dcrat | 23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8

Analysis

max time kernel
142s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 01:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe
Size

1.3MB
MD5

5cf1d961618842419c2236ceee53a248
SHA1

358b2edbc9d688ae9168144708e3961f7bbed3e1
SHA256

23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8
SHA512

6bf977f6a0ab9f442c6e0e5edf8aebb5a55a89814cc506d434214b7e6fe48456d090b081c065c5cb76f2cfcf42a3d8339daef96b1a408832531f1bbcf65a6c08
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3856	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	116	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	232	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4548	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3364	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3404	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3368	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4068	2376	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3440	2376	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c9b-10.dat	dcrat
behavioral2/memory/3192-13-0x00000000009F0000-0x0000000000B00000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4960	powershell.exe
2896	powershell.exe
2248	powershell.exe
3400	powershell.exe
4220	powershell.exe
4008	powershell.exe
4996	powershell.exe
5048	powershell.exe
4488	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	winlogon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe

Executes dropped EXE 15 IoCs

pid	Process
3192	DllCommonsvc.exe
1720	winlogon.exe
1632	winlogon.exe
3968	winlogon.exe
452	winlogon.exe
116	winlogon.exe
2036	winlogon.exe
1828	winlogon.exe
1100	winlogon.exe
4048	winlogon.exe
3144	winlogon.exe
1052	winlogon.exe
3916	winlogon.exe
972	winlogon.exe
5004	winlogon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
52	raw.githubusercontent.com
54	raw.githubusercontent.com
43	raw.githubusercontent.com
45	raw.githubusercontent.com
39	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
17	raw.githubusercontent.com
37	raw.githubusercontent.com
53	raw.githubusercontent.com
40	raw.githubusercontent.com
44	raw.githubusercontent.com
16	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\WindowsPowerShell\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\ModifiableWindowsApps\conhost.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\LiveKernelReports\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\es-ES\RuntimeBroker.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	winlogon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2296	schtasks.exe
1820	schtasks.exe
3368	schtasks.exe
4544	schtasks.exe
3404	schtasks.exe
4548	schtasks.exe
3364	schtasks.exe
4428	schtasks.exe
1140	schtasks.exe
3856	schtasks.exe
4176	schtasks.exe
1908	schtasks.exe
4068	schtasks.exe
1084	schtasks.exe
1884	schtasks.exe
232	schtasks.exe
1936	schtasks.exe
1132	schtasks.exe
1620	schtasks.exe
2828	schtasks.exe
2308	schtasks.exe
772	schtasks.exe
116	schtasks.exe
3440	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
3192	DllCommonsvc.exe
3192	DllCommonsvc.exe
3192	DllCommonsvc.exe
3192	DllCommonsvc.exe
3192	DllCommonsvc.exe
3192	DllCommonsvc.exe
3192	DllCommonsvc.exe
5048	powershell.exe
4220	powershell.exe
4008	powershell.exe
4008	powershell.exe
4488	powershell.exe
4488	powershell.exe
3400	powershell.exe
3400	powershell.exe
2248	powershell.exe
2248	powershell.exe
4960	powershell.exe
4960	powershell.exe
2896	powershell.exe
2896	powershell.exe
4996	powershell.exe
4996	powershell.exe
1720	winlogon.exe
1720	winlogon.exe
4220	powershell.exe
4220	powershell.exe
2896	powershell.exe
4008	powershell.exe
5048	powershell.exe
5048	powershell.exe
4488	powershell.exe
4960	powershell.exe
2248	powershell.exe
3400	powershell.exe
4996	powershell.exe
1632	winlogon.exe
3968	winlogon.exe
452	winlogon.exe
116	winlogon.exe
2036	winlogon.exe
1828	winlogon.exe
1100	winlogon.exe
4048	winlogon.exe
3144	winlogon.exe
1052	winlogon.exe
3916	winlogon.exe
972	winlogon.exe
5004	winlogon.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	3192	DllCommonsvc.exe
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeDebugPrivilege	4220	powershell.exe
Token: SeDebugPrivilege	1720	winlogon.exe
Token: SeDebugPrivilege	4008	powershell.exe
Token: SeDebugPrivilege	4960	powershell.exe
Token: SeDebugPrivilege	4488	powershell.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	3400	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	4996	powershell.exe
Token: SeDebugPrivilege	1632	winlogon.exe
Token: SeDebugPrivilege	3968	winlogon.exe
Token: SeDebugPrivilege	452	winlogon.exe
Token: SeDebugPrivilege	116	winlogon.exe
Token: SeDebugPrivilege	2036	winlogon.exe
Token: SeDebugPrivilege	1828	winlogon.exe
Token: SeDebugPrivilege	1100	winlogon.exe
Token: SeDebugPrivilege	4048	winlogon.exe
Token: SeDebugPrivilege	3144	winlogon.exe
Token: SeDebugPrivilege	1052	winlogon.exe
Token: SeDebugPrivilege	3916	winlogon.exe
Token: SeDebugPrivilege	972	winlogon.exe
Token: SeDebugPrivilege	5004	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4144 wrote to memory of 3008	4144	JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe	82
PID 4144 wrote to memory of 3008	4144	JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe	82
PID 4144 wrote to memory of 3008	4144	JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe	82
PID 3008 wrote to memory of 1852	3008	WScript.exe	83
PID 3008 wrote to memory of 1852	3008	WScript.exe	83
PID 3008 wrote to memory of 1852	3008	WScript.exe	83
PID 1852 wrote to memory of 3192	1852	cmd.exe	85
PID 1852 wrote to memory of 3192	1852	cmd.exe	85
PID 3192 wrote to memory of 4996	3192	DllCommonsvc.exe	111
PID 3192 wrote to memory of 4996	3192	DllCommonsvc.exe	111
PID 3192 wrote to memory of 5048	3192	DllCommonsvc.exe	112
PID 3192 wrote to memory of 5048	3192	DllCommonsvc.exe	112
PID 3192 wrote to memory of 2248	3192	DllCommonsvc.exe	113
PID 3192 wrote to memory of 2248	3192	DllCommonsvc.exe	113
PID 3192 wrote to memory of 4008	3192	DllCommonsvc.exe	114
PID 3192 wrote to memory of 4008	3192	DllCommonsvc.exe	114
PID 3192 wrote to memory of 4220	3192	DllCommonsvc.exe	115
PID 3192 wrote to memory of 4220	3192	DllCommonsvc.exe	115
PID 3192 wrote to memory of 3400	3192	DllCommonsvc.exe	116
PID 3192 wrote to memory of 3400	3192	DllCommonsvc.exe	116
PID 3192 wrote to memory of 4488	3192	DllCommonsvc.exe	117
PID 3192 wrote to memory of 4488	3192	DllCommonsvc.exe	117
PID 3192 wrote to memory of 2896	3192	DllCommonsvc.exe	118
PID 3192 wrote to memory of 2896	3192	DllCommonsvc.exe	118
PID 3192 wrote to memory of 4960	3192	DllCommonsvc.exe	119
PID 3192 wrote to memory of 4960	3192	DllCommonsvc.exe	119
PID 3192 wrote to memory of 1720	3192	DllCommonsvc.exe	128
PID 3192 wrote to memory of 1720	3192	DllCommonsvc.exe	128
PID 1720 wrote to memory of 2180	1720	winlogon.exe	134
PID 1720 wrote to memory of 2180	1720	winlogon.exe	134
PID 2180 wrote to memory of 4352	2180	cmd.exe	136
PID 2180 wrote to memory of 4352	2180	cmd.exe	136
PID 2180 wrote to memory of 1632	2180	cmd.exe	140
PID 2180 wrote to memory of 1632	2180	cmd.exe	140
PID 1632 wrote to memory of 4328	1632	winlogon.exe	141
PID 1632 wrote to memory of 4328	1632	winlogon.exe	141
PID 4328 wrote to memory of 4336	4328	cmd.exe	143
PID 4328 wrote to memory of 4336	4328	cmd.exe	143
PID 4328 wrote to memory of 3968	4328	cmd.exe	144
PID 4328 wrote to memory of 3968	4328	cmd.exe	144
PID 3968 wrote to memory of 456	3968	winlogon.exe	147
PID 3968 wrote to memory of 456	3968	winlogon.exe	147
PID 456 wrote to memory of 4220	456	cmd.exe	149
PID 456 wrote to memory of 4220	456	cmd.exe	149
PID 456 wrote to memory of 452	456	cmd.exe	150
PID 456 wrote to memory of 452	456	cmd.exe	150
PID 452 wrote to memory of 2028	452	winlogon.exe	151
PID 452 wrote to memory of 2028	452	winlogon.exe	151
PID 2028 wrote to memory of 1080	2028	cmd.exe	153
PID 2028 wrote to memory of 1080	2028	cmd.exe	153
PID 2028 wrote to memory of 116	2028	cmd.exe	154
PID 2028 wrote to memory of 116	2028	cmd.exe	154
PID 116 wrote to memory of 392	116	winlogon.exe	155
PID 116 wrote to memory of 392	116	winlogon.exe	155
PID 392 wrote to memory of 876	392	cmd.exe	157
PID 392 wrote to memory of 876	392	cmd.exe	157
PID 392 wrote to memory of 2036	392	cmd.exe	158
PID 392 wrote to memory of 2036	392	cmd.exe	158
PID 2036 wrote to memory of 3364	2036	winlogon.exe	159
PID 2036 wrote to memory of 3364	2036	winlogon.exe	159
PID 3364 wrote to memory of 3440	3364	cmd.exe	161
PID 3364 wrote to memory of 3440	3364	cmd.exe	161
PID 3364 wrote to memory of 1828	3364	cmd.exe	162
PID 3364 wrote to memory of 1828	3364	cmd.exe	162

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23939697a7d40eacbd4d2befed9ccbd80103f23a527ff256f3c05026cb3e23a8.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4144
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1852
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4960
    - - C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1720
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4352
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4336
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4220
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1080
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:876
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:3364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3440
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        18⤵
        
        PID:4352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4852
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"
        20⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4540
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
        22⤵
        
        PID:1344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4908
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
        24⤵
        
        PID:316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1616
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
        26⤵
        
        PID:1080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2116
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
        28⤵
        
        PID:3484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3404
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        30⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2940
        
        C:\Recovery\WindowsRE\winlogon.exe
        
        "C:\Recovery\WindowsRE\winlogon.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\WindowsPowerShell\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\WindowsPowerShell\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\winlogon.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

Filesize
199B

MD5
64fe38efd65bffa54a93340c6f1c3e91

SHA1
24d4c1c02fef692c3abc68da1868ecd32c10be62

SHA256
401266688638690e14d526cc15137ec223516d6df6abfcd27b69ad66967e9e4f

SHA512
930436fe8f9d9b6b60f233f53fe93a78bfcbf671b554964f11b8119bea3bd5b0c9fd7f3da9b2cadc41d79c1bda3ae10f8be886d16878a05da550aa67811c7d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

Filesize
199B

MD5
7e83f06016a21292f08152486b6cfc43

SHA1
7eb41de29ff0e03c41a36c236c1af40ca04b5e94

SHA256
9f7cf9fd04cd58a4ac76e8fa6432f0753ba32d527a7c6edab87ddfa934c83ca8

SHA512
d0dc2eb2f588d0892d03506f5dbe8d370baba0e8098449a9178c0c9d230074892c9db802f6189df8bf018051b393437325249f478ef32757c8629bd7153a9bec

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
199B

MD5
d4c816825a8e350e7f7b0885293e721b

SHA1
bae0f78875f4e4cc40b987fbf3135940cfc3fdd1

SHA256
9d4cc104bb15c9947643b99741ad80d64bd5e72bf99193164d5a1d138c5e8e79

SHA512
24a045a5a4dbe97b47782b5eb1d4c81343e597a8649c122eb3a58c5c0007174787b23ea7844eeef67a8a6b9cedec69f4aaa191d6c4e3e6b80d72112773d7a8f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

Filesize
199B

MD5
2908df38d8caf2df118aa6eee19ccdac

SHA1
d9cbd0b96f69c210df8b9c0ca4baec4734b641a8

SHA256
c6366a833c53c1fc566abb3245ba810aa546fb28bdfb020d8ac6a2c77e5f0eff

SHA512
8aada1cae77172e4b0299ffc6da4c28aec5c4c51158650a41305048513166fe61f3052b0d0e8a2bcc90c090918d29ab0f18a6d5bd30886f8e91a668d379e4dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

Filesize
199B

MD5
3fb4a7efae98c635ae7ba9f45aa03f0f

SHA1
a905d5c64452af7dac77971cf2e0fedc69e7edce

SHA256
3a272e020d9418587ab544b9bc8cbf9866013f865e3d313d2f0f9cb04410b775

SHA512
df8a190db464f3a12d0af1076a9602f58380fd6073f29737773db0fe4309fbb20d134b0aa427b6afd0caf6d51ca6df385cd27a85023985e425d37b2f495717a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
199B

MD5
b7f9fa9bd33ef080e34765a95a88ccd1

SHA1
d5700f4e7acea60bd495c1736c2d63d3dd35fc08

SHA256
f90b1b35a02e97d3981982476c948a220802249ccc96b0bc51fe0d5d229469e1

SHA512
1bbc34870164f1b3223e8184c86ea7ec83ae7083fe996d0d65b7a8825f069bd2ae226110d2e167e12bf8d84fd7a02c755cdd0bc79bfa73d575ce83907bce1afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pp0ggjfl.nru.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aMI81VmL1g.bat

Filesize
199B

MD5
7dc372f2d0b3fd4aac5e1d437731b532

SHA1
5eb86af23f1eb51a4e55db071bf9f1afd6b74b82

SHA256
ba7c01c525f091c9e6d0da83d65339a300499b630bbc0c9f7929c91206152c12

SHA512
f8f3707a4abb27ffb5237652fa6df2332e50527d15c35bacb6ae5e0ca4a24bf87caf18b41f0a6c4941b4dc4c1680a32c2385b12b711c40bbc7ce77673ba53c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat

Filesize
199B

MD5
45ce7d0f1ef078c3e4d1bfc376813508

SHA1
d4e2068854a6c9c4162f3071c159656bae1cec9c

SHA256
80a09b335d7b7b6bc77a54bcf8fffe8580d6d12608c129a33f43d11d2bb525db

SHA512
0c6096fefc1122555a959674edf071c66029b37150af9be95327dede7da7e16814807008a15d142621b16726b12d81af3188b62c4610708b05fe5796a924130d

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

Filesize
199B

MD5
5920c82020774718ae270864ed59c335

SHA1
120befd8b572ec64a11071205a605040f4c8b8d1

SHA256
413aa87e2703d1a0a54905ae1708b72ce6197382080cfa0b61fbe1d3d435b003

SHA512
09526ea54776d7d8ca0ecaca65f7a7de4ecc2e1b83d3b3481854def87ae9b64e819ecf9a3695c313c1be886b840b3f4520b566ff0528fcc15c4b3b0d690aa7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

Filesize
199B

MD5
c389572a25e095073339a076d94f32a1

SHA1
b5fc8c82822c6ba7d86f09e0f8c692c39d7da9e9

SHA256
77806938477494b85bd07a0c0393179e4800fde64ced3cc6d744ed48b568a4a9

SHA512
798c4a70675d3e18fd821b3ef824b50d69bc7c0cfcf8c9b979ce3a2b50493584f6c5d4766ac0a6e72c30848514bcb6d711ff2ac0e0af7f82e1d0967f34a10515

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat

Filesize
199B

MD5
eb79821d98b2d301bc2ff128e52fddab

SHA1
39df251a5b347257ad8d8786bd4debb7b63a612b

SHA256
3eb1e8c2cc22018d5ca7136e81040af51dd43bae34eabc9e5c6787a1d848516d

SHA512
339ebe71c8d0461df2469e4de2e9b4e0a1d6a75656f73b2aa0f76bcde80291d0caf3a067892fc72b76edfb9d60aae3812ea3081570eafb1482fa1853964bad33

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/116-171-0x00000000024F0000-0x0000000002502000-memory.dmp

Filesize
72KB

Download
memory/972-223-0x0000000000C40000-0x0000000000C52000-memory.dmp

Filesize
72KB

Download
memory/1720-150-0x000000001BE90000-0x000000001BFFA000-memory.dmp

Filesize
1.4MB

Download
memory/2036-178-0x0000000001940000-0x0000000001952000-memory.dmp

Filesize
72KB

Download
memory/3144-204-0x000000001B080000-0x000000001B092000-memory.dmp

Filesize
72KB

Download
memory/3192-17-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/3192-16-0x0000000002D30000-0x0000000002D3C000-memory.dmp

Filesize
48KB

Download
memory/3192-15-0x0000000002D20000-0x0000000002D2C000-memory.dmp

Filesize
48KB

Download
memory/3192-14-0x0000000002D10000-0x0000000002D22000-memory.dmp

Filesize
72KB

Download
memory/3192-13-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download
memory/3192-12-0x00007FFB334E3000-0x00007FFB334E5000-memory.dmp

Filesize
8KB

Download
memory/4048-197-0x0000000000E70000-0x0000000000E82000-memory.dmp

Filesize
72KB

Download
memory/5048-63-0x0000014DDE1C0000-0x0000014DDE1E2000-memory.dmp

Filesize
136KB

Download