dcrat | f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 16:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe
Size

1.3MB
MD5

0784bb738f01540d4bcacca9ecd1aef7
SHA1

27fb9af96df65561be5de42b4deb06f64e28cdff
SHA256

f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f
SHA512

bde152bed7eef1f671b654d329e9e3d94023fa6cede45cbdda8196998e77c3873746a1407a992727873a0d9163911835536e88b0e9179d4bb6f8afd6a88d2a6e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5108	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4224	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4680	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3716	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2364	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2364	schtasks.exe	92

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b83-10.dat	dcrat
behavioral2/memory/2484-13-0x0000000000810000-0x0000000000920000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3620	powershell.exe
1172	powershell.exe
3460	powershell.exe
2380	powershell.exe
4072	powershell.exe
4348	powershell.exe
5044	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000\Control Panel\International\Geo\Nation	upfc.exe

Executes dropped EXE 14 IoCs

pid	Process
2484	DllCommonsvc.exe
3384	upfc.exe
1636	upfc.exe
1300	upfc.exe
768	upfc.exe
3496	upfc.exe
4428	upfc.exe
3448	upfc.exe
4812	upfc.exe
1512	upfc.exe
4220	upfc.exe
3616	upfc.exe
216	upfc.exe
2304	upfc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
56	raw.githubusercontent.com
55	raw.githubusercontent.com
57	raw.githubusercontent.com
24	raw.githubusercontent.com
28	raw.githubusercontent.com
43	raw.githubusercontent.com
44	raw.githubusercontent.com
49	raw.githubusercontent.com
58	raw.githubusercontent.com
23	raw.githubusercontent.com
47	raw.githubusercontent.com
50	raw.githubusercontent.com
62	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\Media Renderer\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\Media Renderer\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Network Sharing\9e8d7a4ca61bd9	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\System\Speech\SearchApp.exe	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\upfc.exe	DllCommonsvc.exe
File created	C:\Windows\SKB\LanguageModels\ea1d8f6d871115	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe
Key created	\REGISTRY\USER\S-1-5-21-2045521122-590294423-3465680274-1000_Classes\Local Settings	upfc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3732	schtasks.exe
2628	schtasks.exe
2932	schtasks.exe
2552	schtasks.exe
5108	schtasks.exe
2372	schtasks.exe
2896	schtasks.exe
2508	schtasks.exe
3864	schtasks.exe
2444	schtasks.exe
2536	schtasks.exe
3716	schtasks.exe
2828	schtasks.exe
2960	schtasks.exe
4224	schtasks.exe
2776	schtasks.exe
2592	schtasks.exe
4680	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
2484	DllCommonsvc.exe
1172	powershell.exe
1172	powershell.exe
3620	powershell.exe
3620	powershell.exe
1172	powershell.exe
4348	powershell.exe
4348	powershell.exe
4072	powershell.exe
4072	powershell.exe
3460	powershell.exe
3460	powershell.exe
2380	powershell.exe
2380	powershell.exe
5044	powershell.exe
5044	powershell.exe
3460	powershell.exe
5044	powershell.exe
3620	powershell.exe
4348	powershell.exe
4072	powershell.exe
2380	powershell.exe
3384	upfc.exe
1636	upfc.exe
1300	upfc.exe
768	upfc.exe
3496	upfc.exe
4428	upfc.exe
3448	upfc.exe
4812	upfc.exe
1512	upfc.exe
4220	upfc.exe
3616	upfc.exe
216	upfc.exe
2304	upfc.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2484	DllCommonsvc.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	3620	powershell.exe
Token: SeDebugPrivilege	4348	powershell.exe
Token: SeDebugPrivilege	4072	powershell.exe
Token: SeDebugPrivilege	3460	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	5044	powershell.exe
Token: SeDebugPrivilege	3384	upfc.exe
Token: SeDebugPrivilege	1636	upfc.exe
Token: SeDebugPrivilege	1300	upfc.exe
Token: SeDebugPrivilege	768	upfc.exe
Token: SeDebugPrivilege	3496	upfc.exe
Token: SeDebugPrivilege	4428	upfc.exe
Token: SeDebugPrivilege	3448	upfc.exe
Token: SeDebugPrivilege	4812	upfc.exe
Token: SeDebugPrivilege	1512	upfc.exe
Token: SeDebugPrivilege	4220	upfc.exe
Token: SeDebugPrivilege	3616	upfc.exe
Token: SeDebugPrivilege	216	upfc.exe
Token: SeDebugPrivilege	2304	upfc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 4692	3028	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe	83
PID 3028 wrote to memory of 4692	3028	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe	83
PID 3028 wrote to memory of 4692	3028	f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe	83
PID 4692 wrote to memory of 5056	4692	WScript.exe	87
PID 4692 wrote to memory of 5056	4692	WScript.exe	87
PID 4692 wrote to memory of 5056	4692	WScript.exe	87
PID 5056 wrote to memory of 2484	5056	cmd.exe	89
PID 5056 wrote to memory of 2484	5056	cmd.exe	89
PID 2484 wrote to memory of 5044	2484	DllCommonsvc.exe	111
PID 2484 wrote to memory of 5044	2484	DllCommonsvc.exe	111
PID 2484 wrote to memory of 3620	2484	DllCommonsvc.exe	112
PID 2484 wrote to memory of 3620	2484	DllCommonsvc.exe	112
PID 2484 wrote to memory of 1172	2484	DllCommonsvc.exe	113
PID 2484 wrote to memory of 1172	2484	DllCommonsvc.exe	113
PID 2484 wrote to memory of 3460	2484	DllCommonsvc.exe	114
PID 2484 wrote to memory of 3460	2484	DllCommonsvc.exe	114
PID 2484 wrote to memory of 2380	2484	DllCommonsvc.exe	115
PID 2484 wrote to memory of 2380	2484	DllCommonsvc.exe	115
PID 2484 wrote to memory of 4072	2484	DllCommonsvc.exe	116
PID 2484 wrote to memory of 4072	2484	DllCommonsvc.exe	116
PID 2484 wrote to memory of 4348	2484	DllCommonsvc.exe	117
PID 2484 wrote to memory of 4348	2484	DllCommonsvc.exe	117
PID 2484 wrote to memory of 2940	2484	DllCommonsvc.exe	124
PID 2484 wrote to memory of 2940	2484	DllCommonsvc.exe	124
PID 2940 wrote to memory of 3136	2940	cmd.exe	127
PID 2940 wrote to memory of 3136	2940	cmd.exe	127
PID 2940 wrote to memory of 3384	2940	cmd.exe	134
PID 2940 wrote to memory of 3384	2940	cmd.exe	134
PID 3384 wrote to memory of 4704	3384	upfc.exe	137
PID 3384 wrote to memory of 4704	3384	upfc.exe	137
PID 4704 wrote to memory of 3752	4704	cmd.exe	139
PID 4704 wrote to memory of 3752	4704	cmd.exe	139
PID 4704 wrote to memory of 1636	4704	cmd.exe	141
PID 4704 wrote to memory of 1636	4704	cmd.exe	141
PID 1636 wrote to memory of 3448	1636	upfc.exe	143
PID 1636 wrote to memory of 3448	1636	upfc.exe	143
PID 3448 wrote to memory of 1044	3448	cmd.exe	145
PID 3448 wrote to memory of 1044	3448	cmd.exe	145
PID 3448 wrote to memory of 1300	3448	cmd.exe	147
PID 3448 wrote to memory of 1300	3448	cmd.exe	147
PID 1300 wrote to memory of 4224	1300	upfc.exe	151
PID 1300 wrote to memory of 4224	1300	upfc.exe	151
PID 4224 wrote to memory of 1368	4224	cmd.exe	153
PID 4224 wrote to memory of 1368	4224	cmd.exe	153
PID 4224 wrote to memory of 768	4224	cmd.exe	156
PID 4224 wrote to memory of 768	4224	cmd.exe	156
PID 768 wrote to memory of 880	768	upfc.exe	158
PID 768 wrote to memory of 880	768	upfc.exe	158
PID 880 wrote to memory of 4340	880	cmd.exe	160
PID 880 wrote to memory of 4340	880	cmd.exe	160
PID 880 wrote to memory of 3496	880	cmd.exe	162
PID 880 wrote to memory of 3496	880	cmd.exe	162
PID 3496 wrote to memory of 3068	3496	upfc.exe	164
PID 3496 wrote to memory of 3068	3496	upfc.exe	164
PID 3068 wrote to memory of 4324	3068	cmd.exe	166
PID 3068 wrote to memory of 4324	3068	cmd.exe	166
PID 3068 wrote to memory of 4428	3068	cmd.exe	168
PID 3068 wrote to memory of 4428	3068	cmd.exe	168
PID 4428 wrote to memory of 3388	4428	upfc.exe	171
PID 4428 wrote to memory of 3388	4428	upfc.exe	171
PID 3388 wrote to memory of 5048	3388	cmd.exe	173
PID 3388 wrote to memory of 5048	3388	cmd.exe	173
PID 3388 wrote to memory of 3448	3388	cmd.exe	175
PID 3388 wrote to memory of 3448	3388	cmd.exe	175

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe
"C:\Users\Admin\AppData\Local\Temp\f68fc7d4f7467404fa80f09b2049d2879502f959ac6c4d96e588c50b6bc21d5f.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4692
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5056
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\ssh\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\Media Renderer\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SKB\LanguageModels\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4348
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6YUdjEhwtU.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3136
      - C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3752
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1044
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1368
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4340
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4324
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5048
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
        19⤵
        
        PID:3904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:836
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat"
        21⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3556
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
        23⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4676
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        25⤵
        
        PID:4080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3400
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"
        27⤵
        
        PID:3640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4904
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat"
        29⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1716
        
        C:\Users\All Users\ssh\upfc.exe
        
        "C:\Users\All Users\ssh\upfc.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\Network Sharing\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\ssh\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\All Users\ssh\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\ssh\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\providercommon\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Media Player\Media Renderer\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\Media Renderer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\Media Renderer\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 5 /tr "'C:\Windows\SKB\LanguageModels\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Windows\SKB\LanguageModels\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Windows\SKB\LanguageModels\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
a43e653ffb5ab07940f4bdd9cc8fade4

SHA1
af43d04e3427f111b22dc891c5c7ee8a10ac4123

SHA256
c4c53abb13e99475aebfbe9fec7a8fead81c14c80d9dcc2b81375304f3a683fe

SHA512
62a97e95e1f19a8d4302847110dae44f469877eed6aa8ea22345c6eb25ee220e7d310fa0b7ec5df42356815421c0af7c46a0f1fee8933cc446641800eda6cd1b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\upfc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
496B

MD5
a77de19d3a25008d22b041bd3399a4ef

SHA1
340df9ee1d4040520b797ee54b8c44927fbead19

SHA256
330d20208b424e88ca6469c14459379d6fa0fd02b061ab5e4207bfccdd567a55

SHA512
485db05b3f2dadc745f8c8bee42716503d30a1a519557ba81193caf6bd5266ab51cc170c2e18698282de598b5fd52b49cb5f17405bc1cb8c44e8e298996482f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\00pP7nIBMq.bat

Filesize
196B

MD5
997887849852b012ae22b598ea2e0d45

SHA1
1220fffc3406d3411263fdd4cc4312cd6dd538bb

SHA256
e84a2ff6e391cbc38a467bb8c91404b9284dddfa3567ee420c164f886a5a5f71

SHA512
c92d038448ed345c1a891b12e8bb1a49d0df5b12eb5c874e6d46da6de07e17ad7ff4f9a924c00fcdc37466d45fda0a0345d67d865244cb159bcf618f9c7b995b

Download Submit
C:\Users\Admin\AppData\Local\Temp\38MS6cfT7h.bat

Filesize
196B

MD5
1e305e69dbee6a5cbb912627d5ce4a3a

SHA1
4368d23965dbc74f95279d6f7348d0fecf975f0c

SHA256
e2c6291f685d22f5a4a0855f0d4893244dbdc82c4702800f96871569f56b65a4

SHA512
f52c2d947d90271ea1a96a70a9915170b5f2130445a276c34a0187a7ee280e8bbed8451522aa1af668a922c5b6918e40705d6287b3880f65585e2d1de366086e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6YUdjEhwtU.bat

Filesize
196B

MD5
1e2223d7fc694abe9fa4fa19a4577f37

SHA1
80c9a883a8d35b64116935579ebf3d62dd614ec0

SHA256
74156a3974bae6e80f115299207af29e5e760bd0d8d4a86e900ceb5a72b0ab49

SHA512
eeb5d842aae900aaaecad125306184c1da75f95c948120827ef187c0ef03fe5ac016456790c55b655e34763ddb260ad16b1416f09df8a1f39172dcd555c2a984

Download Submit
C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat

Filesize
196B

MD5
9816c3cf237f73b96fb84846a817401a

SHA1
48510a049a6a01795048290ff120eae3feecdab9

SHA256
f895629920afd8581fcbd3323a6f3b384f0f5fdf904389f23e63cd5c396f1932

SHA512
c5a50033a2c2b6b42173cd26964172b669b725ec19bed263c6f040b881961bf9f5ea196dcad2c69e18fc627e6d60ac267023cbd748e1a9d365456e394c097681

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

Filesize
196B

MD5
6e1113e9d07858731f219230b12084bb

SHA1
0d4b330bc07f2eb058cb151799587473d1c254ce

SHA256
a971fee5b870455b7bcc9877630bea06782a19ea1d6f1b81f3004ba100d9e339

SHA512
92675251f1318fb11d1226dcad351b3acad7bbd7bd013f4c43508ebd7d141ac5c067048441a97924528d9ce3436f81b136d4162f61a2ab8de42b016260cf0000

Download Submit
C:\Users\Admin\AppData\Local\Temp\FnVhX1xwia.bat

Filesize
196B

MD5
5b05545fd2b1aff965ecf5d20ce56f15

SHA1
39a84c2fa4457d4de8a46fea50c1920f20cd7da8

SHA256
ebdb70f6493e093e90d3df3f1d2755fc27792b7590de0c28978c548038b9969c

SHA512
10166391fe1e3a2ad1da1a56a350d36e1803b7c97b1916ff1bd2526bd472785c9303d8d6c7fc5bc99eb1d861789a5c77dd3917daf9834f079c97346105928750

Download Submit
C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat

Filesize
196B

MD5
00ad981ce1112ff41842c62e5ab98c04

SHA1
5fd416c5f1856c734cf119446ebf36e256d60333

SHA256
ed88cb6b8fed31f24dc66f90d57df0a7bf694e81e20141ad530130fb478ae6d2

SHA512
8aa8d140cbcad144103385b6f979950b118f52bf2ff515f9feb2600a2c45c94acd97b1af9e68657d5130bdf31e644489d8e6ca88fccb2c0360b0c5466719247e

Download Submit
C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat

Filesize
196B

MD5
803a7521be2a6af008e8662b8229e653

SHA1
9517d87d696f9018ef6fdeee07b6f19598ed19df

SHA256
1df3d439f6347833ede5819ed7d9dabea51ffe87bc49b9d19d739e75a0d29188

SHA512
a2712c5b68a021e304521ccbfdf40b40ddf340b2e68dd92a75baed78f46472964cff0ec068825534e02476bdc623f2416c0555183befc5ea6c18e19bdc6a9c42

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
196B

MD5
0da83a431f1dd19c9de576d338b6a4d4

SHA1
32f640707dd2a45c4c4bbc60554c696215dd7acd

SHA256
fd1e557ac97806c7d6c94a92318cb6f1d6653cbe21e51db8a100c4f0bc62c5dc

SHA512
c0e82aaf948b61c174bf1ef989cd2eededda590c023c1f33271547e9381b64fd664af13c317efa7ba32d1a589e3a52a74038d98bedf39b06626ca881a9a85524

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_22f4v5zz.dbj.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

Filesize
196B

MD5
7ef513ee391adfb456daeffef945794d

SHA1
46a3d00b9b4570e3ddd188ae234fdd500115d73d

SHA256
09d9cc20144d36c398cb5bb4a772269be9a2d80618e62654663fe752c6347a01

SHA512
3a0bcc56b9cdf2cc85d4c554c66ac17c961c4b611b7bf7400afdf9a3ad562325ad2149768e375f6486c2f25269555e41a8c16d37e9c9fc213aed1e92f96ed633

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat

Filesize
196B

MD5
de49c23037fb5528d57828aba9d93ce2

SHA1
38f397589cc264721fa93e0ec1c032cc340305ef

SHA256
2513c5bf5e3aecaf24b918c20f78e1b43f62fdee20183cfcc3c5cc3326c68c9c

SHA512
b6aef48dce3faa195ba684408705db07c43ea19854235339274b0789522c05c1a4e37c3107467a8e18912fea8eec4087845c04fe70258ad127d5bee2e5ea68f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

Filesize
196B

MD5
0188cc65d0638acf4cd7c9e0e49b65fa

SHA1
c047ea1dbdcf6f2c13f19c4e0c28c32818c5370b

SHA256
92d7631c8ef857b66fb7af40ec56b0b7c32779d2e6f4f2990758ebfec2aca7a5

SHA512
1f03ab34514791c423b22670c17d043b488729952dd5db6b3851218eadf0fecf0c3e0a655fe556f15c6eeb9558af1597edfe5037629d167c088f90619c2aeb9e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/216-200-0x000000001BE30000-0x000000001BF9A000-memory.dmp

Filesize
1.4MB

Download
memory/1300-139-0x000000001BF10000-0x000000001C07A000-memory.dmp

Filesize
1.4MB

Download
memory/1512-179-0x000000001C420000-0x000000001C58A000-memory.dmp

Filesize
1.4MB

Download
memory/1512-174-0x0000000002AD0000-0x0000000002AE2000-memory.dmp

Filesize
72KB

Download
memory/1636-132-0x000000001C510000-0x000000001C67A000-memory.dmp

Filesize
1.4MB

Download
memory/2484-13-0x0000000000810000-0x0000000000920000-memory.dmp

Filesize
1.1MB

Download
memory/2484-14-0x00000000029F0000-0x0000000002A02000-memory.dmp

Filesize
72KB

Download
memory/2484-15-0x0000000002B80000-0x0000000002B8C000-memory.dmp

Filesize
48KB

Download
memory/2484-12-0x00007FFE63B23000-0x00007FFE63B25000-memory.dmp

Filesize
8KB

Download
memory/2484-16-0x0000000002B60000-0x0000000002B6C000-memory.dmp

Filesize
48KB

Download
memory/2484-17-0x0000000002B70000-0x0000000002B7C000-memory.dmp

Filesize
48KB

Download
memory/3384-124-0x000000001BBC0000-0x000000001BC61000-memory.dmp

Filesize
644KB

Download
memory/3384-118-0x0000000002120000-0x0000000002132000-memory.dmp

Filesize
72KB

Download
memory/3616-194-0x000000001C190000-0x000000001C2FA000-memory.dmp

Filesize
1.4MB

Download
memory/3620-53-0x000001E7ADE60000-0x000001E7ADE82000-memory.dmp

Filesize
136KB

Download
memory/4220-186-0x000000001C0B0000-0x000000001C259000-memory.dmp

Filesize
1.7MB

Download
memory/4428-154-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/4812-171-0x000000001BBF0000-0x000000001BD5A000-memory.dmp

Filesize
1.4MB

Download