dcrat | 3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9

Analysis

max time kernel
150s
max time network
146s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
16-12-2024 22:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinPerfcommon.exe
Size

1.9MB
MD5

6b9554367a439d39a00a0dff9a08b123
SHA1

e1d22cde90c297c10f4fcba5b3980e5d551eb0b3
SHA256

3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9
SHA512

72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720
SSDEEP

49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SchCache\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SchCache\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\Users\\Public\\Pictures\\Registry.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SchCache\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\Registry.exe\", \"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\", \"C:\\Users\\Public\\Pictures\\Registry.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinPerfcommon.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SchCache\\dllhost.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SchCache\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\RuntimeBroker.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Windows\\SchCache\\dllhost.exe\", \"C:\\Program Files (x86)\\Adobe\\RuntimeBroker.exe\", \"C:\\Program Files\\Uninstall Information\\Registry.exe\""	WinPerfcommon.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3352	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4188	3120	schtasks.exe	78
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5024	3120	schtasks.exe	78

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4148	powershell.exe
3124	powershell.exe
4608	powershell.exe
1268	powershell.exe
4388	powershell.exe
892	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
864	Registry.exe
4724	Registry.exe
1912	Registry.exe
4272	Registry.exe
4388	Registry.exe
1140	Registry.exe
2100	Registry.exe
896	Registry.exe
408	Registry.exe
4672	Registry.exe
2040	Registry.exe
2316	Registry.exe
4820	Registry.exe
1008	Registry.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Uninstall Information\\Registry.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinPerfcommon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinPerfcommon.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinPerfcommon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinPerfcommon.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SchCache\\dllhost.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Adobe\\RuntimeBroker.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RuntimeBroker = "\"C:\\Program Files (x86)\\Adobe\\RuntimeBroker.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Program Files\\Uninstall Information\\Registry.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Windows\\SchCache\\dllhost.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Program Files (x86)\\Mozilla Maintenance Service\\logs\\services.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000\Software\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Public\\Pictures\\Registry.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Registry = "\"C:\\Users\\Public\\Pictures\\Registry.exe\""	WinPerfcommon.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC8B0CF6F5AAB746D1899877847DA4BCF.TMP	csc.exe
File created	\??\c:\Windows\System32\dfm5rj.exe	csc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	WinPerfcommon.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc	WinPerfcommon.exe
File created	C:\Program Files\Uninstall Information\Registry.exe	WinPerfcommon.exe
File created	C:\Program Files\Uninstall Information\ee2ad38f3d4382	WinPerfcommon.exe
File created	C:\Program Files (x86)\Adobe\RuntimeBroker.exe	WinPerfcommon.exe
File created	C:\Program Files (x86)\Adobe\9e8d7a4ca61bd9	WinPerfcommon.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\dllhost.exe	WinPerfcommon.exe
File created	C:\Windows\SchCache\5940a34987c991	WinPerfcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 10 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
480	PING.EXE
1804	PING.EXE
4772	PING.EXE
2284	PING.EXE
4352	PING.EXE
3284	PING.EXE
4840	PING.EXE
4800	PING.EXE
760	PING.EXE
900	PING.EXE

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	WinPerfcommon.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2584844841-1405471295-1760131749-1000_Classes\Local Settings	Registry.exe

Runs ping.exe 1 TTPs 10 IoCs

Remote System Discovery

T1018

pid	Process
900	PING.EXE
4772	PING.EXE
4840	PING.EXE
2284	PING.EXE
4800	PING.EXE
760	PING.EXE
4352	PING.EXE
480	PING.EXE
1804	PING.EXE
3284	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4872	schtasks.exe
1008	schtasks.exe
2652	schtasks.exe
1396	schtasks.exe
4844	schtasks.exe
2436	schtasks.exe
4088	schtasks.exe
4380	schtasks.exe
4724	schtasks.exe
1196	schtasks.exe
3180	schtasks.exe
1068	schtasks.exe
3064	schtasks.exe
5024	schtasks.exe
3352	schtasks.exe
1332	schtasks.exe
1940	schtasks.exe
4188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe
4468	WinPerfcommon.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	4468	WinPerfcommon.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	4388	powershell.exe
Token: SeDebugPrivilege	3124	powershell.exe
Token: SeDebugPrivilege	4148	powershell.exe
Token: SeDebugPrivilege	4608	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	864	Registry.exe
Token: SeDebugPrivilege	4724	Registry.exe
Token: SeDebugPrivilege	1912	Registry.exe
Token: SeDebugPrivilege	4272	Registry.exe
Token: SeDebugPrivilege	4388	Registry.exe
Token: SeDebugPrivilege	1140	Registry.exe
Token: SeDebugPrivilege	2100	Registry.exe
Token: SeDebugPrivilege	896	Registry.exe
Token: SeDebugPrivilege	408	Registry.exe
Token: SeDebugPrivilege	4672	Registry.exe
Token: SeDebugPrivilege	2040	Registry.exe
Token: SeDebugPrivilege	2316	Registry.exe
Token: SeDebugPrivilege	4820	Registry.exe
Token: SeDebugPrivilege	1008	Registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 4772	4468	WinPerfcommon.exe	82
PID 4468 wrote to memory of 4772	4468	WinPerfcommon.exe	82
PID 4772 wrote to memory of 3164	4772	csc.exe	84
PID 4772 wrote to memory of 3164	4772	csc.exe	84
PID 4468 wrote to memory of 1268	4468	WinPerfcommon.exe	100
PID 4468 wrote to memory of 1268	4468	WinPerfcommon.exe	100
PID 4468 wrote to memory of 4388	4468	WinPerfcommon.exe	101
PID 4468 wrote to memory of 4388	4468	WinPerfcommon.exe	101
PID 4468 wrote to memory of 892	4468	WinPerfcommon.exe	102
PID 4468 wrote to memory of 892	4468	WinPerfcommon.exe	102
PID 4468 wrote to memory of 4148	4468	WinPerfcommon.exe	103
PID 4468 wrote to memory of 4148	4468	WinPerfcommon.exe	103
PID 4468 wrote to memory of 3124	4468	WinPerfcommon.exe	104
PID 4468 wrote to memory of 3124	4468	WinPerfcommon.exe	104
PID 4468 wrote to memory of 4608	4468	WinPerfcommon.exe	105
PID 4468 wrote to memory of 4608	4468	WinPerfcommon.exe	105
PID 4468 wrote to memory of 2820	4468	WinPerfcommon.exe	112
PID 4468 wrote to memory of 2820	4468	WinPerfcommon.exe	112
PID 2820 wrote to memory of 232	2820	cmd.exe	114
PID 2820 wrote to memory of 232	2820	cmd.exe	114
PID 2820 wrote to memory of 4352	2820	cmd.exe	115
PID 2820 wrote to memory of 4352	2820	cmd.exe	115
PID 2820 wrote to memory of 864	2820	cmd.exe	116
PID 2820 wrote to memory of 864	2820	cmd.exe	116
PID 864 wrote to memory of 3832	864	Registry.exe	117
PID 864 wrote to memory of 3832	864	Registry.exe	117
PID 3832 wrote to memory of 2816	3832	cmd.exe	119
PID 3832 wrote to memory of 2816	3832	cmd.exe	119
PID 3832 wrote to memory of 1256	3832	cmd.exe	120
PID 3832 wrote to memory of 1256	3832	cmd.exe	120
PID 3832 wrote to memory of 4724	3832	cmd.exe	121
PID 3832 wrote to memory of 4724	3832	cmd.exe	121
PID 4724 wrote to memory of 404	4724	Registry.exe	122
PID 4724 wrote to memory of 404	4724	Registry.exe	122
PID 404 wrote to memory of 4392	404	cmd.exe	124
PID 404 wrote to memory of 4392	404	cmd.exe	124
PID 404 wrote to memory of 900	404	cmd.exe	125
PID 404 wrote to memory of 900	404	cmd.exe	125
PID 404 wrote to memory of 1912	404	cmd.exe	126
PID 404 wrote to memory of 1912	404	cmd.exe	126
PID 1912 wrote to memory of 3672	1912	Registry.exe	127
PID 1912 wrote to memory of 3672	1912	Registry.exe	127
PID 3672 wrote to memory of 3824	3672	cmd.exe	129
PID 3672 wrote to memory of 3824	3672	cmd.exe	129
PID 3672 wrote to memory of 480	3672	cmd.exe	130
PID 3672 wrote to memory of 480	3672	cmd.exe	130
PID 3672 wrote to memory of 4272	3672	cmd.exe	131
PID 3672 wrote to memory of 4272	3672	cmd.exe	131
PID 4272 wrote to memory of 2376	4272	Registry.exe	132
PID 4272 wrote to memory of 2376	4272	Registry.exe	132
PID 2376 wrote to memory of 2060	2376	cmd.exe	134
PID 2376 wrote to memory of 2060	2376	cmd.exe	134
PID 2376 wrote to memory of 1804	2376	cmd.exe	135
PID 2376 wrote to memory of 1804	2376	cmd.exe	135
PID 2376 wrote to memory of 4388	2376	cmd.exe	136
PID 2376 wrote to memory of 4388	2376	cmd.exe	136
PID 4388 wrote to memory of 3484	4388	Registry.exe	137
PID 4388 wrote to memory of 3484	4388	Registry.exe	137
PID 3484 wrote to memory of 2916	3484	cmd.exe	139
PID 3484 wrote to memory of 2916	3484	cmd.exe	139
PID 3484 wrote to memory of 2088	3484	cmd.exe	140
PID 3484 wrote to memory of 2088	3484	cmd.exe	140
PID 3484 wrote to memory of 1140	3484	cmd.exe	141
PID 3484 wrote to memory of 1140	3484	cmd.exe	141

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe
"C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\zqxtfxcy\zqxtfxcy.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:4772
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC37F.tmp" "c:\Windows\System32\CSC8B0CF6F5AAB746D1899877847DA4BCF.TMP"
    3⤵
    PID:3164
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1268
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4388
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:892
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4148
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Registry.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:3124
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:4608
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y8Ttp6aot2.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:232
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:4352
- - C:\Program Files\Uninstall Information\Registry.exe
    "C:\Program Files\Uninstall Information\Registry.exe"
    3⤵
    - Executes dropped EXE
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:864
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nLkpgeVQrJ.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3832
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2816
    - - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        5⤵
        
        PID:1256
    - - C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        5⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4724
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UgSSpTGNbI.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:4392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        7⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:900
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        7⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m6vhCtVZgO.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:3824
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:480
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        9⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1iyfU6Kdf1.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2060
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1804
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        11⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1NLBXx3L0q.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2088
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        13⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yFJPVaLwHB.bat"
        14⤵
        
        PID:1148
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:3084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:764
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        15⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dmjHjjptz9.bat"
        16⤵
        
        PID:32
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4772
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        17⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4r0RWT23Og.bat"
        18⤵
        
        PID:1252
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:3836
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        19⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3284
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        19⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MGTgtuIFSm.bat"
        20⤵
        
        PID:4636
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:1048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4840
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        21⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J8RurXaqj7.bat"
        22⤵
        
        PID:1684
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:3916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        23⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2284
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        23⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\r3ED9wUyR4.bat"
        24⤵
        
        PID:800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:1708
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        25⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4800
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        25⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dmjHjjptz9.bat"
        26⤵
        
        PID:460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        27⤵
        
        PID:3908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        27⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:760
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        27⤵
        Executes dropped EXE
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat"
        28⤵
        
        PID:5088
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        29⤵
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:32
        
        C:\Program Files\Uninstall Information\Registry.exe
        
        "C:\Program Files\Uninstall Information\Registry.exe"
        29⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinPerfcommon" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Filesize
1KB

MD5
359935db871159762e2a3017f3f50ec9

SHA1
b4254bf3225828dd1a451b34ea8a58a547ae0cc3

SHA256
12df2cde2b31dfa49d395d03085db7efe59d1c9f46b64aac887c915a344e83e7

SHA512
6d436137553c38f99fae9aef4ba19766fdf8155df2e101541a3b483c176da17f09332cb9aba6e50adb094f723c427b319d297a6dadbc4077514006bcf17484d7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
627073ee3ca9676911bee35548eff2b8

SHA1
4c4b68c65e2cab9864b51167d710aa29ebdcff2e

SHA256
85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

SHA512
3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e8eb51096d6f6781456fef7df731d97

SHA1
ec2aaf851a618fb43c3d040a13a71997c25bda43

SHA256
96bfd9dd5883329927fe8c08b8956355a1a6ceb30ceeb5d4252b346df32bc864

SHA512
0a73dc9a49f92d9dd556c2ca2e36761890b3538f355ee1f013e7cf648d8c4d065f28046cd4a167db3dea304d1fbcbcea68d11ce6e12a3f20f8b6c018a60422d2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
e3840d9bcedfe7017e49ee5d05bd1c46

SHA1
272620fb2605bd196df471d62db4b2d280a363c6

SHA256
3ac83e70415b9701ee71a4560232d7998e00c3db020fde669eb01b8821d2746f

SHA512
76adc88ab3930acc6b8b7668e2de797b8c00edcfc41660ee4485259c72a8adf162db62c2621ead5a9950f12bfe8a76ccab79d02fda11860afb0e217812cac376

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
408641808e457ab6e23d62e59b767753

SHA1
4205cfa0dfdfee6be08e8c0041d951dcec1d3946

SHA256
3921178878eb416764a6993c4ed81a1f371040dda95c295af535563f168b4258

SHA512
e7f3ffc96c7caad3d73c5cec1e60dc6c7d5ed2ced7d265fbd3a402b6f76fed310a087d2d5f0929ab90413615dad1d54fce52875750057cffe36ff010fc6323fb

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d0a4a3b9a52b8fe3b019f6cd0ef3dad6

SHA1
fed70ce7834c3b97edbd078eccda1e5effa527cd

SHA256
21942e513f223fdad778348fbb20617dd29f986bccd87824c0ae7f15649f3f31

SHA512
1a66f837b4e7fb6346d0500aeacb44902fb8a239bce23416271263eba46fddae58a17075e188ae43eb516c841e02c87e32ebd73256c7cc2c0713d00c35f1761b

Download Submit
C:\Users\Admin\AppData\Local\Temp\1NLBXx3L0q.bat

Filesize
227B

MD5
564f204e162dbce7e8274db8e944b347

SHA1
6341a9a6b831e21b86ad7415e57c9d103134e055

SHA256
4677a3654b82d3800ca32a5e00d0adb6c234f4170638e3f3ae28a98a5a6232f5

SHA512
ec6f9ea4a184e0e6aff58a6a5c6a789f92db5128a468e5f9eafadbf180d6f027e0929888f70df8f9c5c6113091aaf85a1ca9c9c248b7635b38f884cc10987c25

Download Submit
C:\Users\Admin\AppData\Local\Temp\1iyfU6Kdf1.bat

Filesize
179B

MD5
e94b39072422af445c107fad6daaba9f

SHA1
8043c30cbcda03de52da4f936882818ffa03be9f

SHA256
791b0b2bd40e8826df0a5b63b2ef2dd616b7f0848ed46e2179be4138db9d02fa

SHA512
152d9ee0d214d775c3ee9d80e32fb36856e41003774771a5889bb9196fc97e2d7ac551c4f00463c10c1dd8048f721f6bb6deb40a5456343609025fc93506a750

Download Submit
C:\Users\Admin\AppData\Local\Temp\4r0RWT23Og.bat

Filesize
179B

MD5
166c83ac7d5486597fb0fabc7fe11493

SHA1
08ab8bc797f55dc00fba5588f85aa7c6869a7a97

SHA256
de7b552c42f3fd6450eacd89f9b112e10719bdf06bdb2e9647eed71d8aae082c

SHA512
9bb5c69f876ac615a8720dcda021bceccb066eb4fa9d6143779c6df2418f8def8c48e1cd87f0a7ce29a9e04ce15732ccf80856b63e68097518ffd9dc929ff842

Download Submit
C:\Users\Admin\AppData\Local\Temp\J8RurXaqj7.bat

Filesize
179B

MD5
214404f262ad68b0ff809c64d720b53d

SHA1
0e70c06583b5bda8fcaef5aa86d2b4ee3d56e733

SHA256
58dae6f9eb4d748621ad3e97202ab26cc8cd4caae75bf69e4756b322ffd4f017

SHA512
e7cb9c105023eee5268db7397941dcffef5bd596340b2cf29e182814d4dbb2cc826fb545f6bacc2cf1c9a161686237a78a33bfba7f3d6f9398f0bbdb344761bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\MGTgtuIFSm.bat

Filesize
179B

MD5
0ac9fdb1f0bc6ce722236d212b748640

SHA1
be955874f924a7394d088409d73f1a6c0d8e435b

SHA256
d0ed252037021790a8d796ccdc5e91625d6c994adb4e8d9dd5a25a0ff3b0c041

SHA512
cad5601f3b9a4328178a0a5b363cbe56613f73e9cae1cd3b876b3341f43eaa255952728dcd212a0b87c95e97df6dc79f0f923ad396a842e690b2d2804da4afba

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESC37F.tmp

Filesize
1KB

MD5
e1b37607670c8a1de475cd42e33771d2

SHA1
a1de5abc137069bf3d8e09f819a178ba29429b70

SHA256
50f0d9db54977f1fa26af4dc739dc908c5dafaae13b097cbf8e536c8c422ed84

SHA512
9b62561a78751e7b2cb27c7aabe08c49a30a8fc97255a17245b00788be0b411ae86656f2efe6102517a13e963160e32e428f68f402934e00d81cb4184c922cc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\UgSSpTGNbI.bat

Filesize
179B

MD5
573075a6cf775acd67828d585ee696e4

SHA1
8d33f95a185c9181429137096a38bb379b55eec6

SHA256
3cde30378016340d872441d91d534da4ee42924ea9eba537dabad249a0340998

SHA512
efc81b86dd8ccb136340468f18bdc4ce1ad1a4e19e2d9c10e0edbab4205eed1dd161e6d4f4c9b48b0049bf6232094854a55722d191675e7d710e95cf00d56acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_feficveh.gvd.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aehWhM7TGU.bat

Filesize
227B

MD5
bc0ecac29350bf737f9c3eb697eb08b3

SHA1
68f4672f3dc7aa0f350932a2b969ca552d00f5d5

SHA256
56c89cd637654a4903526cc22172c66f6e69d6862781753180b3d0ea9530a1a5

SHA512
8bd5d32c02d5975201ccb0710a0833c1e976a2bb4ffda1b7e9ec9c4794462bbe88324356421eaec9afbcafcec08818c1686712680dc612d7a7e2105273c5377c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dmjHjjptz9.bat

Filesize
179B

MD5
9451e6898aaac7277179674ccee5ccb1

SHA1
a1fbca0d41255d29ad7842f46c3077398633a7d1

SHA256
967cd4635dab32db5f372698d1732eac6fc258427585379d19bf51852a1d2853

SHA512
ad037ddb0c89e849a005dc76002c86e64da4fa4581ee53e052f87f85f2336d82a9977798343cb06845a29eabb7479545dcf05b10151daf310eb3e5cceabeefe3

Download Submit
C:\Users\Admin\AppData\Local\Temp\m6vhCtVZgO.bat

Filesize
179B

MD5
fa16b2a8b738803e24de403a548e168c

SHA1
e964aee0f1e30918977cce79a3fef1d95ca70955

SHA256
2f8492fc7431dd9c1bf9f512d35652a429f9d54073bb124dfb9ad34496c59c30

SHA512
1a39776b4220328dfaf9b2d84dcb1916192e708e4cc152a8b7541eb1a5f7cc8ebfdc31d581e9ea703d8366d640b3a7b2b776316460ad092c83f877f6351cfddc

Download Submit
C:\Users\Admin\AppData\Local\Temp\nLkpgeVQrJ.bat

Filesize
227B

MD5
9bea5d6b8b485b900298f5374e83767d

SHA1
71104aa8dc5673efb67421d3a7435f77e09f5c9b

SHA256
a6ba784cbd3903c41e9f4f86006b5abcb148083a35eb6098b5a8a27b4ccea185

SHA512
e54d8483e1ddb4976f3c8ffcc6f991c6e77c170ef522ae2831fbee4c1ebbfa5162b8d61252fc084afea0428c1ddcc340cb6f302f1c337b7d442ee91665ec5f07

Download Submit
C:\Users\Admin\AppData\Local\Temp\r3ED9wUyR4.bat

Filesize
179B

MD5
b84211ce7a72364b6c87a2a0a30f5d62

SHA1
d29da3cfcef783793f6a63baf63bd024f1057416

SHA256
af9ce24282146c6c5273338f8799cac22cedced6bb7df1eee66a7bc752e95701

SHA512
bbc9f2230a4cb456867e9b86f9abd8486b343dace4476cee64164492f8bb2112407eff9c4809f82ace4a818861511b9fd0280f466c38d17a520a06cb43836fa5

Download Submit
C:\Users\Admin\AppData\Local\Temp\y8Ttp6aot2.bat

Filesize
179B

MD5
d24548e367669f1a7baf59c664aa21da

SHA1
23f046e7e6057ff583196a98a3ce2b252e22d66d

SHA256
2f3e036a56b6c96793b97bfd6e22ea6030ae8da69ce931f28353d9a7f0d74a48

SHA512
c969b4994f677ccb7dc30a1cc8634a1b72f9808465f810f127ac7abdbac1e62bbf2301aa932dc77ab36fc3219dc331fd25badc248a16bce2fe81de63dd08b209

Download Submit
C:\Users\Admin\AppData\Local\Temp\yFJPVaLwHB.bat

Filesize
227B

MD5
5161b9f06f8b3e9e33255710dd8b5fe2

SHA1
a05d83229a4cd3974a413c1972dece13f563f71d

SHA256
e43eb7272d268d5e70d8f1af85915260c26d9f6efb02ffd1227f6ca0b57b17e9

SHA512
46274dfc9ff4af04bcd87d6e80b7f71493170c975096e9c5d18878b5e07fb593b7aab2b3228af093b8bc3ecaa59b63c6d9bf9c2be65dd4f87523471d602d4912

Download Submit
C:\Windows\SchCache\dllhost.exe

Filesize
1.9MB

MD5
6b9554367a439d39a00a0dff9a08b123

SHA1
e1d22cde90c297c10f4fcba5b3980e5d551eb0b3

SHA256
3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9

SHA512
72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zqxtfxcy\zqxtfxcy.0.cs

Filesize
363B

MD5
8ae315ee1f2848c63d20535b5d13611f

SHA1
fb152f61f7b08d1211bf47df3712d2c94118c540

SHA256
d1da40333add85d3482d0ea9a362310c6b9e76a9faf3c11d07f8bfb67c452655

SHA512
8430dbf1e11ae8b821502bfd65930d48005e243ce96ef050fa06ba3ff322a2f5e8665a1abb59a588fc3e43455387f3b78c1f306569006f363d9d9b0c6e234628

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\zqxtfxcy\zqxtfxcy.cmdline

Filesize
235B

MD5
bdf42b9debd24f658b925d680e9632a3

SHA1
de56663b00414fef277555bc3ecbdf095afb83dc

SHA256
0b66a56cb99b9faf482106b60c8b6909fa4756d25b3ab3831d95d6f905f18ebc

SHA512
a58c0c39fb4f264fe5dd0841eade9ded207e4e7a0f0f658fb050c5ded9613a19da4ef734eafd03748d976080ebc7d55e3f148a44126e176e4f3d07d98694f03a

Download Submit
\??\c:\Windows\System32\CSC8B0CF6F5AAB746D1899877847DA4BCF.TMP

Filesize
1KB

MD5
d89c8eda5ccd9b9600f2962d9a95e453

SHA1
e5d9f7603b9bc8339c9bc451e8ad7c67b1916d95

SHA256
9b274ee8615f4208df254a0fc6abb2b0d8be71defecba04292fcc69cef64387b

SHA512
9c4f365e362069a6256c8d7691f217e1ae01a3af2218cdc400f77d7dc9af9d3634b234338b9cc562fd146ebcc8034dfd313cd9d3aa2df2e20876e6641c6d9055

Download Submit
memory/1268-59-0x0000019FC7B20000-0x0000019FC7B42000-memory.dmp

Filesize
136KB

Download
memory/4468-63-0x00007FFC667A0000-0x00007FFC67262000-memory.dmp

Filesize
10.8MB

Download
memory/4468-0-0x00007FFC667A3000-0x00007FFC667A5000-memory.dmp

Filesize
8KB

Download
memory/4468-36-0x00007FFC667A0000-0x00007FFC67262000-memory.dmp

Filesize
10.8MB

Download
memory/4468-35-0x00007FFC667A0000-0x00007FFC67262000-memory.dmp

Filesize
10.8MB

Download
memory/4468-34-0x00007FFC667A0000-0x00007FFC67262000-memory.dmp

Filesize
10.8MB

Download
memory/4468-21-0x00007FFC667A0000-0x00007FFC67262000-memory.dmp

Filesize
10.8MB

Download
memory/4468-33-0x00007FFC667A0000-0x00007FFC67262000-memory.dmp

Filesize
10.8MB

Download
memory/4468-18-0x000000001CA10000-0x000000001CA1E000-memory.dmp

Filesize
56KB

Download
memory/4468-20-0x000000001CA20000-0x000000001CA2C000-memory.dmp

Filesize
48KB

Download
memory/4468-16-0x000000001BD40000-0x000000001BD4C000-memory.dmp

Filesize
48KB

Download
memory/4468-14-0x0000000003350000-0x000000000335C000-memory.dmp

Filesize
48KB

Download
memory/4468-11-0x000000001CA50000-0x000000001CA68000-memory.dmp

Filesize
96KB

Download
memory/4468-12-0x00007FFC667A0000-0x00007FFC67262000-memory.dmp

Filesize
10.8MB

Download
memory/4468-9-0x000000001CAA0000-0x000000001CAF0000-memory.dmp

Filesize
320KB

Download
memory/4468-8-0x000000001CA30000-0x000000001CA4C000-memory.dmp

Filesize
112KB

Download
memory/4468-6-0x0000000001940000-0x000000000194E000-memory.dmp

Filesize
56KB

Download
memory/4468-4-0x00007FFC667A0000-0x00007FFC67262000-memory.dmp

Filesize
10.8MB

Download
memory/4468-3-0x00007FFC667A0000-0x00007FFC67262000-memory.dmp

Filesize
10.8MB

Download
memory/4468-2-0x00007FFC667A0000-0x00007FFC67262000-memory.dmp

Filesize
10.8MB

Download
memory/4468-1-0x0000000000EB0000-0x00000000010A4000-memory.dmp

Filesize
2.0MB

Download