dcrat | b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14-01-2025 03:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe
Size

3.2MB
MD5

a7040b85fc683f088f4c6e5b44052c43
SHA1

7e3d644d1a1fb7b9bcccb6406d2e7fbd062eae66
SHA256

b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d
SHA512

e225f6f7e114690aad25e9c67460e50f5b84cc8ca87a69ba94ff63ab42415df176a3ed6c3456cddb849927604a4888b17e5e781ac97d2ba0197f9687bbb2c301
SSDEEP

98304:hb5Nf/dq7yqKM1TcGZ6gtq1/Lko4uVa8Nb:FMyqKM1TogtqT44NNb

Score

10^/10

dcrat discovery infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\winlogon.exe\", \"C:\\Program Files\\MSBuild\\dllhost.exe\", \"C:\\Users\\Default\\dwm.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\lsm.exe\", \"C:\\Users\\Admin\\Pictures\\lsm.exe\", \"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\winlogon.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\winlogon.exe\", \"C:\\Program Files\\MSBuild\\dllhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\winlogon.exe\", \"C:\\Program Files\\MSBuild\\dllhost.exe\", \"C:\\Users\\Default\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\winlogon.exe\", \"C:\\Program Files\\MSBuild\\dllhost.exe\", \"C:\\Users\\Default\\dwm.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\lsm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\winlogon.exe\", \"C:\\Program Files\\MSBuild\\dllhost.exe\", \"C:\\Users\\Default\\dwm.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\lsm.exe\", \"C:\\Users\\Admin\\Pictures\\lsm.exe\""	containerReview.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2756	schtasks.exe	34

Executes dropped EXE 12 IoCs

pid	Process
2732	containerReview.exe
2132	lsm.exe
3064	lsm.exe
2308	lsm.exe
1036	lsm.exe
2944	lsm.exe
776	lsm.exe
2052	lsm.exe
2816	lsm.exe
1592	lsm.exe
3048	lsm.exe
1556	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	cmd.exe
2184	cmd.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\lsm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\lsm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Admin\\Pictures\\lsm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\winlogon.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\ink\\da-DK\\winlogon.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\MSBuild\\dllhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\containerReview = "\"C:\\blockcomSession\\containerReview.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\MSBuild\\dllhost.exe\""	containerReview.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Default\\dwm.exe\""	containerReview.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsm = "\"C:\\Users\\Admin\\Pictures\\lsm.exe\""	containerReview.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCABD8D3CB6AF74FB688E5A5FD2667D65.TMP	csc.exe
File created	\??\c:\Windows\System32\8wawgv.exe	csc.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

pid	Process
1452	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\5940a34987c991	containerReview.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\winlogon.exe	containerReview.exe
File created	C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\cc11b995f2a76d	containerReview.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe	containerReview.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\101b941d020240	containerReview.exe
File created	C:\Program Files\MSBuild\dllhost.exe	containerReview.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
444	PING.EXE
1712	PING.EXE
2800	PING.EXE
1992	PING.EXE
2972	PING.EXE
2920	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
2920	PING.EXE
444	PING.EXE
1712	PING.EXE
2800	PING.EXE
1992	PING.EXE
2972	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2340	schtasks.exe
320	schtasks.exe
1584	schtasks.exe
608	schtasks.exe
2144	schtasks.exe
644	schtasks.exe
1812	schtasks.exe
2600	schtasks.exe
2680	schtasks.exe
3036	schtasks.exe
2224	schtasks.exe
2688	schtasks.exe
1268	schtasks.exe
2668	schtasks.exe
2204	schtasks.exe
2976	schtasks.exe
2868	schtasks.exe
1912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1452	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe
2732	containerReview.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2732	containerReview.exe
Token: SeDebugPrivilege	2132	lsm.exe
Token: SeDebugPrivilege	3064	lsm.exe
Token: SeDebugPrivilege	2308	lsm.exe
Token: SeDebugPrivilege	1036	lsm.exe
Token: SeDebugPrivilege	2944	lsm.exe
Token: SeDebugPrivilege	776	lsm.exe
Token: SeDebugPrivilege	2052	lsm.exe
Token: SeDebugPrivilege	2816	lsm.exe
Token: SeDebugPrivilege	1592	lsm.exe
Token: SeDebugPrivilege	3048	lsm.exe
Token: SeDebugPrivilege	1556	lsm.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1452	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1452 wrote to memory of 2400	1452	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe	30
PID 1452 wrote to memory of 2400	1452	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe	30
PID 1452 wrote to memory of 2400	1452	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe	30
PID 1452 wrote to memory of 2400	1452	b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe	30
PID 2400 wrote to memory of 2184	2400	WScript.exe	31
PID 2400 wrote to memory of 2184	2400	WScript.exe	31
PID 2400 wrote to memory of 2184	2400	WScript.exe	31
PID 2400 wrote to memory of 2184	2400	WScript.exe	31
PID 2184 wrote to memory of 2732	2184	cmd.exe	33
PID 2184 wrote to memory of 2732	2184	cmd.exe	33
PID 2184 wrote to memory of 2732	2184	cmd.exe	33
PID 2184 wrote to memory of 2732	2184	cmd.exe	33
PID 2732 wrote to memory of 2164	2732	containerReview.exe	38
PID 2732 wrote to memory of 2164	2732	containerReview.exe	38
PID 2732 wrote to memory of 2164	2732	containerReview.exe	38
PID 2164 wrote to memory of 484	2164	csc.exe	40
PID 2164 wrote to memory of 484	2164	csc.exe	40
PID 2164 wrote to memory of 484	2164	csc.exe	40
PID 2732 wrote to memory of 2452	2732	containerReview.exe	56
PID 2732 wrote to memory of 2452	2732	containerReview.exe	56
PID 2732 wrote to memory of 2452	2732	containerReview.exe	56
PID 2452 wrote to memory of 3024	2452	cmd.exe	58
PID 2452 wrote to memory of 3024	2452	cmd.exe	58
PID 2452 wrote to memory of 3024	2452	cmd.exe	58
PID 2452 wrote to memory of 1664	2452	cmd.exe	59
PID 2452 wrote to memory of 1664	2452	cmd.exe	59
PID 2452 wrote to memory of 1664	2452	cmd.exe	59
PID 2452 wrote to memory of 2132	2452	cmd.exe	61
PID 2452 wrote to memory of 2132	2452	cmd.exe	61
PID 2452 wrote to memory of 2132	2452	cmd.exe	61
PID 2132 wrote to memory of 1644	2132	lsm.exe	62
PID 2132 wrote to memory of 1644	2132	lsm.exe	62
PID 2132 wrote to memory of 1644	2132	lsm.exe	62
PID 1644 wrote to memory of 2312	1644	cmd.exe	64
PID 1644 wrote to memory of 2312	1644	cmd.exe	64
PID 1644 wrote to memory of 2312	1644	cmd.exe	64
PID 1644 wrote to memory of 1712	1644	cmd.exe	65
PID 1644 wrote to memory of 1712	1644	cmd.exe	65
PID 1644 wrote to memory of 1712	1644	cmd.exe	65
PID 1644 wrote to memory of 3064	1644	cmd.exe	66
PID 1644 wrote to memory of 3064	1644	cmd.exe	66
PID 1644 wrote to memory of 3064	1644	cmd.exe	66
PID 3064 wrote to memory of 1372	3064	lsm.exe	67
PID 3064 wrote to memory of 1372	3064	lsm.exe	67
PID 3064 wrote to memory of 1372	3064	lsm.exe	67
PID 1372 wrote to memory of 2860	1372	cmd.exe	69
PID 1372 wrote to memory of 2860	1372	cmd.exe	69
PID 1372 wrote to memory of 2860	1372	cmd.exe	69
PID 1372 wrote to memory of 2800	1372	cmd.exe	70
PID 1372 wrote to memory of 2800	1372	cmd.exe	70
PID 1372 wrote to memory of 2800	1372	cmd.exe	70
PID 1372 wrote to memory of 2308	1372	cmd.exe	71
PID 1372 wrote to memory of 2308	1372	cmd.exe	71
PID 1372 wrote to memory of 2308	1372	cmd.exe	71
PID 2308 wrote to memory of 2932	2308	lsm.exe	72
PID 2308 wrote to memory of 2932	2308	lsm.exe	72
PID 2308 wrote to memory of 2932	2308	lsm.exe	72
PID 2932 wrote to memory of 2840	2932	cmd.exe	74
PID 2932 wrote to memory of 2840	2932	cmd.exe	74
PID 2932 wrote to memory of 2840	2932	cmd.exe	74
PID 2932 wrote to memory of 1992	2932	cmd.exe	75
PID 2932 wrote to memory of 1992	2932	cmd.exe	75
PID 2932 wrote to memory of 1992	2932	cmd.exe	75
PID 2932 wrote to memory of 1036	2932	cmd.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe
"C:\Users\Admin\AppData\Local\Temp\b786f31f1c89c71d0510bbd32510595d9891c67db516f968261b02594a423a8d.exe"
1⤵
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1452
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\blockcomSession\containerReview.exe
      "C:\blockcomSession/containerReview.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2732
    - - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
        
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\5y3ohj0i\5y3ohj0i.cmdline"
        5⤵
        Drops file in System32 directory
        Suspicious use of WriteProcessMemory
        
        PID:2164
      - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESCB6A.tmp" "c:\Windows\System32\CSCABD8D3CB6AF74FB688E5A5FD2667D65.TMP"
        6⤵
        
        PID:484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8ADg0k5Zmu.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2452
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3024
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1664
      - C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1712
        
        C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:2860
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2800
        
        C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\utpnwKYKap.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1992
        
        C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OHqycByqx8.bat"
        13⤵
        
        PID:2124
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2848
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2972
        
        C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat"
        15⤵
        
        PID:2452
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2484
        
        C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q18N4Nt25o.bat"
        17⤵
        
        PID:1500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1712
        
        C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y6Uf3masa9.bat"
        19⤵
        
        PID:2780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2804
        
        C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\diBg3fIzhe.bat"
        21⤵
        
        PID:2204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:2940
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2920
        
        C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2oGrqKSnf6.bat"
        23⤵
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2848
        
        C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6C8kMSA4ag.bat"
        25⤵
        
        PID:2956
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1668
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:444
        
        C:\Users\Admin\Pictures\lsm.exe
        
        "C:\Users\Admin\Pictures\lsm.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqzjdZvm8E.bat"
        27⤵
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\ink\da-DK\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\MSBuild\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Default\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Pictures\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 14 /tr "'C:\blockcomSession\containerReview.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReview" /sc ONLOGON /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "containerReviewc" /sc MINUTE /mo 10 /tr "'C:\blockcomSession\containerReview.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2oGrqKSnf6.bat

Filesize
207B

MD5
21a99195b01cb13a26a1ea7dbfc6fc36

SHA1
e656a82166c595c7ea344d22b7f6ec9d6bfbab2b

SHA256
c68acc3e43fa21e2bf3960f7e38d18fb841add7d1f3036560a61910e435318d2

SHA512
9d2b6a5b1f1b9f95cd778569ea28ba972fd837a11a005a467f1271f1b6b99f82b18a49798ca88a323848433388d30eddd912d4f44731ba531ba83983530eb3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6C8kMSA4ag.bat

Filesize
159B

MD5
bfb1fb65cc9f384788f55e8eb77dc17f

SHA1
ae2e38665c076f9aca6d0139ebbedc4a92c921b1

SHA256
d5282e9eec2578dcf22d70ad4cf1ad19f234ed72e121be7b3a02eb884ef90d8c

SHA512
8b981ed88fe7deae52832f662f6d89ebceb065f9b649aa7f875f23d0e25ef0ee6a6ac11176596346a560948aeefe1ae2aec7fb4557f91e7d8fcee3a57662b117

Download Submit
C:\Users\Admin\AppData\Local\Temp\8ADg0k5Zmu.bat

Filesize
207B

MD5
11fb41721649cc5e71a2ab5e597c4628

SHA1
0fa6fee2e2e72a1a08d7a71cf908c0a4d6abd9d2

SHA256
4cb4c81dd4463a3c86adebf5c8e97db207599004642f1228ea06a5a25ec955a6

SHA512
f04952cc8f124304acee273785f206277a38fe71afdcfbc0bc36d054bde0c80a58f0c5df1e5c8819d2ab2a7c61e0fc0e2afc021c42363f494e91d580d589d392

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqzjdZvm8E.bat

Filesize
207B

MD5
5790f04d17ce1b878e3b63787c50902f

SHA1
d969a61abad4a7ba94af12e56890c467c716b629

SHA256
8fe143337975380e5632386110f906867586111ae5240ac47caaaad6e207a6f7

SHA512
f1887293f5880b0b6d9d1e73641e9966bc6a93ed7c024093d2afe2a969161145fbede645816b835c1920d98dd7c61277ded0b16eafc368c77de2d22aac33ed34

Download Submit
C:\Users\Admin\AppData\Local\Temp\OHqycByqx8.bat

Filesize
159B

MD5
a49b91d4c533d9c2b12145f1b06613bb

SHA1
e025acc91220d5ddd3372d04fbd1f13a9859a69e

SHA256
db9838cbe32384c3fd7581b2294c0d82d1c73d07f7005219f549721f21d53835

SHA512
654c8ec01bfb572101a42a7cb15cbc8d6381420d6bae9db4e8a86e2f6e60206083076131d16763123d6e81c43ea31cefa260ed30cacd1d34b2bda0a9dfb570dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q18N4Nt25o.bat

Filesize
207B

MD5
a82cb1d7efded059a821ee8fd3a15e19

SHA1
a010224f27e42ae99a50fba511a79a08cff345ea

SHA256
a8e610374ac0259fcdbeadc55779a3ad7682d70503b56d50499977da03794cd9

SHA512
83fc74aca2d92d47356c2734b4e3ba365e7d278dd403ac4a71f5958d5c2a7bae96bab3359cfca65276f273b02677f9dad8d4329547ff7fb696bddae177fd145e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESCB6A.tmp

Filesize
1KB

MD5
e356a1e508ef964edec457715ec56977

SHA1
6cfd5b837c0c960d4f66fcb9db45c6a4788607cd

SHA256
cdced17d30aea2c33901a3a64876598e3472d5777c0a5ce41e1b58b35940aa69

SHA512
97c3df19f7c9ea6e60f60b9be184cddf99029918d63d1da06cd4e2ad2208e674d06591998bec9806dd9772da7c441d5cabccd26f7c42c9f2bebef3a0dae2a627

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y6Uf3masa9.bat

Filesize
207B

MD5
e5bc02deecc5f9be578f617b2229c28c

SHA1
35e852bdf309bb7561db1777de7451aa627faade

SHA256
26a8c4a420a2629e16652d81faa3c81c8e251d789138d01b3923a24bd2c34baf

SHA512
567ba61760f5d4b752b53c33429941ccabe2ccd78d3922443a168df88597be68a13cbdc8c0ac40fa0c1b6bf052614cfb5a008df764f65b960347f22eec781194

Download Submit
C:\Users\Admin\AppData\Local\Temp\c209FVriWl.bat

Filesize
159B

MD5
7b8436cc43476a950289192cec4e883d

SHA1
3d4ae461a96aaf865bd3de162cdaa0811e5fa070

SHA256
bd5899bffed79eba2471c18ca5731805043d7a93b13f1a0699cfc70c4422b8c6

SHA512
839e6425d26dbb4b94b201549339c8025a5d5f6ae4bae7a624a4205b912449c3670a5c9c9134a917b93840298e25654795698110a701469f2ef1dc05af5cf9df

Download Submit
C:\Users\Admin\AppData\Local\Temp\diBg3fIzhe.bat

Filesize
159B

MD5
938257c33177d6896121484ef9459964

SHA1
5e3f09862c57a72aa7cd1b3098a859b8d04769ef

SHA256
a66252119234f36d6d70b9cfc33dcf1599256c204a1a685c1d9700519e50568c

SHA512
8a57675a778227c6d4924c8c1ee1a0d379f8e7057608b521e50989a7ecd6f9899382a4f348f82401b76d9757b51ffe78e922afb6064cfd43afcfe42283754207

Download Submit
C:\Users\Admin\AppData\Local\Temp\hFxofDmc2H.bat

Filesize
159B

MD5
6f6cfc5ad4cf53e54f41d76384a88516

SHA1
bad798c2e206737724e2f6bb21efb82706074e8d

SHA256
08ec39992d9531bcdcd454f275bab36f8f49e3737296a5845e131b2d555bf483

SHA512
eba6a4d5ea026dd9183a3f1651c48f4ed54e1f87aaa834623065c9cc55ba3baafd65ca6dd3de0b9a18e61b37d9f5e2adcdb09c64b37543b3fb2670508f3af957

Download Submit
C:\Users\Admin\AppData\Local\Temp\rC9RFMHLq8.bat

Filesize
207B

MD5
2361bec2efd06040e1a07cb1b02254c8

SHA1
82f547271884654b1c8e9764782d2347e367cf59

SHA256
2c9017b954a2ad8549a2f8b668a32d396ec0cd24c6472fea13c628013e3cf5e5

SHA512
43fee267e1eef08177b1361076c6d3c0a2b679d79d5477e0356951d209dc6eb744924e915a39200dfff7d0f7c0cd8920397ddb6e2260b36b8adb2a4a932e6b4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\utpnwKYKap.bat

Filesize
159B

MD5
c5f97a57a49467b1ac2e9187544c1db2

SHA1
682210324ced17d0e140a96c374d608fd5f641d9

SHA256
446d8be218bdfd50540804b6643c81b2e3b899e83b6352caa0ac71283fc785bb

SHA512
9152027d4980b231e70c9839a87f400d0b8333af3e0e15ed76ab44b00d7e187e968ca6abb36adbbb1c23ea1b5b12e219b309d816a323a0f1a8790b3ad472ae09

Download Submit
C:\blockcomSession\R3z0peym99fhJdrKbUwEGrQMoM2HpnSPGrE0X0k2hc.bat

Filesize
89B

MD5
de5b4fde5bc10d0f76a55eb9d249ab56

SHA1
751938b6ab03340842b429805fd2da1aa0d8c964

SHA256
009aa3f866391c87bd840efb9b6b4eb33fc4dcb625cd23e436d0c9383e033f0f

SHA512
58f02657db363b742c6aee66ccd5a6b279280e2dd09d7394b7b9907ca2cd005cd67ee88ca98d533605e30608fc61abc6f51f7d3be4a3813d7414d280b6f16a1f

Download Submit
C:\blockcomSession\RezYUes00TmmVGwINjr2qWMSbF3Etb9Bt2Ra62zGWDtewTBc.vbe

Filesize
236B

MD5
d2dd350044ce1fe408a44a036a7e6a0d

SHA1
3597e45deb69f4aa4749855e9ed452a39a9c7d42

SHA256
487bfe07abff347481f10c648717aab8008c7606c026b920358544f85c25e1b2

SHA512
81147d83dc5ffd1adb10add8486f6dac65df0e7c579f8244ef8f3d6f646ced97fad3f55a178ced9b60f5f23bb77a0e29bccb22651280a9eae135976af71c366a

Download Submit
C:\blockcomSession\containerReview.exe

Filesize
1.9MB

MD5
f568e43bc473cd8ceb2553c58194df61

SHA1
14c0fff25edfd186dab91ee6bcc94450c9bed84d

SHA256
c91375814e8a5bb71736ce61fa429bc7b98a2b7b2a254b9967c51f3fccfacd52

SHA512
47cf66ce90fecd147077c72dc3f06db2199b9bc96e887915d6b0d4bfea7577d60a7345da6e5bc59967d02528fbdf6c8bf86233261338f782b9185c890fbc400e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5y3ohj0i\5y3ohj0i.0.cs

Filesize
401B

MD5
a339b2b47e9a2d4885227ebd73b2767a

SHA1
55c5c652c979cddf3d9dd4e0a1436526d9ea8d63

SHA256
a5f5b1c58a5e7f189b264b53d48228eb0917fe1b3b4d71f60f6c7ac2775eaa98

SHA512
793050cb93c12351aeeae0e6dc1a9089c07c95095f5d72c22f735c12ccda842479db60c89545eb4f39659147fa1bbdcfcdf31fa3a6417c9d14271d71d372172d

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\5y3ohj0i\5y3ohj0i.cmdline

Filesize
235B

MD5
f5dc8ae531327de184e5ae6cc59d9055

SHA1
011d68d6157bcdd1409f2be01bb44dfd3a0ca633

SHA256
813d6ebbc03f657d5536e322a916e4fd81897f53dfa63c9db3c94b7cd5a379d8

SHA512
bf82376f86a879c988af0cc8b667a9a31ffdb4e7ff909e7af1f366817a8a2462ad60d432215bc05f6229360da852256a7ade2cd248c39192570dedbc8dc120cd

Download Submit
\??\c:\Windows\System32\CSCABD8D3CB6AF74FB688E5A5FD2667D65.TMP

Filesize
1KB

MD5
028d4cd290ab6fe13d6fecce144a32cc

SHA1
e1d9531cb2e6bc9cab285b1f19e5d627257a3394

SHA256
3f42f68eb3df49cf836fbb0019b8206af735e22f3d528e7b122fa9b2541fdde3

SHA512
2f99d37a56444831298f8efaef425e5dadec938ac459bfc0cdaf3708ef8662f12bd8d687a58fc1dd6bbdac6c806214b65a21489a24d3160c1e8575968e3caa6e

Download Submit
memory/1452-0-0x00000000002A0000-0x0000000000681000-memory.dmp

Filesize
3.9MB

Download
memory/1452-8-0x00000000002A0000-0x0000000000681000-memory.dmp

Filesize
3.9MB

Download
memory/1556-184-0x0000000001120000-0x0000000001310000-memory.dmp

Filesize
1.9MB

Download
memory/1592-159-0x0000000001100000-0x00000000012F0000-memory.dmp

Filesize
1.9MB

Download
memory/2132-58-0x0000000000840000-0x0000000000A30000-memory.dmp

Filesize
1.9MB

Download
memory/2308-84-0x00000000010B0000-0x00000000012A0000-memory.dmp

Filesize
1.9MB

Download
memory/2732-15-0x0000000000EE0000-0x00000000010D0000-memory.dmp

Filesize
1.9MB

Download
memory/2732-21-0x0000000000460000-0x0000000000478000-memory.dmp

Filesize
96KB

Download
memory/2732-23-0x0000000000420000-0x000000000042E000-memory.dmp

Filesize
56KB

Download
memory/2732-25-0x0000000000430000-0x000000000043E000-memory.dmp

Filesize
56KB

Download
memory/2732-27-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2732-19-0x0000000000440000-0x000000000045C000-memory.dmp

Filesize
112KB

Download
memory/2732-17-0x0000000000410000-0x000000000041E000-memory.dmp

Filesize
56KB

Download
memory/2816-146-0x00000000002C0000-0x00000000004B0000-memory.dmp

Filesize
1.9MB

Download
memory/3064-71-0x0000000000130000-0x0000000000320000-memory.dmp

Filesize
1.9MB

Download