dcrat | e0b7deb5306d43671d3800515bdf5b31455b483a06862be563813eabea3e181d

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20250207-en
resource tags

arch:x64arch:x86image:win7-20250207-enlocale:en-usos:windows7-x64system
submitted
22/03/2025, 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Size

1.9MB
MD5

edcab28f5aae28489cb2ca6933a2f2be
SHA1

8226e84872a864d71d6f23a6927d1b603c53a0b7
SHA256

c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4
SHA512

240cedf9b820b28c66ce25d8e6591155906302dec4b234c5a697bbd3bdd6eec39874b09110be01883dac74cba494e46be356cd445a1cc16a3b269e720b1cff6a
SSDEEP

49152:lD4qFYryHb84s5guM/UpXR/+7SjWnjb8Ydp1:lDC4si4bGmjWnkYdf

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\smss.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\smss.exe\", \"C:\\Users\\Admin\\Links\\dwm.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\", \"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\smss.exe\", \"C:\\Users\\Admin\\Links\\dwm.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\winlogon.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\", \"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\winlogon.exe\", \"C:\\Program Files\\Windows Portable Devices\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2768	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2768	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
444	powershell.exe
872	powershell.exe
2120	powershell.exe
844	powershell.exe
2036	powershell.exe
2336	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2244	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
2620	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
1864	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
2900	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
892	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
2472	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
2984	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
1968	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
2272	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
2284	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
2012	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
1704	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
872	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
1208	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\winlogon.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files (x86)\\Windows Sidebar\\Gadgets\\winlogon.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4 = "\"C:\\Program Files\\Windows Portable Devices\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\smss.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\smss = "\"C:\\Program Files (x86)\\Windows Photo Viewer\\de-DE\\smss.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-677481364-2238709445-1347953534-1000\Software\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\Links\\dwm.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\MSOCache\\All Users\\{90140000-00BA-0409-0000-0000000FF1CE}-C\\csrss.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4 = "\"C:\\Program Files\\Windows Portable Devices\\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dwm = "\"C:\\Users\\Admin\\Links\\dwm.exe\""	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ipinfo.io
5	ipinfo.io

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSCF050ED883044FBAAC2FF01058261915.TMP	csc.exe
File created	\??\c:\Windows\System32\c5rs-l.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
File created	C:\Program Files\Windows Portable Devices\f7fa276b799260	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\winlogon.exe	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\cc11b995f2a76d	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\69ddcba757bf72	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2524	PING.EXE
1008	PING.EXE
2844	PING.EXE
2036	PING.EXE
1580	PING.EXE
3008	PING.EXE

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
3008	PING.EXE
2524	PING.EXE
1008	PING.EXE
2844	PING.EXE
2036	PING.EXE
1580	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
536	schtasks.exe
2692	schtasks.exe
3056	schtasks.exe
1952	schtasks.exe
2624	schtasks.exe
1828	schtasks.exe
1408	schtasks.exe
1608	schtasks.exe
484	schtasks.exe
2256	schtasks.exe
2932	schtasks.exe
2952	schtasks.exe
3008	schtasks.exe
2988	schtasks.exe
1660	schtasks.exe
2964	schtasks.exe
2812	schtasks.exe
1572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2244	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	2620	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	1864	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	2900	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	892	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	2472	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	2984	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	1968	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	2272	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	2284	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	2012	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	1704	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
Token: SeDebugPrivilege	872	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 884 wrote to memory of 2892	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	35
PID 884 wrote to memory of 2892	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	35
PID 884 wrote to memory of 2892	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	35
PID 2892 wrote to memory of 2616	2892	csc.exe	37
PID 2892 wrote to memory of 2616	2892	csc.exe	37
PID 2892 wrote to memory of 2616	2892	csc.exe	37
PID 884 wrote to memory of 844	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	53
PID 884 wrote to memory of 844	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	53
PID 884 wrote to memory of 844	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	53
PID 884 wrote to memory of 2120	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	54
PID 884 wrote to memory of 2120	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	54
PID 884 wrote to memory of 2120	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	54
PID 884 wrote to memory of 872	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	55
PID 884 wrote to memory of 872	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	55
PID 884 wrote to memory of 872	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	55
PID 884 wrote to memory of 444	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	56
PID 884 wrote to memory of 444	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	56
PID 884 wrote to memory of 444	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	56
PID 884 wrote to memory of 2336	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	58
PID 884 wrote to memory of 2336	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	58
PID 884 wrote to memory of 2336	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	58
PID 884 wrote to memory of 2036	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	103
PID 884 wrote to memory of 2036	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	103
PID 884 wrote to memory of 2036	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	103
PID 884 wrote to memory of 2008	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	104
PID 884 wrote to memory of 2008	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	104
PID 884 wrote to memory of 2008	884	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	104
PID 2008 wrote to memory of 1268	2008	cmd.exe	67
PID 2008 wrote to memory of 1268	2008	cmd.exe	67
PID 2008 wrote to memory of 1268	2008	cmd.exe	67
PID 2008 wrote to memory of 1844	2008	cmd.exe	68
PID 2008 wrote to memory of 1844	2008	cmd.exe	68
PID 2008 wrote to memory of 1844	2008	cmd.exe	68
PID 2008 wrote to memory of 2244	2008	cmd.exe	69
PID 2008 wrote to memory of 2244	2008	cmd.exe	69
PID 2008 wrote to memory of 2244	2008	cmd.exe	69
PID 2244 wrote to memory of 2452	2244	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	70
PID 2244 wrote to memory of 2452	2244	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	70
PID 2244 wrote to memory of 2452	2244	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	70
PID 2452 wrote to memory of 2988	2452	cmd.exe	72
PID 2452 wrote to memory of 2988	2452	cmd.exe	72
PID 2452 wrote to memory of 2988	2452	cmd.exe	72
PID 2452 wrote to memory of 2644	2452	cmd.exe	73
PID 2452 wrote to memory of 2644	2452	cmd.exe	73
PID 2452 wrote to memory of 2644	2452	cmd.exe	73
PID 2452 wrote to memory of 2620	2452	cmd.exe	74
PID 2452 wrote to memory of 2620	2452	cmd.exe	74
PID 2452 wrote to memory of 2620	2452	cmd.exe	74
PID 2620 wrote to memory of 1828	2620	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	75
PID 2620 wrote to memory of 1828	2620	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	75
PID 2620 wrote to memory of 1828	2620	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	75
PID 1828 wrote to memory of 2064	1828	cmd.exe	77
PID 1828 wrote to memory of 2064	1828	cmd.exe	77
PID 1828 wrote to memory of 2064	1828	cmd.exe	77
PID 1828 wrote to memory of 1692	1828	cmd.exe	78
PID 1828 wrote to memory of 1692	1828	cmd.exe	78
PID 1828 wrote to memory of 1692	1828	cmd.exe	78
PID 1828 wrote to memory of 1864	1828	cmd.exe	79
PID 1828 wrote to memory of 1864	1828	cmd.exe	79
PID 1828 wrote to memory of 1864	1828	cmd.exe	79
PID 1864 wrote to memory of 2928	1864	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	80
PID 1864 wrote to memory of 2928	1864	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	80
PID 1864 wrote to memory of 2928	1864	c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe	80
PID 2928 wrote to memory of 1696	2928	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
"C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\yetmxi0q\yetmxi0q.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2892
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESF4EA.tmp" "c:\Windows\System32\CSCF050ED883044FBAAC2FF01058261915.TMP"
    3⤵
    PID:2616
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:844
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2120
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:872
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\dwm.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2336
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2036
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U9XOKYZLAF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2008
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:1268
- - C:\Windows\system32\w32tm.exe
    w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
    3⤵
    PID:1844
- - C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
    "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2244
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nBqbaEi3SG.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2452
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2988
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:2644
    - - C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2620
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DoC45cXmCX.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1692
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BSGjULhCAT.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2236
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VTvBzponnF.bat"
        10⤵
        
        PID:2044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:1292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2976
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7zpOYzElC.bat"
        12⤵
        
        PID:1708
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2844
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1mWG9ArXwW.bat"
        14⤵
        
        PID:1644
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1652
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e6v3dq4CIc.bat"
        16⤵
        
        PID:696
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:884
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2036
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat"
        18⤵
        
        PID:2820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2652
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0KEJuvYQ32.bat"
        20⤵
        
        PID:2616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:2468
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1580
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHuPvvKEnU.bat"
        22⤵
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3008
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sxRqhXCXyo.bat"
        24⤵
        
        PID:2976
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2524
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\taR4nW1a6P.bat"
        26⤵
        
        PID:2884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:1620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1008
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MCv5EqkMBH.bat"
        28⤵
        
        PID:1504
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:444
        
        C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe
        
        "C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe"
        29⤵
        Executes dropped EXE
        
        PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4c" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4c" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Links\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\Links\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4c" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4c" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Local\Temp\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\wbem\wmiprvse.exe
C:\Windows\system32\wbem\wmiprvse.exe -Embedding
1⤵
PID:2008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\csrss.exe

Filesize
1.9MB

MD5
edcab28f5aae28489cb2ca6933a2f2be

SHA1
8226e84872a864d71d6f23a6927d1b603c53a0b7

SHA256
c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4

SHA512
240cedf9b820b28c66ce25d8e6591155906302dec4b234c5a697bbd3bdd6eec39874b09110be01883dac74cba494e46be356cd445a1cc16a3b269e720b1cff6a

Download Submit
C:\Program Files\Windows Portable Devices\c094e156e6d4756e275d2c8a03c7b955d4c45dc77a3d35f9b8bbe54eb11023d4.exe

Filesize
1.6MB

MD5
dc57d10dd141ec2bccc875e4a9f6cdc3

SHA1
822ca830a47761eb2dde5a708c9d7280f74ad1f2

SHA256
527edd2f8994d543563aebe4c5132104352d6ac4404c7763d4b166e9be863a1e

SHA512
6e58b94074cd6295b79c6f96bdd32099bd326374f93297eff5990ce770bd6e9899db64f130b32d495de5402d2d1c7f00dd34da81ee3eb820cb81461507a25ac3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0KEJuvYQ32.bat

Filesize
238B

MD5
2047e0ed5f6aaf756c3f1a0f8a1fa146

SHA1
8dbe63ea5adce3bafb548e03951fa073c5da60ee

SHA256
a271d284678717372213e32387071a8cbdc2e2205fbaa469879e76447de806d7

SHA512
5bbfa01f29ddacd78dcb7c3347a05fdb17e7a39d41faa56a5d12960c1a1f79bb903ca0cc7bd3da9d6042f1a2bdc2baaa47273ca504301e9f70d8f52b71c9497b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1mWG9ArXwW.bat

Filesize
286B

MD5
6fbff8d0ba140c6ade6d13c7e9d57650

SHA1
a1036494577d2159a33f6d2cc955727648c7de20

SHA256
ba1e57b4c4eda073b040ba80867dc475065eeb2e528c0a2e615401f21f4828d0

SHA512
a40959b4b4aef47f899effa15b7b26bea1c152254cebac332a9527a9a2abf603888fcb520c4c68b6d0bea89b007183908c79fd236cad3189afad757c3b83cb33

Download Submit
C:\Users\Admin\AppData\Local\Temp\BSGjULhCAT.bat

Filesize
286B

MD5
e48773c8b7ef1c63a5e5a333585fd55f

SHA1
5d281314dfb01111700e869de8dc0b422edf337f

SHA256
bf54d1877d95e424787b08e52a35b80c54575ee0c6eb0c8b1ac788980696350a

SHA512
15a1665d877ccc27c7e90bfd013223ed662d802955cb25b7869ee4f36df4ddc05f72c482a68634386f852ec134179cef5161a1b7312e02b2f263866e1ad3f05a

Download Submit
C:\Users\Admin\AppData\Local\Temp\DoC45cXmCX.bat

Filesize
286B

MD5
1d0b4c0ec26c2d1418945902a0dd6609

SHA1
28df92ada958d32b731fc10f5632f98afbbd8b3d

SHA256
ed54a23359b706c435be7e7834330e689d1b9dfa94bf573d29bd340977593c42

SHA512
dfe70dc3459bd63b5d6d03ae81d0d8c1c497e10751962c2a4680ee8dda9d624def4d17655cee261f8c3e41f66e309394e640b281453b7babab14302ed81c1943

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHuPvvKEnU.bat

Filesize
238B

MD5
4562740ccd723c5698eceb4023cd8df8

SHA1
e81e7831009d758c4534f670c5fd985067182b66

SHA256
45b966ce5e948bf2a5199af8e183816665fe1a2b918ed901c0a5dcce4d87107d

SHA512
950e73c46ff2cbd80dccba028bab4cee6d51bc2cdc5f745bccb89b4230105f6b29a168d1d0e487a3dfcc57fdad93b9ce1b8d9702a8da16e2bedcd82df01de841

Download Submit
C:\Users\Admin\AppData\Local\Temp\MCv5EqkMBH.bat

Filesize
286B

MD5
1d899aba4d35c284da910ce9224282df

SHA1
94286191456c14ae860503253c5c25408cac9fa5

SHA256
c135817680e5acaf08725b7eccfae2ac5a16b27126154ce4006077d9955b991d

SHA512
31d737568baadc154d651ba2827d1f0ec6ec8df1ca1f304384935eb18eb274556e026a5d97c2f6f091adae6516e00de2862cffe337ee1ad422f22f456f497efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PTUnOlLS5m.bat

Filesize
286B

MD5
4a8beb1989ce9b72e49d0eb9b22a89de

SHA1
e55c3d15e9300dbdd787c08c3a34f8035d78d4d4

SHA256
ad5887026d27e5f48a885c2ab08a6345b5c294448ff32452e49c42ec1131828a

SHA512
fa250411f057070f94b3364e6a26fde9992f0c50bed05535bc222a8858496482c7a23d4a353fe68149b2854b2e8237a0852f3519c498ed5995632e2e5dc28d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESF4EA.tmp

Filesize
1KB

MD5
bcc9cc0d463e315f58972c84dbbece83

SHA1
dc763032ddbd0baf1b880364736b45f916b4cca2

SHA256
223f439c67602b7573d9a495aba0b765f6a59937dfd54567b0310cdfb27c23ef

SHA512
ad4d5b63d744603e6c3dab1af2ce31a6b44b5894a15f0b795a1c60cbbe570a4011fbb95d1aea48b0208a6801398b3d6f4c857cd557ccd2142fd0fcbc7272809f

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7zpOYzElC.bat

Filesize
238B

MD5
1f547cce989d07e441545b6f0b138c29

SHA1
c2fa571383254ec0431b5d6e8f7ebb867489a566

SHA256
4e3c06ca65d2802085ff8dabe69a07708ee342b7595f6bca966e5c956f360e82

SHA512
dea7883d5c017967de304678f28a047554348a81b8cf6ff4e4faa294258f3361da85c163fadb30e93ec2e288cc8074546ec9604c708ab24b1e8b6e8b3dce0d6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\U9XOKYZLAF.bat

Filesize
286B

MD5
4a5a63d3ee604399e14308bb7009ef6a

SHA1
003caf87282b5dc1509cec021fcf54544796ff39

SHA256
c36b1f5deb87601dfa8eddd4807cfec96b811aef867eb81fe1d52667d149ca50

SHA512
13ac8c15b7ff65c52c349be3ef3be9cfd5a037eafd47dfaa346a7ac219b1859e28bde5b585cedbbcda0a6aff1cd30034089817119da7299607ed01e304485231

Download Submit
C:\Users\Admin\AppData\Local\Temp\VTvBzponnF.bat

Filesize
286B

MD5
b5e3aad882acdae01b80b99b6ef7de7b

SHA1
94e2f23e19d9399d056b61b4932f2d2960729332

SHA256
16b205c463fc680216d29bd325f3819ee8031b7de065889a6f2f2fe328c5fc4e

SHA512
80ff13c09ed96b03585a8f1740d3bcc7bb338b5be6d01f2558cba05688c36db05462bd4ec73e548673e0a80e4bdc5cd64d4d2771b90e32dd5ded133036d4af0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\e6v3dq4CIc.bat

Filesize
238B

MD5
1fbea256bbd9eb7b0dbc955cdc7dcf88

SHA1
6d1cce861e01e6a996fd57dfe5f81f80a4cb77ac

SHA256
d577d5646a609d8c90cda112874080d58665dceedb9834a5587e85ecbf6f4cba

SHA512
2987b19bc97b2c793bfa288d763accaa1816f8d03ad00535a1c111495fcf1ae756cb15443cc15655b7770ac86baaa9ea9c1f8335f702a5917837cca2d2a74fc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\nBqbaEi3SG.bat

Filesize
286B

MD5
115145052a1db82d8623fab95fde23d5

SHA1
7b1dbd266561036f6d5b648862b541a9428fe171

SHA256
38244a9e69fc5b0515e22d1044d124730ca894b6e081335ba4f809fbbc77c867

SHA512
70fe57701a58e29a77461a53b19a5a3cb9cdd770cbedb801703f56ad85b6add51ba108d5f36d9654ab0d8d8cf04ee32f882a20693b8b60d58c0f4d5fe11c0051

Download Submit
C:\Users\Admin\AppData\Local\Temp\sxRqhXCXyo.bat

Filesize
238B

MD5
aba257599141ae91c3ad9d503ef8a0f0

SHA1
898248bbed0fcfbcd733040aa0b142c7ada5f056

SHA256
770162863ea09591747b052d6b07b5be9d72c39f73d69cc6dd672c15c383b82a

SHA512
c84ca3ada6c0e0992f73e0386c31413363967391115f1d24c97dc8dd93ccaab7d1b4f44cf01feba13231282489f111a00a26d9f5edbe3df0702e6fa29c458fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\taR4nW1a6P.bat

Filesize
238B

MD5
90100af93eb148b2b9a5b92ec870de96

SHA1
07f05663a5fe262e847274106027a66eb11b897d

SHA256
5f65bf2c98cccdb4f97dedbd81c33abdc64249975955708456c92f49a6f3842d

SHA512
ee54cb2ebc59485d67fa2bd7bd915e05825684439d89c34072f8429f8dd98ecbaec49d7b9ff0aea2c3e5da3d7c7dfe7bb9ab652adca9ad679c4cd214044e0cff

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d844b63a77088d550460b56ccd38817d

SHA1
910de6aa41e0c987ea7fe0e3a1b5264a2103f5a5

SHA256
22eba9d48baa29a102f2c7de91cfdc7241641bdcd4c6313bac200a3d0ef855a1

SHA512
fbbcc229d7d87f5c43497fe96e2445df9fcdaddea5024132d3406dd37eaeefe4018c3337ba2b13aae14ad9d3e6a3498d2635355390f15c72ea1a2eb352468374

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yetmxi0q\yetmxi0q.0.cs

Filesize
404B

MD5
d7ae4ee18de1651ee594d2dab93e001f

SHA1
e937a18701f4a0612366ac2963b5f68b3990d0a1

SHA256
6f1b417b15c699c563bc3b147a502fbbc2114fe9e244b8e09f37a3866bb31195

SHA512
5512174930b94db7897574b8ed1bc8f47804a33ce442e265e0642cf6e96f4aa3629a665a7f5452a8ab503c207a957b80d461352773bbb2dc32fb878cb4edfe5a

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\yetmxi0q\yetmxi0q.cmdline

Filesize
235B

MD5
4573c6d222d7c2bd01342065a109f9a2

SHA1
95ba4633f0d2be361f12ae5e71cd802692cc741c

SHA256
53c4269df24d79de1e3eea182de492d700f86cfead2e93267b859080c11ecf7f

SHA512
2eb2f927320603845ebcd765f938c400bfb5dd7abeeb72857d0c80cec9c979b8ae46147cacaa169875e5e568e168352d426b9df3050a037aaee460dbecdc5db9

Download Submit
\??\c:\Windows\System32\CSCF050ED883044FBAAC2FF01058261915.TMP

Filesize
1KB

MD5
8ca96d092a7a1e7970d04f7098276874

SHA1
5b628da2d1b2eedeef27d1bc3767477d4f50feaa

SHA256
1dbee17e9ea7448639f45c7870f4ebcbb1dede459ae964419fc7b31d614c5171

SHA512
c0ef96ee39bbde5e675ac8189bfe2ca7f7dd52fa80d7cdbefe0800bc5df4cb30654abad3254f18e21b79bf67fd679f165b376045aba805eb1e850d09cf5e5012

Download Submit
memory/444-59-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/444-62-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/872-239-0x00000000010F0000-0x00000000012D6000-memory.dmp

Filesize
1.9MB

Download
memory/884-17-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-4-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-0-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

Filesize
4KB

Download
memory/884-20-0x00000000002C0000-0x00000000002CC000-memory.dmp

Filesize
48KB

Download
memory/884-21-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-86-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-48-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-1-0x0000000000EF0000-0x00000000010D6000-memory.dmp

Filesize
1.9MB

Download
memory/884-23-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-2-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-18-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-16-0x00000000002B0000-0x00000000002B8000-memory.dmp

Filesize
32KB

Download
memory/884-26-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-10-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-49-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-47-0x000007FEF5C43000-0x000007FEF5C44000-memory.dmp

Filesize
4KB

Download
memory/884-14-0x00000000002A0000-0x00000000002AC000-memory.dmp

Filesize
48KB

Download
memory/884-3-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-9-0x000007FEF5C40000-0x000007FEF662C000-memory.dmp

Filesize
9.9MB

Download
memory/884-12-0x0000000000700000-0x0000000000718000-memory.dmp

Filesize
96KB

Download
memory/884-6-0x0000000000290000-0x000000000029E000-memory.dmp

Filesize
56KB

Download
memory/884-8-0x00000000006E0000-0x00000000006FC000-memory.dmp

Filesize
112KB

Download
memory/1208-252-0x00000000011D0000-0x00000000013B6000-memory.dmp

Filesize
1.9MB

Download
memory/1704-226-0x0000000000950000-0x0000000000B36000-memory.dmp

Filesize
1.9MB

Download
memory/2012-213-0x0000000000110000-0x00000000002F6000-memory.dmp

Filesize
1.9MB

Download
memory/2244-89-0x0000000000900000-0x0000000000AE6000-memory.dmp

Filesize
1.9MB

Download
memory/2272-187-0x00000000001D0000-0x00000000003B6000-memory.dmp

Filesize
1.9MB

Download
memory/2284-200-0x00000000001B0000-0x0000000000396000-memory.dmp

Filesize
1.9MB

Download
memory/2620-102-0x00000000013B0000-0x0000000001596000-memory.dmp

Filesize
1.9MB

Download