dcrat | 2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497

Analysis

max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 18:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

32db4bf35b9c2efc730718e2f8cd4fbc.exe
Size

1.8MB
MD5

32db4bf35b9c2efc730718e2f8cd4fbc
SHA1

616a5c549f6c1c191f82d8cea82c65e25869241e
SHA256

2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497
SHA512

577146b764a00bcd3ff34a4ec278c49db91e7a5eb3647f561455499a7c01c52c513a5283041a378ffb57747e0ad0c93795d7287b5814a01f94612ac81f1828c2
SSDEEP

24576:PYWx+zBv7JhqvqIsCHeX2RYk1ORuQfAb3ev4XwpgcYZSqu/lYXeHB80K:PAz2H5RYj4QyQZviTu/Ouh

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\\pris\\SearchApp.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\\pris\\SearchApp.exe\", \"C:\\Users\\Admin\\Links\\wininit.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\\pris\\SearchApp.exe\", \"C:\\Users\\Admin\\Links\\wininit.exe\", \"C:\\Users\\Admin\\3D Objects\\lsass.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\\pris\\SearchApp.exe\", \"C:\\Users\\Admin\\Links\\wininit.exe\", \"C:\\Users\\Admin\\3D Objects\\lsass.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\\pris\\SearchApp.exe\", \"C:\\Users\\Admin\\Links\\wininit.exe\", \"C:\\Users\\Admin\\3D Objects\\lsass.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SystemApps\\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\\pris\\SearchApp.exe\", \"C:\\Users\\Admin\\Links\\wininit.exe\", \"C:\\Users\\Admin\\3D Objects\\lsass.exe\", \"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\", \"C:\\Recovery\\WindowsRE\\sppsvc.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\32db4bf35b9c2efc730718e2f8cd4fbc.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3444	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3596	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4012	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3612	4900	schtasks.exe	82
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3788	4900	schtasks.exe	82

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3568	powershell.exe
2348	powershell.exe
2008	powershell.exe
4420	powershell.exe
3584	powershell.exe
3832	powershell.exe

Checks computer location settings 2 TTPs 19 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	wininit.exe

Executes dropped EXE 18 IoCs

pid	Process
1484	wininit.exe
4048	wininit.exe
872	wininit.exe
4400	wininit.exe
4724	wininit.exe
1020	wininit.exe
2508	wininit.exe
3812	wininit.exe
2720	wininit.exe
1732	wininit.exe
2764	wininit.exe
3580	wininit.exe
2908	wininit.exe
1564	wininit.exe
3600	wininit.exe
2404	wininit.exe
4820	wininit.exe
2520	wininit.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32db4bf35b9c2efc730718e2f8cd4fbc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\32db4bf35b9c2efc730718e2f8cd4fbc.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\\pris\\SearchApp.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\3D Objects\\lsass.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Recovery\\WindowsRE\\sppsvc.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\dllhost.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\32db4bf35b9c2efc730718e2f8cd4fbc = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\32db4bf35b9c2efc730718e2f8cd4fbc.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Windows\\SystemApps\\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\\pris\\SearchApp.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\Links\\wininit.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Admin\\Links\\wininit.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\Admin\\3D Objects\\lsass.exe\""	32db4bf35b9c2efc730718e2f8cd4fbc.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCE60D380E19A64107ABF259554ED3319A.TMP	csc.exe
File created	\??\c:\Windows\System32\enb1sa.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\5940a34987c991	32db4bf35b9c2efc730718e2f8cd4fbc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe	32db4bf35b9c2efc730718e2f8cd4fbc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ImmersiveControlPanel\it-IT\32db4bf35b9c2efc730718e2f8cd4fbc.exe	32db4bf35b9c2efc730718e2f8cd4fbc.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\pris\SearchApp.exe	32db4bf35b9c2efc730718e2f8cd4fbc.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\pris\38384e6a620884	32db4bf35b9c2efc730718e2f8cd4fbc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 8 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4756	PING.EXE
2804	PING.EXE
4036	PING.EXE
2128	PING.EXE
2548	PING.EXE
4364	PING.EXE
2808	PING.EXE
3056	PING.EXE

Modifies registry class 19 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	wininit.exe

Runs ping.exe 1 TTPs 8 IoCs

Remote System Discovery

T1018

pid	Process
3056	PING.EXE
4756	PING.EXE
2804	PING.EXE
4036	PING.EXE
2128	PING.EXE
2548	PING.EXE
4364	PING.EXE
2808	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
944	schtasks.exe
732	schtasks.exe
3444	schtasks.exe
1936	schtasks.exe
1288	schtasks.exe
4408	schtasks.exe
3612	schtasks.exe
3288	schtasks.exe
2424	schtasks.exe
1468	schtasks.exe
3788	schtasks.exe
4012	schtasks.exe
3576	schtasks.exe
552	schtasks.exe
3596	schtasks.exe
2668	schtasks.exe
1840	schtasks.exe
1320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe
Token: SeDebugPrivilege	4420	powershell.exe
Token: SeDebugPrivilege	3832	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	3584	powershell.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeDebugPrivilege	3568	powershell.exe
Token: SeDebugPrivilege	1484	wininit.exe
Token: SeDebugPrivilege	4048	wininit.exe
Token: SeDebugPrivilege	872	wininit.exe
Token: SeDebugPrivilege	4400	wininit.exe
Token: SeDebugPrivilege	4724	wininit.exe
Token: SeDebugPrivilege	1020	wininit.exe
Token: SeDebugPrivilege	2508	wininit.exe
Token: SeDebugPrivilege	3812	wininit.exe
Token: SeDebugPrivilege	2720	wininit.exe
Token: SeDebugPrivilege	1732	wininit.exe
Token: SeDebugPrivilege	2764	wininit.exe
Token: SeDebugPrivilege	3580	wininit.exe
Token: SeDebugPrivilege	2908	wininit.exe
Token: SeDebugPrivilege	1564	wininit.exe
Token: SeDebugPrivilege	3600	wininit.exe
Token: SeDebugPrivilege	2404	wininit.exe
Token: SeDebugPrivilege	4820	wininit.exe
Token: SeDebugPrivilege	2520	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2912 wrote to memory of 4412	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	86
PID 2912 wrote to memory of 4412	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	86
PID 4412 wrote to memory of 1484	4412	csc.exe	88
PID 4412 wrote to memory of 1484	4412	csc.exe	88
PID 2912 wrote to memory of 3568	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	104
PID 2912 wrote to memory of 3568	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	104
PID 2912 wrote to memory of 3832	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	105
PID 2912 wrote to memory of 3832	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	105
PID 2912 wrote to memory of 3584	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	106
PID 2912 wrote to memory of 3584	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	106
PID 2912 wrote to memory of 4420	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	107
PID 2912 wrote to memory of 4420	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	107
PID 2912 wrote to memory of 2008	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	108
PID 2912 wrote to memory of 2008	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	108
PID 2912 wrote to memory of 2348	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	109
PID 2912 wrote to memory of 2348	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	109
PID 2912 wrote to memory of 4940	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	116
PID 2912 wrote to memory of 4940	2912	32db4bf35b9c2efc730718e2f8cd4fbc.exe	116
PID 4940 wrote to memory of 2292	4940	cmd.exe	118
PID 4940 wrote to memory of 2292	4940	cmd.exe	118
PID 4940 wrote to memory of 3232	4940	cmd.exe	119
PID 4940 wrote to memory of 3232	4940	cmd.exe	119
PID 4940 wrote to memory of 1484	4940	cmd.exe	120
PID 4940 wrote to memory of 1484	4940	cmd.exe	120
PID 1484 wrote to memory of 3600	1484	wininit.exe	121
PID 1484 wrote to memory of 3600	1484	wininit.exe	121
PID 3600 wrote to memory of 1936	3600	cmd.exe	123
PID 3600 wrote to memory of 1936	3600	cmd.exe	123
PID 3600 wrote to memory of 732	3600	cmd.exe	124
PID 3600 wrote to memory of 732	3600	cmd.exe	124
PID 3600 wrote to memory of 4048	3600	cmd.exe	125
PID 3600 wrote to memory of 4048	3600	cmd.exe	125
PID 4048 wrote to memory of 5024	4048	wininit.exe	128
PID 4048 wrote to memory of 5024	4048	wininit.exe	128
PID 5024 wrote to memory of 2312	5024	cmd.exe	130
PID 5024 wrote to memory of 2312	5024	cmd.exe	130
PID 5024 wrote to memory of 2144	5024	cmd.exe	131
PID 5024 wrote to memory of 2144	5024	cmd.exe	131
PID 5024 wrote to memory of 872	5024	cmd.exe	134
PID 5024 wrote to memory of 872	5024	cmd.exe	134
PID 872 wrote to memory of 548	872	wininit.exe	135
PID 872 wrote to memory of 548	872	wininit.exe	135
PID 548 wrote to memory of 4564	548	cmd.exe	137
PID 548 wrote to memory of 4564	548	cmd.exe	137
PID 548 wrote to memory of 1144	548	cmd.exe	138
PID 548 wrote to memory of 1144	548	cmd.exe	138
PID 548 wrote to memory of 4400	548	cmd.exe	141
PID 548 wrote to memory of 4400	548	cmd.exe	141
PID 4400 wrote to memory of 4980	4400	wininit.exe	142
PID 4400 wrote to memory of 4980	4400	wininit.exe	142
PID 4980 wrote to memory of 4304	4980	cmd.exe	144
PID 4980 wrote to memory of 4304	4980	cmd.exe	144
PID 4980 wrote to memory of 4036	4980	cmd.exe	145
PID 4980 wrote to memory of 4036	4980	cmd.exe	145
PID 4980 wrote to memory of 4724	4980	cmd.exe	148
PID 4980 wrote to memory of 4724	4980	cmd.exe	148
PID 4724 wrote to memory of 2524	4724	wininit.exe	149
PID 4724 wrote to memory of 2524	4724	wininit.exe	149
PID 2524 wrote to memory of 2892	2524	cmd.exe	151
PID 2524 wrote to memory of 2892	2524	cmd.exe	151
PID 2524 wrote to memory of 3344	2524	cmd.exe	152
PID 2524 wrote to memory of 3344	2524	cmd.exe	152
PID 2524 wrote to memory of 1020	2524	cmd.exe	153
PID 2524 wrote to memory of 1020	2524	cmd.exe	153

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\32db4bf35b9c2efc730718e2f8cd4fbc.exe
"C:\Users\Admin\AppData\Local\Temp\32db4bf35b9c2efc730718e2f8cd4fbc.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2912
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\ehykonu2\ehykonu2.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4412
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES6F15.tmp" "c:\Windows\System32\CSCE60D380E19A64107ABF259554ED3319A.TMP"
    3⤵
    PID:1484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\pris\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3568
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3832
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\3D Objects\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3584
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4420
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2008
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\32db4bf35b9c2efc730718e2f8cd4fbc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uFAGhnQDKy.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4940
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2292
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:3232
- - C:\Users\Admin\Links\wininit.exe
    "C:\Users\Admin\Links\wininit.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1484
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G1mQn2m5Eg.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3600
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:1936
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:732
    - - C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4048
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YlsA6cJawy.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2144
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfaLCNk3Y7.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1144
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4036
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YlsA6cJawy.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3344
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ip3Bhi35Fh.bat"
        14⤵
        
        PID:4708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3236
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2128
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CeuXGu4pI7.bat"
        16⤵
        
        PID:2916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2548
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat"
        18⤵
        
        PID:1040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4756
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grDS520PRI.bat"
        20⤵
        
        PID:408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4316
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7vUbsmDZqq.bat"
        22⤵
        
        PID:548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:1332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2520
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dskflg4gU2.bat"
        24⤵
        
        PID:3388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:4760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4364
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fBqx2BHh5U.bat"
        26⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4780
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\szcAPjpm25.bat"
        28⤵
        
        PID:3236
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:4332
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        29⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2808
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\utpnwKYKap.bat"
        30⤵
        
        PID:556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:4572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        31⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3056
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04ySO8WbXQ.bat"
        32⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:2144
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4756
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YlsA6cJawy.bat"
        34⤵
        
        PID:1184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        35⤵
        
        PID:852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:4896
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        35⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ex1oYQHqtZ.bat"
        36⤵
        
        PID:1312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        37⤵
        
        PID:1616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        37⤵
        
        PID:2660
        
        C:\Users\Admin\Links\wininit.exe
        
        "C:\Users\Admin\Links\wininit.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dskflg4gU2.bat"
        38⤵
        
        PID:1668
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        39⤵
        
        PID:3992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        39⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 10 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\pris\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\pris\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\pris\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Links\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\Links\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\3D Objects\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\3D Objects\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\3D Objects\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "32db4bf35b9c2efc730718e2f8cd4fbc3" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\32db4bf35b9c2efc730718e2f8cd4fbc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "32db4bf35b9c2efc730718e2f8cd4fbc" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\32db4bf35b9c2efc730718e2f8cd4fbc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "32db4bf35b9c2efc730718e2f8cd4fbc3" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\32db4bf35b9c2efc730718e2f8cd4fbc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\wininit.exe.log

Filesize
1KB

MD5
f8b2fca3a50771154571c11f1c53887b

SHA1
2e83b0c8e2f4c10b145b7fb4832ed1c78743de3f

SHA256
0efa72802031a8f902c3a4ab18fe3d667dafc71c93eb3a1811e78353ecf4a6b6

SHA512
b98b8d5516593d13415199d4ac6fbe4ff924488487c4bd863cb677601048785d872a3ff30129148e2961cb6fb2fc33117540302980a132f57f7ec9a497813f1a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Temp\04ySO8WbXQ.bat

Filesize
160B

MD5
4ef60d9a321bc9e608a1ac16128e6746

SHA1
f25eb885c5c5a4711fef7f6a1d3029d504abd573

SHA256
4213dee36a88ae27b0b17e25190f803d8d0d2586cd56fea8a2c79728c0bf0ebf

SHA512
f8cf6a64325c869aa6f48c1b27081966911837e955b42541521c388e5b6e0ab6f4baec0b0738ad863db3143850e2ed654c28f691e6cee5a56925ff0f49ec43e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7vUbsmDZqq.bat

Filesize
208B

MD5
47b745e48873915919e90b0d4141e1a7

SHA1
3daddeedb4c4d4bb9dac7e9b646a9cebef83cf64

SHA256
5426771d878e9b22f8d9d08f086bd933973b6cdc886a084cd9c9ec9bacc9c3da

SHA512
a5ce3a40a3e7f332d1b6edfc6b861b559ca2ca05618a75c3f29939a8354c9927ddff61e17a2cafde3648a47ddd617ad140e168e06816da6ba03b3524c54f452c

Download Submit
C:\Users\Admin\AppData\Local\Temp\CeuXGu4pI7.bat

Filesize
160B

MD5
79612ca1a1f7f036d48e99ba653c04d1

SHA1
4fdcb16d58b894a0e90288b742acbae8148b7dc6

SHA256
00dcbbf500a472e4a24a67485251baa46581341b37b35fff63548af215fb4b34

SHA512
4e5d89f4e195abc02bd802346a2b847fa076f50fa81d0c43964c3c65418b0844bf61960dcca7a44bc0dc25d02119a7aa0e679873336d8c9e5308d9aee8df2a78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dskflg4gU2.bat

Filesize
160B

MD5
3184a108b9c0c1dfe9cbbef5c0aa0858

SHA1
c4325723b59fd1fbeee8e60814e4f41e5e6dea59

SHA256
94272df075e5824e06933e7fa50e35e3a3c0f0084303ba0c9c00014ce86a64b8

SHA512
0106d6406f29f6389a34b59a7a224d630146189fb46c08d5d6e15ba51dac7c26f831eddf97ba2d879fbd52d01725c5f512603973c5dace80790b44411c928787

Download Submit
C:\Users\Admin\AppData\Local\Temp\G1mQn2m5Eg.bat

Filesize
208B

MD5
a0e16977e0e75ebe61cae0e1fe4c4b38

SHA1
11812ec21a6b959d0737484885000da77aaeba0c

SHA256
884e16f3ef3873161ab78078598187eff8ce6d659b774037a540f6943582589b

SHA512
d732315e7be040c45eac522337c39df21c97a8e9ab39b17f43b913b0c00c6b34db8fef956b6f67fc20f61b8f08753d41e68b11c28accf76bb0cf72e28df55b29

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ip3Bhi35Fh.bat

Filesize
160B

MD5
a3b06dff25c5ededc0ca20c6fe0ea1d7

SHA1
7f58234967018eb2718429111b4bafb2a8966e4a

SHA256
92357139b94aa5169a75e2268f1f6635a9653fb192dc3d72ccf6419ec4683d03

SHA512
330ce24765a85c9076cfacfa08778a24c1f7065c05c812aeb57c287d3e01848dfa42e44a1eb0a5fe0e7d89df49a935f120285710fbd1b8c8e2fe1cdeeb4c822b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfaLCNk3Y7.bat

Filesize
208B

MD5
68988f1a0d6d8bbda92a18052111d2cf

SHA1
8a8391bfb8297d3eea079dc8899b621fa46ec6c0

SHA256
c012c22a537f820f3d29b6d80e3e2ba0e1b37b56e99479907ef15dbaa5948d15

SHA512
b02991c3c602af7a556e67e2478c3068af1b6ce53356fc4f9f9cdc2e7427ddfd648411bc1622ef97e213739b2baca37695c5c266c5e6b15df9625136defe9746

Download Submit
C:\Users\Admin\AppData\Local\Temp\RES6F15.tmp

Filesize
1KB

MD5
047f805574a2e68e46cf68d8f6561a48

SHA1
d3b5642a648ccf23481b9f83353528026b553c11

SHA256
b0ba49fd60efeb608e61f8519b20c1bf96b58dac3c9660fb12172003740a0a76

SHA512
c2764c33f2aa1c60b44a1066e21325731ee0865f419f9010c2ce5ed75691608fec383cf82855242703d3d7b9661f9aabe5980366450263a48ce6f52d42aecd26

Download Submit
C:\Users\Admin\AppData\Local\Temp\UHHMDGRBfc.bat

Filesize
208B

MD5
5ed80ffb65457e1d0302d629ddead8f7

SHA1
7a516136cffaf48956acbcb1cda93e5cacdd3507

SHA256
f118a14356d65a222b8c0853050168cf725a2c4fc576b00088fa8dd9b406386d

SHA512
e3fd0d199831b89c497ecaab14d0972210c3fd3e4f21a40d2d56159b55d2af8697f8b1de799c70225c25e1ae8ecb55a9a7334f685dc4a761063d36b6ed5e7508

Download Submit
C:\Users\Admin\AppData\Local\Temp\YlsA6cJawy.bat

Filesize
208B

MD5
11ec54ac30b41ef833d998efcd675208

SHA1
e583fd578a77e35e677b1f6c0c67575f94804f82

SHA256
8624a0f08dbf88a9b140367561258f3e035b10ef4965b6dde532fc9546457c11

SHA512
5deed3c4b210aa9fa457e8c73b05d7bc9815b05299e5b479858817729ed647ff778c3be6a0a2dd209e00b5f024e183d561735276aeae4257931ede98d5db84e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_eski3xhe.rxc.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ex1oYQHqtZ.bat

Filesize
208B

MD5
1a948fa3cbc3e0544e2d3a3f14e0fe57

SHA1
f1a85c40207000ee660139b348cde56ea21e4c52

SHA256
664b6b5695f6924e969565ff31cd6816d6bfbe595f7ebcc0e3bfb18d3113745c

SHA512
f099ff5b329f423ff817306232cda1b5bc087a462a49239b8cd8396c0d4229bc7a0332256deeea64609926dd417b7518e843ae3effee5a18c4e52d07e886fa64

Download Submit
C:\Users\Admin\AppData\Local\Temp\fBqx2BHh5U.bat

Filesize
208B

MD5
6c58c2c82791ee39a8f713072133500c

SHA1
06cf7b7f1152dc8e72fd72703aaff46d5efe9c9e

SHA256
52de91ac6e485ce72c544383faa13e8feb867c6a9308e7e8ee03e24aaabb36fe

SHA512
52edea1c3292912bef5ee9f1583b88d2f3e5b68e2d60c2a6b997ff402f2596287e7c279cf90d6876cba3a23ca3ec25db54e4c31b4a1d1418125d8016bf966e98

Download Submit
C:\Users\Admin\AppData\Local\Temp\grDS520PRI.bat

Filesize
208B

MD5
0f88080f9b3b4962d80bfbeb89082670

SHA1
488c2446559a0b99867dd874537743b61af3e7da

SHA256
3d45a51ffb479bd6fac559a3c6c8e128b4b9dee19785a81f4569c6950e480963

SHA512
2249c988fd0ab2c74a0bcda4b96e5c8e680e16155968f39dab0e15583179c363c79425e65c28235f72e4d6f2d071dc317900805d42f158bdcc0a36347f2f6b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\szcAPjpm25.bat

Filesize
160B

MD5
42ab97eeb236b24bae33d7f3019ef255

SHA1
e51b861c0594c9f263c781b335c21680168464e9

SHA256
4dddc617c944a04902e5dbf3662aecac44741899dd6b091ec44052e0e5cca754

SHA512
5537b0d97b3c349d464ef45ad3a436438188c0b0292c0058a3657d2833af9ecb0bdc70150e7f5d24430cbc3d083640ebd45d16434e015d0c8cd060a90f2ddad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uERItUpcE0.bat

Filesize
160B

MD5
0e1416cb9b5a507cec3dbd71f26b996f

SHA1
11ffcf7c600ba8e63c08d7f0f4903309eeb5db72

SHA256
376217305fd23b2d1a9dbc1877feba07edceb9ef57f7d94b55cf19308ddceb2b

SHA512
6b455c1509ee8bfaaf76778043c35cfd5bae17f448b9c1c4964b064afa0a47aa8769e088fb8f22f243da8151cd170e049ec5ed49bb5c8eaa386952c04ebdfbd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uFAGhnQDKy.bat

Filesize
208B

MD5
131237fc2ab57974acaf594adce612be

SHA1
50fde910920106160003a9d748f06bca62a5cdc4

SHA256
4bb991163d69b5a1fc58d12a4dcaea42c78c26d55af901d54d6d3a34036f24aa

SHA512
135d39b07e89690564b71e88cdc7cb9d758fe08e31cbf1efcbb961b94598bfe82f03c4c59821d7a41c2efb5d6f7ff4ad1213fdde1fd2c15af79c13516f08faf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\utpnwKYKap.bat

Filesize
160B

MD5
c1f9a438fe414f86784860066a1aee1e

SHA1
10bf0c627e7d9c907972852add00e1db6c2361c2

SHA256
1809c6beac35df5bc1e9b34749f85ddf8b76304b457371c72ea04d2436414280

SHA512
7629dcf79173d24c1b75f7e51e6762f18c9a493484ef545fc35ae846aa311ebdafb1192351ce7e542aace5fa5e76c5a1d07243f87d2386708a118d8f5e907af0

Download Submit
C:\Windows\SystemApps\Microsoft.Windows.AddSuggestedFoldersToLibraryDialog_cw5n1h2txyewy\pris\SearchApp.exe

Filesize
1.8MB

MD5
32db4bf35b9c2efc730718e2f8cd4fbc

SHA1
616a5c549f6c1c191f82d8cea82c65e25869241e

SHA256
2fb0b933c97aa9b37e31f7adf38695e8185b61c7d312c183f05fd4256ef38497

SHA512
577146b764a00bcd3ff34a4ec278c49db91e7a5eb3647f561455499a7c01c52c513a5283041a378ffb57747e0ad0c93795d7287b5814a01f94612ac81f1828c2

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ehykonu2\ehykonu2.0.cs

Filesize
439B

MD5
65eeaef0e9362884cbd53ec6b93a1ba0

SHA1
23a5c9ce5cc4db0dbcb9041db6c04d85d903be52

SHA256
02267169100a5156383dd0ae3abd47deb3e4dc941e12b4a545828775f62c2c25

SHA512
37848253724b2cb2ec0762fa958db962cb988ef5dd6ffba4ebe7e0d3c022cb1735f9e93183900a43755abcfbfbe5c37a1affe1ff666c7b5dac49e4c2c93cd95f

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\ehykonu2\ehykonu2.cmdline

Filesize
235B

MD5
94b5975bac2ea22f709de3d81478ca4f

SHA1
54d7dd6934d426b93b125abe0216a1fed15ea570

SHA256
40232164818d6efbb2910bffda53d7dc3579c296195eb4627d0ba4e2d69202a9

SHA512
efa34498646b96bdd24f9ec31a01ba5ed31fd2f3d7fac03aae5f354047399921f5051ac070a9adb8401bc284fc5d7e116686bde2af2bf825ee89599b16e71884

Download Submit
\??\c:\Windows\System32\CSCE60D380E19A64107ABF259554ED3319A.TMP

Filesize
1KB

MD5
5984679060d0fc54eba47cead995f65a

SHA1
f72bbbba060ac80ac6abedc7b8679e8963f63ebf

SHA256
4104fdf5499f0aa7dd161568257acae002620ec385f2ede2072d4f550ecff433

SHA512
bc8aadfabe5dbb4e3ea5e07a5ccbddd363400005675acda3e9cb414dc75fb0ba74f41b4a6baf34d42f85a9ae0af7d2418420c78b0c643f7243fe93a49b8140b5

Download Submit
memory/2912-15-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-14-0x000000001BB00000-0x000000001BB0C000-memory.dmp

Filesize
48KB

Download
memory/2912-1-0x0000000000E20000-0x0000000000FFA000-memory.dmp

Filesize
1.9MB

Download
memory/2912-34-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-30-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-29-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-26-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-19-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-0-0x00007FFF3DBE3000-0x00007FFF3DBE5000-memory.dmp

Filesize
8KB

Download
memory/2912-86-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-10-0x000000001BBA0000-0x000000001BBF0000-memory.dmp

Filesize
320KB

Download
memory/2912-12-0x000000001BB40000-0x000000001BB58000-memory.dmp

Filesize
96KB

Download
memory/2912-9-0x000000001BB20000-0x000000001BB3C000-memory.dmp

Filesize
112KB

Download
memory/2912-7-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-6-0x000000001BAB0000-0x000000001BABE000-memory.dmp

Filesize
56KB

Download
memory/2912-4-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-3-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/2912-2-0x00007FFF3DBE0000-0x00007FFF3E6A1000-memory.dmp

Filesize
10.8MB

Download
memory/4420-59-0x000001B99D7E0000-0x000001B99D802000-memory.dmp

Filesize
136KB

Download