dcrat | 18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
10-01-2025 04:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Size

827KB
MD5

c847a23633e81d799fba45bde7cc9951
SHA1

090035126cabb2fb574175c271097042025202de
SHA256

18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c
SHA512

6b057e15133fe58bc1d105a90b761d2f3558e8a8d3a901d9892905dd75f6be569a4bff4a02d919623305c4d524d96b7f902ef3dded6782cc237b1a47807f34bb
SSDEEP

12288:EP4wqKCH1Hq0nAwv+j49dkrI58NAyZixuj8zXcdFjfpdpoyqQ6Tz:ENdgHqBj49dkrIscuQwbrqQ6Tz

Score

10^/10

dcrat infostealer persistence rat

Malware Config

Signatures

DcRat 42 IoCs

DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

rat infostealer dcrat

pid	Process
1920	schtasks.exe
2536	schtasks.exe
2152	schtasks.exe
1992	schtasks.exe
1212	schtasks.exe
2576	schtasks.exe
3044	schtasks.exe
2036	schtasks.exe
2896	schtasks.exe
1864	schtasks.exe
1248	schtasks.exe
1896	schtasks.exe
2188	schtasks.exe
2228	schtasks.exe
2832	schtasks.exe
580	schtasks.exe
2944	schtasks.exe
908	schtasks.exe
1948	schtasks.exe
1472	schtasks.exe
1712	schtasks.exe
2292	schtasks.exe
564	schtasks.exe
1220	schtasks.exe
344	schtasks.exe
3036	schtasks.exe
2732	schtasks.exe
2876	schtasks.exe
2916	schtasks.exe
2852	schtasks.exe
676	schtasks.exe
1716	schtasks.exe
2840	schtasks.exe
340	schtasks.exe
2724	schtasks.exe
2712	schtasks.exe
1588	schtasks.exe
2184	schtasks.exe
2572	schtasks.exe
2120	schtasks.exe
1672	schtasks.exe
1328	schtasks.exe

Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 14 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\d881ecfb1357f383d18f1e4fd0554eb0\\cbshandler\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\d881ecfb1357f383d18f1e4fd0554eb0\\cbshandler\\winlogon.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\d881ecfb1357f383d18f1e4fd0554eb0\\cbshandler\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\d881ecfb1357f383d18f1e4fd0554eb0\\cbshandler\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\addins\\explorer.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\d881ecfb1357f383d18f1e4fd0554eb0\\cbshandler\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\addins\\explorer.exe\", \"C:\\Users\\Default User\\taskhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\d881ecfb1357f383d18f1e4fd0554eb0\\cbshandler\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\d881ecfb1357f383d18f1e4fd0554eb0\\cbshandler\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\addins\\explorer.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\All Users\\Templates\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\", \"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\", \"C:\\Windows\\Migration\\dllhost.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\", \"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\", \"C:\\Windows\\SoftwareDistribution\\Download\\d881ecfb1357f383d18f1e4fd0554eb0\\cbshandler\\winlogon.exe\", \"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\", \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\", \"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dwm.exe\", \"C:\\Windows\\addins\\explorer.exe\", \"C:\\Users\\Default User\\taskhost.exe\", \"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\", \"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2676	schtasks.exe	30
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2676	schtasks.exe	30

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/memory/2660-1-0x0000000001250000-0x0000000001326000-memory.dmp	dcrat
behavioral1/files/0x00050000000193d9-11.dat	dcrat
behavioral1/memory/2180-37-0x0000000000AB0000-0x0000000000B86000-memory.dmp	dcrat
behavioral1/memory/2628-51-0x0000000000340000-0x0000000000416000-memory.dmp	dcrat
behavioral1/memory/1904-58-0x0000000000290000-0x0000000000366000-memory.dmp	dcrat
behavioral1/memory/3004-65-0x0000000000E70000-0x0000000000F46000-memory.dmp	dcrat
behavioral1/memory/1072-78-0x00000000012E0000-0x00000000013B6000-memory.dmp	dcrat
behavioral1/memory/2972-97-0x0000000001350000-0x0000000001426000-memory.dmp	dcrat
behavioral1/memory/2724-104-0x0000000000030000-0x0000000000106000-memory.dmp	dcrat
behavioral1/memory/2900-111-0x0000000000A10000-0x0000000000AE6000-memory.dmp	dcrat
behavioral1/memory/1548-118-0x0000000000CC0000-0x0000000000D96000-memory.dmp	dcrat

Executes dropped EXE 13 IoCs

pid	Process
2180	System.exe
1260	System.exe
2628	System.exe
1904	System.exe
3004	System.exe
1660	System.exe
1072	System.exe
1784	System.exe
1944	System.exe
2972	System.exe
2724	System.exe
2900	System.exe
1548	System.exe

Adds Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Migration\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\MSOCache\\All Users\\{90140000-0018-0409-0000-0000000FF1CE}-C\\dwm.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default User\\taskhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\taskhost = "\"C:\\Users\\Default User\\taskhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\audiodg = "\"C:\\MSOCache\\All Users\\{90140000-0016-0409-0000-0000000FF1CE}-C\\audiodg.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Microsoft Analysis Services\\AS OLEDB\\10\\Cartridges\\services.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\MSOCache\\All Users\\{90140000-0117-0409-0000-0000000FF1CE}-C\\Access.en-us\\sppsvc.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SoftwareDistribution\\Download\\d881ecfb1357f383d18f1e4fd0554eb0\\cbshandler\\winlogon.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\addins\\explorer.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Windows\\assembly\\NativeImages_v4.0.30319_64\\System.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Templates\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\Migration\\dllhost.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files (x86)\\Windows Media Player\\it-IT\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\explorer.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\smss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "\"C:\\Windows\\addins\\explorer.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Users\\All Users\\Templates\\csrss.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Program Files (x86)\\Common Files\\microsoft shared\\MSInfo\\es-ES\\System.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Windows\\SoftwareDistribution\\Download\\d881ecfb1357f383d18f1e4fd0554eb0\\cbshandler\\winlogon.exe\""	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
11	pastebin.com
13	pastebin.com
21	pastebin.com
5	pastebin.com
7	pastebin.com
17	pastebin.com
29	pastebin.com
27	pastebin.com
9	pastebin.com
19	pastebin.com
23	pastebin.com
25	pastebin.com
4	pastebin.com
15	pastebin.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\27d1bcfc3c54e0	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\c5b4cb5e9653cc	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\csrss.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\886983d96e3d3e	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Drops file in Windows directory 8 IoCs

description	ioc	Process
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\System.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\assembly\NativeImages_v4.0.30319_64\27d1bcfc3c54e0	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\Migration\dllhost.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\Migration\5940a34987c991	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\winlogon.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\cc11b995f2a76d	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\addins\explorer.exe	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
File created	C:\Windows\addins\7a0fd90576e088	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1920	schtasks.exe
344	schtasks.exe
2712	schtasks.exe
2036	schtasks.exe
1896	schtasks.exe
3036	schtasks.exe
2576	schtasks.exe
2572	schtasks.exe
564	schtasks.exe
2188	schtasks.exe
1672	schtasks.exe
1328	schtasks.exe
2832	schtasks.exe
3044	schtasks.exe
1864	schtasks.exe
1716	schtasks.exe
2184	schtasks.exe
340	schtasks.exe
580	schtasks.exe
2916	schtasks.exe
1712	schtasks.exe
1220	schtasks.exe
2536	schtasks.exe
2152	schtasks.exe
1588	schtasks.exe
2840	schtasks.exe
2120	schtasks.exe
1992	schtasks.exe
1212	schtasks.exe
2732	schtasks.exe
2876	schtasks.exe
2724	schtasks.exe
2292	schtasks.exe
2896	schtasks.exe
2852	schtasks.exe
1248	schtasks.exe
676	schtasks.exe
2944	schtasks.exe
908	schtasks.exe
2228	schtasks.exe
1948	schtasks.exe
1472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
2180	System.exe
1260	System.exe
2628	System.exe
1904	System.exe
3004	System.exe
1660	System.exe
1072	System.exe
1784	System.exe
1944	System.exe
2972	System.exe
2724	System.exe
2900	System.exe
1548	System.exe

Suspicious use of AdjustPrivilegeToken 14 IoCs

description	pid	Process
Token: SeDebugPrivilege	2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
Token: SeDebugPrivilege	2180	System.exe
Token: SeDebugPrivilege	1260	System.exe
Token: SeDebugPrivilege	2628	System.exe
Token: SeDebugPrivilege	1904	System.exe
Token: SeDebugPrivilege	3004	System.exe
Token: SeDebugPrivilege	1660	System.exe
Token: SeDebugPrivilege	1072	System.exe
Token: SeDebugPrivilege	1784	System.exe
Token: SeDebugPrivilege	1944	System.exe
Token: SeDebugPrivilege	2972	System.exe
Token: SeDebugPrivilege	2724	System.exe
Token: SeDebugPrivilege	2900	System.exe
Token: SeDebugPrivilege	1548	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2660 wrote to memory of 2180	2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	73
PID 2660 wrote to memory of 2180	2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	73
PID 2660 wrote to memory of 2180	2660	18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe	73
PID 2180 wrote to memory of 1596	2180	System.exe	74
PID 2180 wrote to memory of 1596	2180	System.exe	74
PID 2180 wrote to memory of 1596	2180	System.exe	74
PID 1596 wrote to memory of 2056	1596	cmd.exe	76
PID 1596 wrote to memory of 2056	1596	cmd.exe	76
PID 1596 wrote to memory of 2056	1596	cmd.exe	76
PID 1596 wrote to memory of 1260	1596	cmd.exe	77
PID 1596 wrote to memory of 1260	1596	cmd.exe	77
PID 1596 wrote to memory of 1260	1596	cmd.exe	77
PID 1260 wrote to memory of 2984	1260	System.exe	78
PID 1260 wrote to memory of 2984	1260	System.exe	78
PID 1260 wrote to memory of 2984	1260	System.exe	78
PID 2984 wrote to memory of 2688	2984	cmd.exe	80
PID 2984 wrote to memory of 2688	2984	cmd.exe	80
PID 2984 wrote to memory of 2688	2984	cmd.exe	80
PID 2984 wrote to memory of 2628	2984	cmd.exe	81
PID 2984 wrote to memory of 2628	2984	cmd.exe	81
PID 2984 wrote to memory of 2628	2984	cmd.exe	81
PID 2628 wrote to memory of 2720	2628	System.exe	82
PID 2628 wrote to memory of 2720	2628	System.exe	82
PID 2628 wrote to memory of 2720	2628	System.exe	82
PID 2720 wrote to memory of 2844	2720	cmd.exe	84
PID 2720 wrote to memory of 2844	2720	cmd.exe	84
PID 2720 wrote to memory of 2844	2720	cmd.exe	84
PID 2720 wrote to memory of 1904	2720	cmd.exe	85
PID 2720 wrote to memory of 1904	2720	cmd.exe	85
PID 2720 wrote to memory of 1904	2720	cmd.exe	85
PID 1904 wrote to memory of 536	1904	System.exe	86
PID 1904 wrote to memory of 536	1904	System.exe	86
PID 1904 wrote to memory of 536	1904	System.exe	86
PID 536 wrote to memory of 2900	536	cmd.exe	88
PID 536 wrote to memory of 2900	536	cmd.exe	88
PID 536 wrote to memory of 2900	536	cmd.exe	88
PID 536 wrote to memory of 3004	536	cmd.exe	89
PID 536 wrote to memory of 3004	536	cmd.exe	89
PID 536 wrote to memory of 3004	536	cmd.exe	89
PID 3004 wrote to memory of 2392	3004	System.exe	90
PID 3004 wrote to memory of 2392	3004	System.exe	90
PID 3004 wrote to memory of 2392	3004	System.exe	90
PID 2392 wrote to memory of 324	2392	cmd.exe	92
PID 2392 wrote to memory of 324	2392	cmd.exe	92
PID 2392 wrote to memory of 324	2392	cmd.exe	92
PID 2392 wrote to memory of 1660	2392	cmd.exe	93
PID 2392 wrote to memory of 1660	2392	cmd.exe	93
PID 2392 wrote to memory of 1660	2392	cmd.exe	93
PID 1660 wrote to memory of 1532	1660	System.exe	94
PID 1660 wrote to memory of 1532	1660	System.exe	94
PID 1660 wrote to memory of 1532	1660	System.exe	94
PID 1532 wrote to memory of 2764	1532	cmd.exe	96
PID 1532 wrote to memory of 2764	1532	cmd.exe	96
PID 1532 wrote to memory of 2764	1532	cmd.exe	96
PID 1532 wrote to memory of 1072	1532	cmd.exe	97
PID 1532 wrote to memory of 1072	1532	cmd.exe	97
PID 1532 wrote to memory of 1072	1532	cmd.exe	97
PID 1072 wrote to memory of 2508	1072	System.exe	98
PID 1072 wrote to memory of 2508	1072	System.exe	98
PID 1072 wrote to memory of 2508	1072	System.exe	98
PID 2508 wrote to memory of 1988	2508	cmd.exe	100
PID 2508 wrote to memory of 1988	2508	cmd.exe	100
PID 2508 wrote to memory of 1988	2508	cmd.exe	100
PID 2508 wrote to memory of 1784	2508	cmd.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe
"C:\Users\Admin\AppData\Local\Temp\18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d153.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2660
- C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
  "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1596
  - - C:\Windows\system32\w32tm.exe
      w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
      4⤵
      PID:2056
  - - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
      "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1260
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2984
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2688
      - C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2844
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2900
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:324
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2764
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1988
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        17⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2088
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
        19⤵
        
        PID:1260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2564
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat"
        21⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1408
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
        23⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2532
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat"
        25⤵
        
        PID:1120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:900
        
        C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe
        
        "C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat"
        27⤵
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Templates\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\es-ES\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\dllhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Migration\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\dllhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\services.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\winlogon.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Windows\SoftwareDistribution\Download\d881ecfb1357f383d18f1e4fd0554eb0\cbshandler\winlogon.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\csrss.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\csrss.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\explorer.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\explorer.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\taskhost.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\taskhost.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\sppsvc.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\System.exe'" /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\NativeImages_v4.0.30319_64\System.exe'" /rl HIGHEST /f
1⤵
- DcRat
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\smss.exe

Filesize
827KB

MD5
c847a23633e81d799fba45bde7cc9951

SHA1
090035126cabb2fb574175c271097042025202de

SHA256
18e568eb4ca89f8a3e4f04b1eb15472b55b4548f4d15367377a7b942c259319c

SHA512
6b057e15133fe58bc1d105a90b761d2f3558e8a8d3a901d9892905dd75f6be569a4bff4a02d919623305c4d524d96b7f902ef3dded6782cc237b1a47807f34bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
241B

MD5
7a328793db76ca75b6d6ca46a64f7ec6

SHA1
0d816e168488a696dc1f18ed6b8de8c942efde9c

SHA256
b816fe4e8ffc5c6d3be1c391df9d258e3ff8ae9f12d0dd6e48d27ce3c28569cc

SHA512
4659e905db07055e6939e6b4fdf346678b8ae42833dc4ef06228a0254e0ecec64dbc1054607176d170b5158b99663e6dd99fcbb797983b833fa2d1905059fcde

Download Submit
C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat

Filesize
241B

MD5
950fde5fc92748c0fd8a3f93c755f79d

SHA1
42ba2bd916c3bc9b43cd6e42d1fad8b756c2d916

SHA256
fe40c103addb98f06bf4070aaedb1eea0032646eafcd778707c45b3c307fc3a9

SHA512
a4d0a98176abfebd78afa327f93cc84f756fcc6e0f274d3138eb1e2341374631927f454bc287eade25f3130cc4837074972e43ff38b115375eb96d80a90ceffc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gy1gqmGK9f.bat

Filesize
241B

MD5
b8107a96b14ceea090b443b2c87d2045

SHA1
a6d525004df7214431c0073294efa562023df54a

SHA256
dcb74577688172a0a86c97f0a10036bc6b095feed20be018a98d41bca283ede5

SHA512
8260f670fc3a6d107ddd47edc58202ae84fb50f0ef976f6ab65c83c03c32f61e95fb522a309f78848115491d160ac98b63035cc857efa14e274339ef9d8bd52b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
241B

MD5
cf33dab1b967d9063342da8555066bbf

SHA1
785f3fd29af7eabaaebf43a75a0c6c985e351de8

SHA256
98a459c260ba9aef83ff6a16b6f2fe35f2d92bc789337268c06208f2708d1fdf

SHA512
e3537ba97acf22cafb999ca772b7169179218294b03d56a47138c2808b2e5dd746695e938fdbc883da467ef41f3e260a888451b9de6d8e892b16e68948ac6480

Download Submit
C:\Users\Admin\AppData\Local\Temp\J97QZsi4Oz.bat

Filesize
241B

MD5
324d7594303143545df93bfe8d267cdb

SHA1
57dba4d00960e8bd4f9bbfc891f10bafda720209

SHA256
8c3cd49700655eaa1041ff6cc9e91f5e198f729bd1371fb8b263b063ac474b48

SHA512
5a287e2b6ee6c1b14d10f9724d2c021feea7d3c62ea91539aea96d753ddc58743c168f214cd4cd95396c5c12297010598a7104ddbeb4504340cebef66a26e44e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
241B

MD5
1e601477097c5cb32777ae9b4d24f65e

SHA1
6cf1af8b0872de9ebbfe14ddbb10cb9ca9d27446

SHA256
5868d1a4f7e4b8a1d55f9084bdd8a9a2939d0f7e5add732e82e2cbbfeef8c12f

SHA512
7a1b3b2f6654a70fb671a7b0b39aa2548f8648425a7fef28e19b297939d063df45913dcec718d450bcd2b1067e255dffc8a70e34b54b4f1da21e3809ec721e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZh5ueQJla.bat

Filesize
241B

MD5
ae38f81659043a18862a9243da57537f

SHA1
c6e9774236eb4d2fdced3da2f8ca1edbe56891de

SHA256
60a28655e8115d0da06e2dfac6a60a3e2816bc0a547b729bd68968e02c91dfd3

SHA512
1c1448ba679dfff8a456bf506f33ac98ca8b2818ecd674b2ebef7327f034b508334a51cb9cd5f6731662aeb6a40e86d6389b1ee999fefe7947636410f0c526e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat

Filesize
241B

MD5
08812e4cba7be8fc22896e3d04b4a8f5

SHA1
59e643334259249c56f52dbb4e0623ce565b2b80

SHA256
1a337809e57ccf06d06ef30b313356a8ed844527b2155eef155d562b80829db7

SHA512
ea3d13f89a2f3df910eaf601cfdea61685de4bcd670308e735c0970ebad9ccf9d1b69e2e0189250b0737d22f4081e493598ea120a6628df9449b37f64b703f0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LgxiiauvsB.bat

Filesize
241B

MD5
7a215a119dc7f5f607f0f430ba03e742

SHA1
5d0d7896bad5ec58ae7bcf7d9ec8eabbd54d69c7

SHA256
c08391ebcc370f8fef517b4438856f3d29e930ff9a311c2c6af4947201712b1d

SHA512
06f2ca56d984b99f582b96b5aed7b688572a33dfb961a9c24153222f67119892fe1fd0a000c6640b4cfefe38b639b3b6ca296a2b9dae1a3bce9144f893656d05

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat

Filesize
241B

MD5
4e0bb018bc8386b01568bc0d12e9b7c1

SHA1
16587c402533b3ce8893ae6903c25066564fc460

SHA256
23c240e67fa97db9936b12ba7fc4a811ce8972e3256d0d03a0905bfa718b89e8

SHA512
5e239147cfa08c031e4bf6d29e703169545a6f505a1727e57e133385cbf3930b45da8ce8ffeda3cd1c4be8415bdb78d3e02c9a9d77e926c97e744d533788fc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
241B

MD5
65866b107bf935eda28fdb447a0de391

SHA1
217d76db767a9f732e594a7694166dc8d3b3445c

SHA256
bee393a163bc5436178c4ee9251b16df0b3d7bf6ee7ba8f8b8bd372f895b6a89

SHA512
71b78705032ef892854f363c2ab90d29248d23d8182f646b750d17fc8fafc939335cbd89713fa2ed9657c59698aac8cba1d40b8a800564fc4cc6dc3a1bf27e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
241B

MD5
3cc5cb1c3680c3d1ed41f878cb4c8e12

SHA1
e16b559cbda6a0fd143bbce60ec681da5c1f45c1

SHA256
ef81386375eb91134bd57b4c1c4beb99898bb807824f5d85a9c904b7ca2a7c70

SHA512
386775d0ae67379e84aa890b7da06d7a4377dde8fb3571ab8722ca8742735d98edb8e086f8b07b87a7c207d9ff52f81c9fa60d5130bb2144f04a96798b04796d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEoBbgPmrR.bat

Filesize
241B

MD5
88e0d31263b03d89a3c3f2f20b514de9

SHA1
401d04e70589d6bd4653365f948134262705d272

SHA256
a7f1be0ac3b7724a3bdb61b59179039e87b61b2cbdfbec94f32220902d2e71a1

SHA512
3589c8d0042dfe57514b486d3e260fb9065d0f56e3d618693b1595e0f678bae8ae58388973686f74af480f8bec102ecfc8b70b076cc3c75fa14068cb550dce01

Download Submit
memory/1072-78-0x00000000012E0000-0x00000000013B6000-memory.dmp

Filesize
856KB

Download
memory/1548-118-0x0000000000CC0000-0x0000000000D96000-memory.dmp

Filesize
856KB

Download
memory/1904-58-0x0000000000290000-0x0000000000366000-memory.dmp

Filesize
856KB

Download
memory/2180-37-0x0000000000AB0000-0x0000000000B86000-memory.dmp

Filesize
856KB

Download
memory/2628-51-0x0000000000340000-0x0000000000416000-memory.dmp

Filesize
856KB

Download
memory/2660-38-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2660-0-0x000007FEF6003000-0x000007FEF6004000-memory.dmp

Filesize
4KB

Download
memory/2660-1-0x0000000001250000-0x0000000001326000-memory.dmp

Filesize
856KB

Download
memory/2660-2-0x000007FEF6000000-0x000007FEF69EC000-memory.dmp

Filesize
9.9MB

Download
memory/2724-104-0x0000000000030000-0x0000000000106000-memory.dmp

Filesize
856KB

Download
memory/2900-111-0x0000000000A10000-0x0000000000AE6000-memory.dmp

Filesize
856KB

Download
memory/2972-97-0x0000000001350000-0x0000000001426000-memory.dmp

Filesize
856KB

Download
memory/3004-65-0x0000000000E70000-0x0000000000F46000-memory.dmp

Filesize
856KB

Download