllCommonsvc.exe	74
PID 2528 wrote to memory of 1688	2528	DllCommonsvc.exe	74
PID 2528 wrote to memory of 1688	2528	DllCommonsvc.exe	74
PID 2528 wrote to memory of 1716	2528	DllCommonsvc.exe	75
PID 2528 wrote to memory of 1716	2528	DllCommonsvc.exe	75
PID 2528 wrote to memory of 1716	2528	DllCommonsvc.exe	75
PID 2528 wrote to memory of 812	2528	DllCommonsvc.exe	76
PID 2528 wrote to memory of 812	2528	DllCommonsvc.exe	76
PID 2528 wrote to memory of 812	2528	DllCommonsvc.exe	76
PID 2528 wrote to memory of 1708	2528	DllCommonsvc.exe	77
PID 2528 wrote to memory of 1708	2528	DllCommonsvc.exe	77
PID 2528 wrote to memory of 1708	2528	DllCommonsvc.exe	77
PID 2528 wrote to memory of 2448	2528	DllCommonsvc.exe	78
PID 2528 wrote to memory of 2448	2528	DllCommonsvc.exe	78
PID 2528 wrote to memory of 2448	2528	DllCommonsvc.exe	78
PID 2528 wrote to memory of 832	2528	DllCommonsvc.exe	79
PID 2528 wrote to memory of 832	2528	DllCommonsvc.exe	79
PID 2528 wrote to memory of 832	2528	DllCommonsvc.exe	79
PID 2528 wrote to memory of 2116	2528	DllCommonsvc.exe	80
PID 2528 wrote to memory of 2116	2528	DllCommonsvc.exe	80
PID 2528 wrote to memory of 2116	2528	DllCommonsvc.exe	80
PID 2528 wrote to memory of 2492	2528	DllCommonsvc.exe	88
PID 2528 wrote to memory of 2492	2528	DllCommonsvc.exe	88
PID 2528 wrote to memory of 2492	2528	DllCommonsvc.exe	88
PID 2492 wrote to memory of 2688	2492	cmd.exe	95
PID 2492 wrote to memory of 2688	2492	cmd.exe	95
PID 2492 wrote to memory of 2688	2492	cmd.exe	95
PID 2492 wrote to memory of 552	2492	cmd.exe	96
PID 2492 wrote to memory of 552	2492	cmd.exe	96
PID 2492 wrote to memory of 552	2492	cmd.exe	96
PID 552 wrote to memory of 2564	552	lsm.exe	97
PID 552 wrote to memory of 2564	552	lsm.exe	97
PID 552 wrote to memory of 2564	552	lsm.exe	97
PID 2564 wrote to memory of 2072	2564	cmd.exe	99
PID 2564 wrote to memory of 2072	2564	cmd.exe	99
PID 2564 wrote to memory of 2072	2564	cmd.exe	99
PID 2564 wrote to memory of 2652	2564	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d981902835b82db6148a861088607f5025b17f685d96d3024bb2a9bfa139e8ad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d981902835b82db6148a861088607f5025b17f685d96d3024bb2a9bfa139e8ad.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2788
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2876
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2656
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2688
      - C:\Program Files (x86)\Windows Portable Devices\lsm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2072
        
        C:\Program Files (x86)\Windows Portable Devices\lsm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
        9⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1816
        
        C:\Program Files (x86)\Windows Portable Devices\lsm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
        11⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1928
        
        C:\Program Files (x86)\Windows Portable Devices\lsm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat"
        13⤵
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1664
        
        C:\Program Files (x86)\Windows Portable Devices\lsm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat"
        15⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1776
        
        C:\Program Files (x86)\Windows Portable Devices\lsm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        17⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2716
        
        C:\Program Files (x86)\Windows Portable Devices\lsm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
        19⤵
        
        PID:1284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1832
        
        C:\Program Files (x86)\Windows Portable Devices\lsm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
        21⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1380
        
        C:\Program Files (x86)\Windows Portable Devices\lsm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
        23⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

Network

DNS

raw.githubusercontent.com

lsm.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133

185.199.110.133:443

raw.githubusercontent.com

tls

lsm.exe

793 B
4.2kB
10
11
185.199.110.133:443

raw.githubusercontent.com

tls

lsm.exe

793 B
4.2kB
10
11
185.199.110.133:443

raw.githubusercontent.com

tls

lsm.exe

789 B
4.2kB
10
11
185.199.110.133:443

raw.githubusercontent.com

tls

lsm.exe

741 B
4.1kB
9
10
185.199.110.133:443

raw.githubusercontent.com

tls

lsm.exe

793 B
4.2kB
10
11
185.199.110.133:443

raw.githubusercontent.com

tls

lsm.exe

793 B
4.2kB
10
11
185.199.110.133:443

raw.githubusercontent.com

tls

lsm.exe

741 B
4.1kB
9
10
185.199.110.133:443

raw.githubusercontent.com

tls

lsm.exe

793 B
4.2kB
10
11
185.199.110.133:443

raw.githubusercontent.com

tls

lsm.exe

793 B
4.2kB
10
11

8.8.8.8:53

raw.githubusercontent.com

dns

lsm.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.110.133

185.199.108.133

185.199.111.133

185.199.109.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f085191feb51d8e0860bc4d34ecea2c

SHA1
b492ac1839360cddc1cbfeed659c23f71143009a

SHA256
ebfb3c51391667cf8ea163d5d2b7c08b51519ea5a698333f78dbf3a2b6d2d2e1

SHA512
e8dfbde2374b136d865c2b251e2e944e354a80ac9248c20de06ca17d8386b2af19ca4e8d2567c6cb250987314a87c4ed058a0690260d98146ec25862e0f5562b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0e6da3608f085a43de7ce8e412e876f

SHA1
c3ba06325994a17782b4b0f189597a4212d46cfc

SHA256
260b3ffc0176e23022e1f4a26ec4e7f731ece597a2823b988450b395374a5c4d

SHA512
2d2766aca0c6811ac6e6f7da917dc1d3372f20a2f7cb3eac61387d703fa6d0fb4e5f80635be0414529f0b8677776d1af83d194914f92896863be92746a598f62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a5b3267f819791898063619918c07ea2

SHA1
1a2104a963640536e9e54d9f58c15728c7c449fe

SHA256
7da8b8c389c19f8b44bdc41bd10a67ca80076e538500f208a3eb303ea2090b15

SHA512
8caa5c4fdbc842d02d1920017359c75cd743c45a548731a07e3889e250ffb3aa9dad2c500226ed8d968bae038a8ddebd5e2abb79910d94d3568224d62ff87b2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da63ce80cbfe630e58d0e8bd551ff38c

SHA1
33b976db24bcc37cdfa75958bb7a38481e128abe

SHA256
da587df1e81d175e81f2f396dca21fbd8f7d2943092374cfb7950259ef6af558

SHA512
e410509613a20c70584c6a8d6c4deae71d01e057cc2938d4d1b79a72d52cfaae04a0a7bbf9a0626d2d9b8332ae7d74c6ecfacc3badb0e7da2c51e89dd5a7baf6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc1930db1ed5ce1a1b553fa7e1087f6d

SHA1
da90c30c64a4937f3ef322a90958b63c703192c4

SHA256
32cbc179a3036568c17106ddc32d71953c2c149363ca7b1461555bcd654a6d87

SHA512
dc5c2b79bac8431ba395d89d31d56d7ac888e8d825f3ab6102842d68920b47a0452446e9a284962218f9972dd7270b25e7d7c00e9bf0fc2722b15e0a1955258b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
98399071a7a3c32450004a8dc1ae5abb

SHA1
bb7b08ea243c630ecbefd11ba329e1e262e30d03

SHA256
d3c61ec17b89185c735283ae1737b21b06c26d62cce3bbe34085a46d449baba8

SHA512
d8e29944ff801eba9a84eda5ce5d703982aedd1897e02862934fcfd5fb58924296bcffcb80585fff710e961b0bf5a223ec28ea404084f6993a1b09d7ba036ebb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4491e6773951b756ad60bb55953ed79b

SHA1
4060c9a97a25496d084040ec75678c47576d2d84

SHA256
a02af4320a405143b14ec574ae3feed71d7f3cd988d4b34ad161af18211d5622

SHA512
16dd8429ce7eb16945644d8cd9d868ccc384ecc86a30428f1c52e0130e7bf4e316bdc91e6716f4b9fc665fa747933207ac05d6632cb3fbc40a78d337b739a28c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e84efc71ed8a648028151d3630e9723

SHA1
864629c41be46ecb97bd7f4ad9cbc014cf9b126d

SHA256
869e91abb613135dcecdbecffdfaff3964e4ba2fe33de500048a7a6bcea350d6

SHA512
ac0326dc31ffba2eb3df9b94035969deb0a8f3639cbb8bc095d6c40f47d7cd69ba790963cb2b50e918c87a954c3b8b71ab61ded394f4100942d7d189a074538b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1Gu59oh2IN.bat

Filesize
220B

MD5
3f3aeeae291d141846958286b5422d5d

SHA1
da564eb8b6ce241b5d75f7631f582b9eb4d010e4

SHA256
0338828e482192e77be06f649626de46687923047a720b20d1b2c76563469a09

SHA512
4766e95c365a59b66b97cce3d96661bd1a4a7e51376169d3e547e14d992451e41690b673466c08fda1ac7adf863533835784035716e15d5b22d38144418dc7aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat

Filesize
220B

MD5
f2b75f91855ce575f37d443b4843f868

SHA1
a9160be94cb2b31ee2504dd5f1a8b0ce1b9b49db

SHA256
0a6f7d8969e77ef34cd56e61e7c1033dbe2a68c76ebd46f626f2ec7249a987f4

SHA512
3e6624befdd966c36d8ba264937a7c658b7a70853498befdb3e8bcfd5d2fc189c7aeea2c080b4f46d4f4cf0db26a4f9d19a8439a27c844c557695a119ef29edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

Filesize
220B

MD5
1d4725ee5aed78d6a7d65c0f45bb9278

SHA1
542a5aa936271f4ff0a3e17c40e3996f6e6cfdf3

SHA256
57e52e80546d5f0cf90d74b4d1cc3407df96fc015cbb31bcf9714d6d865d163b

SHA512
fa0544f577c2c658481ae7ec096e5bd856a6acb2928fdb465c6ee9d7dcae182e969e33874b559d58e5a2f4a432183b6a1cab73a77d1de7b853b909c80b74eb16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4388.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

Filesize
220B

MD5
0541d84772c6721808441fca3fe714bb

SHA1
47034ff629db6ed3d70c6ccf43ca4600c6b2430e

SHA256
17e28d14aeb347b303215d36a238ffe5312193d643d76800a3d75a432ce06901

SHA512
b57b22afc1106055f1d5864a94c1f1731e559aaa6c1b061c5ede368671f3695449085c4e43084e7f5c75f8b37617bceaa3639f82a7fcba361fc1115145cd6e7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat

Filesize
220B

MD5
0e823c689cf71552fcf3f7e28d0f3acf

SHA1
49b203904db9e7f585814517f78d2b7a6ee52345

SHA256
7fa5b8c5c6210cab2dfb536d5b03569156980ceb959b5988e137505175445133

SHA512
a283a71f1b84ce06c1d968cfcc57fdcc3ea4261eb16307a571715d75a470c4ea448fad1139fa72777566740cf7a61490b53d11c506573cbab75c6c236f4a9719

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat

Filesize
220B

MD5
91cb9d76f1276ccaf327d3af734e3c2b

SHA1
fe32e09e5ac57cf771738ed72bfbfb22aafce0df

SHA256
ae056daabc187bd31a79f12b02d5be9b36255db386bdbb6bfac6230de72c5839

SHA512
1a294b72dac4d6139f1cf6961f85c7448e3858dbc7cf1b6f6471085022aed604eedc666446e6f6584920182887ffee2580c7c75b1932c988b4d6e0e9ed0ed289

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar439A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

Filesize
220B

MD5
7241f9b641d2a6a3fa6ed3e5e6c09410

SHA1
94a56ba1e2d6bee44f31b88e5cfd22d15a6035e8

SHA256
c7f231abce429efad53910b0b1c3f9d021def1d7040ea26ccf2691257c797736

SHA512
d5fcac84a6aac3a7475496bb1aeae111705d97f61ed8cb336370f18853b9b16b46417b588d8ee6c6fdd7051044eb50566e18453bf1a01eb3d12d858ca70d2c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

Filesize
220B

MD5
db04fc6bfab792f1c462d38df7a821da

SHA1
647717a9b16824bc8553fe610ede776d529fb569

SHA256
2a050d09e0f27a90baa3a56f0e884cebb1bfdbc962d4690d1957a58174e42e04

SHA512
afba1665434c2e746983d66a41726e912bc9d43cb83c8649d53179e3ae021446aab3119569afe0ef05e9b6c2458382038d47c06daaaacf5dc0b0920c59dddba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

Filesize
220B

MD5
51188761c2574d7d1a4c8abc5b7ad3e2

SHA1
f86495177b2dea7e66d728f89948b0d7c9bc3743

SHA256
3562f0a78cc685b81d6bef0981e1be84513190a9aca411804bf90e77bc5b64c3

SHA512
d0a9352cae4627c9e4b2fcd256395194e0fdbf8d189b100897f34de64f89e9183ee123507f2af8e398e0ef0c868f3fde43b6805256b2a464c33f7e47b2f2ff80

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
220B

MD5
660984343cee887fceae05571f57bb03

SHA1
b3bc53b63695666246791b89117deec1fa0fcb06

SHA256
49a8569f52a6095aa20ecae77affa71466bc30c1d3f83d2337556fe0a851ddb5

SHA512
fd23ac2f4fd05d178870ee59343ea1f34601dd43614ef0bdb32429f43e69374349efb105fa98fb37295863517b8dcc707b90550c09efffc140969d1736565d90

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5554404aa664d71ff0e62a56a7e07d33

SHA1
d20d93513ed58fa74b34c8b1f4149d43962ae46c

SHA256
796e8421748a968af8535c5c77bf0503d6d9dcf34cc7c77ae504bf9b0f32b8e4

SHA512
0defa9ff3cb9cb7afee05a741ae8d81fab75c170104a0e173e527eed24f04ba2ea9d92ba59734539c0b945c2aa44b6514b1e7400a68058bdb129d59183358f50

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/552-109-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/552-108-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/832-56-0x0000000002870000-0x0000000002878000-memory.dmp

Filesize
32KB

Download
memory/832-55-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/1256-586-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/1484-348-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/1540-526-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/1560-288-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2528-13-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2528-14-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2528-15-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2528-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2528-17-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2652-169-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2652-168-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.