dcrat | d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2024 15:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Size

857KB
MD5

31c3f45b0054b2592dfbe98cc2b2ae6f
SHA1

b3b09b956a490a2558ffd7a5bd75cad36198ad85
SHA256

d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805
SHA512

737face1e81289120aecb19e64073c6c8bb4bd4efcbe4277a6a567e504267c9f82783973b55e08b1c9007521da7256c8494234eb5c57290ed71fba01c6bb5656
SSDEEP

12288:JWTnfLcX02i56n+XomvfJJMA+ApW3Ari4VVyZC0+1cw2jINofMVbmsaxZ6:JWTnZ20XomvhJMA+A3iE0nHp6

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SchCache\\SppExtComObj.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SchCache\\SppExtComObj.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SchCache\\SppExtComObj.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\bin\\winlogon.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\", \"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\", \"C:\\Windows\\SchCache\\SppExtComObj.exe\", \"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\", \"C:\\Program Files\\Java\\jdk-1.8\\bin\\winlogon.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Recovery\\WindowsRE\\services.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3888	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3936	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3628	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	4332	schtasks.exe	84
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	4332	schtasks.exe	84

DCRat payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/3544-1-0x0000000000470000-0x000000000054C000-memory.dmp	family_dcrat_v2
behavioral2/files/0x000a000000023b9a-28.dat	family_dcrat_v2

Command and Scripting Interpreter: PowerShell 1 TTPs 17 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
884	powershell.exe
4392	powershell.exe
1548	powershell.exe
5016	powershell.exe
3328	powershell.exe
644	powershell.exe
1316	powershell.exe
228	powershell.exe
1640	powershell.exe
4600	powershell.exe
2964	powershell.exe
4528	powershell.exe
4240	powershell.exe
2988	powershell.exe
4444	powershell.exe
4728	powershell.exe
2632	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	StartMenuExperienceHost.exe

Executes dropped EXE 14 IoCs

pid	Process
5532	StartMenuExperienceHost.exe
5996	StartMenuExperienceHost.exe
5152	StartMenuExperienceHost.exe
5176	StartMenuExperienceHost.exe
916	StartMenuExperienceHost.exe
2188	StartMenuExperienceHost.exe
5180	StartMenuExperienceHost.exe
888	StartMenuExperienceHost.exe
5840	StartMenuExperienceHost.exe
5836	StartMenuExperienceHost.exe
828	StartMenuExperienceHost.exe
2964	StartMenuExperienceHost.exe
4956	StartMenuExperienceHost.exe
3128	StartMenuExperienceHost.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\jdk-1.8\\bin\\winlogon.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\WindowsRE\\services.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winlogon = "\"C:\\Program Files\\Java\\jdk-1.8\\bin\\winlogon.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\csrss = "\"C:\\Program Files\\MSBuild\\Microsoft\\Windows Workflow Foundation\\v3.0\\csrss.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805 = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\StartMenuExperienceHost = "\"C:\\Program Files (x86)\\Adobe\\Acrobat Reader DC\\Reader\\StartMenuExperienceHost.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\SchCache\\SppExtComObj.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\SppExtComObj = "\"C:\\Windows\\SchCache\\SppExtComObj.exe\""	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC7F17B774EE7B43059AC5DEFF7053451.TMP	csc.exe
File created	\??\c:\Windows\System32\s_kgxh.exe	csc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\55b276f4edf653	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Program Files\Java\jdk-1.8\bin\winlogon.exe	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\winlogon.exe	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cc11b995f2a76d	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\886983d96e3d3e	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\SppExtComObj.exe	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
File created	C:\Windows\SchCache\e1ef82546f0b02	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 9 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
4752	PING.EXE
5204	PING.EXE
4108	PING.EXE
1392	PING.EXE
576	PING.EXE
940	PING.EXE
1892	PING.EXE
1952	PING.EXE
5976	PING.EXE

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	StartMenuExperienceHost.exe

Runs ping.exe 1 TTPs 9 IoCs

Remote System Discovery

T1018

pid	Process
1952	PING.EXE
4108	PING.EXE
1892	PING.EXE
4752	PING.EXE
5204	PING.EXE
5976	PING.EXE
1392	PING.EXE
576	PING.EXE
940	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe
2364	schtasks.exe
4824	schtasks.exe
872	schtasks.exe
1416	schtasks.exe
660	schtasks.exe
3052	schtasks.exe
2132	schtasks.exe
2108	schtasks.exe
3888	schtasks.exe
2688	schtasks.exe
4672	schtasks.exe
1572	schtasks.exe
472	schtasks.exe
3092	schtasks.exe
3936	schtasks.exe
3628	schtasks.exe
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1548	powershell.exe
Token: SeDebugPrivilege	4528	powershell.exe
Token: SeDebugPrivilege	644	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	4392	powershell.exe
Token: SeDebugPrivilege	228	powershell.exe
Token: SeDebugPrivilege	4240	powershell.exe
Token: SeDebugPrivilege	4728	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	3328	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	4444	powershell.exe
Token: SeDebugPrivilege	5532	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5996	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5152	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5176	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	916	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2188	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5180	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	888	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5840	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	5836	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	828	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	2964	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	4956	StartMenuExperienceHost.exe
Token: SeDebugPrivilege	3128	StartMenuExperienceHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3544 wrote to memory of 2584	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	88
PID 3544 wrote to memory of 2584	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	88
PID 2584 wrote to memory of 1156	2584	csc.exe	90
PID 2584 wrote to memory of 1156	2584	csc.exe	90
PID 3544 wrote to memory of 4444	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	106
PID 3544 wrote to memory of 4444	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	106
PID 3544 wrote to memory of 2632	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	107
PID 3544 wrote to memory of 2632	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	107
PID 3544 wrote to memory of 1548	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	108
PID 3544 wrote to memory of 1548	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	108
PID 3544 wrote to memory of 4392	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	109
PID 3544 wrote to memory of 4392	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	109
PID 3544 wrote to memory of 884	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	110
PID 3544 wrote to memory of 884	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	110
PID 3544 wrote to memory of 644	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	111
PID 3544 wrote to memory of 644	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	111
PID 3544 wrote to memory of 4528	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	112
PID 3544 wrote to memory of 4528	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	112
PID 3544 wrote to memory of 3328	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	113
PID 3544 wrote to memory of 3328	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	113
PID 3544 wrote to memory of 2988	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	114
PID 3544 wrote to memory of 2988	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	114
PID 3544 wrote to memory of 4240	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	115
PID 3544 wrote to memory of 4240	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	115
PID 3544 wrote to memory of 4600	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	116
PID 3544 wrote to memory of 4600	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	116
PID 3544 wrote to memory of 1640	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	118
PID 3544 wrote to memory of 1640	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	118
PID 3544 wrote to memory of 228	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	119
PID 3544 wrote to memory of 228	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	119
PID 3544 wrote to memory of 5016	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	121
PID 3544 wrote to memory of 5016	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	121
PID 3544 wrote to memory of 1316	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	122
PID 3544 wrote to memory of 1316	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	122
PID 3544 wrote to memory of 2964	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	123
PID 3544 wrote to memory of 2964	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	123
PID 3544 wrote to memory of 4728	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	124
PID 3544 wrote to memory of 4728	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	124
PID 3544 wrote to memory of 968	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	139
PID 3544 wrote to memory of 968	3544	d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe	139
PID 968 wrote to memory of 2132	968	cmd.exe	142
PID 968 wrote to memory of 2132	968	cmd.exe	142
PID 968 wrote to memory of 576	968	cmd.exe	143
PID 968 wrote to memory of 576	968	cmd.exe	143
PID 968 wrote to memory of 5532	968	cmd.exe	148
PID 968 wrote to memory of 5532	968	cmd.exe	148
PID 5532 wrote to memory of 5812	5532	StartMenuExperienceHost.exe	151
PID 5532 wrote to memory of 5812	5532	StartMenuExperienceHost.exe	151
PID 5812 wrote to memory of 5876	5812	cmd.exe	153
PID 5812 wrote to memory of 5876	5812	cmd.exe	153
PID 5812 wrote to memory of 5892	5812	cmd.exe	154
PID 5812 wrote to memory of 5892	5812	cmd.exe	154
PID 5812 wrote to memory of 5996	5812	cmd.exe	155
PID 5812 wrote to memory of 5996	5812	cmd.exe	155
PID 5996 wrote to memory of 880	5996	StartMenuExperienceHost.exe	156
PID 5996 wrote to memory of 880	5996	StartMenuExperienceHost.exe	156
PID 880 wrote to memory of 4840	880	cmd.exe	158
PID 880 wrote to memory of 4840	880	cmd.exe	158
PID 880 wrote to memory of 940	880	cmd.exe	159
PID 880 wrote to memory of 940	880	cmd.exe	159
PID 880 wrote to memory of 5152	880	cmd.exe	161
PID 880 wrote to memory of 5152	880	cmd.exe	161
PID 5152 wrote to memory of 460	5152	StartMenuExperienceHost.exe	163
PID 5152 wrote to memory of 460	5152	StartMenuExperienceHost.exe	163

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe
"C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe"
1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\qe1ekudm\qe1ekudm.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB46B.tmp" "c:\Windows\System32\CSC7F17B774EE7B43059AC5DEFF7053451.TMP"
    3⤵
    PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4444
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/$Recycle.Bin/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2632
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Documents and Settings/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/PerfLogs/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4392
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:884
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Program Files (x86)/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:644
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/ProgramData/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4528
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Recovery/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3328
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/System Volume Information/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2988
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Users/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4240
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:/Windows/'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4600
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1640
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:228
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\SppExtComObj.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1316
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk-1.8\bin\winlogon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2964
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4728
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W3ichfELLJ.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:2132
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:576
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:5532
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5812
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:5876
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:5892
    - - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5996
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nSTk4tfYD6.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FlZ1LPsZoY.bat"
        8⤵
        
        PID:460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e1ZPDUpkB4.bat"
        10⤵
        
        PID:4312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:948
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1892
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NVJoNfH6eh.bat"
        12⤵
        
        PID:3052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        13⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1952
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e1ZPDUpkB4.bat"
        14⤵
        
        PID:4280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:5044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        15⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4752
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lRXC83nrKa.bat"
        16⤵
        
        PID:2136
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5204
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s4Al4mMfKa.bat"
        18⤵
        
        PID:4784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:5596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:5608
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WwD8E48ugj.bat"
        20⤵
        
        PID:5380
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:384
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:5976
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:5836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eMBuAd62pF.bat"
        22⤵
        
        PID:6108
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4108
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fa12eP5s1A.bat"
        24⤵
        
        PID:784
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:5124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3940
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vXp13JMNiQ.bat"
        26⤵
        
        PID:612
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:5176
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1392
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NqvJKoZOIs.bat"
        28⤵
        
        PID:4888
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:1000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4148
        
        C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe
        
        "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:3128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hUEgB0oRYu.bat"
        30⤵
        
        PID:4588
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        31⤵
        
        PID:5216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk-1.8\bin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk-1.8\bin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk-1.8\bin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805d" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805d" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\AppData\Local\Temp\d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\services.exe

Filesize
857KB

MD5
31c3f45b0054b2592dfbe98cc2b2ae6f

SHA1
b3b09b956a490a2558ffd7a5bd75cad36198ad85

SHA256
d0fd0bf712a82cff8a13381300b480c0f792f94e846f729ea787fa901ffe1805

SHA512
737face1e81289120aecb19e64073c6c8bb4bd4efcbe4277a6a567e504267c9f82783973b55e08b1c9007521da7256c8494234eb5c57290ed71fba01c6bb5656

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\StartMenuExperienceHost.exe.log

Filesize
1KB

MD5
7800fca2323a4130444c572374a030f4

SHA1
40c9b8e0e5e7d72a5293f4010f2ccf21e637b4aa

SHA256
29f5645ac14353ac460858f52c856548f3aeb144b09eef672a6b4849bafe742e

SHA512
c8a7ad930b8c07007c7a67d8c32a2a4a401dcc34ab966e0e80901655fcbe1f5c95b72a195e6381b1de56c2c987eeab093d8e89891bec9e9684785c5d824b3554

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
5f0ddc7f3691c81ee14d17b419ba220d

SHA1
f0ef5fde8bab9d17c0b47137e014c91be888ee53

SHA256
a31805264b8b13ce4145f272cb2830728c186c46e314b48514d636866217add5

SHA512
2ce7c2a0833f581297c13dd88ccfcd36bf129d2b5d7718c52b1d67c97cbd8fc93abc085a040229a0fd712e880c690de7f6b996b0b47c46a091fabb7931be58d3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e243a38635ff9a06c87c2a61a2200656

SHA1
ecd95ed5bf1a9fbe96a8448fc2814a0210fa2afc

SHA256
af5782703f3f2d5a29fb313dae6680a64134db26064d4a321a3f23b75f6ca00f

SHA512
4418957a1b10eee44cf270c81816ae707352411c4f5ac14b6b61ab537c91480e24e0a0a2c276a6291081b4984c123cf673a45dcedb0ceeef682054ba0fc19cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\FlZ1LPsZoY.bat

Filesize
257B

MD5
3f8e051756ca2b7a8ba1677c35de0390

SHA1
b86cd312730665e32a357b7e8185c60fb5df7c41

SHA256
eaadac760f37e2fc66a057877c9cbd956d607915b37db2a31c024beb2c58fe57

SHA512
289d50d07e8e5129de2276c94c5f09891b11095961b9ae17efc24827c90c503a7678542c121fbaf35dcf299c963f9848a20817fc52430004fc3db1351b9df4cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\NVJoNfH6eh.bat

Filesize
209B

MD5
8d2a24d28ca3bb9768a0c4ca10aaff9e

SHA1
7f7cab3cf233594971671c718c58cd0e213a2ac1

SHA256
be11f2581a58cfdb04f4112d1575f06cad6b8cd99aea69842551bd221b04536c

SHA512
37608e79744745fb99b22ae38c2d66a2df190f2360b58c777b468dc6813ae979cfcaa1bb9b2f62f8145f7cf43b5de8fc13d4322164a9a8790bf79f1e44555289

Download Submit
C:\Users\Admin\AppData\Local\Temp\NqvJKoZOIs.bat

Filesize
257B

MD5
64d8bfc397922cc71b9e8228b6ffd175

SHA1
c743ef79bc266d4c798e8b2c189a068b269d4173

SHA256
4c18aa6d6f89b3e32457e5ceabc6d99f8461a2d691f73e91f017081eb9dbe499

SHA512
065ae87ff9866d287d67f8b22df0287eebcf5bada9195d29f7f52bc131fdbd3c1bb0e351ce804f17e4f481bff087b35d912a168f1d2acb437b92db489860abd3

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESB46B.tmp

Filesize
1KB

MD5
486e1d284371ae7e93a356b165622137

SHA1
6b534635584c072f815b9ede2521cfbb2dd065f7

SHA256
99ded23d966b2ebf977a6f310f7efd0f67d2edaae48ee36b9fcc44dacc441c3e

SHA512
6d4fa0426b6934987fb296fe95eb5e03d119896c49b0ef18a4fcbf87144518c53c5ab594846267e2c94cc78485c6d194b59465634eb55ecbd02988960a560954

Download Submit
C:\Users\Admin\AppData\Local\Temp\W3ichfELLJ.bat

Filesize
209B

MD5
3c97f752193564c2ac9aa8fb18c6545c

SHA1
c49f5114ec20bf4859b4383a4dd5fe5c2115f4b3

SHA256
2a8f13467a795f2deb417cbdd509b3288bd9e692615ec4edbb79d0cb099cd69f

SHA512
c549dbd034e24961a2a92b7b52b26b9f8d225ee189f9c05b950b2d82513d40d222158fd42b803a94bede7e43e33b51b008848762a792bca11f2699019b15bb53

Download Submit
C:\Users\Admin\AppData\Local\Temp\WwD8E48ugj.bat

Filesize
209B

MD5
3903e3b214ac1fecba52ff29be7b5ae7

SHA1
3a64acc5316f3f3ac37bf0270062ed265df4ebdd

SHA256
a0f2f78855654baaf51e9c48adf9509414a30a5ea7c88797dd5f30a3fcecf037

SHA512
c957689d20b34be6332841001dce861c26494191eaa67cb55cfc9a8368596923eaa963a45bef3e588b2299b9747ddafc6e7139146759853a952efb7721561917

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_uh1unsrc.5c0.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat

Filesize
257B

MD5
1a762189e7716efe46623c4230de803c

SHA1
37102e3b567f5e891afb67cbb6733834ccb11ea9

SHA256
a299ac432ebb4182848dd7aab08b95231264f50583e2aee4864b7303c3d06466

SHA512
5f83475b20a2962fddd3fe84b2e651566e612e1adf3320cfbad415c14d51c45560741fe1c6d0c62d5732836794843f1de01875f1db19262a56f54e83c14311f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\e1ZPDUpkB4.bat

Filesize
209B

MD5
99167c087e4fe40a5d2f9180d8ea35c8

SHA1
79ba95e9c3dffbbabb3cf50c9bfcc797be0b8c58

SHA256
64486f916deb63a88749a72fb6e44a2607699fe77d7ef8b257b23e5802dcf5a4

SHA512
14f640cd806f583c65a53478ea164763474f8605112ed271636929e4152838de88e3ad92441e3088dc5efbff3d007f56aa96e46bc733a398fd15eeb89e11c2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\eMBuAd62pF.bat

Filesize
209B

MD5
86dcd9d2f17088632a8d0cb6dea8860e

SHA1
57d5150e6fef6286e4fab275eaf69bb0c95bfdf3

SHA256
92d25163e8228be9aa081549844d678ec2c7663cdb65273a5d3f7b46464175e9

SHA512
621659eb6ee9b12721a9e02e8888b5e1d7e721de2b8998dc9f5124d03a41e8559c3c40a62df8401f4d28f3fe6eb70960735c2e293e8738a61cb4807cbc4cad9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\fa12eP5s1A.bat

Filesize
257B

MD5
2b0ef2a293eb7b71df7c044a250f6bf3

SHA1
d338a8c6389c5a0dece950951a0bd2870f12a705

SHA256
3e4ba2cedcdde988954829290d10b0b5724aa5a5877170b96909538f1bcaa4f3

SHA512
cc99bafc4c018e2acddd721907a786f021a061bf7631af18bcaff7642ded28335e47c3241ec3b682d2dda184bdf244bd09590abfe7b41fe1fbcc13b148508152

Download Submit
C:\Users\Admin\AppData\Local\Temp\hUEgB0oRYu.bat

Filesize
257B

MD5
e230442a12c52cc46fd7822892b7b87b

SHA1
6e8ad603e545635c2ebbdb3db89d22c9dabad5d2

SHA256
3acfb52062beccea1b142a3e31ae2426d30ce0042f82f874e551dca736c5af02

SHA512
4828f453c4d803ee76b1d832df7895fa7c4792877cdb748e7597861d80fb3554fb45f3eb91651f8add81d0eae5a0c97659415c34a09517d20f56bf3201a1b340

Download Submit
C:\Users\Admin\AppData\Local\Temp\lRXC83nrKa.bat

Filesize
209B

MD5
f4d0cd213b82b861d06b78840afd6810

SHA1
acd6d3e0efd375881510c9ac1ad07dd53cd0f013

SHA256
b94f6d262fa2d6834ac7af4c3b8f5516f1716409c8c528db46619d6eeb2729da

SHA512
2288255d5ae50860b52f2fa7163651a4c7ab2d2a80d25aeb10c13acc1b06b8818f42cf7f53da2c8a77753883f64acfbd9c50da7a8a7c5b7cf73662aeb801a625

Download Submit
C:\Users\Admin\AppData\Local\Temp\nSTk4tfYD6.bat

Filesize
209B

MD5
48b067d1573db80ffd2259b818f98119

SHA1
ac915d970c4a25f38ed41c9b961e05c1090e93b9

SHA256
6593aada07df9ab46595f1caa3638ee51de9cd47e2e32ef97cc17139605e01ff

SHA512
1979f971baeaf7916e011983dfd7ffc10737f1a9f97747cd8f6e26f7d4378d88e305dabaa3eff7731af4049831c84ce7e69d3d11b044a318a4809afaf58247e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\s4Al4mMfKa.bat

Filesize
257B

MD5
35b047e4751ff0aa39bd65c5423532ea

SHA1
289449eef054a7f86baa6e555d259a8e7b1478f4

SHA256
ae0d1e30d36b2295c6e96f18defbdc12b7f597c58fe5fb6873d75ba5b91ab000

SHA512
42a3eaeebe2e3810cca9ae2328d53cb8bb193b7ab700ba583e64759ddc35a7bb34780a067f0ebdd4185dad03d58a87a41090fcb42a0b36ae982c6db8e7bc8fd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\vXp13JMNiQ.bat

Filesize
209B

MD5
0792f5918ea962f104d9182f380ea1ab

SHA1
6780f4a76a68cb805d4f906f472dd01364502cd8

SHA256
d018ee7323d2be5a6bc7e45c15b4e3a5a1418d06911b8b0f05c0439f9b381b78

SHA512
2ca294b5a8f6735860b1459e0930d75c109ba32576f1e2d6bd1bbbbb2beded82e403f6e1e0c6f53d5f87f6f060cb0bd246731a2db7df7f7226a934cc871ad71e

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qe1ekudm\qe1ekudm.0.cs

Filesize
366B

MD5
802657d804d75b6e97bb847a07c0da0f

SHA1
938644e45c9d0b48c8c3b962f8702392c0c01869

SHA256
1188d8f41f6a330764e958c8e4d68efbb2650d2599d8218ebafb3493c7e65dd2

SHA512
da8b48902b0b1ccd9b5035e3bae7518c4ac0e8932d909ccae1bec16ab812e97af8e0d8c4989cef628a29791043c71e098698a9fa2c64fc44bf63274a483a69ad

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\qe1ekudm\qe1ekudm.cmdline

Filesize
235B

MD5
212f80531df22ce743b331b36701d319

SHA1
aa3e37f9a0364af4df26fa670f60dafa8bbfd130

SHA256
ede2a4ede47fa24f0e91a7b6155b5875eec4bfc274e5611d2fc9d283b5f047e6

SHA512
a44954c32e786e55878ab6b0672bee9033e2f14096085f7e60df8a6dbc270a0f9f58012504f6b8ec2e098081e19ebd88d2d04b66097a434adecd827a6d32ec72

Download Submit
\??\c:\Windows\System32\CSC7F17B774EE7B43059AC5DEFF7053451.TMP

Filesize
1KB

MD5
634e281a00b7b9f516c3048badfa1530

SHA1
af6369715ce2fe9b99609e470d4f66698880a35a

SHA256
0d990336ae793f3f6903048004c8d707d7a7191927bd7df46b7fe887116506c8

SHA512
1cb35fa0759f5362c9c7eee5546710874121005a3924bcfec2cf33ac90a257a807ce7ec0db7bc84dcb327604d708009449c34f52560ed936b54eeba49be7d27b

Download Submit
memory/916-309-0x000000001BDF0000-0x000000001BF5A000-memory.dmp

Filesize
1.4MB

Download
memory/1316-62-0x000001CDE3F20000-0x000001CDE3F42000-memory.dmp

Filesize
136KB

Download
memory/2188-322-0x000000001C230000-0x000000001C39A000-memory.dmp

Filesize
1.4MB

Download
memory/3544-31-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-30-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-1-0x0000000000470000-0x000000000054C000-memory.dmp

Filesize
880KB

Download
memory/3544-17-0x0000000002730000-0x000000000273C000-memory.dmp

Filesize
48KB

Download
memory/3544-15-0x00000000026E0000-0x00000000026EE000-memory.dmp

Filesize
56KB

Download
memory/3544-2-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-0-0x00007FFE0C913000-0x00007FFE0C915000-memory.dmp

Filesize
8KB

Download
memory/3544-51-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-13-0x00000000026D0000-0x00000000026DE000-memory.dmp

Filesize
56KB

Download
memory/3544-4-0x00000000026C0000-0x00000000026CE000-memory.dmp

Filesize
56KB

Download
memory/3544-11-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-19-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-10-0x0000000002710000-0x0000000002728000-memory.dmp

Filesize
96KB

Download
memory/3544-35-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-8-0x000000001B3A0000-0x000000001B3F0000-memory.dmp

Filesize
320KB

Download
memory/3544-36-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-7-0x00007FFE0C910000-0x00007FFE0D3D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-6-0x00000000026F0000-0x000000000270C000-memory.dmp

Filesize
112KB

Download
memory/5152-283-0x000000001C790000-0x000000001C8FA000-memory.dmp

Filesize
1.4MB

Download
memory/5176-296-0x000000001C1D0000-0x000000001C33A000-memory.dmp

Filesize
1.4MB

Download
memory/5532-256-0x000000001BED0000-0x000000001C079000-memory.dmp

Filesize
1.7MB

Download
memory/5996-270-0x000000001C370000-0x000000001C519000-memory.dmp

Filesize
1.7MB

Download