dcrat | 3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
12-01-2025 02:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Size

1.9MB
MD5

6b9554367a439d39a00a0dff9a08b123
SHA1

e1d22cde90c297c10f4fcba5b3980e5d551eb0b3
SHA256

3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9
SHA512

72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720
SSDEEP

49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\fontdrvhost.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\fontdrvhost.exe\", \"C:\\Users\\Default User\\Idle.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\fontdrvhost.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\sppsvc.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\fontdrvhost.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\fontdrvhost.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Recent\\wininit.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files (x86)\\Windows Multimedia Platform\\fontdrvhost.exe\", \"C:\\Users\\Default User\\Idle.exe\", \"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\sppsvc.exe\", \"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\", \"C:\\Users\\Default\\Recent\\wininit.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4628	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3384	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3924	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2104	schtasks.exe	83
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2104	schtasks.exe	83

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4016	powershell.exe
3624	powershell.exe
3172	powershell.exe
3016	powershell.exe
3740	powershell.exe
960	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	RuntimeBroker.exe

Executes dropped EXE 15 IoCs

pid	Process
2868	RuntimeBroker.exe
1576	RuntimeBroker.exe
2200	RuntimeBroker.exe
1108	RuntimeBroker.exe
1144	RuntimeBroker.exe
4000	RuntimeBroker.exe
2300	RuntimeBroker.exe
4960	RuntimeBroker.exe
3636	RuntimeBroker.exe
996	RuntimeBroker.exe
4552	RuntimeBroker.exe
4164	RuntimeBroker.exe
4016	RuntimeBroker.exe
1032	RuntimeBroker.exe
1624	RuntimeBroker.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Idle = "\"C:\\Users\\Default User\\Idle.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\sppsvc.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Recent\\wininit.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Users\\Default\\Recent\\wininit.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\fontdrvhost.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sppsvc = "\"C:\\Program Files (x86)\\Reference Assemblies\\Microsoft\\Framework\\v3.5\\sppsvc.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Recovery\\WindowsRE\\RuntimeBroker.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\fontdrvhost = "\"C:\\Program Files (x86)\\Windows Multimedia Platform\\fontdrvhost.exe\""	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\-63gkj.exe	csc.exe
File created	\??\c:\Windows\System32\CSCE00F149CD5341B4BBC8ED4656B9E186.TMP	csc.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sppsvc.exe	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\0a1fd5f707cd16	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
File created	C:\Program Files\ModifiableWindowsApps\SppExtComObj.exe	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\5b884080fd4f94	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4488	PING.EXE
2096	PING.EXE
688	PING.EXE
4796	PING.EXE
1612	PING.EXE
1932	PING.EXE
8	PING.EXE

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	RuntimeBroker.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
2096	PING.EXE
688	PING.EXE
4796	PING.EXE
1612	PING.EXE
1932	PING.EXE
8	PING.EXE
4488	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4328	schtasks.exe
3908	schtasks.exe
3064	schtasks.exe
2880	schtasks.exe
3924	schtasks.exe
644	schtasks.exe
2888	schtasks.exe
1780	schtasks.exe
2764	schtasks.exe
4692	schtasks.exe
3628	schtasks.exe
3336	schtasks.exe
2740	schtasks.exe
3416	schtasks.exe
3384	schtasks.exe
2364	schtasks.exe
1396	schtasks.exe
4628	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	3172	powershell.exe
Token: SeDebugPrivilege	4016	powershell.exe
Token: SeDebugPrivilege	3624	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	2868	RuntimeBroker.exe
Token: SeDebugPrivilege	1576	RuntimeBroker.exe
Token: SeDebugPrivilege	2200	RuntimeBroker.exe
Token: SeDebugPrivilege	1108	RuntimeBroker.exe
Token: SeDebugPrivilege	1144	RuntimeBroker.exe
Token: SeDebugPrivilege	4000	RuntimeBroker.exe
Token: SeDebugPrivilege	2300	RuntimeBroker.exe
Token: SeDebugPrivilege	4960	RuntimeBroker.exe
Token: SeDebugPrivilege	3636	RuntimeBroker.exe
Token: SeDebugPrivilege	996	RuntimeBroker.exe
Token: SeDebugPrivilege	4552	RuntimeBroker.exe
Token: SeDebugPrivilege	4164	RuntimeBroker.exe
Token: SeDebugPrivilege	4016	RuntimeBroker.exe
Token: SeDebugPrivilege	1032	RuntimeBroker.exe
Token: SeDebugPrivilege	1624	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2276 wrote to memory of 2012	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	87
PID 2276 wrote to memory of 2012	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	87
PID 2012 wrote to memory of 4084	2012	csc.exe	89
PID 2012 wrote to memory of 4084	2012	csc.exe	89
PID 2276 wrote to memory of 960	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	105
PID 2276 wrote to memory of 960	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	105
PID 2276 wrote to memory of 3740	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	106
PID 2276 wrote to memory of 3740	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	106
PID 2276 wrote to memory of 3016	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	107
PID 2276 wrote to memory of 3016	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	107
PID 2276 wrote to memory of 3172	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	108
PID 2276 wrote to memory of 3172	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	108
PID 2276 wrote to memory of 3624	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	109
PID 2276 wrote to memory of 3624	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	109
PID 2276 wrote to memory of 4016	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	110
PID 2276 wrote to memory of 4016	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	110
PID 2276 wrote to memory of 3004	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	117
PID 2276 wrote to memory of 3004	2276	3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe	117
PID 3004 wrote to memory of 1932	3004	cmd.exe	119
PID 3004 wrote to memory of 1932	3004	cmd.exe	119
PID 3004 wrote to memory of 4100	3004	cmd.exe	120
PID 3004 wrote to memory of 4100	3004	cmd.exe	120
PID 3004 wrote to memory of 2868	3004	cmd.exe	122
PID 3004 wrote to memory of 2868	3004	cmd.exe	122
PID 2868 wrote to memory of 2408	2868	RuntimeBroker.exe	124
PID 2868 wrote to memory of 2408	2868	RuntimeBroker.exe	124
PID 2408 wrote to memory of 3580	2408	cmd.exe	126
PID 2408 wrote to memory of 3580	2408	cmd.exe	126
PID 2408 wrote to memory of 1364	2408	cmd.exe	127
PID 2408 wrote to memory of 1364	2408	cmd.exe	127
PID 2408 wrote to memory of 1576	2408	cmd.exe	134
PID 2408 wrote to memory of 1576	2408	cmd.exe	134
PID 1576 wrote to memory of 5020	1576	RuntimeBroker.exe	137
PID 1576 wrote to memory of 5020	1576	RuntimeBroker.exe	137
PID 5020 wrote to memory of 4044	5020	cmd.exe	139
PID 5020 wrote to memory of 4044	5020	cmd.exe	139
PID 5020 wrote to memory of 920	5020	cmd.exe	140
PID 5020 wrote to memory of 920	5020	cmd.exe	140
PID 5020 wrote to memory of 2200	5020	cmd.exe	148
PID 5020 wrote to memory of 2200	5020	cmd.exe	148
PID 2200 wrote to memory of 4804	2200	RuntimeBroker.exe	150
PID 2200 wrote to memory of 4804	2200	RuntimeBroker.exe	150
PID 4804 wrote to memory of 4428	4804	cmd.exe	152
PID 4804 wrote to memory of 4428	4804	cmd.exe	152
PID 4804 wrote to memory of 4488	4804	cmd.exe	153
PID 4804 wrote to memory of 4488	4804	cmd.exe	153
PID 4804 wrote to memory of 1108	4804	cmd.exe	157
PID 4804 wrote to memory of 1108	4804	cmd.exe	157
PID 1108 wrote to memory of 3448	1108	RuntimeBroker.exe	160
PID 1108 wrote to memory of 3448	1108	RuntimeBroker.exe	160
PID 3448 wrote to memory of 4664	3448	cmd.exe	162
PID 3448 wrote to memory of 4664	3448	cmd.exe	162
PID 3448 wrote to memory of 3372	3448	cmd.exe	163
PID 3448 wrote to memory of 3372	3448	cmd.exe	163
PID 3448 wrote to memory of 1144	3448	cmd.exe	165
PID 3448 wrote to memory of 1144	3448	cmd.exe	165
PID 1144 wrote to memory of 4360	1144	RuntimeBroker.exe	168
PID 1144 wrote to memory of 4360	1144	RuntimeBroker.exe	168
PID 4360 wrote to memory of 4344	4360	cmd.exe	170
PID 4360 wrote to memory of 4344	4360	cmd.exe	170
PID 4360 wrote to memory of 2096	4360	cmd.exe	171
PID 4360 wrote to memory of 2096	4360	cmd.exe	171
PID 4360 wrote to memory of 4000	4360	cmd.exe	173
PID 4360 wrote to memory of 4000	4360	cmd.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe
"C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2276
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\kv2a5yur\kv2a5yur.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2012
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESA817.tmp" "c:\Windows\System32\CSCE00F149CD5341B4BBC8ED4656B9E186.TMP"
    3⤵
    PID:4084
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:960
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3740
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sppsvc.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3172
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3624
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4016
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dfT0lGStZN.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1932
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:4100
- - C:\Recovery\WindowsRE\RuntimeBroker.exe
    "C:\Recovery\WindowsRE\RuntimeBroker.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nBqbaEi3SG.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2408
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:3580
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1364
    - - C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6bJqyfyFWM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:920
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9Anfm3pCF.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4804
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4488
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6bJqyfyFWM.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:4664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3372
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2ERwRXGzbm.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4344
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2096
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BXcMvhxfI2.bat"
        14⤵
        
        PID:5064
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4348
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat"
        16⤵
        
        PID:3096
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:3544
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:688
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LsjJJiW2rn.bat"
        18⤵
        
        PID:2268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3768
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zkmgT0HHEw.bat"
        20⤵
        
        PID:464
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:4928
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4796
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9JnEQwxo67.bat"
        22⤵
        
        PID:4944
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:4348
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1612
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CmSUPSwWTx.bat"
        24⤵
        
        PID:3552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:3144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3872
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KduBpxWBgt.bat"
        26⤵
        
        PID:4036
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1932
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nBqbaEi3SG.bat"
        28⤵
        
        PID:2584
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4948
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat"
        30⤵
        
        PID:632
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:3248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:712
        
        C:\Recovery\WindowsRE\RuntimeBroker.exe
        
        "C:\Recovery\WindowsRE\RuntimeBroker.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XfZzlPBQvt.bat"
        32⤵
        
        PID:4440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        33⤵
        
        PID:4744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        33⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:8

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Recent\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a93" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a93" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3384

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Windows Multimedia Platform\fontdrvhost.exe

Filesize
1.9MB

MD5
6b9554367a439d39a00a0dff9a08b123

SHA1
e1d22cde90c297c10f4fcba5b3980e5d551eb0b3

SHA256
3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9

SHA512
72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log

Filesize
1KB

MD5
935ecb30a8e13f625a9a89e3b0fcbf8f

SHA1
41cb046b7b5f89955fd53949efad8e9f3971d731

SHA256
2a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9

SHA512
1210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2ERwRXGzbm.bat

Filesize
167B

MD5
996fb345ec94be14b5b35f481f9b2a4b

SHA1
03e628e0b663fde5c09e56312b4545f3587835c1

SHA256
7c700ebe9c657b160a8b0130bd740041be3fb0659df83258a10c31b521708180

SHA512
8a73e76ee150682f204e64705c318c5558f339894ef0f7efab50e272fb80fad3f204ceae99cc5ed718a2054801ac80a79dbd6a57a4315bbfc486b40d1bc8a3fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\4h6CQ3Ghzc.bat

Filesize
215B

MD5
c800cdbe0a30b8dc9e0797ebc07723d4

SHA1
d6312c1ee53283e7e197d4708786cfd1857d7788

SHA256
cca34681fe1a31b1145727d3e98646695bffe8bd5dd241e25c8c87eddd3f7b7d

SHA512
5795a52c452c8ed0a461ac3a54461a39e69f10fe98b33dee199f96723437f0d2f8a79b9688b9e0c88a9672d714d8d53c4221a0f4c7462ac6696f64290cb929c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6bJqyfyFWM.bat

Filesize
215B

MD5
f65aac5ddafb4609500998f6d3c5dedb

SHA1
bc154a28caf74096884bc78686b7e30700901a24

SHA256
d2dd0fdcebb3b74ed490a16a7f4e5292793d49af603055fd8c9e48c50adcca5f

SHA512
59ec59334fe6a40bca14239352020582a72afd35733fd41dfbe797f5f1a1695a2d3b2f055a1178f1e063819f23ed22a4b1af7ad49bfd27b719e1e70f1f85d925

Download Submit
C:\Users\Admin\AppData\Local\Temp\7AlTOZFOMS.bat

Filesize
167B

MD5
241b05801e7f952fa9348c35541dbf69

SHA1
ddfbd1739703983b47c75d3a3c82527a63120bc8

SHA256
238be1b42a3f463ecc1782d461d254e4ffdb79a1babdc03ad9d00d9287639001

SHA512
25020a105066b5607fb6a52b2d9485956ad14988162c3b165ba31722aea8ee175758c771c6d50a459411e1683fb3867c2502d6393255102e3c2208386e43386b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9JnEQwxo67.bat

Filesize
167B

MD5
562639bfc2f30fcf4bfb39835ddc8fc6

SHA1
1c974788869d065c9851911f42e7b5f5141cf4f4

SHA256
b6b858c4d97c48c5a032490b73aab2f0465dd3f8205067a2a3d342754901b7d4

SHA512
c3fc18c4ec5bd038fa7b9eef11c32ea9a6f1735e06d54ddfe17a36bf4d47786076f1f049492e19843d0e6f84e81e8905a45f2c8b9db93e55a3488e709f85634a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BXcMvhxfI2.bat

Filesize
215B

MD5
d41bd4d862087eebc5ddf68d13756bf5

SHA1
4d788400dcc87ebdeb44db8aea712a52a044fe58

SHA256
49e8ed43c05da3e8ca1c35d9e13d7d84479015e9ebe94724eb4e07ad7da9c67a

SHA512
22d80fd25132992d2f5418e6e43343f52ca051aa4546477ccfaa803c68690e200547aeea17910e41cefd45fc3f60933fb9e1242644f9955afc4be1808a5e8822

Download Submit
C:\Users\Admin\AppData\Local\Temp\CmSUPSwWTx.bat

Filesize
215B

MD5
02266b9a7bb1c948b913233004c4e4e3

SHA1
6d7f38e35b6470f0cb1ca9e25d9786cce7d64e1f

SHA256
00e617ffb01911f7e1b0b210716223d0517fc777176d171636ede536c53da248

SHA512
de5734eff3e43c8cfbb9f658a44a1f51b3f82b1fa6405dce461323d9aa23a6108a4381e8faadb133bbde0f6d10e534ed9802084bfe0f35b4dcb2967f3c07f21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\KduBpxWBgt.bat

Filesize
167B

MD5
eb916370b962f5eb501addac6a013656

SHA1
943549973617e73c8be7faaba74976e965a33157

SHA256
51400f7c9761bcf7a653edc6712007864d8f72133db5f49413653b160ac60bbe

SHA512
b93ba20b3aa13bd84fbe5d7642c63966f740dc8e72895590a9286d2b1bf8f3cb049d6f19c0d02e4f8d56d3bd46ac92c63e39ecaa2c1773771c1ca09b36760f43

Download Submit
C:\Users\Admin\AppData\Local\Temp\LsjJJiW2rn.bat

Filesize
215B

MD5
c5ff8456f037727581d4a58237de1374

SHA1
2ecae593b8483bbd31db68897d74908a0c7d569d

SHA256
d9b4f34a4d121d1b92ff9ed165c5b3ce35026ed57140bf2c2c05ad30a80150d6

SHA512
31427acf79cb248bf664f619d00bada08770d392ff4d4b175ca499e614c5e594ed8bba0dba6b27837c60971b8a507a82967d6057e9fe5471f793028db067e795

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESA817.tmp

Filesize
1KB

MD5
0009b16b52f536a4d7578f9270bdbdf0

SHA1
c6d1665288530a8814e0ca5b7c5c21dbcda4366a

SHA256
eeb7e5ba9eae66d10b85f02b476c951e4db4368333b6b8f9dc5518c55f4ce0d3

SHA512
8a2594a72a7973be6e7e53e71ef73cdf8957fd97a92f83566a3958c0589886273d0cbf34eae3fa1dce86a4855a1709c5b7f57f4fb5d324f1c99720cec5b1b23c

Download Submit
C:\Users\Admin\AppData\Local\Temp\XfZzlPBQvt.bat

Filesize
167B

MD5
ecdea3495d0d10b197cff86ac713d4c8

SHA1
fa37d5de4d0e20cf563949da74b6f80a3087d899

SHA256
64223d428f740f36efd32bcbcab33752d21ec0c006e4585e38d7959c4826bad2

SHA512
54f6c68a87f86bfe9bb4f158b552c0e68459352fc1c08137cae1555a3d369f55d40d28c482bf6328078524c4d73abed147af7b2282d5d8b0081c8b502439904c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_q5ezm4fi.iwj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9Anfm3pCF.bat

Filesize
167B

MD5
60f05375a9c497b192534aa431c6f86d

SHA1
676b780eb5f160ba8183047acffa6b9e4b8affd1

SHA256
dd5297cd6b93dacc28d3c2f66c54cb77a8a32785ac83efc0daa07ec8b7f3ee00

SHA512
84b8e822f8ab78cc6a7ac9adf4e9d3d4d12b620e622cabc62d660d6b18ad1595d54889d8ffa2b5881887dc18532ac0ec5932777be238f7515a287674944ead6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dfT0lGStZN.bat

Filesize
215B

MD5
dcd9171193d4fc0679a2911ce75bf6da

SHA1
9c558e62ea59ab539460b5e9791f452a34fdeff9

SHA256
ff40c2274b873f72223951770ed5eb02f8990e3b5476332b5f03279c20c6c85c

SHA512
28806a735aeab4eef8d3b81dc35b71f73fadecfb4c4dc4bd2b5f7b4fc978d0d0698f32509246add9df5f7570bbcb69b8caa83ebe8e003d6736980e04438c86ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\nBqbaEi3SG.bat

Filesize
215B

MD5
078dcaf0927c28b098e679f4b202fde0

SHA1
816c540793ca46ce861475b156dcd93ff2c36118

SHA256
ad7820e8718bb7af2da2f41a20d40b8df53f28e17f0d337283b16d4690b613a3

SHA512
07683beb137f331647a5b8ad5b8c87518aaf1a74705bd7b99512a003e01d2eda9cd77f06a89fc29fd7631e0ba7837c47a823231dfd20efb8c9ed50c4ff0fdcbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\zkmgT0HHEw.bat

Filesize
167B

MD5
bd6318cafd5957eb60e598e766e929e9

SHA1
44ce264df747fa624acad1b95798db9e13b03235

SHA256
95d5ac5d93971d3dcf03e7ac81ac7e89e2f05185ae628e99d553ad4ddefb5e1e

SHA512
3f59606fbf02d83eed3660085e82ba96851c1ada2207c296a52fb55c0318601d143214cd86879655015416861fe47e565304878337bf4a92810c2120cd7ad653

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kv2a5yur\kv2a5yur.0.cs

Filesize
398B

MD5
a7c44313d7e2713ad482f9b9118364b7

SHA1
7735071bddd1f1af9f5c880c907609b8448ee1e7

SHA256
3ea135c53f2ef2d8f3c1da620505e80b4d18c526893fd7afb442da1ba220c6e8

SHA512
14be82e45e285388807ccdd4be86e376235eeac6ef0e64b28de10ff0153b2173cc949f24635a802d0caa02d409d2a8e4ec4f01160212250d0857316461442e91

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\kv2a5yur\kv2a5yur.cmdline

Filesize
235B

MD5
96eead6c42c4294d635955eb9e16fede

SHA1
a7b9f937b4ef19f169988640a080ce038a823a24

SHA256
8a51cdd34c1d1db22f2814942436d9857164d27893301296f498182dd3afaa04

SHA512
86be5aa1c9823e4657dcebc05499f7f7857148f179c0e0ecc747f8c6c0665d4d2f6983b2e038e26ab902c85420109149726cef569e9bb439967890dffea7e365

Download Submit
\??\c:\Windows\System32\CSCE00F149CD5341B4BBC8ED4656B9E186.TMP

Filesize
1KB

MD5
82a7b8ef3bc275711e3b27c6df93c7ff

SHA1
bdac909f26475c94c74145576bcf22adb0f8203c

SHA256
582921e5e6617cb736006c46c9c8576d8fdefb8763469bdbf305d52d298f6124

SHA512
f2100bca60280f6ad93f40254d6fe69bd9917a44973516874aa54c28042796503daac5c51869924f5ecd17615f461dda6441f479e1201c44ad07f5a7728af248

Download Submit
memory/2200-169-0x000000001DDE0000-0x000000001DF4A000-memory.dmp

Filesize
1.4MB

Download
memory/2276-10-0x000000001BCE0000-0x000000001BD30000-memory.dmp

Filesize
320KB

Download
memory/2276-17-0x000000001B840000-0x000000001B84C000-memory.dmp

Filesize
48KB

Download
memory/2276-67-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-39-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-38-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-36-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-35-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-34-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-9-0x000000001BC70000-0x000000001BC8C000-memory.dmp

Filesize
112KB

Download
memory/2276-0-0x00007FFB8A063000-0x00007FFB8A065000-memory.dmp

Filesize
8KB

Download
memory/2276-22-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-1-0x0000000000A20000-0x0000000000C14000-memory.dmp

Filesize
2.0MB

Download
memory/2276-37-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-21-0x000000001BCB0000-0x000000001BCBC000-memory.dmp

Filesize
48KB

Download
memory/2276-19-0x000000001B850000-0x000000001B85E000-memory.dmp

Filesize
56KB

Download
memory/2276-14-0x0000000001560000-0x000000000156C000-memory.dmp

Filesize
48KB

Download
memory/2276-15-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-12-0x000000001BC90000-0x000000001BCA8000-memory.dmp

Filesize
96KB

Download
memory/2276-7-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-6-0x0000000001550000-0x000000000155E000-memory.dmp

Filesize
56KB

Download
memory/2276-4-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-3-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/2276-2-0x00007FFB8A060000-0x00007FFB8AB21000-memory.dmp

Filesize
10.8MB

Download
memory/3740-66-0x000001F5713D0000-0x000001F5713F2000-memory.dmp

Filesize
136KB

Download