dcrat | b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64

Analysis

max time kernel
112s
max time network
113s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
05-02-2025 06:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Size

1.9MB
MD5

5a1d8a0bc5a402a2fbc17c1dd6bc62a0
SHA1

bba1b92394a84353f709cc01de16a04fde3a10be
SHA256

b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64
SHA512

8cc6795c169536276e9ea7a027eb643beffa414a60e380d9debffeaa76ee349707a24e5c5af50ea968d8808c55a32a147201e0998e5dd655db8881722674c3a5
SSDEEP

49152:0F87R2Jr74nDifdT8jWq4Da46sFtndKbbh:0FVcnLjhtOtnYx

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Templates\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\spoolsv.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Templates\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\spoolsv.exe\", \"C:\\Windows\\SystemApps\\csrss.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Templates\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\", \"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\spoolsv.exe\", \"C:\\Windows\\SystemApps\\csrss.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Templates\\RuntimeBroker.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Templates\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\SearchApp.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Default\\Templates\\RuntimeBroker.exe\", \"C:\\Users\\All Users\\SearchApp.exe\", \"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3216	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3920	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5052	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4092	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	964	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3460	964	schtasks.exe	86

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4256	powershell.exe
684	powershell.exe
2900	powershell.exe
2424	powershell.exe
3436	powershell.exe
5032	powershell.exe
2668	powershell.exe
3608	powershell.exe
4756	powershell.exe
2988	powershell.exe
1276	powershell.exe
1272	powershell.exe
1548	powershell.exe
4656	powershell.exe
4052	powershell.exe
408	powershell.exe
3484	powershell.exe

Checks computer location settings 2 TTPs 12 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\Control Panel\International\Geo\Nation	spoolsv.exe

Executes dropped EXE 11 IoCs

pid	Process
3884	spoolsv.exe
5656	spoolsv.exe
1536	spoolsv.exe
3856	spoolsv.exe
5588	spoolsv.exe
2352	spoolsv.exe
3980	spoolsv.exe
6088	spoolsv.exe
316	spoolsv.exe
3448	spoolsv.exe
4220	spoolsv.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\spoolsv.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Templates\\RuntimeBroker.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\SearchApp.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SearchApp = "\"C:\\Users\\All Users\\SearchApp.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\SystemApps\\csrss.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Users\\Default\\Templates\\RuntimeBroker.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Program Files (x86)\\Windows NT\\Accessories\\en-US\\SppExtComObj.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\spoolsv = "\"C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\spoolsv.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Windows\\SystemApps\\csrss.exe\""	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC15CE9FF244D54F928616576A6DAE34BD.TMP	csc.exe
File created	\??\c:\Windows\System32\hpabal.exe	csc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\e1ef82546f0b02	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
File created	C:\Program Files (x86)\Common Files\Microsoft Shared\f3b6ecef712a24	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\csrss.exe	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
File opened for modification	C:\Windows\SystemApps\csrss.exe	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
File created	C:\Windows\SystemApps\886983d96e3d3e	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
1460	PING.EXE
6056	PING.EXE
3844	PING.EXE
1064	PING.EXE
116	PING.EXE
3432	PING.EXE

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Key created	\REGISTRY\USER\S-1-5-21-2211717155-842865201-3404093980-1000_Classes\Local Settings	spoolsv.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
116	PING.EXE
3432	PING.EXE
1460	PING.EXE
6056	PING.EXE
3844	PING.EXE
1064	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2432	schtasks.exe
2820	schtasks.exe
3076	schtasks.exe
3152	schtasks.exe
3216	schtasks.exe
4560	schtasks.exe
536	schtasks.exe
3920	schtasks.exe
5004	schtasks.exe
4832	schtasks.exe
2172	schtasks.exe
2848	schtasks.exe
2072	schtasks.exe
4092	schtasks.exe
1052	schtasks.exe
5052	schtasks.exe
2856	schtasks.exe
3460	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe

Suspicious use of AdjustPrivilegeToken 29 IoCs

description	pid	Process
Token: SeDebugPrivilege	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
Token: SeDebugPrivilege	4256	powershell.exe
Token: SeDebugPrivilege	3608	powershell.exe
Token: SeDebugPrivilege	4052	powershell.exe
Token: SeDebugPrivilege	2668	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	5032	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	3484	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	1272	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	2900	powershell.exe
Token: SeDebugPrivilege	3884	spoolsv.exe
Token: SeDebugPrivilege	5656	spoolsv.exe
Token: SeDebugPrivilege	1536	spoolsv.exe
Token: SeDebugPrivilege	3856	spoolsv.exe
Token: SeDebugPrivilege	5588	spoolsv.exe
Token: SeDebugPrivilege	2352	spoolsv.exe
Token: SeDebugPrivilege	3980	spoolsv.exe
Token: SeDebugPrivilege	6088	spoolsv.exe
Token: SeDebugPrivilege	316	spoolsv.exe
Token: SeDebugPrivilege	3448	spoolsv.exe
Token: SeDebugPrivilege	4220	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3312	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	90
PID 2176 wrote to memory of 3312	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	90
PID 3312 wrote to memory of 1648	3312	csc.exe	92
PID 3312 wrote to memory of 1648	3312	csc.exe	92
PID 2176 wrote to memory of 4656	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	108
PID 2176 wrote to memory of 4656	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	108
PID 2176 wrote to memory of 2668	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	109
PID 2176 wrote to memory of 2668	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	109
PID 2176 wrote to memory of 408	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	110
PID 2176 wrote to memory of 408	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	110
PID 2176 wrote to memory of 4756	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	111
PID 2176 wrote to memory of 4756	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	111
PID 2176 wrote to memory of 3608	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	112
PID 2176 wrote to memory of 3608	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	112
PID 2176 wrote to memory of 4052	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	113
PID 2176 wrote to memory of 4052	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	113
PID 2176 wrote to memory of 1276	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	114
PID 2176 wrote to memory of 1276	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	114
PID 2176 wrote to memory of 1272	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	115
PID 2176 wrote to memory of 1272	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	115
PID 2176 wrote to memory of 4256	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	121
PID 2176 wrote to memory of 4256	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	121
PID 2176 wrote to memory of 2988	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	123
PID 2176 wrote to memory of 2988	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	123
PID 2176 wrote to memory of 684	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	125
PID 2176 wrote to memory of 684	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	125
PID 2176 wrote to memory of 5032	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	127
PID 2176 wrote to memory of 5032	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	127
PID 2176 wrote to memory of 3436	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	128
PID 2176 wrote to memory of 3436	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	128
PID 2176 wrote to memory of 1548	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	129
PID 2176 wrote to memory of 1548	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	129
PID 2176 wrote to memory of 2424	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	131
PID 2176 wrote to memory of 2424	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	131
PID 2176 wrote to memory of 3484	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	134
PID 2176 wrote to memory of 3484	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	134
PID 2176 wrote to memory of 2900	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	135
PID 2176 wrote to memory of 2900	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	135
PID 2176 wrote to memory of 4840	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	142
PID 2176 wrote to memory of 4840	2176	b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe	142
PID 4840 wrote to memory of 5620	4840	cmd.exe	144
PID 4840 wrote to memory of 5620	4840	cmd.exe	144
PID 4840 wrote to memory of 6056	4840	cmd.exe	145
PID 4840 wrote to memory of 6056	4840	cmd.exe	145
PID 4840 wrote to memory of 3884	4840	cmd.exe	149
PID 4840 wrote to memory of 3884	4840	cmd.exe	149
PID 3884 wrote to memory of 5464	3884	spoolsv.exe	151
PID 3884 wrote to memory of 5464	3884	spoolsv.exe	151
PID 5464 wrote to memory of 5532	5464	cmd.exe	153
PID 5464 wrote to memory of 5532	5464	cmd.exe	153
PID 5464 wrote to memory of 5552	5464	cmd.exe	154
PID 5464 wrote to memory of 5552	5464	cmd.exe	154
PID 5464 wrote to memory of 5656	5464	cmd.exe	156
PID 5464 wrote to memory of 5656	5464	cmd.exe	156
PID 5656 wrote to memory of 5960	5656	spoolsv.exe	159
PID 5656 wrote to memory of 5960	5656	spoolsv.exe	159
PID 5960 wrote to memory of 2308	5960	cmd.exe	161
PID 5960 wrote to memory of 2308	5960	cmd.exe	161
PID 5960 wrote to memory of 5104	5960	cmd.exe	162
PID 5960 wrote to memory of 5104	5960	cmd.exe	162
PID 5960 wrote to memory of 1536	5960	cmd.exe	166
PID 5960 wrote to memory of 1536	5960	cmd.exe	166
PID 1536 wrote to memory of 2184	1536	spoolsv.exe	168
PID 1536 wrote to memory of 2184	1536	spoolsv.exe	168

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe
"C:\Users\Admin\AppData\Local\Temp\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3wmwdqpy\3wmwdqpy.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:3312
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB323.tmp" "c:\Windows\System32\CSC15CE9FF244D54F928616576A6DAE34BD.TMP"
    3⤵
    PID:1648
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4656
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2668
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:408
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4756
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3608
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4052
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1272
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4256
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:684
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5032
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\SearchApp.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3436
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2424
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3484
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2900
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4FZB9tDDxK.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4840
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:5620
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:6056
- - C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
    "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3884
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIYAWWKYBo.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5464
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5532
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5552
    - - C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5656
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtA3LkY0CV.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:5104
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat"
        8⤵
        
        PID:2184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:4352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5752
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QjhCqOFzVv.bat"
        10⤵
        
        PID:5204
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1872
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3844
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wr1mxRbh1u.bat"
        12⤵
        
        PID:4008
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:4612
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1064
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g08gBSmlqM.bat"
        14⤵
        
        PID:3564
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:808
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:116
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TCMSovEgtl.bat"
        16⤵
        
        PID:5612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:5564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:5512
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:6088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PUr4LdF8J0.bat"
        18⤵
        
        PID:1912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3432
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat"
        20⤵
        
        PID:5772
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:5748
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtA3LkY0CV.bat"
        22⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:6120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:5548
        
        C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe
        
        "C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat"
        24⤵
        
        PID:4868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:6052
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Templates\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows NT\Accessories\en-US\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\Microsoft Shared\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\SystemApps\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\SystemApps\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\SystemApps\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64Nb" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64Nb" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64N.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\spoolsv.exe.log

Filesize
1KB

MD5
935ecb30a8e13f625a9a89e3b0fcbf8f

SHA1
41cb046b7b5f89955fd53949efad8e9f3971d731

SHA256
2a7b829afe6a140bb37d24cc7711749c20cdaaf9cc7c4a182ff081180b4d99e9

SHA512
1210281612b0101ce63555a1a7855589ff68e1eac5b8a2461e10808c5b92c5dd111be72406c2923a94e10b687ceda43dc24d8c22a49dab40a4af793ee6b740aa

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
a8e8360d573a4ff072dcc6f09d992c88

SHA1
3446774433ceaf0b400073914facab11b98b6807

SHA256
bf5e284e8f95122bf75ead61c7e2b40f55c96742b05330b5b1cb7915991df13b

SHA512
4ee5167643d82082f57c42616007ef9be57f43f9731921bdf7bca611a914724ad94072d3c8f5b130fa54129e5328ccdebf37ba74339c37deb53e79df5cdf0dbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\4FZB9tDDxK.bat

Filesize
192B

MD5
67d04d5ab993c6a5388c580014d2e8a9

SHA1
b31dbedc59eb5ed714406ce79a196ac99d296f09

SHA256
362b48502ba60f9cb7c3a4655877f9b91def2c5d3d23c50a7b3b10eb7b500d1b

SHA512
26be42e615fbc440ea4ee43351b930ffe7436e8b5dcb416e94934c83beadde63472598c91edb75c15351176e9173f96d4118d44aece3cd754b7b4c50561d7dbb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4wM4wqHWVF.bat

Filesize
192B

MD5
d7eab53bca56237344b238ce562ceeb7

SHA1
d4fbdab831bb6e8a85b139ad79c82427794c2369

SHA256
21fac41124b08e050ab0d2296ebca586b6b546bb177408ac1c68aaedaebb9f24

SHA512
94f898d6653f238eae71bd6d4fc7ce2e8a52718ef333896048d75f890f97258a1bd18d95942c5b8e7c732664e0cc0d0ba4271e07b3e98912f8fa836e255c8d2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\8JExSyzmRo.bat

Filesize
240B

MD5
6b0c6bb108e6385ae653544703afa944

SHA1
0cbc091eef9cb78fc62d78e74b4791b285742877

SHA256
62cb3003e38ab1ce863ea8cdc6edb8f476a0f35fd09c601fd79ed738571830c4

SHA512
4ec792875feaec77c82c8916189d674674ae98ce59068a1b71ef007e5ea9eab1ec89581310cad6048d41c67e6acdbee04458b61a5257523fe6494add03b9d388

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtA3LkY0CV.bat

Filesize
240B

MD5
42b3c55e5a7953b009002d4ef87e1dbb

SHA1
cc30b070fc63024655056ca86da142065b239ade

SHA256
cfdae5bc76c181c2990f328a43fc8263d6438c6c3d82cafc57b3f2181f0900b8

SHA512
1140d6cc20393b9204b5c8b70bf9dc2957b16d8291da326cfaf02705f7b90fed4f3e98b78113937ba4c00bfb01d64667b14442bdc5747c61db2c80a9b8b9ccd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\PUr4LdF8J0.bat

Filesize
192B

MD5
f20d4e2acb798045567ea1ec9d8ed949

SHA1
7243c425bd3d5ff6374993e998aa740e2243cfa7

SHA256
4a589a6a40b7b3ba0632d57d268678ea5b45ac5b24b5bc09fd7ba21753ea86b9

SHA512
877f7a010e65bf28a67895a8e0c7e46a74796676d2b71955d8c32aff6a7308a34a56f4a88bfce1efd1d107aac7f7598a0b2d5e597e8d13c16d94d876a186102c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QjhCqOFzVv.bat

Filesize
192B

MD5
1eb4cede5cb7f10b2cc4aef52a4752e4

SHA1
235073ac899470aa0220e842958a7d85dc4ec4fc

SHA256
06f6661ef76ffb3c0eb19ad03271b4027ac771d7a67adde0b8dd572db3cf2f77

SHA512
b01557b18cb303424fe5c7cbdc207529aa3dccbd8b4483ea37f1e280e3d5252598307e110a7fe6934904da49dd0c6659413c03b0248e997a6cc710816654b432

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB323.tmp

Filesize
1KB

MD5
4ebab82c1dfeaaf3848eb2dac7a5634a

SHA1
2daf08306b9161e8d44572ad67dde3132823eda7

SHA256
f826571219b675d8a84f6c00a01199f702721ee8701a5dcd76ec86b357bf4941

SHA512
9c9e00e773ea3600e555d4db3668fb8f1338d857e89965af1a8f8bc92aafbd2c0a08372ef06d687bb7ae3d27ce0ecbf20e1d88d8b66d485ffdf5fd27eeef1d31

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCMSovEgtl.bat

Filesize
240B

MD5
64bea794f83b26cec20fc1747d498aaf

SHA1
93c4d77b9c802d53f2cb8a86a2fda7064efccec0

SHA256
b3e6904dc4a639791cded95dea9e627d557a21ffb9ed8c60e184c8fcf958b0db

SHA512
75e8e55f70a7c751cb8c76d11e5aece0d8fc680159a3868d1aa16279484b7a7edbcad45ce359ea4ce1a968aa770c78bc06ceb91e6b66741be2889de9fdd01bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_awj1jbeq.yon.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\g08gBSmlqM.bat

Filesize
192B

MD5
5e709c9e35cf876202420e1b20d0f224

SHA1
38dec53caba4c284c7013e7894c7830bb6391bbe

SHA256
6434da8300d26b6e6ca3078e63b6fc1abc2a975dac07ca22ccce06eb52dee75f

SHA512
d203878cfa8140d1f032c5d6f76432ef4647442c06c7f2a3aa24faad477c7b7e222aba46d65d642780dc805400ba78766e2d1cb314afc145acf1c0938c353e15

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIYAWWKYBo.bat

Filesize
240B

MD5
711afef097ad2061fa83e40a553754e0

SHA1
57dcbdcb18c0f4aca1647a80a74f60b69ddd6778

SHA256
f69e073a6830c05eff75a98f23b8fc49d8617fc36bc9472aa4b4bdc0ef122afd

SHA512
4256b276c1702bbf2d7452ae38040307fd16e2ef793ec04d739d7786c359a629047a43bf6d83214473d7c591cb163fa8351bd2d2c695289bcc8380c1ebddda48

Download Submit
C:\Users\Admin\AppData\Local\Temp\wr1mxRbh1u.bat

Filesize
192B

MD5
c4f809b87315a399056151bd2f36e643

SHA1
51fa56f349b55ee44de8a906bf29fa57c029140a

SHA256
8a306b72a5f71543611157a5d343c2c5c54d689a638f8feaa587b4be0fc52033

SHA512
e94d9180c4ab837df817db4af1fb1078f9f1a00c2394656a0cd73a167b5fa37ddeda3b0baad5db5ff08dbb5fa11abc7ce8828f1ebde19a23521c6dd0b0e7530a

Download Submit
C:\Users\Default\AppData\Roaming\Microsoft\Windows\Templates\RuntimeBroker.exe

Filesize
1.9MB

MD5
5a1d8a0bc5a402a2fbc17c1dd6bc62a0

SHA1
bba1b92394a84353f709cc01de16a04fde3a10be

SHA256
b95114a8ca94a3a7a191d460a6922b40eacf8a8afe7e217052e6ad97f62d8c64

SHA512
8cc6795c169536276e9ea7a027eb643beffa414a60e380d9debffeaa76ee349707a24e5c5af50ea968d8808c55a32a147201e0998e5dd655db8881722674c3a5

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3wmwdqpy\3wmwdqpy.0.cs

Filesize
376B

MD5
885cd4dc5f977d22b430a54e0719afe9

SHA1
867f3d95dab559a82943f75ff03c223ee2d1e808

SHA256
1ce954547a243ddb80307e952b5b4eb7e6c73b809409e24919e9f70da6b70fc3

SHA512
37b3549e2b4b97ae44243a85d5846088997af79a52239f256173981886bdd4e32c684aca0232055da6f7390ad6e109b330c75605e68fe2d51eeb4cdb339ebe54

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\3wmwdqpy\3wmwdqpy.cmdline

Filesize
235B

MD5
34ddfb930e125b73253e7f4710f28cb9

SHA1
cd6b89ed8e1ddc088ca732b9b0c09dc940254b6d

SHA256
349d68a965528c21fe2410203d0fbab0a3db8c5166e6d4c326a9041bd22ac156

SHA512
b40e18060ff8dbf660fa582ec6cd841335cb10cf36acf47f4356734036a24576cd85d0103969f2e3bad60f8c36a26a77881fde00a7aba4fb5be23c5bcfc03b18

Download Submit
\??\c:\Windows\System32\CSC15CE9FF244D54F928616576A6DAE34BD.TMP

Filesize
1KB

MD5
5feddd0eaa092197cf02f7969473a7d2

SHA1
c58f632235df253f1becdd483ff64920ac2a90f5

SHA256
7e282993b55f2c19683f520a08bc8a14be23638b285577707159e2dffaa54b8f

SHA512
5991dd3ef74801657aca07b9b56e4b567f9ac270fd946d06bfbe1f3b8791a57f621b12435bc08d901c9923bb4f83c027065f6623dcaafefd3a9d6c8b070c2227

Download Submit
memory/2176-17-0x00000000023F0000-0x00000000023FC000-memory.dmp

Filesize
48KB

Download
memory/2176-55-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-15-0x00000000023E0000-0x00000000023EE000-memory.dmp

Filesize
56KB

Download
memory/2176-0-0x00007FF978133000-0x00007FF978135000-memory.dmp

Filesize
8KB

Download
memory/2176-36-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-35-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-30-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-22-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-13-0x0000000002420000-0x0000000002438000-memory.dmp

Filesize
96KB

Download
memory/2176-19-0x0000000002440000-0x000000000244E000-memory.dmp

Filesize
56KB

Download
memory/2176-1-0x00000000000C0000-0x00000000002B8000-memory.dmp

Filesize
2.0MB

Download
memory/2176-37-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-21-0x0000000002450000-0x000000000245C000-memory.dmp

Filesize
48KB

Download
memory/2176-11-0x000000001AE80000-0x000000001AED0000-memory.dmp

Filesize
320KB

Download
memory/2176-10-0x0000000002400000-0x000000000241C000-memory.dmp

Filesize
112KB

Download
memory/2176-8-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-7-0x0000000000AD0000-0x0000000000ADE000-memory.dmp

Filesize
56KB

Download
memory/2176-5-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-4-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-3-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/2176-2-0x00007FF978130000-0x00007FF978BF1000-memory.dmp

Filesize
10.8MB

Download
memory/4256-65-0x00000266E7250000-0x00000266E7272000-memory.dmp

Filesize
136KB

Download