dcrat | 2a0be5d3f2a557ba3ce021627e395ae699b5e9da6f7a7bae9b1962ff8e4235db

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 09:01 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2a0be5d3f2a557ba3ce021627e395ae699b5e9da6f7a7bae9b1962ff8e4235db.exe
Size

1.3MB
MD5

c182cdfd39ad5fa4dc25c8d00dc526a6
SHA1

87e1828fb12a322a3eaf49f1f0f3658b24393461
SHA256

2a0be5d3f2a557ba3ce021627e395ae699b5e9da6f7a7bae9b1962ff8e4235db
SHA512

fa74b18ef090f02e217657869e4355033c10141a24b0c30b1bb0f4df588945c8c59afb226d6a3f2b848962e928c997ac67138ad32d1cc2cc30778881cbaac886
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	3020	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	3020	schtasks.exe	34

DCRat payload 3 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015e48-10.dat	dcrat
behavioral1/memory/2268-13-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/956-74-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2440	powershell.exe
2208	powershell.exe
956	powershell.exe
1896	powershell.exe
1760	powershell.exe
2044	powershell.exe
992	powershell.exe
1580	powershell.exe
2104	powershell.exe

Executes dropped EXE 17 IoCs

pid	Process
2268	DllCommonsvc.exe
1744	DllCommonsvc.exe
1896	powershell.exe
956	powershell.exe
2208	powershell.exe
2104	powershell.exe
2440	powershell.exe
1932	DllCommonsvc.exe
1816	powershell.exe
2968	powershell.exe
708	powershell.exe
1248	powershell.exe
1444	powershell.exe
2028	powershell.exe
2816	powershell.exe
2288	powershell.exe
1704	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
1300	cmd.exe
1300	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
38	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\powershell.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\powershell.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\e978f868350d50	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2a0be5d3f2a557ba3ce021627e395ae699b5e9da6f7a7bae9b1962ff8e4235db.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2616	schtasks.exe
1924	schtasks.exe
1776	schtasks.exe
2676	schtasks.exe
1288	schtasks.exe
1804	schtasks.exe
620	schtasks.exe
3052	schtasks.exe
2872	schtasks.exe
2628	schtasks.exe
1916	schtasks.exe
2296	schtasks.exe
1236	schtasks.exe
972	schtasks.exe
2988	schtasks.exe
1032	schtasks.exe
2716	schtasks.exe
2892	schtasks.exe
2072	schtasks.exe
2144	schtasks.exe
1844	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2268	DllCommonsvc.exe
1580	powershell.exe
2044	powershell.exe
1760	powershell.exe
992	powershell.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1896	powershell.exe
1816	powershell.exe
2968	powershell.exe
708	powershell.exe
1248	powershell.exe
1444	powershell.exe
2816	powershell.exe
2288	powershell.exe
1704	powershell.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2268	DllCommonsvc.exe
Token: SeDebugPrivilege	1744	DllCommonsvc.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	2044	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1932	DllCommonsvc.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3064 wrote to memory of 2092	3064	JaffaCakes118_2a0be5d3f2a557ba3ce021627e395ae699b5e9da6f7a7bae9b1962ff8e4235db.exe	30
PID 3064 wrote to memory of 2092	3064	JaffaCakes118_2a0be5d3f2a557ba3ce021627e395ae699b5e9da6f7a7bae9b1962ff8e4235db.exe	30
PID 3064 wrote to memory of 2092	3064	JaffaCakes118_2a0be5d3f2a557ba3ce021627e395ae699b5e9da6f7a7bae9b1962ff8e4235db.exe	30
PID 3064 wrote to memory of 2092	3064	JaffaCakes118_2a0be5d3f2a557ba3ce021627e395ae699b5e9da6f7a7bae9b1962ff8e4235db.exe	30
PID 2092 wrote to memory of 1300	2092	WScript.exe	31
PID 2092 wrote to memory of 1300	2092	WScript.exe	31
PID 2092 wrote to memory of 1300	2092	WScript.exe	31
PID 2092 wrote to memory of 1300	2092	WScript.exe	31
PID 1300 wrote to memory of 2268	1300	cmd.exe	33
PID 1300 wrote to memory of 2268	1300	cmd.exe	33
PID 1300 wrote to memory of 2268	1300	cmd.exe	33
PID 1300 wrote to memory of 2268	1300	cmd.exe	33
PID 2268 wrote to memory of 1580	2268	DllCommonsvc.exe	44
PID 2268 wrote to memory of 1580	2268	DllCommonsvc.exe	44
PID 2268 wrote to memory of 1580	2268	DllCommonsvc.exe	44
PID 2268 wrote to memory of 992	2268	DllCommonsvc.exe	45
PID 2268 wrote to memory of 992	2268	DllCommonsvc.exe	45
PID 2268 wrote to memory of 992	2268	DllCommonsvc.exe	45
PID 2268 wrote to memory of 2044	2268	DllCommonsvc.exe	47
PID 2268 wrote to memory of 2044	2268	DllCommonsvc.exe	47
PID 2268 wrote to memory of 2044	2268	DllCommonsvc.exe	47
PID 2268 wrote to memory of 1760	2268	DllCommonsvc.exe	48
PID 2268 wrote to memory of 1760	2268	DllCommonsvc.exe	48
PID 2268 wrote to memory of 1760	2268	DllCommonsvc.exe	48
PID 2268 wrote to memory of 1744	2268	DllCommonsvc.exe	52
PID 2268 wrote to memory of 1744	2268	DllCommonsvc.exe	52
PID 2268 wrote to memory of 1744	2268	DllCommonsvc.exe	52
PID 1744 wrote to memory of 1896	1744	DllCommonsvc.exe	65
PID 1744 wrote to memory of 1896	1744	DllCommonsvc.exe	65
PID 1744 wrote to memory of 1896	1744	DllCommonsvc.exe	65
PID 1744 wrote to memory of 956	1744	DllCommonsvc.exe	66
PID 1744 wrote to memory of 956	1744	DllCommonsvc.exe	66
PID 1744 wrote to memory of 956	1744	DllCommonsvc.exe	66
PID 1744 wrote to memory of 2208	1744	DllCommonsvc.exe	67
PID 1744 wrote to memory of 2208	1744	DllCommonsvc.exe	67
PID 1744 wrote to memory of 2208	1744	DllCommonsvc.exe	67
PID 1744 wrote to memory of 2440	1744	DllCommonsvc.exe	68
PID 1744 wrote to memory of 2440	1744	DllCommonsvc.exe	68
PID 1744 wrote to memory of 2440	1744	DllCommonsvc.exe	68
PID 1744 wrote to memory of 2104	1744	DllCommonsvc.exe	69
PID 1744 wrote to memory of 2104	1744	DllCommonsvc.exe	69
PID 1744 wrote to memory of 2104	1744	DllCommonsvc.exe	69
PID 1744 wrote to memory of 1932	1744	DllCommonsvc.exe	70
PID 1744 wrote to memory of 1932	1744	DllCommonsvc.exe	70
PID 1744 wrote to memory of 1932	1744	DllCommonsvc.exe	70
PID 1896 wrote to memory of 1804	1896	powershell.exe	72
PID 1896 wrote to memory of 1804	1896	powershell.exe	72
PID 1896 wrote to memory of 1804	1896	powershell.exe	72
PID 1804 wrote to memory of 2996	1804	cmd.exe	74
PID 1804 wrote to memory of 2996	1804	cmd.exe	74
PID 1804 wrote to memory of 2996	1804	cmd.exe	74
PID 1804 wrote to memory of 1816	1804	cmd.exe	75
PID 1804 wrote to memory of 1816	1804	cmd.exe	75
PID 1804 wrote to memory of 1816	1804	cmd.exe	75
PID 1816 wrote to memory of 2988	1816	powershell.exe	76
PID 1816 wrote to memory of 2988	1816	powershell.exe	76
PID 1816 wrote to memory of 2988	1816	powershell.exe	76
PID 2988 wrote to memory of 1844	2988	cmd.exe	78
PID 2988 wrote to memory of 1844	2988	cmd.exe	78
PID 2988 wrote to memory of 1844	2988	cmd.exe	78
PID 2988 wrote to memory of 2968	2988	cmd.exe	79
PID 2988 wrote to memory of 2968	2988	cmd.exe	79
PID 2988 wrote to memory of 2968	2988	cmd.exe	79
PID 2968 wrote to memory of 2612	2968	powershell.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a0be5d3f2a557ba3ce021627e395ae699b5e9da6f7a7bae9b1962ff8e4235db.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2a0be5d3f2a557ba3ce021627e395ae699b5e9da6f7a7bae9b1962ff8e4235db.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1300
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2996
        
        C:\providercommon\powershell.exe
        
        "C:\providercommon\powershell.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1844
        
        C:\providercommon\powershell.exe
        
        "C:\providercommon\powershell.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        11⤵
        
        PID:2612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2404
        
        C:\providercommon\powershell.exe
        
        "C:\providercommon\powershell.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        13⤵
        
        PID:816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1980
        
        C:\providercommon\powershell.exe
        
        "C:\providercommon\powershell.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat"
        15⤵
        
        PID:1496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1884
        
        C:\providercommon\powershell.exe
        
        "C:\providercommon\powershell.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
        17⤵
        
        PID:1552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2852
        
        C:\providercommon\powershell.exe
        
        "C:\providercommon\powershell.exe"
        18⤵
        Executes dropped EXE
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
        19⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:844
        
        C:\providercommon\powershell.exe
        
        "C:\providercommon\powershell.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        21⤵
        
        PID:1148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1484
        
        C:\providercommon\powershell.exe
        
        "C:\providercommon\powershell.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat"
        23⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2472
        
        C:\providercommon\powershell.exe
        
        "C:\providercommon\powershell.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat"
        25⤵
        
        PID:1816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2384
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
      - C:\providercommon\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Default\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Default\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\Microsoft Shared\Triedit\it-IT\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 6 /tr "'C:\providercommon\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 7 /tr "'C:\providercommon\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

Network

DNS

raw.githubusercontent.com

powershell.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.110.133

raw.githubusercontent.com

IN A

185.199.108.133

185.199.109.133:443

raw.githubusercontent.com

tls

powershell.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

powershell.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

powershell.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

powershell.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

powershell.exe

741 B
4.1kB
9
10
185.199.109.133:443

raw.githubusercontent.com

tls

powershell.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

powershell.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

powershell.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

powershell.exe

793 B
4.2kB
10
11
185.199.109.133:443

raw.githubusercontent.com

tls

powershell.exe

793 B
4.2kB
10
11

8.8.8.8:53

raw.githubusercontent.com

dns

powershell.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.109.133

185.199.111.133

185.199.110.133

185.199.108.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
383aed386cd0368036c1d722f70806d4

SHA1
529436805952aa4e61106041dd0fa0ae3dc9c80f

SHA256
3f023155cf409df401b2f880517dce0d34e8ee3eb73a30f4674d62b1b32d1e58

SHA512
3eaf0afe47b0c886279680fd6c4b983c0ee9efe029c3bf3644f3f4c9e0cc5110ceb81cb2223efc1ee4030e304e4c6545fa9ad4734b03f56239329c2c51e37923

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efc4a3edf48ffc4d90a47781b30f3692

SHA1
b43ea52a355b166156a12f8a7d4d69ae86848887

SHA256
23ea73bcb8671ea4eb5dd468e9949aca51b79a883301614bc3eb61012440ccdd

SHA512
42dd97857f3ee7c13c8b892f43afffb7735cba6c4834bb6d808643ca17958d2d370a8ef871c89aa99495c7531c716584b89b7f1f279d417cec1f05a22f07ab96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f02fd5126aa69d8b14998e9f7196c127

SHA1
063e87ad75755359d9c6ae7c9f26bc4ad43dbf03

SHA256
a6493ae49be615a9b275bcdcb28594d928a5140655fd9aea43f6e91e8685550f

SHA512
115fd40be9eb0ca323bd9e9d01b07258d94e4e44f8a0cff2344a9573c70545aaf787c9722565b39b66ba7dee2c1fe9030dfc6d4fabab0eda188428c88f392396

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f110d0795db52f789bead2388714b4b

SHA1
23c7ad2fb62793f7e6eff48e8397b902847d3c5e

SHA256
e4cd1c9504d499826fee52a424a36836f07bf740dbca51ad469f5e33e5a5d08d

SHA512
8db72ce56868a9da9fc96100b7d3b6aaa8257ce7172722f007cd03c2974b2ad41d37c1af8ba3f869b8e13c738818277b0d15daf6bff17597aaae01376319ad48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94833cbcc92e2d69f66ace0e44e3dcf7

SHA1
0738cffc365a2e37d258462f9155227e30f027be

SHA256
696dc20efd2417fa1396619ce29599c0c05f93eaa3d66fe32abfc6069cce3dc5

SHA512
5993cc9f9dc8d3d1cb49706cc216cac0f310b1705261ce55f91fe6563508f1cdd403caa7a13ae4dce67011ffa880de37f55700bd88e9747ae7126de8257e6297

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c1c61acd2fa3d5bd2fb1d919226061d

SHA1
3dab0df8503dad629d8ab7d26147891623897aee

SHA256
5c5aaf99410c2d19540a71fb20663365a0ccdab19d50394cda391df0a42bea39

SHA512
f2fad870f1e0cac9fd557e08b3832e39fdb8ae08c80b477d04ec33c14ba3b4c9d34f9438797ca346f2c3cdb405b41db44910cd7b45876a9fec12d338f691d6a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c337838fbb17b5f551356c2130d519a7

SHA1
3c7b207a9f4f3f165f3f9a51c89349783ff8b915

SHA256
1b26db5abfca62b381ec61856c75544cbcb5a6a88c48370a006d6025340c341e

SHA512
ba0f23476758181d8b7f05f89f711aaf7144c9d8f6224e3442754294f3df07881431de3ca2439e2099515cbbac0e8f1440396f7ad91b8b5cb56c0324de77796f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ecfd36726f82df9c1c11b0062d386b0

SHA1
fc7f02e308d69b33bf6d2d1742975fd2e44cd289

SHA256
61cca90040d07057c7fc867a7ee58253121385b18b8d75afa9f8d302a6a0ded0

SHA512
12d87c14c4da09cc0df482335e645c1def342fdd828df8e54c5e378f10ccdc6a2ce1c524e6e9345eda1fdd514f6bafaff702d3793d691eb7316c77117d0884f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat

Filesize
197B

MD5
ed1a35a37d1d778ef1cc2f3bc28004f4

SHA1
208dfde075c74dc1b7bd43f3bed8578f9a12fffa

SHA256
843783784d25c1e8f61f65d171e3d433f86e88b9537f19e58028452c4a891ee1

SHA512
916e17323fb24c505f754bfca94b8b5730260d9e1f89a0659734127ad20fc91cfec793455075e1085f0eb1faf6353279336dfda4c04bdaa860d02e4048a7542f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2RP5SY0RjS.bat

Filesize
197B

MD5
312b2bf2bad06890334393573e5fb0fd

SHA1
5d160e1cc8a0f313600a3fd39ee31362554281dd

SHA256
cb5102d83de85200730196b3cafd2d30699058985ea6340c4b7de5e00a82eba9

SHA512
2bef893faa2d6aca14556ab2fe3fa8f9b30c9882354dce543d1179b2c493f7ac7533ebbc693c0e1ae9d62960cdb991f89b5f83a5d0127f0c161cc2977071f253

Download Submit
C:\Users\Admin\AppData\Local\Temp\BikqvEHWfW.bat

Filesize
197B

MD5
95afe61799d1509ac92ce8a1865d2907

SHA1
c376ca5e6ac90e06130879f4185c362d872037ae

SHA256
a967efd1d5b9f8e71084df6b4a381b497eab96f81338634b25a64dab3fc75efa

SHA512
94446ac908fee3800c7745eeb8ea779782ffefd44509919d76d5cef9abe7c0eba59f72c61cdc7ce99f6d18b110d30ebcf9947a021105b316441a0736f27850fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat

Filesize
197B

MD5
891cfc8dd9dea5cbd946720b35ea4e55

SHA1
904236507bb40e0543f12d34f8ea973875b24b5c

SHA256
efed4fb5c929cda4bedefff318f859fcc51909255f626ff2c02354f2ea9f4afa

SHA512
87b06880b5d133f7c7b3fd035537793e0acf0a430b0afe49f14d1f482da8c22014eaa6d0eec4b3ea6dce267eb96a25ee346aa861354655bb8c02c3e8147d9886

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDFD6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
197B

MD5
6a0da33b9a6d8ac88befdc4792d8ce94

SHA1
e1809f26ec511a808b0545418627edc2ec407284

SHA256
52ab24da1db9fb4b968db1ff31d0da406949cf573e5e3c192cf405124b621714

SHA512
ae702d6f0144b45f84cc0e027efb20f129cc3ae95f3f29cdedb3ce5cb39deaac694e3a269f51e52d05903cbf99c1ea848434f7fc76e4f5d153b873365583bbcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDFE9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
197B

MD5
5b0170b2a3829e11b892dea46d7a26c3

SHA1
2841e457a3c43db3a45b461134377c5b8112a263

SHA256
85332192907a5020a9e0149a42be66f2901cf17afd50f91331a7e6a11750351e

SHA512
fa90708da56cdcdf931726e08b39b9f86f23dd93d8235e4fcab7a8d8e324e5c823335f181d647b3ad965e8b9ba80fe8cec5d1a7a08f60e5397b7cf84bc549190

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
197B

MD5
57106dce30d7c0cbcaf8f0389729b442

SHA1
d02932ed0d218b97906eacd1aa5054907b813239

SHA256
4cd56a3992f2ba81f45af182d6438b089a8e9b0ba931873f6b418708641c11f9

SHA512
c367f76970d678e000f3f4ca76e4c81a576381cbd660eb8296447a320a4cfc58c88286004e9771b65ccce351922e24a19cbf4dedd66b371ef9ad8257f014d0cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\tA3KztjMoN.bat

Filesize
197B

MD5
dbe3c2cff120e69fd1cfccb84b6af446

SHA1
4707f5cb519a22009a657bee5ba59f0738efb6b6

SHA256
9ad89765955383cb53f7805213a7fae105bed4bed862724c9f535a5bc33da729

SHA512
5beb470ed2fdcac4aa4ec27f8c829e07a71df9af59cb510ae5e679c2a45364bc0a01a5d885981ec5c987ba06e23178aff703f92b92d4ff50c898b0593c158669

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
197B

MD5
9d06cd834d0a031466a10ab8be93cc25

SHA1
5af5cc0ea53005b0861a4ab545e29e654c597713

SHA256
d146fe2b9eb1128474d26fd37da3fe875bddd71a80556346ef1820f5ec064348

SHA512
b3adf92ddc61ee2dbc6c75f208c0ab5a30064ad4e4be0fd480533806880162d06661d8fad36f415bdcdd30b81f3b642044deaeed416f580559aaf9935742b6a4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fee5f240d5f6d3023263e9fcd6cd1dc1

SHA1
4e0a91585844fb6032f526dacf1a72c2a96df7cc

SHA256
d7832e06b73dd107dad190ba7a87b4d17e3791e3af517e8682dbea05fe308ce8

SHA512
5a0b2178fff8afc1204374e5e001582d23a979dfc36a6c6b6303540ef7089174b8c3fc39ddc330758b44d8468cdeee25b33f4132438912bba63e18776bc713f9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/708-254-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/956-74-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/1248-314-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2044-39-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2044-40-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2268-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2268-15-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2268-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2268-13-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2268-17-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2288-494-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2968-194-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.