dcrat | bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069

Analysis

max time kernel
150s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 02:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
Size

1.3MB
MD5

eac7aabe3275c27dd1d139d9ee9bd879
SHA1

bc6f2466ca6c9d1b80a47d047f1bc881fe9553ca
SHA256

bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069
SHA512

0ec074e5d3d346bb7ace25c1370d1237521eff6d748ba11b8be8ac14abc123713a3bcf77f56dd38c72ed29150077ef355f096aca258ed4cad11a1f77c131192a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3480	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4064	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4424	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3128	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4176	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3564	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4608	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4752	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	1576	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	1576	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b82-10.dat	dcrat
behavioral2/memory/3788-13-0x0000000000960000-0x0000000000A70000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4600	powershell.exe
2056	powershell.exe
1124	powershell.exe
3596	powershell.exe
1528	powershell.exe
1052	powershell.exe
452	powershell.exe
1872	powershell.exe
1032	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	Idle.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe

Executes dropped EXE 13 IoCs

pid	Process
3788	DllCommonsvc.exe
5044	Idle.exe
4656	Idle.exe
4740	Idle.exe
4604	Idle.exe
1440	Idle.exe
4796	Idle.exe
1696	Idle.exe
444	Idle.exe
4672	Idle.exe
4972	Idle.exe
648	Idle.exe
468	Idle.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
37	raw.githubusercontent.com
49	raw.githubusercontent.com
50	raw.githubusercontent.com
48	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com
16	raw.githubusercontent.com
36	raw.githubusercontent.com
38	raw.githubusercontent.com
42	raw.githubusercontent.com
45	raw.githubusercontent.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\Registry.exe	DllCommonsvc.exe
File created	C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\ee2ad38f3d4382	DllCommonsvc.exe
File created	C:\Windows\Web\Screen\SearchApp.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Screen\38384e6a620884	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	Idle.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2476	schtasks.exe
4424	schtasks.exe
4176	schtasks.exe
2688	schtasks.exe
1436	schtasks.exe
4360	schtasks.exe
392	schtasks.exe
4252	schtasks.exe
2684	schtasks.exe
3588	schtasks.exe
1748	schtasks.exe
2624	schtasks.exe
4752	schtasks.exe
3004	schtasks.exe
3480	schtasks.exe
4064	schtasks.exe
1164	schtasks.exe
3128	schtasks.exe
2876	schtasks.exe
4796	schtasks.exe
3564	schtasks.exe
4608	schtasks.exe
704	schtasks.exe
4760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 56 IoCs

pid	Process
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
3788	DllCommonsvc.exe
452	powershell.exe
1528	powershell.exe
1528	powershell.exe
3596	powershell.exe
3596	powershell.exe
1872	powershell.exe
1872	powershell.exe
4600	powershell.exe
4600	powershell.exe
1124	powershell.exe
1124	powershell.exe
1052	powershell.exe
1052	powershell.exe
1032	powershell.exe
1032	powershell.exe
2056	powershell.exe
2056	powershell.exe
1052	powershell.exe
452	powershell.exe
452	powershell.exe
1872	powershell.exe
1528	powershell.exe
3596	powershell.exe
1124	powershell.exe
4600	powershell.exe
1032	powershell.exe
2056	powershell.exe
5044	Idle.exe
4656	Idle.exe
4740	Idle.exe
4604	Idle.exe
1440	Idle.exe
4796	Idle.exe
1696	Idle.exe
444	Idle.exe
4672	Idle.exe
4972	Idle.exe
648	Idle.exe
468	Idle.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3788	DllCommonsvc.exe
Token: SeDebugPrivilege	452	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	3596	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	4600	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	5044	Idle.exe
Token: SeDebugPrivilege	4656	Idle.exe
Token: SeDebugPrivilege	4740	Idle.exe
Token: SeDebugPrivilege	4604	Idle.exe
Token: SeDebugPrivilege	1440	Idle.exe
Token: SeDebugPrivilege	4796	Idle.exe
Token: SeDebugPrivilege	1696	Idle.exe
Token: SeDebugPrivilege	444	Idle.exe
Token: SeDebugPrivilege	4672	Idle.exe
Token: SeDebugPrivilege	4972	Idle.exe
Token: SeDebugPrivilege	648	Idle.exe
Token: SeDebugPrivilege	468	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3156 wrote to memory of 2356	3156	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe	82
PID 3156 wrote to memory of 2356	3156	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe	82
PID 3156 wrote to memory of 2356	3156	JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe	82
PID 2356 wrote to memory of 1712	2356	WScript.exe	83
PID 2356 wrote to memory of 1712	2356	WScript.exe	83
PID 2356 wrote to memory of 1712	2356	WScript.exe	83
PID 1712 wrote to memory of 3788	1712	cmd.exe	85
PID 1712 wrote to memory of 3788	1712	cmd.exe	85
PID 3788 wrote to memory of 2056	3788	DllCommonsvc.exe	111
PID 3788 wrote to memory of 2056	3788	DllCommonsvc.exe	111
PID 3788 wrote to memory of 452	3788	DllCommonsvc.exe	112
PID 3788 wrote to memory of 452	3788	DllCommonsvc.exe	112
PID 3788 wrote to memory of 1124	3788	DllCommonsvc.exe	113
PID 3788 wrote to memory of 1124	3788	DllCommonsvc.exe	113
PID 3788 wrote to memory of 1872	3788	DllCommonsvc.exe	114
PID 3788 wrote to memory of 1872	3788	DllCommonsvc.exe	114
PID 3788 wrote to memory of 1032	3788	DllCommonsvc.exe	115
PID 3788 wrote to memory of 1032	3788	DllCommonsvc.exe	115
PID 3788 wrote to memory of 1528	3788	DllCommonsvc.exe	116
PID 3788 wrote to memory of 1528	3788	DllCommonsvc.exe	116
PID 3788 wrote to memory of 1052	3788	DllCommonsvc.exe	117
PID 3788 wrote to memory of 1052	3788	DllCommonsvc.exe	117
PID 3788 wrote to memory of 4600	3788	DllCommonsvc.exe	118
PID 3788 wrote to memory of 4600	3788	DllCommonsvc.exe	118
PID 3788 wrote to memory of 3596	3788	DllCommonsvc.exe	119
PID 3788 wrote to memory of 3596	3788	DllCommonsvc.exe	119
PID 3788 wrote to memory of 3268	3788	DllCommonsvc.exe	129
PID 3788 wrote to memory of 3268	3788	DllCommonsvc.exe	129
PID 3268 wrote to memory of 1772	3268	cmd.exe	131
PID 3268 wrote to memory of 1772	3268	cmd.exe	131
PID 3268 wrote to memory of 5044	3268	cmd.exe	132
PID 3268 wrote to memory of 5044	3268	cmd.exe	132
PID 5044 wrote to memory of 1040	5044	Idle.exe	136
PID 5044 wrote to memory of 1040	5044	Idle.exe	136
PID 1040 wrote to memory of 2380	1040	cmd.exe	138
PID 1040 wrote to memory of 2380	1040	cmd.exe	138
PID 1040 wrote to memory of 4656	1040	cmd.exe	142
PID 1040 wrote to memory of 4656	1040	cmd.exe	142
PID 4656 wrote to memory of 4496	4656	Idle.exe	145
PID 4656 wrote to memory of 4496	4656	Idle.exe	145
PID 4496 wrote to memory of 4672	4496	cmd.exe	147
PID 4496 wrote to memory of 4672	4496	cmd.exe	147
PID 4496 wrote to memory of 4740	4496	cmd.exe	148
PID 4496 wrote to memory of 4740	4496	cmd.exe	148
PID 4740 wrote to memory of 1424	4740	Idle.exe	149
PID 4740 wrote to memory of 1424	4740	Idle.exe	149
PID 1424 wrote to memory of 4048	1424	cmd.exe	151
PID 1424 wrote to memory of 4048	1424	cmd.exe	151
PID 1424 wrote to memory of 4604	1424	cmd.exe	152
PID 1424 wrote to memory of 4604	1424	cmd.exe	152
PID 4604 wrote to memory of 4340	4604	Idle.exe	153
PID 4604 wrote to memory of 4340	4604	Idle.exe	153
PID 4340 wrote to memory of 2612	4340	cmd.exe	155
PID 4340 wrote to memory of 2612	4340	cmd.exe	155
PID 4340 wrote to memory of 1440	4340	cmd.exe	156
PID 4340 wrote to memory of 1440	4340	cmd.exe	156
PID 1440 wrote to memory of 920	1440	Idle.exe	157
PID 1440 wrote to memory of 920	1440	Idle.exe	157
PID 920 wrote to memory of 440	920	cmd.exe	159
PID 920 wrote to memory of 440	920	cmd.exe	159
PID 920 wrote to memory of 4796	920	cmd.exe	160
PID 920 wrote to memory of 4796	920	cmd.exe	160
PID 4796 wrote to memory of 4136	4796	Idle.exe	161
PID 4796 wrote to memory of 4136	4796	Idle.exe	161

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb31e81be27c3fa782ad08fed1d2626375cd33e279e710281abf9c1c4f27a069.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2356
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1712
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\PrintHood\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Screen\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n4puYQqyJ1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3268
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1772
      - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2380
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4672
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4048
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2612
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:440
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat"
        17⤵
        
        PID:4136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3776
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        19⤵
        
        PID:4752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3780
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
        21⤵
        
        PID:3972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4248
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat"
        23⤵
        
        PID:5032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1376
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat"
        25⤵
        
        PID:3932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1212
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"
        27⤵
        
        PID:1232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2296
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\providercommon\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\PrintHood\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\PrintHood\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 14 /tr "'C:\Windows\SystemApps\Microsoft.Windows.FileExplorer_cw5n1h2txyewy\Assets\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Screen\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Web\Screen\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Screen\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Idle.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\0LMDaVm4bI.bat

Filesize
191B

MD5
e8a3a7ccd10c53351395291b5f466b36

SHA1
b0e0121529d903c8b9f35bc454373d66229d9efa

SHA256
0a81f906ac70dbdecaa8383a5499957d717ec024ae0eafc56f293e332bcd13da

SHA512
79aaf1bf998e810cd76a1394a7acaa87a7ef1e9578b65ed861b3bb97ba5465414328f1ee8d235b91ec13ed899a36d3ccd6b613c284a08fa729af4c160df812fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\BGyPdaK1JU.bat

Filesize
191B

MD5
d4b1e9b1fcd7621a026618f33cf54ab1

SHA1
f32a43b660244e765a124e068285cf25686e5191

SHA256
bddf71841abb5dc2b4b3df5eed0c31762c8c26ddd5f49b8c7759f9f740bc3dc3

SHA512
2b14cc3263aba077f2ebcda8d835296b5d7a754634dc79bd22546672ba53e5dddfd41abf1e2f9a076222000be437714501c73cc71ec76766321ceb812fe85589

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat

Filesize
191B

MD5
a938149761d1e34f72d9598e3dfa54aa

SHA1
c4647604da792668fdde5dc1be8b0db797f8248e

SHA256
6bdbfaf72b35172e4fc1821b29579c7b16d619b895aff70af6e687a98ed3651b

SHA512
9160982567e22e795ae3b8ae19c5607b457298b4079124d9f32d931aaa69fc9055bf176ac5b5bc230dccd97c632969e3f44b9da21367e506856c83ab6c2aca1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

Filesize
191B

MD5
b2a8cb431ad268cd6d247e8ad590fa4d

SHA1
2278ae7aed02fd68f8a80b3098b7351f262a08bf

SHA256
4dbff311971b08422513c1af6453af196e288c73f2096b20a6beb433f62b1f3f

SHA512
f7549c37b41db1b5f08c382ec0a0e0574604e934ac2de74cda8df3b71e0bd209f127bacaa4d5e2f89b2fa60f7a3a5b0ed0d5ea2d747fc04ae7485472be381aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
191B

MD5
c401fb8c7a400e07bd035ede23cc443c

SHA1
b72cd71be35c86babd8f6541b9a3b44af41d2775

SHA256
5f1ab376cfe1e0127b32582177977e21b89b35aa662931bb4b3b83d6d8ed3abe

SHA512
5b41077ff535c1493c89858dd13fe175892ae08d40c83877c7b5f006345be910cdbb5650b033f72ee211e607a884b9ce6ef3a505a64c7478388ddd9df509070e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kz6bOuYaab.bat

Filesize
191B

MD5
4c992899a4a1698effb7e036c2695f14

SHA1
af29fa63dc0c7ac3ed904011e6e4e7f32577fe48

SHA256
40f18065c06dad1f588ebefa0e14b4488d60340f6c5cacb2143df0f7124a14ca

SHA512
429b4dd5eeea92daeb3f2abaaa7f2f70940cc7273fc1d37af080812b8985d5fd38576c006afafa29ef7a6586e24f69fcd83d643d3b19aa50cc737ceb387a938e

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

Filesize
191B

MD5
7bc506d9ec0288185eefbd9a34f48cbf

SHA1
b0e996bb81ad2e7d871b2da3069540362d3639aa

SHA256
1e069214d096f40bad52051e6756cad6420629f3820468144dc6933774ba0910

SHA512
b6115ea11529ff878fb3081d9b80383bcc81f54c144f11b61af2ed4b22582e909c07e37ec837d876b7edd54bd05603a9d71a21fd32df2a9d0a35a408c28ef30c

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_avqj0nm1.qss.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
191B

MD5
6f31a78eee2dc8f8f328be8323f4f79e

SHA1
b32c316572a044b772f532007274ada7726eda1d

SHA256
ebed92f877f85d00704f916a50532a0d3a76c2097dc8d6ef354a93020d2f84f9

SHA512
437b30c59dcaf2f73f2f8517a9f03d79dfe2c254a34d4bf68ca2cdcb78f542d9a8937aed477c28fab6cccbe663c25e31e0223019d1c7279caee89f2b62fc0336

Download Submit
C:\Users\Admin\AppData\Local\Temp\n4puYQqyJ1.bat

Filesize
191B

MD5
3c2f5e6a177c89aeab6982c7dfe00b60

SHA1
e0040d29493ad9146e5adfec9ddf5236337e1ffb

SHA256
0c1abd18839f9733a8d0d5eebb7c506496b9220a9d440ff86d59b6c65b782483

SHA512
9ef5e07e298359a07af03b6f2ab3ae505188dfe85e5cf7368853037309226e73ce9528cfeb5d822bfafe098021d219c9e045b5eee3c3d132ed645e52e29e4cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

Filesize
191B

MD5
b673bb5898240760aefcc5ac3c3dcebc

SHA1
913f65c7cce5900091ee7a5cc130fdd351f2d421

SHA256
663da8441479e95778597ca8965fb24aa7d3b52a94269fad4fbf1a064efdd7b8

SHA512
1e06f83eff2591ccf00828d47720692feec49756f334ad21aec25b32e3f724d42779d3a8b4a008ca886fe6ed8f69c4bdbfd3c76d9f879e4796d4b20f51f5a0a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
191B

MD5
d151d793eb3a55ef3ddbcd490cf8d9d6

SHA1
3f464bf6ca3969f9002d15f2e7d6441b6fbf9d5f

SHA256
c05422405e5ee91a2d83d99c4356e71361f1cb6dce3893cef4ed82e747c0b69f

SHA512
3d286f664a4a054b69ce2484550039f1c07422fe54c459d8a1419538d390836ba2f5d30f76ba2c4d631d3f57ac335f2db0019c6b6019474bcaa266c9670b5899

Download Submit
C:\Users\Admin\AppData\Local\Temp\zAqEIlSfAD.bat

Filesize
191B

MD5
2bbaf6b39ad379bd104cdb50174fd787

SHA1
e7ba2ae5cd7fa54c786f0e2b018ac6b2bf142e4d

SHA256
c30027cb516c26a0d2f299e687440b46fb1046cea30e229ab58fbd510e60b1fc

SHA512
12a6014c3cd145904586990a212d31dc3c34d86923d5be13a60f1b79bd8cb8a2f7a9d1390b92790a0d7dfdb8e725fdfb16f8d85ef12cd517e6ab1311c77f53bb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/444-189-0x0000000002E00000-0x0000000002E12000-memory.dmp

Filesize
72KB

Download
memory/452-44-0x0000013E42AE0000-0x0000013E42B02000-memory.dmp

Filesize
136KB

Download
memory/3788-15-0x00000000013E0000-0x00000000013EC000-memory.dmp

Filesize
48KB

Download
memory/3788-13-0x0000000000960000-0x0000000000A70000-memory.dmp

Filesize
1.1MB

Download
memory/3788-14-0x00000000013C0000-0x00000000013D2000-memory.dmp

Filesize
72KB

Download
memory/3788-12-0x00007FFF703D3000-0x00007FFF703D5000-memory.dmp

Filesize
8KB

Download
memory/3788-16-0x00000000013D0000-0x00000000013DC000-memory.dmp

Filesize
48KB

Download
memory/3788-17-0x00000000013F0000-0x00000000013FC000-memory.dmp

Filesize
48KB

Download
memory/4656-151-0x0000000002D90000-0x0000000002DA2000-memory.dmp

Filesize
72KB

Download
memory/4796-176-0x0000000000D50000-0x0000000000D62000-memory.dmp

Filesize
72KB

Download
memory/5044-142-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download