dcrat | 4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 16:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49.exe
Size

1.3MB
MD5

68b34064a71f8a193b4bfd2e9ff3e603
SHA1

ea2d6af1ad55b8cc91582d0fb2c6ed9cfdee9541
SHA256

4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49
SHA512

16e6d120bc7a5cdb84d1e7868d339bfe99c65b31a6ff2204dc67ee2d71c4e3ac28e6be476c843d8f3d9232174b1bb0fb1ba30c3abdc227a0b52d11510496f83f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3084	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4900	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3872	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5028	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4884	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4392	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3540	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	4704	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	4704	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0031000000023b5c-10.dat	dcrat
behavioral2/memory/388-13-0x0000000000500000-0x0000000000610000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1740	powershell.exe
2292	powershell.exe
4756	powershell.exe
3100	powershell.exe
1512	powershell.exe
4984	powershell.exe
1356	powershell.exe
3152	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	csrss.exe

Executes dropped EXE 14 IoCs

pid	Process
388	DllCommonsvc.exe
4964	csrss.exe
1488	csrss.exe
228	csrss.exe
5008	csrss.exe
860	csrss.exe
3280	csrss.exe
3744	csrss.exe
4372	csrss.exe
3876	csrss.exe
3840	csrss.exe
2028	csrss.exe
2036	csrss.exe
2796	csrss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
21	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com
15	raw.githubusercontent.com
43	raw.githubusercontent.com
55	raw.githubusercontent.com
57	raw.githubusercontent.com
56	raw.githubusercontent.com
58	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\ea9f0e6c9e2dcd	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office 15\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\taskhostw.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	csrss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4884	schtasks.exe
3372	schtasks.exe
4300	schtasks.exe
4832	schtasks.exe
2224	schtasks.exe
3872	schtasks.exe
4904	schtasks.exe
5028	schtasks.exe
804	schtasks.exe
1608	schtasks.exe
220	schtasks.exe
4900	schtasks.exe
3164	schtasks.exe
4808	schtasks.exe
1640	schtasks.exe
2336	schtasks.exe
4392	schtasks.exe
2808	schtasks.exe
3084	schtasks.exe
4916	schtasks.exe
3540	schtasks.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

pid	Process
388	DllCommonsvc.exe
388	DllCommonsvc.exe
388	DllCommonsvc.exe
388	DllCommonsvc.exe
388	DllCommonsvc.exe
1740	powershell.exe
4756	powershell.exe
3100	powershell.exe
3100	powershell.exe
3152	powershell.exe
3152	powershell.exe
4984	powershell.exe
4984	powershell.exe
1512	powershell.exe
1512	powershell.exe
1356	powershell.exe
1356	powershell.exe
3100	powershell.exe
2292	powershell.exe
2292	powershell.exe
1740	powershell.exe
1740	powershell.exe
4756	powershell.exe
4756	powershell.exe
3152	powershell.exe
4984	powershell.exe
1512	powershell.exe
1356	powershell.exe
2292	powershell.exe
4964	csrss.exe
1488	csrss.exe
228	csrss.exe
5008	csrss.exe
860	csrss.exe
3280	csrss.exe
3744	csrss.exe
4372	csrss.exe
3876	csrss.exe
3840	csrss.exe
2028	csrss.exe
2036	csrss.exe
2796	csrss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	388	DllCommonsvc.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	4756	powershell.exe
Token: SeDebugPrivilege	3100	powershell.exe
Token: SeDebugPrivilege	3152	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	4964	csrss.exe
Token: SeDebugPrivilege	1488	csrss.exe
Token: SeDebugPrivilege	228	csrss.exe
Token: SeDebugPrivilege	5008	csrss.exe
Token: SeDebugPrivilege	860	csrss.exe
Token: SeDebugPrivilege	3280	csrss.exe
Token: SeDebugPrivilege	3744	csrss.exe
Token: SeDebugPrivilege	4372	csrss.exe
Token: SeDebugPrivilege	3876	csrss.exe
Token: SeDebugPrivilege	3840	csrss.exe
Token: SeDebugPrivilege	2028	csrss.exe
Token: SeDebugPrivilege	2036	csrss.exe
Token: SeDebugPrivilege	2796	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1144 wrote to memory of 2464	1144	4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49.exe	83
PID 1144 wrote to memory of 2464	1144	4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49.exe	83
PID 1144 wrote to memory of 2464	1144	4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49.exe	83
PID 2464 wrote to memory of 4868	2464	WScript.exe	85
PID 2464 wrote to memory of 4868	2464	WScript.exe	85
PID 2464 wrote to memory of 4868	2464	WScript.exe	85
PID 4868 wrote to memory of 388	4868	cmd.exe	87
PID 4868 wrote to memory of 388	4868	cmd.exe	87
PID 388 wrote to memory of 2292	388	DllCommonsvc.exe	111
PID 388 wrote to memory of 2292	388	DllCommonsvc.exe	111
PID 388 wrote to memory of 1740	388	DllCommonsvc.exe	112
PID 388 wrote to memory of 1740	388	DllCommonsvc.exe	112
PID 388 wrote to memory of 4756	388	DllCommonsvc.exe	113
PID 388 wrote to memory of 4756	388	DllCommonsvc.exe	113
PID 388 wrote to memory of 3152	388	DllCommonsvc.exe	114
PID 388 wrote to memory of 3152	388	DllCommonsvc.exe	114
PID 388 wrote to memory of 1356	388	DllCommonsvc.exe	115
PID 388 wrote to memory of 1356	388	DllCommonsvc.exe	115
PID 388 wrote to memory of 4984	388	DllCommonsvc.exe	116
PID 388 wrote to memory of 4984	388	DllCommonsvc.exe	116
PID 388 wrote to memory of 1512	388	DllCommonsvc.exe	117
PID 388 wrote to memory of 1512	388	DllCommonsvc.exe	117
PID 388 wrote to memory of 3100	388	DllCommonsvc.exe	118
PID 388 wrote to memory of 3100	388	DllCommonsvc.exe	118
PID 388 wrote to memory of 2840	388	DllCommonsvc.exe	127
PID 388 wrote to memory of 2840	388	DllCommonsvc.exe	127
PID 2840 wrote to memory of 2184	2840	cmd.exe	129
PID 2840 wrote to memory of 2184	2840	cmd.exe	129
PID 2840 wrote to memory of 4964	2840	cmd.exe	130
PID 2840 wrote to memory of 4964	2840	cmd.exe	130
PID 4964 wrote to memory of 1508	4964	csrss.exe	132
PID 4964 wrote to memory of 1508	4964	csrss.exe	132
PID 1508 wrote to memory of 220	1508	cmd.exe	134
PID 1508 wrote to memory of 220	1508	cmd.exe	134
PID 1508 wrote to memory of 1488	1508	cmd.exe	136
PID 1508 wrote to memory of 1488	1508	cmd.exe	136
PID 1488 wrote to memory of 4560	1488	csrss.exe	143
PID 1488 wrote to memory of 4560	1488	csrss.exe	143
PID 4560 wrote to memory of 4400	4560	cmd.exe	145
PID 4560 wrote to memory of 4400	4560	cmd.exe	145
PID 4560 wrote to memory of 228	4560	cmd.exe	154
PID 4560 wrote to memory of 228	4560	cmd.exe	154
PID 228 wrote to memory of 4948	228	csrss.exe	157
PID 228 wrote to memory of 4948	228	csrss.exe	157
PID 4948 wrote to memory of 1672	4948	cmd.exe	159
PID 4948 wrote to memory of 1672	4948	cmd.exe	159
PID 4948 wrote to memory of 5008	4948	cmd.exe	161
PID 4948 wrote to memory of 5008	4948	cmd.exe	161
PID 5008 wrote to memory of 804	5008	csrss.exe	163
PID 5008 wrote to memory of 804	5008	csrss.exe	163
PID 804 wrote to memory of 4520	804	cmd.exe	165
PID 804 wrote to memory of 4520	804	cmd.exe	165
PID 804 wrote to memory of 860	804	cmd.exe	167
PID 804 wrote to memory of 860	804	cmd.exe	167
PID 860 wrote to memory of 1824	860	csrss.exe	169
PID 860 wrote to memory of 1824	860	csrss.exe	169
PID 1824 wrote to memory of 2152	1824	cmd.exe	171
PID 1824 wrote to memory of 2152	1824	cmd.exe	171
PID 1824 wrote to memory of 3280	1824	cmd.exe	174
PID 1824 wrote to memory of 3280	1824	cmd.exe	174
PID 3280 wrote to memory of 4652	3280	csrss.exe	176
PID 3280 wrote to memory of 4652	3280	csrss.exe	176
PID 4652 wrote to memory of 2704	4652	cmd.exe	178
PID 4652 wrote to memory of 2704	4652	cmd.exe	178

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49.exe
"C:\Users\Admin\AppData\Local\Temp\4c30e9d648579aa65b9ef36bfa72baa131269c3c5c32fb841108a43d29b26f49.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2464
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4868
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Music\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft OneDrive\setup\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\taskhostw.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\MsEdgeCrashpad\reports\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3100
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9RjawjygKK.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2184
      - C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:220
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4400
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1672
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4520
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2152
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2704
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat"
        19⤵
        
        PID:3160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:436
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
        21⤵
        
        PID:3424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4760
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        23⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:804
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
        25⤵
        
        PID:1408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4868
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
        27⤵
        
        PID:4720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2288
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat"
        29⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3448
        
        C:\Recovery\WindowsRE\csrss.exe
        
        "C:\Recovery\WindowsRE\csrss.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
        31⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:3112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office 15\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Documents\My Music\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Music\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Microsoft OneDrive\setup\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 9 /tr "'C:\Program Files\MSBuild\taskhostw.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\Program Files\MSBuild\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\taskhostw.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Windows\Temp\MsEdgeCrashpad\reports\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\csrss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

Filesize
196B

MD5
05b30945adfa78eb2ebbe81202c43c6d

SHA1
9f28885cbe0f1e0b66d4bdecea453eec7462617c

SHA256
6a14a0a8a3f2a1392f0650a024f578f8840b1e1876ba15b1f417dfd5cf019415

SHA512
ccbe1c9d5aa0f89128c0f5e2436c0d00a72fefafe63a64634513f5f3bb90e396134f864f85e1b0ec7b2cc8542dc283b0e13ce4305318947b6912101e3262a99c

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat

Filesize
196B

MD5
d1a1c8e347ef429bda13d48063e79369

SHA1
c3e88832ee139dd0436223a2c7c3a84c54ecd27d

SHA256
1adbaadb4ce148c4edbb1604e4fffb9e5b65d70627f4475bffbdf92ac5f3db4b

SHA512
89202f88da32dc445a171dec66df1f0aabb860ec9469d17d59c169e4c67f043c6a70190d57cb5ca295225630d21164398efc636d995cce22db0d989a369d783e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9RjawjygKK.bat

Filesize
196B

MD5
1e8962cee42eb25098d9652f845a66c4

SHA1
be629880218077afe93040f5f486127d03cb6e50

SHA256
548f45750190844b05d4ef965b5ca6a30f7711cc5f1c6240fec19f369e49717c

SHA512
d7c6d2e87046fddddac21eb8ca744c84b39f2fc3ebba42081a9397cc0e40a78641e07be12e531d7718135580114ebd209ba2a7d25864b7bdd86fb88a1dae56cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat

Filesize
196B

MD5
ca635c2ec96cd806145c84083c7b794a

SHA1
6a845d9d905d379063d02dc605844978b3e90a85

SHA256
9d9e6ef1717987bd20961ccffca94e74b73ee64da6d82478ea0c0ae8f10220b1

SHA512
b77732c4fd574798364f5b459da16316769242417ed4aedf65b6806611b664918b0ae533dd56aba097c2a51ab051e48ec497d9779251888f92f53348843c2139

Download Submit
C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat

Filesize
196B

MD5
9e65de3f7d0009c017df80c56b3b2dea

SHA1
78c16203d0b48f55ff2c17aa19462dc991ac7422

SHA256
bde8d7818adee1c2a20a1d3079fa33c7d85c534fa9bab9ca53cf5ce32705029a

SHA512
e7a38c9365299695a43b6ad71ef71dfcf2e26a4be4c5db4063ad6b9fc64002a9bfb72e176a6e9a42390ecbfbed08ea2cddb62754efa97a4c1f86840c330d068b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

Filesize
196B

MD5
bff71111a988810c825d796b222fba6d

SHA1
10fc5964c75c7d03f1bf15e86eaaddf9caba6b91

SHA256
495d46d4f3594b8e35a151f9bc8ff343c6af3aea51561104c631a586e34ed759

SHA512
08dd13ee45ba3af3eeff2772925f96013722ec641369cbee0649a9ba051373033c37d1b5e96b766ccc2a1658c6d3aa5072089cad747e22eb9736de7b3f986950

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

Filesize
196B

MD5
cac4353a362efa8773f08419d81cc113

SHA1
60dbf43b67d744c87d3abd6b808d6769b9fba65b

SHA256
e7ea3b52f435fa8d2ab43af0ed7fefecebe3ddee24650e61a3350b1c344d0c58

SHA512
e88abb194feb05900155c6d73900a8d23303d65ca9d6566933414ae5bd5788b1492ec8a05acad9a0680f8fa84ba81ececdd198870889fb2356a2299a39f23d1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat

Filesize
196B

MD5
b71b7602cafb86f92cef9b2d83c32329

SHA1
af59681b30192376ebfa29467c00e48cd07dbdfe

SHA256
7e96317668fa6e3615a18251c1c134ee90cca87fefb5a1e506d4bd18f9ccf1b6

SHA512
c7fff8b9fb11078d2fb03549aadd5b77261ed5486931b71a0a685f1e64c2b0708a356f27eff2ce511c1dbba7362fe2639d68f988ff5385d2f98cc4f27ce3c6ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
196B

MD5
53930e720b747a2b19bc5704fceda570

SHA1
237e5406ea0eb23f17234d8b7b548894386dd3d8

SHA256
cd8b172db80b1239707b0be428c5a7da0a254cb91fa52f72bdda5a0fe64455c7

SHA512
04b86c68e79e2ebd87053af1067a03d0d78c5c648553e6d6d92b7e47540036b3f535fb194204464daabfbb8629b8a180ca24d3ac19bd13e9fbe326b2419685c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_00hljp54.c0t.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat

Filesize
196B

MD5
0a468985211b836f7876c166bee738f7

SHA1
02c9679be8d1c604007d07233216f097391956ff

SHA256
eb645ecd1a59ca5d900e4bf9eef3b470921bcd0d3e9ed7ceeb0171189812227c

SHA512
246a4dc519d13ea735a1b3f3d8511ba25275616b7903e2eb6284426efb829afe827a523d6ae812d1db63e357da2cb7806e9e855df51c37909b4786e272b6da82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

Filesize
196B

MD5
7d16eecde61bc642b1e089d784f99a73

SHA1
5909cfb39f47acd59bb707c4e95aa3a240e76cb7

SHA256
4c46b0e3210e8846fee31edcfda413b7e791b2868e1e0cadf44996ddcb192f23

SHA512
5d3921e1611b5b86b1771a99bb59f05941a40b8e30fc4f1e03e548b4ad7624df83d60a59de49a2eb59a0310c7e11237f15df570086444ecf93206c04e02f3b87

Download Submit
C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

Filesize
196B

MD5
6672df7b661761c18fe4c017057a8fb1

SHA1
66d23b152bdb07fa500058761c5622ebf0e7b7e6

SHA256
283123b3b2d9d43d058f7809797e2a7add49a90af08d0bd66a996d9d277fc7e0

SHA512
1f2153681f1b3e92025e6195e66f9f13a6c9c71bf444f4d52815eef62592eca6c18d38ef4232748df967682c67b45e1a62d8fc3011dc4676e71237c7b2a96b83

Download Submit
C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat

Filesize
196B

MD5
b552d5c6fee13df6b1314804e581d1e0

SHA1
0fe8f73e90fdfeca92d6c12fca23d6ddc045538c

SHA256
870a8dee504145bd328524615e4a25be81f5f79c66d4d335b9ca729957046789

SHA512
a037312b6317ef582b46ad397a0e784e0b40cac256d280e9737442d805e4710774f3c3be3797f65ff9a077abe3302b540caec926ce1fc8275720c34fd039c4f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
196B

MD5
d9b2a132bf898b04cb4061f68edc936e

SHA1
f7688d1202db45759bda411233f78910b8491a9d

SHA256
0c06cb55128283d0b698c76ac1783bf7a8d36b7db58d7572a80d2db2f8acedec

SHA512
d97977e97d2e15923732a5055981f8f2b2e32ad00bc5a26a4ab41ea5ae7d826bcc29fb08e0c6c38ab513cf0595995b8d256621173aeba9dba6e5c84730c9c9e2

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/228-153-0x000000001D9F0000-0x000000001DA91000-memory.dmp

Filesize
644KB

Download
memory/228-152-0x000000001D880000-0x000000001D9EA000-memory.dmp

Filesize
1.4MB

Download
memory/388-17-0x0000000002760000-0x000000000276C000-memory.dmp

Filesize
48KB

Download
memory/388-12-0x00007FF9DE003000-0x00007FF9DE005000-memory.dmp

Filesize
8KB

Download
memory/388-13-0x0000000000500000-0x0000000000610000-memory.dmp

Filesize
1.1MB

Download
memory/388-14-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/388-15-0x0000000002740000-0x000000000274C000-memory.dmp

Filesize
48KB

Download
memory/388-16-0x0000000002750000-0x000000000275C000-memory.dmp

Filesize
48KB

Download
memory/860-169-0x000000001DD40000-0x000000001DEAA000-memory.dmp

Filesize
1.4MB

Download
memory/860-170-0x000000001DEB0000-0x000000001DF51000-memory.dmp

Filesize
644KB

Download
memory/1488-145-0x000000001D600000-0x000000001D702000-memory.dmp

Filesize
1.0MB

Download
memory/3280-177-0x000000001D740000-0x000000001D8AA000-memory.dmp

Filesize
1.4MB

Download
memory/3280-178-0x000000001D8B0000-0x000000001D951000-memory.dmp

Filesize
644KB

Download
memory/3744-186-0x000000001D5B0000-0x000000001D651000-memory.dmp

Filesize
644KB

Download
memory/3744-185-0x000000001D440000-0x000000001D5AA000-memory.dmp

Filesize
1.4MB

Download
memory/4756-55-0x000001DF101D0000-0x000001DF101F2000-memory.dmp

Filesize
136KB

Download
memory/4964-131-0x000000001AFE0000-0x000000001AFF2000-memory.dmp

Filesize
72KB

Download
memory/4964-137-0x000000001CF00000-0x000000001D002000-memory.dmp

Filesize
1.0MB

Download
memory/5008-161-0x000000001D940000-0x000000001DAAA000-memory.dmp

Filesize
1.4MB

Download
memory/5008-162-0x000000001DAB0000-0x000000001DB51000-memory.dmp

Filesize
644KB

Download
memory/5008-156-0x000000001B7F0000-0x000000001B802000-memory.dmp

Filesize
72KB

Download