dcrat | 076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533

Analysis

max time kernel
145s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
13-01-2025 12:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SAMP_CHEAT_ATVECHAU2.exe.bin.exe
Size

2.2MB
MD5

be4ae5e0b545e43608ae6a60ce297871
SHA1

ded512ee44ed38b7a6541b4e1d797387a27a5d93
SHA256

076c80010cb400aa03881eb5d88c6e2e4677c0d405255c48154bcf780e549533
SHA512

45aafc3ec5787b1bf143a1d6b9f8ce79447157879c684849486d87a3a7b357862688016809277ff2c9e57a6d06a0613e12009c5a279d07ced4ecc3b3bc9cd0c3
SSDEEP

24576:2TbBv5rUyXVoEmEVLqBMwOk+ADUZjmwMUuTEZ/iJJjhs4P/r+iHtxItZPFtOObx5:IBJvZ+qwOZFM+aJJbL+iNuuMxoyW29L

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech_OneCore\\Engines\\Lexicon\\en-US\\TextInputHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\Windows Mail\\smss.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech_OneCore\\Engines\\Lexicon\\en-US\\TextInputHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\", \"C:\\Program Files\\Windows Mail\\smss.exe\", \"C:\\msportComWin\\BridgePortsurrogateserverref.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech_OneCore\\Engines\\Lexicon\\en-US\\TextInputHost.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech_OneCore\\Engines\\Lexicon\\en-US\\TextInputHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech_OneCore\\Engines\\Lexicon\\en-US\\TextInputHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Speech_OneCore\\Engines\\Lexicon\\en-US\\TextInputHost.exe\", \"C:\\Users\\Default User\\unsecapp.exe\", \"C:\\Recovery\\WindowsRE\\SearchApp.exe\", \"C:\\Recovery\\WindowsRE\\lsass.exe\""	BridgePortsurrogateserverref.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5032	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	3256	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	3256	schtasks.exe	86

Command and Scripting Interpreter: PowerShell 1 TTPs 18 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4892	powershell.exe
4488	powershell.exe
3996	powershell.exe
3816	powershell.exe
1900	powershell.exe
2040	powershell.exe
4592	powershell.exe
4100	powershell.exe
344	powershell.exe
2816	powershell.exe
3192	powershell.exe
4504	powershell.exe
4548	powershell.exe
2388	powershell.exe
436	powershell.exe
2844	powershell.exe
1080	powershell.exe
3204	powershell.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	SAMP_CHEAT_ATVECHAU2.exe.bin.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	BridgePortsurrogateserverref.exe

Executes dropped EXE 16 IoCs

pid	Process
1212	BridgePortsurrogateserverref.exe
116	lsass.exe
32	lsass.exe
1220	lsass.exe
1344	lsass.exe
4412	lsass.exe
752	lsass.exe
556	lsass.exe
3992	lsass.exe
4196	lsass.exe
4428	lsass.exe
4640	lsass.exe
3628	lsass.exe
1780	lsass.exe
1224	lsass.exe
4652	lsass.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\Speech_OneCore\\Engines\\Lexicon\\en-US\\TextInputHost.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Recovery\\WindowsRE\\lsass.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BridgePortsurrogateserverref = "\"C:\\msportComWin\\BridgePortsurrogateserverref.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\TextInputHost = "\"C:\\Windows\\Speech_OneCore\\Engines\\Lexicon\\en-US\\TextInputHost.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\unsecapp = "\"C:\\Users\\Default User\\unsecapp.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Recovery\\WindowsRE\\SearchApp.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Mail\\smss.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files\\Windows Mail\\smss.exe\""	BridgePortsurrogateserverref.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\BridgePortsurrogateserverref = "\"C:\\msportComWin\\BridgePortsurrogateserverref.exe\""	BridgePortsurrogateserverref.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCA3865E8AA54497E9E2A80FAE89269D.TMP	csc.exe
File created	\??\c:\Windows\System32\lhkpi-.exe	csc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\smss.exe	BridgePortsurrogateserverref.exe
File opened for modification	C:\Program Files\Windows Mail\smss.exe	BridgePortsurrogateserverref.exe
File created	C:\Program Files\Windows Mail\69ddcba757bf72	BridgePortsurrogateserverref.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\TextInputHost.exe	BridgePortsurrogateserverref.exe
File created	C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\22eafd247d37c3	BridgePortsurrogateserverref.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SAMP_CHEAT_ATVECHAU2.exe.bin.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 7 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4900	PING.EXE
4360	PING.EXE
432	PING.EXE
1948	PING.EXE
2368	PING.EXE
3628	PING.EXE
3672	PING.EXE

Modifies registry class 17 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	SAMP_CHEAT_ATVECHAU2.exe.bin.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	BridgePortsurrogateserverref.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000_Classes\Local Settings	lsass.exe

Runs ping.exe 1 TTPs 7 IoCs

Remote System Discovery

T1018

pid	Process
4360	PING.EXE
432	PING.EXE
1948	PING.EXE
2368	PING.EXE
3628	PING.EXE
3672	PING.EXE
4900	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
832	schtasks.exe
4916	schtasks.exe
3152	schtasks.exe
5032	schtasks.exe
1268	schtasks.exe
372	schtasks.exe
1840	schtasks.exe
2512	schtasks.exe
1072	schtasks.exe
2236	schtasks.exe
2376	schtasks.exe
1208	schtasks.exe
4216	schtasks.exe
2868	schtasks.exe
4900	schtasks.exe
1136	schtasks.exe
4116	schtasks.exe
1968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe
1212	BridgePortsurrogateserverref.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeDebugPrivilege	1212	BridgePortsurrogateserverref.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	4592	powershell.exe
Token: SeDebugPrivilege	4892	powershell.exe
Token: SeDebugPrivilege	3204	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	344	powershell.exe
Token: SeDebugPrivilege	4548	powershell.exe
Token: SeDebugPrivilege	3816	powershell.exe
Token: SeDebugPrivilege	4504	powershell.exe
Token: SeDebugPrivilege	436	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2040	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	3192	powershell.exe
Token: SeDebugPrivilege	4100	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	116	lsass.exe
Token: SeDebugPrivilege	32	lsass.exe
Token: SeDebugPrivilege	1220	lsass.exe
Token: SeDebugPrivilege	1344	lsass.exe
Token: SeDebugPrivilege	4412	lsass.exe
Token: SeDebugPrivilege	752	lsass.exe
Token: SeDebugPrivilege	556	lsass.exe
Token: SeDebugPrivilege	3992	lsass.exe
Token: SeDebugPrivilege	4196	lsass.exe
Token: SeDebugPrivilege	4428	lsass.exe
Token: SeDebugPrivilege	4640	lsass.exe
Token: SeDebugPrivilege	3628	lsass.exe
Token: SeDebugPrivilege	1780	lsass.exe
Token: SeDebugPrivilege	1224	lsass.exe
Token: SeDebugPrivilege	4652	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4896 wrote to memory of 3672	4896	SAMP_CHEAT_ATVECHAU2.exe.bin.exe	82
PID 4896 wrote to memory of 3672	4896	SAMP_CHEAT_ATVECHAU2.exe.bin.exe	82
PID 4896 wrote to memory of 3672	4896	SAMP_CHEAT_ATVECHAU2.exe.bin.exe	82
PID 3672 wrote to memory of 4572	3672	WScript.exe	83
PID 3672 wrote to memory of 4572	3672	WScript.exe	83
PID 3672 wrote to memory of 4572	3672	WScript.exe	83
PID 4572 wrote to memory of 1212	4572	cmd.exe	85
PID 4572 wrote to memory of 1212	4572	cmd.exe	85
PID 1212 wrote to memory of 3004	1212	BridgePortsurrogateserverref.exe	90
PID 1212 wrote to memory of 3004	1212	BridgePortsurrogateserverref.exe	90
PID 3004 wrote to memory of 2616	3004	csc.exe	92
PID 3004 wrote to memory of 2616	3004	csc.exe	92
PID 1212 wrote to memory of 4592	1212	BridgePortsurrogateserverref.exe	108
PID 1212 wrote to memory of 4592	1212	BridgePortsurrogateserverref.exe	108
PID 1212 wrote to memory of 2388	1212	BridgePortsurrogateserverref.exe	109
PID 1212 wrote to memory of 2388	1212	BridgePortsurrogateserverref.exe	109
PID 1212 wrote to memory of 4892	1212	BridgePortsurrogateserverref.exe	110
PID 1212 wrote to memory of 4892	1212	BridgePortsurrogateserverref.exe	110
PID 1212 wrote to memory of 4548	1212	BridgePortsurrogateserverref.exe	111
PID 1212 wrote to memory of 4548	1212	BridgePortsurrogateserverref.exe	111
PID 1212 wrote to memory of 4100	1212	BridgePortsurrogateserverref.exe	112
PID 1212 wrote to memory of 4100	1212	BridgePortsurrogateserverref.exe	112
PID 1212 wrote to memory of 4504	1212	BridgePortsurrogateserverref.exe	113
PID 1212 wrote to memory of 4504	1212	BridgePortsurrogateserverref.exe	113
PID 1212 wrote to memory of 436	1212	BridgePortsurrogateserverref.exe	114
PID 1212 wrote to memory of 436	1212	BridgePortsurrogateserverref.exe	114
PID 1212 wrote to memory of 2844	1212	BridgePortsurrogateserverref.exe	115
PID 1212 wrote to memory of 2844	1212	BridgePortsurrogateserverref.exe	115
PID 1212 wrote to memory of 1080	1212	BridgePortsurrogateserverref.exe	116
PID 1212 wrote to memory of 1080	1212	BridgePortsurrogateserverref.exe	116
PID 1212 wrote to memory of 4488	1212	BridgePortsurrogateserverref.exe	117
PID 1212 wrote to memory of 4488	1212	BridgePortsurrogateserverref.exe	117
PID 1212 wrote to memory of 344	1212	BridgePortsurrogateserverref.exe	118
PID 1212 wrote to memory of 344	1212	BridgePortsurrogateserverref.exe	118
PID 1212 wrote to memory of 2816	1212	BridgePortsurrogateserverref.exe	119
PID 1212 wrote to memory of 2816	1212	BridgePortsurrogateserverref.exe	119
PID 1212 wrote to memory of 3204	1212	BridgePortsurrogateserverref.exe	120
PID 1212 wrote to memory of 3204	1212	BridgePortsurrogateserverref.exe	120
PID 1212 wrote to memory of 2040	1212	BridgePortsurrogateserverref.exe	122
PID 1212 wrote to memory of 2040	1212	BridgePortsurrogateserverref.exe	122
PID 1212 wrote to memory of 1900	1212	BridgePortsurrogateserverref.exe	123
PID 1212 wrote to memory of 1900	1212	BridgePortsurrogateserverref.exe	123
PID 1212 wrote to memory of 3996	1212	BridgePortsurrogateserverref.exe	128
PID 1212 wrote to memory of 3996	1212	BridgePortsurrogateserverref.exe	128
PID 1212 wrote to memory of 3816	1212	BridgePortsurrogateserverref.exe	133
PID 1212 wrote to memory of 3816	1212	BridgePortsurrogateserverref.exe	133
PID 1212 wrote to memory of 3192	1212	BridgePortsurrogateserverref.exe	134
PID 1212 wrote to memory of 3192	1212	BridgePortsurrogateserverref.exe	134
PID 1212 wrote to memory of 3452	1212	BridgePortsurrogateserverref.exe	144
PID 1212 wrote to memory of 3452	1212	BridgePortsurrogateserverref.exe	144
PID 3452 wrote to memory of 3620	3452	cmd.exe	146
PID 3452 wrote to memory of 3620	3452	cmd.exe	146
PID 3452 wrote to memory of 3628	3452	cmd.exe	147
PID 3452 wrote to memory of 3628	3452	cmd.exe	147
PID 3452 wrote to memory of 116	3452	cmd.exe	154
PID 3452 wrote to memory of 116	3452	cmd.exe	154
PID 116 wrote to memory of 2176	116	lsass.exe	155
PID 116 wrote to memory of 2176	116	lsass.exe	155
PID 2176 wrote to memory of 4576	2176	cmd.exe	157
PID 2176 wrote to memory of 4576	2176	cmd.exe	157
PID 2176 wrote to memory of 5096	2176	cmd.exe	158
PID 2176 wrote to memory of 5096	2176	cmd.exe	158
PID 2176 wrote to memory of 32	2176	cmd.exe	159
PID 2176 wrote to memory of 32	2176	cmd.exe	159

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\SAMP_CHEAT_ATVECHAU2.exe.bin.exe
"C:\Users\Admin\AppData\Local\Temp\SAMP_CHEAT_ATVECHAU2.exe.bin.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4896
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4572
  - - C:\msportComWin\BridgePortsurrogateserverref.exe
      "C:\msportComWin/BridgePortsurrogateserverref.exe"
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1212
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\i5ss14zc\i5ss14zc.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:3004
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESABEF.tmp" "c:\Windows\System32\CSCA3865E8AA54497E9E2A80FAE89269D.TMP"
        6⤵
        
        PID:2616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/msportComWin/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\msportComWin\BridgePortsurrogateserverref.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3192
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9wXs9GAU2M.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3452
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3620
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3628
      - C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kMcIkiaMXi.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:5096
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:32
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vGBsZePsxa.bat"
        9⤵
        
        PID:3140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3672
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KrnlOsdLyH.bat"
        11⤵
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:3248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2528
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yPEeb07IgF.bat"
        13⤵
        
        PID:4240
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:4140
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4900
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YuP7FABH7o.bat"
        15⤵
        
        PID:3808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:4896
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4360
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fPImnfbxm2.bat"
        17⤵
        
        PID:4984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:3264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2088
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VQkrGeCZky.bat"
        19⤵
        
        PID:1172
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:4592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:32
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XKxUoGu8Hi.bat"
        21⤵
        
        PID:4968
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3152
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VQkrGeCZky.bat"
        23⤵
        
        PID:4548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:4884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2516
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KrnlOsdLyH.bat"
        25⤵
        
        PID:3008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:4396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3940
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sYhU7MQKNp.bat"
        27⤵
        
        PID:5016
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:1476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:432
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CmSUPSwWTx.bat"
        29⤵
        
        PID:4828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3612
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAOW7F8RUK.bat"
        31⤵
        
        PID:4756
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1948
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ll0PvUMuW1.bat"
        33⤵
        
        PID:3404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:3432
        
        C:\Recovery\WindowsRE\lsass.exe
        
        "C:\Recovery\WindowsRE\lsass.exe"
        34⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat"
        35⤵
        
        PID:4416
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:5092
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 10 /tr "'C:\Windows\Speech_OneCore\Engines\Lexicon\en-US\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Mail\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Mail\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 5 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgePortsurrogateserverref" /sc ONLOGON /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "BridgePortsurrogateserverrefB" /sc MINUTE /mo 6 /tr "'C:\msportComWin\BridgePortsurrogateserverref.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
935ecb30a8e13f625a9a89e3b0fcbf8f

SHA1
41cb046b7b5f89955fd53949efad8e9f3971d731

SHA256
2a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9

SHA512
1210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
aaaac7c68d2b7997ed502c26fd9f65c2

SHA1
7c5a3731300d672bf53c43e2f9e951c745f7fbdf

SHA256
8724dc2c3c8e8f17aeefae44a23741b1ea3b43c490fbc52fd61575ffe1cd82bb

SHA512
c526febd9430413b48bed976edd9a795793ad1f06c8ff4f6b768b4ad63f4d2f06b9da72d4fcfa7cb9530a64e2dc3554f5ad97fd0ab60129701d175f2724ef1ac

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\9wXs9GAU2M.bat

Filesize
159B

MD5
3883b5087c5011c54d7d24631efec0ac

SHA1
6fac7770c5c5a2266f4b8d0ee6520488074a4de7

SHA256
1246a19276acee55155f5483da8e7f09b5cd918d1415c202557676371d7be5a9

SHA512
882b769d1452dc44ac924ae943f3791ebf35ee0c8f69bce470be81c70a4f85ced0ae5de86de36929102d82703c05bac9aa8e9373d6495a44036bc22d110d0e0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CmSUPSwWTx.bat

Filesize
207B

MD5
77a165b0e1c602af1e02a470e11a7017

SHA1
807a311c51b40dd4f9e2968f8bfc66ed998d16c8

SHA256
489cf94717f50a8ee34026359af9749fc5d1b66c8ed7310ce5bb3422392d30f8

SHA512
fb59911f3f76b6e88af4d7f5b3d8d54219a3973b3b0db9af04de41a3b1f646e66b23de6858eaae02f7e831c3054ca158eddb290b12ed307f4c79a87f0f1f603d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KrnlOsdLyH.bat

Filesize
207B

MD5
370945e328aca8fe6f9469789e0d5f88

SHA1
01b733709eaccdbed48f7df8f4e9a6a52fc6e415

SHA256
a53bc33097aae0397ad216ab28a14ade2461224f754f3442a27e561074737ec2

SHA512
c6bb98ab2fde4b33477340c9fca6d727a9213d7df8bb41b1bcd6896ad1f7524363bdb9d7540a53273b9285f53749056858b353b4a9267ae02cb64711d79feffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ll0PvUMuW1.bat

Filesize
207B

MD5
431ac0f63bda3622c9447a8d17246342

SHA1
3425ef1e4432c92ec21f995af1ff8a6bace1cf81

SHA256
7e882ddac749d2a5486b62089d5877918e327c4aa808e1362048d77ddb928b2a

SHA512
d911da3322fc7559bc7993f81b64b7c8bd7d85f1af33782ed3d1056cfd2a09e1e5893cd37e79c207825ac8662834d498146b9268dae540ba73d94a9a5926a17b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESABEF.tmp

Filesize
1KB

MD5
ad48efd4cdf93f3392442ae7ea807bcf

SHA1
ab0afe206270882a98c5e2ff7b032d1bd9da8fd2

SHA256
0a76f43aa17905b0ea8e4bb553a454654ae564da87dc00a41f7002e5234e559b

SHA512
62194dc83cb22e57ff43f066cca3104133016520aa39c2e4b241440a0ec617503e684b47a2b9fb2b35c6d8a3434d2f203ec9d46cae5eeee1af208746d5403557

Download Submit
C:\Users\Admin\AppData\Local\Temp\VQkrGeCZky.bat

Filesize
207B

MD5
897bbe64fb11051b1fc0ce868bf56d85

SHA1
b9f65e392779262989350ba9a90614d7a722887c

SHA256
83659c0d94ae2dc278be15080222697eef2009c8a8dd6957fe8bb557424e7d39

SHA512
85c03314e4ae575d4564f3483ca8afaf4e6f41f506682920758b1a3612e29db5632e260f5b0610ce00790d4cf9826bc045bd744e6fd2411d394b402e1160028a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XKxUoGu8Hi.bat

Filesize
207B

MD5
7c948432650c5455ae46fb5a9e9e988b

SHA1
2b47d8f599eb09e2dfa9c278b890ad356544ddd1

SHA256
ea01d70fd1f999f3dd1ec38c54ab9109f3fe1d06f32d267839cf69c79672374f

SHA512
889f1efb5fb84416073da508e8f948e7b8d6f986a92fb58c2f0e9e5bcbc04a063a8d079dc0798ddb838de62141085a163edeeb4aeab4ed999039fa68e78018fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\YuP7FABH7o.bat

Filesize
159B

MD5
982934d322f2f5de39635af4a9c48349

SHA1
67851694a9835bfcb4776db48ab07ae170796752

SHA256
633068da41760e6fb70c930a19251c4030b43ee9c29ec1b5c955eac77f3ee710

SHA512
c46f983002ae6144e15fbd680c01cf4f1f34b65877b85ee806c930c75d7ed80c1c55e2ed8cd062d30e2cf73c6b55ebf9c076b3bcb7d9cce8654956e6c574001a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_izblmfyn.3zm.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\fPImnfbxm2.bat

Filesize
207B

MD5
98b59e80acc1943020beb6671b93f1d1

SHA1
e181e672f15acafb95219ec5b8f08e6815a690cd

SHA256
b10683f2cfcabb10dfb4a31fee77118b4660f82a3337d807b16c560f466837b1

SHA512
dc92c7d6b092183685e42dda634ef413f6c3ad74ec41a912ebf022a86338561cfac6d47d6f208d8f337dbf0fb811ec57cbb5131a23f1e9853f7a74201c3bc99b

Download Submit
C:\Users\Admin\AppData\Local\Temp\fkvHkpsFQE.bat

Filesize
159B

MD5
c720526f4cb5d00be37c92d3454cb298

SHA1
8ac98d0df43a05965c72706b3ab6192b8cab55c0

SHA256
4c2cbccfac23e2efc631a39fe2ab71a47e431def4771a39fb5b2310e9595c1f9

SHA512
2efd60fa9a510a4f5c3645e09b7274dd421cbc1426eb9ab913931e4bdbc88a20c1f419bd8ccdddd9f9cdadeedc16fba15cfddd12d4525a9d1fe5ffd79c11e5e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\kMcIkiaMXi.bat

Filesize
207B

MD5
4686f76be2fb450d3b63a80293547b5e

SHA1
6b6287ec6ccc9011f36125d6b32bb095096b8730

SHA256
049546ee5c0885917a409f0a282f306441f54097c1676fe4602d50b36715d183

SHA512
dedb916f9568ecef34359fd5697ed6dc91b97bcd5deffaa17be894356342869851c5cbfff26e4d62c8fed4733f7c0c5f5c6bea88ffdf0d8a6f3aad5244ca7afe

Download Submit
C:\Users\Admin\AppData\Local\Temp\sYhU7MQKNp.bat

Filesize
159B

MD5
6bef672cd6bf4d9be1abfaf16518f2e7

SHA1
1f8df6973c72f25f14831a0a5cf4b73d844bc576

SHA256
d3fc62a8b79201b8f4aff1af92e5a6439d1783d36afc5c136686d2ead6724801

SHA512
10f8d1b031f4779d3d09e0db61948eb2e596b7f6b76d7b82e9953d4225ca4e207a135aef0fe717f4b0f24ddfd013f502506cb5490d25dd8b1fd061fe9b4427b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\vGBsZePsxa.bat

Filesize
159B

MD5
6a47046bee797ce2c17e3ee667554bcf

SHA1
9f62c7b48b11d3ddfadb837366a48e5185779ac8

SHA256
8b6a2caa3e3dc1de002894a505bfc57ab6c9be9735b5d5e54609f6f5e6447e51

SHA512
472ed52cafaee60841583cf719d652466bdf66bdd0fce771a164579ba30adf891a010c254323390df6a52c8fdff1e00fd9fa93e8dfd2e366f9258efae10b3d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAOW7F8RUK.bat

Filesize
159B

MD5
d13928b585d74ed1541d9b1f4d997613

SHA1
fbfb230a03698ec0d3011cb7addf2481575ba747

SHA256
5faecd82e0bb995c36725aca84d8cf261b778ac58119498f713e5928c57cbf34

SHA512
f71296f111489a6676d30f9b349815376d1e82e7b35c2b69b0909132c8328c635c5e7eb4c596534183dccc20914c1e5f4e2450192cc6c6b4857e624957a380bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\yPEeb07IgF.bat

Filesize
159B

MD5
8923734f27f85496239c46dd48ac45ee

SHA1
4fe6a773679ef8bd9c27e37b5abf130763959d47

SHA256
5abd5f043fb11415c308bc9f0cbd9a084bf0736b0bda1cc7b6f473d919a3c45a

SHA512
1fc882fb158f50104500dfd494f091a4eef691cc62b649b93d0fb8d4918dd71e41dc6e2d4c1d0a01aee78982b65fd42c7b03d4c38f5db9f8135faea60753aab7

Download Submit
C:\msportComWin\5Jq5kgQebZBPc8KIFjklSaK6KtfwfF1rpT92XeRglY4x6Z5YYulxiLU9VV.bat

Filesize
114B

MD5
ec4930435249e865ec0910b90ce34010

SHA1
e00242ba6b91abe0291ee6c003c7cda9f280a20c

SHA256
aecaccc8288e076efa186171eab1ce946b8c0438e607f00a442b04e1e080dfbb

SHA512
f1bb3a20bd279b62b94349d253b64a4bb9227fa214785e265b5f5457a552bddb141faea48109ed80a6d77f34c8ba68fd2911daa178893daee52259e89a6b80aa

Download Submit
C:\msportComWin\BridgePortsurrogateserverref.exe

Filesize
1.9MB

MD5
5f80a11e82cc7495cf5ad7df3d052721

SHA1
3a20eb31195a97cf5da7d3c20c1b8c4913b95a13

SHA256
851aa5f3636700f9bb71a4c0d040255f19871ba306f87d9f66b39f3b207ec15b

SHA512
7acdd2a4f5170212beabeba86dcb7a6be74c4c83815db3bb328d6541f6a259ec3c6ff469f103eb125163371f103ae3060404e1c34622f2d4d9cb34d2cc7b3c0d

Download Submit
C:\msportComWin\xtUjCOEXV8hvxooNRYyHQv7v29HXxWwl.vbe

Filesize
248B

MD5
528d2d62b3a0a43e28f6c5bc9e59fb49

SHA1
b8347b3f11fdb951bf4c930bef813180c42f98c1

SHA256
9d271ddb2a3de2347db1800f94865bab4758e8f89760f7f0fc6368eb14a9597b

SHA512
a208e41f97a080ab5550632daa10ac7d4d43ca603207406df14e749765662089f38ff52feced3083dbcb08daa2821e9fc6df511fa1a1f18b4b9e8e38f68fa171

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i5ss14zc\i5ss14zc.0.cs

Filesize
397B

MD5
b5e8ed5bdd3674210814fe0791f89428

SHA1
3719061d566040b7f108f1e3aed610a8a8ad5091

SHA256
f1abcb1331717d4dda57f070c70b4a0185728e9be35da1d137777c37795fa347

SHA512
ef3a3d68192bb4770dcb65d86f9554631f7e1ed19629293ebe04a6cd890940a579da57f968bfc428d557e2376d1fae2d8cd152796d60a22159cd9fe55d2731f3

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\i5ss14zc\i5ss14zc.cmdline

Filesize
235B

MD5
2d7991302b5ae71044014bb97b323610

SHA1
653d53599dda037e970033377ce2a425bbdd5234

SHA256
2b05e6876052ba9f16d05ca768f0d4f8b8e834f9bd12ee3bf8e9026a03a5aa40

SHA512
dd5213337a22e56279a003342cab1a58fdfb658fff7a33d7167236438e90a16e4e5cc75a2bfe27dfacf7e9d0415aad1fbe78bf303d7d673c048a7451399dea47

Download Submit
\??\c:\Windows\System32\CSCA3865E8AA54497E9E2A80FAE89269D.TMP

Filesize
1KB

MD5
75e32610d8ef6143201c7c28465fcda9

SHA1
b2bae99fade2dda07aecbe1659d184be0fc4e7a6

SHA256
97ee1cac3965d9cc55a60f20206f384719431f19ac96bdc52b93a98de51a639b

SHA512
b303fb99586efd19a08223ba93472fa6d33fcf9198bbf42fb16ba61001db59e5fd5835ea7696ed34e4004d23fa60697e724e6085d1269d788204bf95dfe46abc

Download Submit
memory/1212-24-0x0000000003070000-0x000000000307E000-memory.dmp

Filesize
56KB

Download
memory/1212-12-0x00007FF857033000-0x00007FF857035000-memory.dmp

Filesize
8KB

Download
memory/1212-13-0x0000000000C50000-0x0000000000E40000-memory.dmp

Filesize
1.9MB

Download
memory/1212-15-0x0000000001720000-0x000000000172E000-memory.dmp

Filesize
56KB

Download
memory/1212-17-0x0000000003080000-0x000000000309C000-memory.dmp

Filesize
112KB

Download
memory/1212-18-0x000000001BE20000-0x000000001BE70000-memory.dmp

Filesize
320KB

Download
memory/1212-20-0x000000001BA80000-0x000000001BA98000-memory.dmp

Filesize
96KB

Download
memory/1212-22-0x0000000003060000-0x000000000306E000-memory.dmp

Filesize
56KB

Download
memory/1212-26-0x000000001BAA0000-0x000000001BAAC000-memory.dmp

Filesize
48KB

Download
memory/1900-69-0x000002C526B10000-0x000002C526B32000-memory.dmp

Filesize
136KB

Download