dcrat | 033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
21-12-2024 20:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe
Size

1.3MB
MD5

e7631eb93c75e8ff8907259a2821ea5e
SHA1

30439da50753ccf287e386f6e2c80c28fe82c5bd
SHA256

033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf
SHA512

4d2759aa5ed9fcf788b850b6afea30eff47616b6382cfe1ad4d133d34af3af8b53077f3223d118c20ebee132f23654721b62c458c24070eac70f187114cf01e4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3796	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	328	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	428	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	3880	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3432	3880	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b89-10.dat	dcrat
behavioral2/memory/2780-13-0x0000000000610000-0x0000000000720000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4020	powershell.exe
3504	powershell.exe
4896	powershell.exe
5016	powershell.exe
4844	powershell.exe
4344	powershell.exe
4056	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	TextInputHost.exe

Executes dropped EXE 14 IoCs

pid	Process
2780	DllCommonsvc.exe
1772	TextInputHost.exe
4032	TextInputHost.exe
3248	TextInputHost.exe
4716	TextInputHost.exe
4612	TextInputHost.exe
1596	TextInputHost.exe
3692	TextInputHost.exe
2480	TextInputHost.exe
3676	TextInputHost.exe
1112	TextInputHost.exe
1144	TextInputHost.exe
4264	TextInputHost.exe
3520	TextInputHost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
53	raw.githubusercontent.com
55	raw.githubusercontent.com
25	raw.githubusercontent.com
45	raw.githubusercontent.com
51	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
41	raw.githubusercontent.com
46	raw.githubusercontent.com
56	raw.githubusercontent.com
40	raw.githubusercontent.com
52	raw.githubusercontent.com
54	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Mail\upfc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ea1d8f6d871115	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\addins\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\addins\TextInputHost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\addins\TextInputHost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	TextInputHost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2532	schtasks.exe
3796	schtasks.exe
2500	schtasks.exe
2844	schtasks.exe
2256	schtasks.exe
1720	schtasks.exe
328	schtasks.exe
3004	schtasks.exe
1928	schtasks.exe
1428	schtasks.exe
3432	schtasks.exe
2712	schtasks.exe
1936	schtasks.exe
2788	schtasks.exe
1880	schtasks.exe
428	schtasks.exe
2028	schtasks.exe
1200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 39 IoCs

pid	Process
2780	DllCommonsvc.exe
2780	DllCommonsvc.exe
2780	DllCommonsvc.exe
2780	DllCommonsvc.exe
2780	DllCommonsvc.exe
4020	powershell.exe
4844	powershell.exe
4344	powershell.exe
4344	powershell.exe
4896	powershell.exe
4896	powershell.exe
4056	powershell.exe
4056	powershell.exe
3504	powershell.exe
3504	powershell.exe
5016	powershell.exe
5016	powershell.exe
3504	powershell.exe
4056	powershell.exe
4344	powershell.exe
4844	powershell.exe
4844	powershell.exe
5016	powershell.exe
4896	powershell.exe
4020	powershell.exe
4020	powershell.exe
1772	TextInputHost.exe
4032	TextInputHost.exe
3248	TextInputHost.exe
4716	TextInputHost.exe
4612	TextInputHost.exe
1596	TextInputHost.exe
3692	TextInputHost.exe
2480	TextInputHost.exe
3676	TextInputHost.exe
1112	TextInputHost.exe
1144	TextInputHost.exe
4264	TextInputHost.exe
3520	TextInputHost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2780	DllCommonsvc.exe
Token: SeDebugPrivilege	4020	powershell.exe
Token: SeDebugPrivilege	4844	powershell.exe
Token: SeDebugPrivilege	4344	powershell.exe
Token: SeDebugPrivilege	4896	powershell.exe
Token: SeDebugPrivilege	4056	powershell.exe
Token: SeDebugPrivilege	3504	powershell.exe
Token: SeDebugPrivilege	5016	powershell.exe
Token: SeDebugPrivilege	1772	TextInputHost.exe
Token: SeDebugPrivilege	4032	TextInputHost.exe
Token: SeDebugPrivilege	3248	TextInputHost.exe
Token: SeDebugPrivilege	4716	TextInputHost.exe
Token: SeDebugPrivilege	4612	TextInputHost.exe
Token: SeDebugPrivilege	1596	TextInputHost.exe
Token: SeDebugPrivilege	3692	TextInputHost.exe
Token: SeDebugPrivilege	2480	TextInputHost.exe
Token: SeDebugPrivilege	3676	TextInputHost.exe
Token: SeDebugPrivilege	1112	TextInputHost.exe
Token: SeDebugPrivilege	1144	TextInputHost.exe
Token: SeDebugPrivilege	4264	TextInputHost.exe
Token: SeDebugPrivilege	3520	TextInputHost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 552 wrote to memory of 2664	552	JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe	82
PID 552 wrote to memory of 2664	552	JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe	82
PID 552 wrote to memory of 2664	552	JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe	82
PID 2664 wrote to memory of 3680	2664	WScript.exe	83
PID 2664 wrote to memory of 3680	2664	WScript.exe	83
PID 2664 wrote to memory of 3680	2664	WScript.exe	83
PID 3680 wrote to memory of 2780	3680	cmd.exe	85
PID 3680 wrote to memory of 2780	3680	cmd.exe	85
PID 2780 wrote to memory of 4020	2780	DllCommonsvc.exe	105
PID 2780 wrote to memory of 4020	2780	DllCommonsvc.exe	105
PID 2780 wrote to memory of 3504	2780	DllCommonsvc.exe	106
PID 2780 wrote to memory of 3504	2780	DllCommonsvc.exe	106
PID 2780 wrote to memory of 4896	2780	DllCommonsvc.exe	107
PID 2780 wrote to memory of 4896	2780	DllCommonsvc.exe	107
PID 2780 wrote to memory of 5016	2780	DllCommonsvc.exe	108
PID 2780 wrote to memory of 5016	2780	DllCommonsvc.exe	108
PID 2780 wrote to memory of 4844	2780	DllCommonsvc.exe	109
PID 2780 wrote to memory of 4844	2780	DllCommonsvc.exe	109
PID 2780 wrote to memory of 4344	2780	DllCommonsvc.exe	110
PID 2780 wrote to memory of 4344	2780	DllCommonsvc.exe	110
PID 2780 wrote to memory of 4056	2780	DllCommonsvc.exe	111
PID 2780 wrote to memory of 4056	2780	DllCommonsvc.exe	111
PID 2780 wrote to memory of 4408	2780	DllCommonsvc.exe	119
PID 2780 wrote to memory of 4408	2780	DllCommonsvc.exe	119
PID 4408 wrote to memory of 340	4408	cmd.exe	121
PID 4408 wrote to memory of 340	4408	cmd.exe	121
PID 4408 wrote to memory of 1772	4408	cmd.exe	122
PID 4408 wrote to memory of 1772	4408	cmd.exe	122
PID 1772 wrote to memory of 3460	1772	TextInputHost.exe	126
PID 1772 wrote to memory of 3460	1772	TextInputHost.exe	126
PID 3460 wrote to memory of 2460	3460	cmd.exe	128
PID 3460 wrote to memory of 2460	3460	cmd.exe	128
PID 3460 wrote to memory of 4032	3460	cmd.exe	132
PID 3460 wrote to memory of 4032	3460	cmd.exe	132
PID 4032 wrote to memory of 2964	4032	TextInputHost.exe	133
PID 4032 wrote to memory of 2964	4032	TextInputHost.exe	133
PID 2964 wrote to memory of 1628	2964	cmd.exe	135
PID 2964 wrote to memory of 1628	2964	cmd.exe	135
PID 2964 wrote to memory of 3248	2964	cmd.exe	136
PID 2964 wrote to memory of 3248	2964	cmd.exe	136
PID 3248 wrote to memory of 4768	3248	TextInputHost.exe	138
PID 3248 wrote to memory of 4768	3248	TextInputHost.exe	138
PID 4768 wrote to memory of 4556	4768	cmd.exe	140
PID 4768 wrote to memory of 4556	4768	cmd.exe	140
PID 4768 wrote to memory of 4716	4768	cmd.exe	142
PID 4768 wrote to memory of 4716	4768	cmd.exe	142
PID 4716 wrote to memory of 4800	4716	TextInputHost.exe	143
PID 4716 wrote to memory of 4800	4716	TextInputHost.exe	143
PID 4800 wrote to memory of 2244	4800	cmd.exe	145
PID 4800 wrote to memory of 2244	4800	cmd.exe	145
PID 4800 wrote to memory of 4612	4800	cmd.exe	146
PID 4800 wrote to memory of 4612	4800	cmd.exe	146
PID 4612 wrote to memory of 2080	4612	TextInputHost.exe	147
PID 4612 wrote to memory of 2080	4612	TextInputHost.exe	147
PID 2080 wrote to memory of 4968	2080	cmd.exe	149
PID 2080 wrote to memory of 4968	2080	cmd.exe	149
PID 2080 wrote to memory of 1596	2080	cmd.exe	150
PID 2080 wrote to memory of 1596	2080	cmd.exe	150
PID 1596 wrote to memory of 1680	1596	TextInputHost.exe	151
PID 1596 wrote to memory of 1680	1596	TextInputHost.exe	151
PID 1680 wrote to memory of 5080	1680	cmd.exe	153
PID 1680 wrote to memory of 5080	1680	cmd.exe	153
PID 1680 wrote to memory of 3692	1680	cmd.exe	154
PID 1680 wrote to memory of 3692	1680	cmd.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_033b4f489ff522b074811a43a9d41dfa941a080b4b7c89012e486fe0427a47bf.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:552
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2664
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3680
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i41dRvkC7P.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4408
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:340
      - C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2460
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1628
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4556
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2244
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4968
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:5080
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
        19⤵
        
        PID:4568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1832
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        21⤵
        
        PID:1280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2528
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
        23⤵
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2084
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
        25⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2216
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        27⤵
        
        PID:1008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4092
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat"
        29⤵
        
        PID:4064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4868
        
        C:\Windows\addins\TextInputHost.exe
        
        "C:\Windows\addins\TextInputHost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat"
        31⤵
        
        PID:2644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\addins\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Windows\addins\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Mail\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\providercommon\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\root\Templates\1033\ONENOTE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\TextInputHost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CWxqMEPA9M.bat

Filesize
200B

MD5
b580e5cb24f2b91781ff7f8b2ddf60e7

SHA1
e32a496e1c944fbe9771fa1aad1770fb7dc10bba

SHA256
7f91681bb190ecb898e31b5974dcac7af5de8726e653d1d78c0743df8637416d

SHA512
0e072dff802bc31aeafd1deb3675e7a95fb1adb900cc12cca488cd1c87670fee6d75b4137ad0dd021e58d7e7a03f991f1fd51a35e2d3c792d46a6ecad60ec3a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

Filesize
200B

MD5
cf19c77ab9bf7aa9a0d53eca5357dfc3

SHA1
a9f862a70bd5e7585f772e3d9a699b175e9069b0

SHA256
09024724eb879c947709113c2c566e7df2bca9fcc4fd404113fe62943da8e8c0

SHA512
b10cbfb365b3ce9f15b786b358bd97e6c9877970a6c5be4f49125d67912bafbbf2b1833e4cd4cf3763b9f30c8e0c63784d2f442fcdbd72c21692350d6ddb0134

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

Filesize
200B

MD5
86435233505797d139a233af091ef6ed

SHA1
8e47ff55a152ddeea8d418407d36285b2944191a

SHA256
82def9f370a280e94dae21d7910358e0cdaf6fbbd53214e841bff49d08b3d020

SHA512
571554e20305ac6690f388c6e827c811efe5039d6c728210d9fb80ccee107cbf57181cba0eafe4c69323aabc76068239414deea166bb0a58d7ccb3359bb8b376

Download Submit
C:\Users\Admin\AppData\Local\Temp\MXvuXcjR4o.bat

Filesize
200B

MD5
c4517745ee58ab09b32067d0dc3d5898

SHA1
da1e200c366210e9c8f5e9d955f56445069da640

SHA256
386d5311e7431ae7daed87f91cc589fa3313074551d260cd653cec202fe827b2

SHA512
dcf18c51dfcacf9d8f9aed320d2f0e6288104cff398b42d400818cade2bd5a97a1535e1e5f2a66ca47a2d82cdce1750cda8dcc67e298393b30cc229d4d6c5f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

Filesize
200B

MD5
002cebd4badfb320c72c50f18b69f4cb

SHA1
50b415bf04af48dba79f5793cea2f1977897cd99

SHA256
39146dfef66a6d0cddb98fe394a343d306ec9735bbd3defe39106837d3135ee5

SHA512
c06a55f69f47c124c8f24aab494af0ca362c92d60d379b4b097d714e952b272bf4e0fcc83c5233d76cc865d9859e682cd4e6ce2f16057a75858c4d391a0f353e

Download Submit
C:\Users\Admin\AppData\Local\Temp\QOz0umrEhM.bat

Filesize
200B

MD5
c8002cba4c26f46cbc3dd579859d9527

SHA1
5f0fe028d33cb258dc39c425867eca1c5b3a9dc6

SHA256
890e6dc906d4481a4cc5a97f091ea08abc602f49157ad993162c48b63f018d01

SHA512
b44714c95d0a80361886bb924117ab9407825cbc479316509ea9b8ddb9be9fe6f1abd7ebb916cd562db73ed2f71bbe7c3319939ac88fd8f2a05944abf15febcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
200B

MD5
16865b0afb8cc617d14178cacdb6e8d3

SHA1
fabfef51ba8cba7bb98fea040d9c91c1a2577a70

SHA256
fa764a2607d705854e0f46016dbbaa26006c98d73b1369967874f4dc8cee849d

SHA512
1d859d6b3413a7932f2e865f71bf8d5c6995bca0832ee271db2bc741400372a0b15bc6a2d77b27525f7c6b4b31273517b1a0e0ad7f2bfeccf8ff3d1640cab9b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

Filesize
200B

MD5
bdd554a2d4af105dc2ae4be0b1ee6bd9

SHA1
3ffc31ed5f4e99d76e6c1ae2a2d076356d05630a

SHA256
31ba161159c82d5e3cee0139905e968f17434dff9f62fc3efe50b0cfb5f6bcf5

SHA512
ef2961456cab9fd8384e6d52322207ba993deb85e3f17ca44e9f2954325dbc5057f556e8bc79c9f82579d4b600fe94de6d44ad45d0001653b3123e58afdd14c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\XC59y11ueh.bat

Filesize
200B

MD5
521a3f9042bb485c504a77a2871e3c26

SHA1
e8939e01d119aba1878f25361cedcc937412c6a7

SHA256
aa12349444c014ac0313d4c86a936da57b84d1f9ab225eff7f5448591402f7f9

SHA512
d5356928912ba43f006b223709f8970e9149d17258a1463a500e503b8de8d18b7d57dc68d91c6068b1229038294655fe8273cdf9d9ea042438e65479bb90721e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_mi31cg0d.zdg.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGpPWS23Hw.bat

Filesize
200B

MD5
43c324cbef87182a83ea18b836fb982f

SHA1
3d956b32452660cbf0c591e347390230d506aba6

SHA256
4d655992e91d0a46206608585e1ca524f2e3d6286db3be3f94726ea7471ad2f9

SHA512
51a71c2bb3ef9dc96fc08112a405166c2188b8bceaf28ac9d7e5505d6c2aff0168785438fcf7df45950bb1187cf1498121e4cf47e6deecdeeee56d8d77b3c1e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\i41dRvkC7P.bat

Filesize
200B

MD5
af85c8966d5f794782da50f65d0067f8

SHA1
3928f40f63a8fb89bb62c61da5b5212d81b46855

SHA256
06eac4956d2e5f1c27bd0bc5d506607a845a1ba04620144394af97f4f6b95947

SHA512
6a89d16ac16ceb07b5d0ee1b51bbf312da1e98be0cf664a5e471c2316978e2501ab8f7d1313dce40331cb025a97e993369f5826be7aa34bbd1743da78cc7d71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
200B

MD5
c006bc7a1675727684b400372fa575a4

SHA1
0245fd691e8df99f626cd7e0ead7313a1d45dbaf

SHA256
26e61e9882ac33f9a442216fc2710bfb5b5ff0d85961ed3d271abb538c7f3821

SHA512
31ac14606d20df92477882b2d64a4f34bb0fbd5643ea96d93941bd3812f1914bc7ff07997e682359c8cb356842206b0a2fc8781df371cb267d9262d2f73821fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\x4tck5X09i.bat

Filesize
200B

MD5
7e13905bd03a8ae818d0c51e7654befc

SHA1
b29019a58e61e3d5f1c0a99cd1738bbc77304376

SHA256
e32afac5ba04e79208052c69435314a9acb44a149d8db24762c911acbdda892c

SHA512
aadcb4a3f1d06410bd81485859a01a005f8fe2706965d1ac1bda230b514685d352d68b1faea594a74d225e8e5269e8c3cb16427b07022fb02e01b1a908853c51

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1112-184-0x000000001C2C0000-0x000000001C469000-memory.dmp

Filesize
1.7MB

Download
memory/1112-179-0x0000000001090000-0x00000000010A2000-memory.dmp

Filesize
72KB

Download
memory/1144-191-0x000000001BE00000-0x000000001BFA9000-memory.dmp

Filesize
1.7MB

Download
memory/1596-151-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/2480-164-0x0000000000C90000-0x0000000000CA2000-memory.dmp

Filesize
72KB

Download
memory/2480-169-0x000000001C030000-0x000000001C1D9000-memory.dmp

Filesize
1.7MB

Download
memory/2780-14-0x0000000000F50000-0x0000000000F62000-memory.dmp

Filesize
72KB

Download
memory/2780-13-0x0000000000610000-0x0000000000720000-memory.dmp

Filesize
1.1MB

Download
memory/2780-15-0x0000000000F60000-0x0000000000F6C000-memory.dmp

Filesize
48KB

Download
memory/2780-17-0x0000000002870000-0x000000000287C000-memory.dmp

Filesize
48KB

Download
memory/2780-16-0x0000000000F70000-0x0000000000F7C000-memory.dmp

Filesize
48KB

Download
memory/2780-12-0x00007FFAEE633000-0x00007FFAEE635000-memory.dmp

Filesize
8KB

Download
memory/3520-201-0x0000000001220000-0x0000000001232000-memory.dmp

Filesize
72KB

Download
memory/3676-176-0x000000001C7D0000-0x000000001C979000-memory.dmp

Filesize
1.7MB

Download
memory/4032-126-0x00000000017C0000-0x00000000017D2000-memory.dmp

Filesize
72KB

Download
memory/4264-198-0x000000001C450000-0x000000001C5F9000-memory.dmp

Filesize
1.7MB

Download
memory/4344-46-0x000001B1ABD20000-0x000001B1ABD42000-memory.dmp

Filesize
136KB

Download