dcrat | e534ce1b99a49a19df44a06f93f09c3dca0e52964b606c2549f3da0ecf115904

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 13:08 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e534ce1b99a49a19df44a06f93f09c3dca0e52964b606c2549f3da0ecf115904.exe
Size

1.3MB
MD5

fdac0c74650163a8d39014f211e2cefe
SHA1

decd8f915f10cb8bb3af2892da5011948452dd18
SHA256

e534ce1b99a49a19df44a06f93f09c3dca0e52964b606c2549f3da0ecf115904
SHA512

aaf7edf7d6748bd5316844f4aa82ce89bdb7c3ce51a696092e924398c9673e5783343be75989373ca601b381381de75d5725d4ac74612e2d803ae62d2f079351
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2216	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2216	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015d30-10.dat	dcrat
behavioral1/memory/3056-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp	dcrat
behavioral1/memory/2320-101-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/memory/2940-220-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/620-458-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/2700-518-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/316-578-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/1488-638-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
764	powershell.exe
1284	powershell.exe
2696	powershell.exe
1456	powershell.exe
1996	powershell.exe
1672	powershell.exe
2316	powershell.exe
1180	powershell.exe
1260	powershell.exe
2364	powershell.exe
1540	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3056	DllCommonsvc.exe
2320	dllhost.exe
3008	dllhost.exe
2940	dllhost.exe
1436	dllhost.exe
2288	dllhost.exe
2436	dllhost.exe
620	dllhost.exe
2700	dllhost.exe
316	dllhost.exe
1488	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1652	cmd.exe
1652	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
13	raw.githubusercontent.com
24	raw.githubusercontent.com
31	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
28	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\7a0fd90576e088	DllCommonsvc.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\es-ES\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\es-ES\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e534ce1b99a49a19df44a06f93f09c3dca0e52964b606c2549f3da0ecf115904.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe
1772	schtasks.exe
2092	schtasks.exe
848	schtasks.exe
1940	schtasks.exe
572	schtasks.exe
324	schtasks.exe
2908	schtasks.exe
3024	schtasks.exe
2272	schtasks.exe
2884	schtasks.exe
2776	schtasks.exe
1708	schtasks.exe
568	schtasks.exe
648	schtasks.exe
2480	schtasks.exe
2312	schtasks.exe
2876	schtasks.exe
1116	schtasks.exe
2084	schtasks.exe
1048	schtasks.exe
1656	schtasks.exe
2296	schtasks.exe
2500	schtasks.exe
2864	schtasks.exe
2660	schtasks.exe
1204	schtasks.exe
1872	schtasks.exe
2676	schtasks.exe
2448	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3056	DllCommonsvc.exe
1180	powershell.exe
1672	powershell.exe
2316	powershell.exe
1260	powershell.exe
1996	powershell.exe
764	powershell.exe
2364	powershell.exe
2696	powershell.exe
1284	powershell.exe
1540	powershell.exe
1456	powershell.exe
2320	dllhost.exe
3008	dllhost.exe
2940	dllhost.exe
1436	dllhost.exe
2288	dllhost.exe
2436	dllhost.exe
620	dllhost.exe
2700	dllhost.exe
316	dllhost.exe
1488	dllhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	DllCommonsvc.exe
Token: SeDebugPrivilege	1180	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	1260	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	2320	dllhost.exe
Token: SeDebugPrivilege	3008	dllhost.exe
Token: SeDebugPrivilege	2940	dllhost.exe
Token: SeDebugPrivilege	1436	dllhost.exe
Token: SeDebugPrivilege	2288	dllhost.exe
Token: SeDebugPrivilege	2436	dllhost.exe
Token: SeDebugPrivilege	620	dllhost.exe
Token: SeDebugPrivilege	2700	dllhost.exe
Token: SeDebugPrivilege	316	dllhost.exe
Token: SeDebugPrivilege	1488	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2236 wrote to memory of 2572	2236	JaffaCakes118_e534ce1b99a49a19df44a06f93f09c3dca0e52964b606c2549f3da0ecf115904.exe	30
PID 2236 wrote to memory of 2572	2236	JaffaCakes118_e534ce1b99a49a19df44a06f93f09c3dca0e52964b606c2549f3da0ecf115904.exe	30
PID 2236 wrote to memory of 2572	2236	JaffaCakes118_e534ce1b99a49a19df44a06f93f09c3dca0e52964b606c2549f3da0ecf115904.exe	30
PID 2236 wrote to memory of 2572	2236	JaffaCakes118_e534ce1b99a49a19df44a06f93f09c3dca0e52964b606c2549f3da0ecf115904.exe	30
PID 2572 wrote to memory of 1652	2572	WScript.exe	32
PID 2572 wrote to memory of 1652	2572	WScript.exe	32
PID 2572 wrote to memory of 1652	2572	WScript.exe	32
PID 2572 wrote to memory of 1652	2572	WScript.exe	32
PID 1652 wrote to memory of 3056	1652	cmd.exe	34
PID 1652 wrote to memory of 3056	1652	cmd.exe	34
PID 1652 wrote to memory of 3056	1652	cmd.exe	34
PID 1652 wrote to memory of 3056	1652	cmd.exe	34
PID 3056 wrote to memory of 1672	3056	DllCommonsvc.exe	66
PID 3056 wrote to memory of 1672	3056	DllCommonsvc.exe	66
PID 3056 wrote to memory of 1672	3056	DllCommonsvc.exe	66
PID 3056 wrote to memory of 2316	3056	DllCommonsvc.exe	67
PID 3056 wrote to memory of 2316	3056	DllCommonsvc.exe	67
PID 3056 wrote to memory of 2316	3056	DllCommonsvc.exe	67
PID 3056 wrote to memory of 2696	3056	DllCommonsvc.exe	68
PID 3056 wrote to memory of 2696	3056	DllCommonsvc.exe	68
PID 3056 wrote to memory of 2696	3056	DllCommonsvc.exe	68
PID 3056 wrote to memory of 1996	3056	DllCommonsvc.exe	70
PID 3056 wrote to memory of 1996	3056	DllCommonsvc.exe	70
PID 3056 wrote to memory of 1996	3056	DllCommonsvc.exe	70
PID 3056 wrote to memory of 1456	3056	DllCommonsvc.exe	71
PID 3056 wrote to memory of 1456	3056	DllCommonsvc.exe	71
PID 3056 wrote to memory of 1456	3056	DllCommonsvc.exe	71
PID 3056 wrote to memory of 1284	3056	DllCommonsvc.exe	73
PID 3056 wrote to memory of 1284	3056	DllCommonsvc.exe	73
PID 3056 wrote to memory of 1284	3056	DllCommonsvc.exe	73
PID 3056 wrote to memory of 1540	3056	DllCommonsvc.exe	74
PID 3056 wrote to memory of 1540	3056	DllCommonsvc.exe	74
PID 3056 wrote to memory of 1540	3056	DllCommonsvc.exe	74
PID 3056 wrote to memory of 1180	3056	DllCommonsvc.exe	75
PID 3056 wrote to memory of 1180	3056	DllCommonsvc.exe	75
PID 3056 wrote to memory of 1180	3056	DllCommonsvc.exe	75
PID 3056 wrote to memory of 2364	3056	DllCommonsvc.exe	76
PID 3056 wrote to memory of 2364	3056	DllCommonsvc.exe	76
PID 3056 wrote to memory of 2364	3056	DllCommonsvc.exe	76
PID 3056 wrote to memory of 764	3056	DllCommonsvc.exe	77
PID 3056 wrote to memory of 764	3056	DllCommonsvc.exe	77
PID 3056 wrote to memory of 764	3056	DllCommonsvc.exe	77
PID 3056 wrote to memory of 1260	3056	DllCommonsvc.exe	79
PID 3056 wrote to memory of 1260	3056	DllCommonsvc.exe	79
PID 3056 wrote to memory of 1260	3056	DllCommonsvc.exe	79
PID 3056 wrote to memory of 2280	3056	DllCommonsvc.exe	88
PID 3056 wrote to memory of 2280	3056	DllCommonsvc.exe	88
PID 3056 wrote to memory of 2280	3056	DllCommonsvc.exe	88
PID 2280 wrote to memory of 544	2280	cmd.exe	90
PID 2280 wrote to memory of 544	2280	cmd.exe	90
PID 2280 wrote to memory of 544	2280	cmd.exe	90
PID 2280 wrote to memory of 2320	2280	cmd.exe	91
PID 2280 wrote to memory of 2320	2280	cmd.exe	91
PID 2280 wrote to memory of 2320	2280	cmd.exe	91
PID 2320 wrote to memory of 2080	2320	dllhost.exe	92
PID 2320 wrote to memory of 2080	2320	dllhost.exe	92
PID 2320 wrote to memory of 2080	2320	dllhost.exe	92
PID 2080 wrote to memory of 2848	2080	cmd.exe	94
PID 2080 wrote to memory of 2848	2080	cmd.exe	94
PID 2080 wrote to memory of 2848	2080	cmd.exe	94
PID 2080 wrote to memory of 3008	2080	cmd.exe	95
PID 2080 wrote to memory of 3008	2080	cmd.exe	95
PID 2080 wrote to memory of 3008	2080	cmd.exe	95
PID 3008 wrote to memory of 1616	3008	dllhost.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e534ce1b99a49a19df44a06f93f09c3dca0e52964b606c2549f3da0ecf115904.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e534ce1b99a49a19df44a06f93f09c3dca0e52964b606c2549f3da0ecf115904.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2236
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1652
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\es-ES\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1260
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LrVckam5rx.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2280
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:544
      - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2848
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        9⤵
        
        PID:1616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1208
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
        11⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1620
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
        13⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2116
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat"
        15⤵
        
        PID:1872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2736
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat"
        17⤵
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2364
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat"
        19⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2092
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
        21⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2688
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
        23⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2728
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\es-ES\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Videos\Sample Videos\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\it\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

Network

DNS

raw.githubusercontent.com

dllhost.exe

Remote address:

8.8.8.8:53

Request

raw.githubusercontent.com

IN A

Response

raw.githubusercontent.com

IN A

185.199.108.133

raw.githubusercontent.com

IN A

185.199.111.133

raw.githubusercontent.com

IN A

185.199.109.133

raw.githubusercontent.com

IN A

185.199.110.133

185.199.108.133:443

raw.githubusercontent.com

tls

dllhost.exe

741 B
4.1kB
9
10
185.199.108.133:443

raw.githubusercontent.com

tls

dllhost.exe

741 B
4.1kB
9
10
185.199.108.133:443

raw.githubusercontent.com

tls

dllhost.exe

741 B
4.1kB
9
10
185.199.108.133:443

raw.githubusercontent.com

tls

dllhost.exe

741 B
4.1kB
9
10
185.199.108.133:443

raw.githubusercontent.com

tls

dllhost.exe

741 B
4.1kB
9
10
185.199.108.133:443

raw.githubusercontent.com

tls

dllhost.exe

741 B
4.1kB
9
10
185.199.108.133:443

raw.githubusercontent.com

tls

dllhost.exe

793 B
4.2kB
10
11
185.199.108.133:443

raw.githubusercontent.com

tls

dllhost.exe

793 B
4.2kB
10
10
185.199.108.133:443

raw.githubusercontent.com

tls

dllhost.exe

741 B
4.1kB
9
10

8.8.8.8:53

raw.githubusercontent.com

dns

dllhost.exe

71 B
135 B
1
1

DNS Request

raw.githubusercontent.com

DNS Response

185.199.108.133

185.199.111.133

185.199.109.133

185.199.110.133

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd42d16f1c07775e6b8bba9ba24cc655

SHA1
8696d4d3b0ab97c45cbf80b0c45ac54b745a0c4b

SHA256
eed2a288bcf5b683ed0c41927f79e347655d50371af9d791304e4e889f24dd5e

SHA512
89e8b9bc574ba951a6da3e0d9021057ce221bc40ee5f8d8a6b6035efac3264415c4117f16d54ee32cd1e867d20061fc30487d5039f3a1f412ad2e25d269a8bac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a586469b34dd2f966e79b59425e8fe52

SHA1
51f3a0dd10e4fde8aed545a5cd363e4f87b6307c

SHA256
17e9220c0a9a6db91fb442226fa09ca2e77e03968298fae0cf40c3b4f8f9347d

SHA512
5a9b4216d3b4a53ac26ee33ff91b668960ee05b2c9fb23705579ad88243274521fb556e91ac79bf1cc7eeae013313921a2edf8036eb31864f589b33da397b04c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f7f269885d794cbeacdf19146cff196

SHA1
1cf8c957eafd336c90f5406979d4bc01f0a72d00

SHA256
3c00f2964a867c9bdfe47a56743ad97c023a6c7149b90e897671024c098d15c1

SHA512
cf55b1af7adeb89700aa49a2d037047f8a7f2cbd5af19434860143047ab7912ac174b0f26d7965328d15f7f741fe78c5d15c858ca57f1364d25ae801e3fd1bf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04fbedc1440bef4589e759c0a9e537ee

SHA1
082de8898be1b75a97e2fa5abababdc69b0f5949

SHA256
11f290b9f14e9c0541dec3a5c0186be645b3422eb4857f7e37f47228e95aa8b3

SHA512
c7fcbb406e6aa2d52314ab0d6cdf7a05ff0764fefbb866a29d4cac174e58c06a0b2e84828a6084dda1bd4673ab99800bab8069e2bb35829d6bb8021702abad30

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3db633897203d6fe677fb554902dbc86

SHA1
f7dbee7e7a8e193bba1637abf7f500a1c4ffd8f1

SHA256
d6f11baf9c82722346cdb3d86af968a90579032c21a51093b9c7ecb3a9a3d6f7

SHA512
4963ce550a3a1563a582f0a103c082534eb9e0316166eaf2fd4988e35367fe2c94fb48d9fe0cdb171924ca021aa4214753842f89c7c8784e1561739e839bf692

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
401313f898b337f232cfee77ef0684fb

SHA1
a152335efc7474534a48472f4d27b3ea420c0b00

SHA256
a0e21f457e4fa3cb72e4fa3726757fe7c12d7ca4ebe6fc288627d8df235add23

SHA512
c2828187d81f671b98fd12595d684b1cb06e3c4c9501cd7836a0011594eb555e3ffc717e25d44ac072915a0ee23dae1084501964590e708327262f21704a6ebd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ad6d990807adef837d5ae544f50aa3b

SHA1
b284f535f2216c9559878068344e6436ce204aad

SHA256
1a9e3f8be2129be861caac7f2254242ddb880a2a326bf9c5770b24c08e95d08f

SHA512
2254f33c3536da40a9b6a049de20a1ed8c025389e46fa06310df8323bce0a3aae7c18a71c64ac2b656a2384b37f8c0d9f7d578c568611cae54f49986175f5214

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e50659c76e953629c294f8cdecd6334

SHA1
ded6a51484111b2c86e6c950614770cd3d3ca3b5

SHA256
0a6a83f242285734a5431553dc6d189bf6c49a0334080553d09954c324593a48

SHA512
21603c6a8389e5706cabbe3e3c6da0c5cfe2cd9a43104d1bd8475c618d7303d57849c0ad8d1971168c9e6c81ebef2f5e4330a06a5a27298e2b1578c501a093f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8D9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GTS4B5cy6p.bat

Filesize
239B

MD5
bcd2ffb9609fe681f305293c76f3593b

SHA1
bf90b09154a848c637c496d79b19c3464a52bec6

SHA256
6b0643a43d094d151bc3bbbb4941bf8e1ee948d93fef68a729e53539d5b7ff26

SHA512
91be72eba48f380527d5cdc0843ed950d50c1064c70a2093168b1a5d97fe7b2f0232bb78c15291250f67380ab8883b51d4bf1673c0782049827b54505db4d249

Download Submit
C:\Users\Admin\AppData\Local\Temp\KYEunsIO9t.bat

Filesize
239B

MD5
0c8102f4137c5b4797f9354e41faa25f

SHA1
c249c539f6ea4d06ef6d9fc11bf193ba6038a57b

SHA256
92d04b32896164755d3684306d17c364bb21f46d3a1c13e539cc536a9c05967b

SHA512
bb3581485d7696aeb44a78e51a927c0c35e8def909435699b4fa8d1c0d786e33ff09efff26935925b7a92fbcbe551e782350b8a51cfb86a0cb21e0c94646c6c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat

Filesize
239B

MD5
a41630a7c014371ea196a1d28e9db305

SHA1
4ab9f5062a70205db2efd8bae18001bc30b94dd0

SHA256
ff9e29a45fcd474fe56c80641c34ee5ab096ff3cf9e4b15b19bd965367967fbd

SHA512
ce4732fd68b748a1c1b381a4943beb109190ccb461bbcd10f36ee3a9b0bd71d7507e88c0d3959fdf0773a78afd1f6e8ba61a248bde13860c277116886220d652

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
239B

MD5
d61278b95ea294c470bcea4ecaae9827

SHA1
99bea7cc9add6e9a8cfe03c9207c3981ac19f80e

SHA256
895beb447b8c04ab4cf24df063e33833f8115f90ac9537426092c3a727d34e5d

SHA512
86ab566321640a9c4c38ac36848457395c8650115c36e38f67833ed08cc6d688f5adddeedc86cbbf759eda65b99af1784ac19b911088a28614965a9f9c042c71

Download Submit
C:\Users\Admin\AppData\Local\Temp\LrVckam5rx.bat

Filesize
239B

MD5
03c54151cd5fd655766eb20ee11a7118

SHA1
a135faa7a7c5ef434e6f5d118497900cb47b06e4

SHA256
e324e7444b1f9502c28ff69d09240e37cd44d456ed1eb1163a6b824cbf196b50

SHA512
415febf7b2b9f973ad816c5930e2fea4f403487ac050a2abcf41ca27694553a94236975a144a8b584a9fc61ef743c2585ffeae6705e492c9539a8a444b36e8df

Download Submit
C:\Users\Admin\AppData\Local\Temp\OoUlhQHDc2.bat

Filesize
239B

MD5
f48f356e5973856bca109846a139e8dc

SHA1
c25dfb2a874fbc10f34e2d608301f21a0414257e

SHA256
97a25c0bebe6a1a96917076e9aea1eb455674378e1fe4c67820932d89b8be6b5

SHA512
747ba109379047609d9af534ca585fb71bfa3a44091e96946132fafb153626d10952ef3a0d9a6e1716474f919f15dd2959c9f4def76f1aa5d0942b58dee2826c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat

Filesize
239B

MD5
12c69556850d71cf516fe5e329a61ace

SHA1
17eeb131241500af67ada60b46d63508a723cf45

SHA256
639930354dfd0a51fc33ac10d03d34656e6b4b110e72fdd420c94a494462c975

SHA512
63460fb0745d0ff297dcd1ff47670a0d678652dc13090fbfb2dd20e9a52e2eee7790749b759b99e7817acb645a98f5807aa16f6c5dc1bf165fefc9a95754fa9f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat

Filesize
239B

MD5
1580f04ca502bce4574d870ff28d2cee

SHA1
61e05d2dfef203bd3d0cd033b025303c58b1f304

SHA256
7b071065546c51d9c16eb410febd44641c1f28235b8d44594f58ba46b1cd4edb

SHA512
32fe8712c537dbd55d4e4ec3453e20dac69400d26daaf03f123b1ca05290af1d5292668f30ec9c849384e340b3eb3d271660473570a07b70a41d46f9e88b0f09

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8EB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat

Filesize
239B

MD5
536ac2b780145a6cc9a63743ec28897b

SHA1
920a536a8e13ad15c6df9803277b197e7de7e820

SHA256
28616b7f5d337350553fb8171648ee770a65bd458b3e15707d6dcf37e923be17

SHA512
584192a5b46e5d775516ae2e83b7746e583a965aecea897d7d4aefc6cb5d5e2cc76a8a4292ab0353806681ea52020a6414807f54fb63d9247d5cebd81251196b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

Filesize
239B

MD5
9705dff9a733769dbef57a4fb73aa929

SHA1
901ebb12aa5f34e319c803fee9c5849039647cf5

SHA256
a3747dfd19691513e1ed112876cc90f7d653f3bdb9fb471b7bfdb54921044352

SHA512
3a937094490dc08f73a05d10c9e41a3c3c0e4f3c3c5ace0a3a34664b48cf6c49e5bdc5fe56ed4a3091eff15b7da85e465f35c137f550e3944baef25de2759947

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1675ccae5f9e925ef567c2ef34f7e798

SHA1
7ea6c5a5e594ebf41b2f13c55a82f3ae176819c2

SHA256
180230601030f97d36413bf31849e4acaa07ab709a046f5d0c61ec28ea95a14e

SHA512
1a9e6d597172bc69065868f5ff8f4b3cb49e1bfd4b25d891b88d82c818ac4e09d1f91d0d51fae4be388062d78b4073b35ef529d0a19885a8398a64bbd82632af

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/316-578-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/620-458-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/1180-59-0x0000000002680000-0x0000000002688000-memory.dmp

Filesize
32KB

Download
memory/1488-638-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/1672-58-0x000000001B4C0000-0x000000001B7A2000-memory.dmp

Filesize
2.9MB

Download
memory/2288-339-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2320-102-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2320-101-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/2700-518-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2940-220-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/3056-17-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/3056-13-0x00000000009C0000-0x0000000000AD0000-memory.dmp

Filesize
1.1MB

Download
memory/3056-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/3056-15-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/3056-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

DNS Request

DNS Response

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.