dcrat | bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125

Analysis

max time kernel
121s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23-01-2025 04:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Size

1.9MB
MD5

c8ce6fc2028745f5eaf01a412d06acaa
SHA1

4be17e69614ea35c4cd9939f84034e0e1e43a9a0
SHA256

bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125
SHA512

6d9f45afdab9e5a062f7c0e89372f4c2c6f897acb76a0523d6b1620b0ccf0e827c8b5643650ee290f14fb9015c084e3866f01b9a1978104718b261a7b1523f05
SSDEEP

49152:bh8kL1nBcnwCcW2UUNUeZahEj6g3Kn7hRef6:bhMwFS+Ulz1nNRe

Score

10^/10

dcrat discovery execution infostealer persistence rat spyware stealer

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OSPPSVC.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OSPPSVC.exe\", \"C:\\Users\\All Users\\Desktop\\lsass.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\Cursors\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\", \"C:\\Program Files\\Windows Mail\\wininit.exe\", \"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\", \"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OSPPSVC.exe\", \"C:\\Users\\All Users\\Desktop\\lsass.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2660	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2660	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
932	powershell.exe
820	powershell.exe
760	powershell.exe
800	powershell.exe
1636	powershell.exe
2512	powershell.exe

Executes dropped EXE 1 IoCs

pid	Process
2772	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\Desktop\\lsass.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass = "\"C:\\Users\\All Users\\Desktop\\lsass.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125 = "\"C:\\Windows\\Cursors\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Mail\\wininit.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\wininit = "\"C:\\Program Files\\Windows Mail\\wininit.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125 = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125 = "\"C:\\Recovery\\1a287102-69f6-11ef-b2ff-62cb582c238c\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OSPPSVC.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OSPPSVC = "\"C:\\Program Files (x86)\\Microsoft.NET\\RedistList\\OSPPSVC.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125 = "\"C:\\Windows\\Cursors\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe\""	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io
12	ipinfo.io
13	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC9B1B65518F4D48AAA1858FCBBAA18A6A.TMP	csc.exe
File created	\??\c:\Windows\System32\3kmwe8.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\OSPPSVC.exe	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\1610b97d3ab4a7	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
File created	C:\Program Files\Windows Mail\wininit.exe	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
File created	C:\Program Files\Windows Mail\56085415360792	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
File created	C:\Windows\Cursors\4e543dff2d1600	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2188	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2188	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2712	schtasks.exe
1008	schtasks.exe
1996	schtasks.exe
1768	schtasks.exe
952	schtasks.exe
2644	schtasks.exe
2392	schtasks.exe
2248	schtasks.exe
916	schtasks.exe
2736	schtasks.exe
2272	schtasks.exe
1484	schtasks.exe
1524	schtasks.exe
1992	schtasks.exe
2912	schtasks.exe
2740	schtasks.exe
1728	schtasks.exe
768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

description	pid	Process
Token: SeDebugPrivilege	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	932	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	800	powershell.exe
Token: SeDebugPrivilege	2772	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 1880 wrote to memory of 2540	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	35
PID 1880 wrote to memory of 2540	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	35
PID 1880 wrote to memory of 2540	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	35
PID 2540 wrote to memory of 2620	2540	csc.exe	37
PID 2540 wrote to memory of 2620	2540	csc.exe	37
PID 2540 wrote to memory of 2620	2540	csc.exe	37
PID 1880 wrote to memory of 800	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	54
PID 1880 wrote to memory of 800	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	54
PID 1880 wrote to memory of 800	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	54
PID 1880 wrote to memory of 760	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	55
PID 1880 wrote to memory of 760	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	55
PID 1880 wrote to memory of 760	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	55
PID 1880 wrote to memory of 820	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	56
PID 1880 wrote to memory of 820	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	56
PID 1880 wrote to memory of 820	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	56
PID 1880 wrote to memory of 1636	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	59
PID 1880 wrote to memory of 1636	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	59
PID 1880 wrote to memory of 1636	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	59
PID 1880 wrote to memory of 2512	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	60
PID 1880 wrote to memory of 2512	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	60
PID 1880 wrote to memory of 2512	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	60
PID 1880 wrote to memory of 932	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	61
PID 1880 wrote to memory of 932	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	61
PID 1880 wrote to memory of 932	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	61
PID 1880 wrote to memory of 684	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	66
PID 1880 wrote to memory of 684	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	66
PID 1880 wrote to memory of 684	1880	bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe	66
PID 684 wrote to memory of 876	684	cmd.exe	68
PID 684 wrote to memory of 876	684	cmd.exe	68
PID 684 wrote to memory of 876	684	cmd.exe	68
PID 684 wrote to memory of 2188	684	cmd.exe	69
PID 684 wrote to memory of 2188	684	cmd.exe	69
PID 684 wrote to memory of 2188	684	cmd.exe	69
PID 684 wrote to memory of 2772	684	cmd.exe	70
PID 684 wrote to memory of 2772	684	cmd.exe	70
PID 684 wrote to memory of 2772	684	cmd.exe	70

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
"C:\Users\Admin\AppData\Local\Temp\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1880
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\pnudtdsh\pnudtdsh.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESEC14.tmp" "c:\Windows\System32\CSC9B1B65518F4D48AAA1858FCBBAA18A6A.TMP"
    3⤵
    PID:2620
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:800
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\wininit.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:820
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\OSPPSVC.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\lsass.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:932
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6eniQd0Sv.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:876
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2188
- - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe
    "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125b" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125" /sc ONLOGON /tr "'C:\Windows\Cursors\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125b" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125b" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125b" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125b" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\Local\Temp\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125b" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\D6eniQd0Sv.bat

Filesize
245B

MD5
62235897a2550fe92dcf28f0b8935ce1

SHA1
183d05801c418dd4eeece36756e52656582e9bf7

SHA256
c0a623e530abaed39874deb7564c006bcca76d17f0afbb1f0aa080d4bb9150b9

SHA512
dffd78c4f1ed11283edb79951edc67816fb2cabea0896e9382cd96675e22d74c30f87e58b9fd8e266d382b5794ce880bd8ac1024c62359cffcbce4c4e96494ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESEC14.tmp

Filesize
1KB

MD5
10bc9379da89ae759b4fc5bfcb332316

SHA1
fa38c697a795f3cae1fde5aec7d3495f8d3c0f55

SHA256
cc5f0212c4c501940e5c40d0664cd8e682bfd64ec530b3cdb10c9a5ee71dc245

SHA512
c2c45aa345b5115e01b0c741ca3d25e2fc805eaee7af546cdc6036a0ec5f66d74b2637e2cabb067a5b0039b9ea02c5765b4292de5a881c23a747860ed3d7fbf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2490a10f340b39ef435e5187b8ac1ca9

SHA1
95f27c574c6728c1332316b62c97348203a8e44e

SHA256
8f30abb432db1f4806bcc9dbddb1dc301e839ce9b8d35a45ae3c860dd06c62f8

SHA512
bf0656594b0065464ca1e93c60ca0601956359a7679f119f2bc9deb8cde826e6db1759e1e471cb53e47423c5c32c97c3d4cb2e3a9b9b187165a961c22f888e62

Download Submit
C:\Windows\Cursors\bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125.exe

Filesize
1.9MB

MD5
c8ce6fc2028745f5eaf01a412d06acaa

SHA1
4be17e69614ea35c4cd9939f84034e0e1e43a9a0

SHA256
bd068366ec33c420f480a1085cf661ae74ab13ac83bda6ccc9997d5495bed125

SHA512
6d9f45afdab9e5a062f7c0e89372f4c2c6f897acb76a0523d6b1620b0ccf0e827c8b5643650ee290f14fb9015c084e3866f01b9a1978104718b261a7b1523f05

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pnudtdsh\pnudtdsh.0.cs

Filesize
419B

MD5
5fdf9de984a08abe2edca75b8c15474a

SHA1
76cc1a90ce9cd0b31e25752d215142b40a56879c

SHA256
94df007963d2e28654bc6facf95b9e58b1cb18eb460cf0cb37f466324057bd31

SHA512
8728694f3956e6455f96e5edc621b8af520c5a7bcfee3d33ebda7da39d5f8c60a756a190c47434e7049a062ca5336bfd553ff96a31a3ac1bc510018434e38020

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\pnudtdsh\pnudtdsh.cmdline

Filesize
235B

MD5
7093f38329e3dd28cc2ef14ab9b78f82

SHA1
879356c4c0e1d2c694c92b574e27f4e015cac8ba

SHA256
af4505626d5981f4efa27586a7e00adf8881832c28f4e3e57c1a69edc3d390f1

SHA512
c9452cc8d42b2ca2b9746563e8ab65586723ac5205361f64bdb70dc242a3297dca3931f168ca85d33a71677db911c3b5ff6e4353681970d63873bcea1d09eb60

Download Submit
\??\c:\Windows\System32\CSC9B1B65518F4D48AAA1858FCBBAA18A6A.TMP

Filesize
1KB

MD5
8c85ef91c6071d33745325a8fa351c3e

SHA1
e3311ceef28823eec99699cc35be27c94eca52d2

SHA256
8db3e3a5515da1933036688a9b1918cfc3339fc687008c5325461271904b2d41

SHA512
2bb89b07fe46b1c406ed6a560e88cb2b8402b1d61bb71e10887bad661751f64f1e5317fd6c1b301ea4766785b915da31b64e0475cfe36c1f950b32915b5dab7d

Download Submit
memory/760-81-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/820-82-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1880-10-0x0000000000500000-0x0000000000518000-memory.dmp

Filesize
96KB

Download
memory/1880-0-0x000007FEF55E3000-0x000007FEF55E4000-memory.dmp

Filesize
4KB

Download
memory/1880-17-0x00000000004D0000-0x00000000004D8000-memory.dmp

Filesize
32KB

Download
memory/1880-18-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-19-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-21-0x0000000000520000-0x000000000052C000-memory.dmp

Filesize
48KB

Download
memory/1880-25-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-12-0x00000000004A0000-0x00000000004AC000-memory.dmp

Filesize
48KB

Download
memory/1880-34-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-35-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-13-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-15-0x00000000004C0000-0x00000000004CE000-memory.dmp

Filesize
56KB

Download
memory/1880-8-0x00000000004E0000-0x00000000004FC000-memory.dmp

Filesize
112KB

Download
memory/1880-6-0x0000000000490000-0x000000000049E000-memory.dmp

Filesize
56KB

Download
memory/1880-48-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-4-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-3-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-80-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-2-0x000007FEF55E0000-0x000007FEF5FCC000-memory.dmp

Filesize
9.9MB

Download
memory/1880-1-0x0000000000950000-0x0000000000B40000-memory.dmp

Filesize
1.9MB

Download
memory/2772-85-0x00000000000D0000-0x00000000002C0000-memory.dmp

Filesize
1.9MB

Download