dcrat | c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 03:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee.exe
Size

1.3MB
MD5

96151ae8a24af8f51f588069a1d46afb
SHA1

fdb848eb86e671c9190b5fc40449cf16f43eb7ce
SHA256

c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee
SHA512

8f2d2d4b35227aa10f0639b6ae386e0b86b5429c3c1fc204354dcd37748ac46716ca8032b78e0f4365cb6f0174943977e16399ae73185cdb000f9a9683b48652
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4460	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3712	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4796	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3660	2060	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2060	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b6a-9.dat	dcrat
behavioral2/memory/3696-13-0x0000000000900000-0x0000000000A10000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5060	powershell.exe
5072	powershell.exe
824	powershell.exe
4988	powershell.exe
1400	powershell.exe
4872	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	fontdrvhost.exe

Executes dropped EXE 14 IoCs

pid	Process
3696	DllCommonsvc.exe
2612	fontdrvhost.exe
4356	fontdrvhost.exe
2528	fontdrvhost.exe
4236	fontdrvhost.exe
5012	fontdrvhost.exe
1968	fontdrvhost.exe
348	fontdrvhost.exe
624	fontdrvhost.exe
3500	fontdrvhost.exe
4964	fontdrvhost.exe
4404	fontdrvhost.exe
4128	fontdrvhost.exe
2736	fontdrvhost.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
60	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com
18	raw.githubusercontent.com
53	raw.githubusercontent.com
59	raw.githubusercontent.com
19	raw.githubusercontent.com
42	raw.githubusercontent.com
43	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com
49	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft\Edge\Application\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft\Edge\Application\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\IdentityCRL\INT\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\IdentityCRL\INT\5b884080fd4f94	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	fontdrvhost.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3712	schtasks.exe
2236	schtasks.exe
528	schtasks.exe
2412	schtasks.exe
4456	schtasks.exe
4460	schtasks.exe
2744	schtasks.exe
1992	schtasks.exe
2164	schtasks.exe
1592	schtasks.exe
4796	schtasks.exe
4868	schtasks.exe
1464	schtasks.exe
3660	schtasks.exe
1020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
3696	DllCommonsvc.exe
4872	powershell.exe
824	powershell.exe
1400	powershell.exe
5072	powershell.exe
4988	powershell.exe
4988	powershell.exe
5060	powershell.exe
5060	powershell.exe
5060	powershell.exe
824	powershell.exe
4872	powershell.exe
4988	powershell.exe
1400	powershell.exe
5072	powershell.exe
2612	fontdrvhost.exe
4356	fontdrvhost.exe
2528	fontdrvhost.exe
4236	fontdrvhost.exe
5012	fontdrvhost.exe
1968	fontdrvhost.exe
348	fontdrvhost.exe
624	fontdrvhost.exe
3500	fontdrvhost.exe
4964	fontdrvhost.exe
4404	fontdrvhost.exe
4128	fontdrvhost.exe
2736	fontdrvhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3696	DllCommonsvc.exe
Token: SeDebugPrivilege	4872	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	4988	powershell.exe
Token: SeDebugPrivilege	1400	powershell.exe
Token: SeDebugPrivilege	5072	powershell.exe
Token: SeDebugPrivilege	5060	powershell.exe
Token: SeDebugPrivilege	2612	fontdrvhost.exe
Token: SeDebugPrivilege	4356	fontdrvhost.exe
Token: SeDebugPrivilege	2528	fontdrvhost.exe
Token: SeDebugPrivilege	4236	fontdrvhost.exe
Token: SeDebugPrivilege	5012	fontdrvhost.exe
Token: SeDebugPrivilege	1968	fontdrvhost.exe
Token: SeDebugPrivilege	348	fontdrvhost.exe
Token: SeDebugPrivilege	624	fontdrvhost.exe
Token: SeDebugPrivilege	3500	fontdrvhost.exe
Token: SeDebugPrivilege	4964	fontdrvhost.exe
Token: SeDebugPrivilege	4404	fontdrvhost.exe
Token: SeDebugPrivilege	4128	fontdrvhost.exe
Token: SeDebugPrivilege	2736	fontdrvhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2916 wrote to memory of 2952	2916	JaffaCakes118_c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee.exe	82
PID 2916 wrote to memory of 2952	2916	JaffaCakes118_c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee.exe	82
PID 2916 wrote to memory of 2952	2916	JaffaCakes118_c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee.exe	82
PID 2952 wrote to memory of 3192	2952	WScript.exe	83
PID 2952 wrote to memory of 3192	2952	WScript.exe	83
PID 2952 wrote to memory of 3192	2952	WScript.exe	83
PID 3192 wrote to memory of 3696	3192	cmd.exe	85
PID 3192 wrote to memory of 3696	3192	cmd.exe	85
PID 3696 wrote to memory of 824	3696	DllCommonsvc.exe	102
PID 3696 wrote to memory of 824	3696	DllCommonsvc.exe	102
PID 3696 wrote to memory of 4988	3696	DllCommonsvc.exe	103
PID 3696 wrote to memory of 4988	3696	DllCommonsvc.exe	103
PID 3696 wrote to memory of 1400	3696	DllCommonsvc.exe	104
PID 3696 wrote to memory of 1400	3696	DllCommonsvc.exe	104
PID 3696 wrote to memory of 4872	3696	DllCommonsvc.exe	105
PID 3696 wrote to memory of 4872	3696	DllCommonsvc.exe	105
PID 3696 wrote to memory of 5060	3696	DllCommonsvc.exe	106
PID 3696 wrote to memory of 5060	3696	DllCommonsvc.exe	106
PID 3696 wrote to memory of 5072	3696	DllCommonsvc.exe	107
PID 3696 wrote to memory of 5072	3696	DllCommonsvc.exe	107
PID 3696 wrote to memory of 4600	3696	DllCommonsvc.exe	114
PID 3696 wrote to memory of 4600	3696	DllCommonsvc.exe	114
PID 4600 wrote to memory of 996	4600	cmd.exe	116
PID 4600 wrote to memory of 996	4600	cmd.exe	116
PID 4600 wrote to memory of 2612	4600	cmd.exe	117
PID 4600 wrote to memory of 2612	4600	cmd.exe	117
PID 2612 wrote to memory of 3080	2612	fontdrvhost.exe	122
PID 2612 wrote to memory of 3080	2612	fontdrvhost.exe	122
PID 3080 wrote to memory of 2700	3080	cmd.exe	124
PID 3080 wrote to memory of 2700	3080	cmd.exe	124
PID 3080 wrote to memory of 4356	3080	cmd.exe	127
PID 3080 wrote to memory of 4356	3080	cmd.exe	127
PID 4356 wrote to memory of 4352	4356	fontdrvhost.exe	129
PID 4356 wrote to memory of 4352	4356	fontdrvhost.exe	129
PID 4352 wrote to memory of 2400	4352	cmd.exe	131
PID 4352 wrote to memory of 2400	4352	cmd.exe	131
PID 4352 wrote to memory of 2528	4352	cmd.exe	133
PID 4352 wrote to memory of 2528	4352	cmd.exe	133
PID 2528 wrote to memory of 1940	2528	fontdrvhost.exe	134
PID 2528 wrote to memory of 1940	2528	fontdrvhost.exe	134
PID 1940 wrote to memory of 2176	1940	cmd.exe	136
PID 1940 wrote to memory of 2176	1940	cmd.exe	136
PID 1940 wrote to memory of 4236	1940	cmd.exe	137
PID 1940 wrote to memory of 4236	1940	cmd.exe	137
PID 4236 wrote to memory of 5084	4236	fontdrvhost.exe	138
PID 4236 wrote to memory of 5084	4236	fontdrvhost.exe	138
PID 5084 wrote to memory of 1196	5084	cmd.exe	140
PID 5084 wrote to memory of 1196	5084	cmd.exe	140
PID 5084 wrote to memory of 5012	5084	cmd.exe	141
PID 5084 wrote to memory of 5012	5084	cmd.exe	141
PID 5012 wrote to memory of 1936	5012	fontdrvhost.exe	142
PID 5012 wrote to memory of 1936	5012	fontdrvhost.exe	142
PID 1936 wrote to memory of 4840	1936	cmd.exe	144
PID 1936 wrote to memory of 4840	1936	cmd.exe	144
PID 1936 wrote to memory of 1968	1936	cmd.exe	145
PID 1936 wrote to memory of 1968	1936	cmd.exe	145
PID 1968 wrote to memory of 4684	1968	fontdrvhost.exe	146
PID 1968 wrote to memory of 4684	1968	fontdrvhost.exe	146
PID 4684 wrote to memory of 4796	4684	cmd.exe	148
PID 4684 wrote to memory of 4796	4684	cmd.exe	148
PID 4684 wrote to memory of 348	4684	cmd.exe	149
PID 4684 wrote to memory of 348	4684	cmd.exe	149
PID 348 wrote to memory of 3536	348	fontdrvhost.exe	150
PID 348 wrote to memory of 3536	348	fontdrvhost.exe	150

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c1272e6f60c9ea8fc6befbaddd5df976b3f6db87454a810d3da68ae3a1b1c4ee.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2916
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3192
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft\Edge\Application\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wqBpcQR611.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4600
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:996
      - C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2700
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2400
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2176
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:5084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1196
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4840
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4796
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat"
        19⤵
        
        PID:3536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1728
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        21⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1588
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
        23⤵
        
        PID:1200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4804
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
        25⤵
        
        PID:4516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:408
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
        27⤵
        
        PID:824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:428
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        29⤵
        
        PID:3124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2164
        
        C:\Windows\IdentityCRL\INT\fontdrvhost.exe
        
        "C:\Windows\IdentityCRL\INT\fontdrvhost.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
        31⤵
        
        PID:1576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:3740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 10 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft\Edge\Application\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\IdentityCRL\INT\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\fontdrvhost.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2U51WDObLZ.bat

Filesize
207B

MD5
2a5b3de41f8bcd2f529c5adaa4a340b2

SHA1
8a924ce9b49e56f017cb22d2c8bd9179e175ad4a

SHA256
18ce460b386b4edb9e04542eeca2cd3e891e5c57e7f66350f3fa63a4134a07f0

SHA512
e9b4ac2aa36be66588d9c59ed7a8be34ae77a6a044719a62944ebc6b4c14c94d3d1569bd2b130e8d09f45ac3e90d0ed4b024043e7c198f79735571a6a864be61

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat

Filesize
207B

MD5
9b11b688c0b143f36da19e13e9f7bd53

SHA1
a81e5fa43a71381a3aea71dd1e00074faa172f1c

SHA256
703210635bd16b384837b1d099584166105d199020cfee834be7eb18ef74489d

SHA512
85c00cda3ccb47737769a3bdfdce380e29adca9f0800ec4fbeecac563cdf39523230a21da1c4bd8d407cd39b7cda6ecc252e8c7e5046277b7faf0cc363eabf19

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
207B

MD5
33ab6e25fcfc0386a5ea9e6f0f0fb246

SHA1
b40e5ec74cb6df7eefd151a95fba4923eec73ad4

SHA256
63230585d26e17f417d30a0171eb7a16689366bd37b8c174a97eda28b9c81923

SHA512
4f4af7d6f7a788ea11a20dab89fdf3979b52fba42d7d237492673f25a4a90e1910f889e1d3676651ab421328eaf159b6f673c42fc29655724bf6bd43bfb08e3f

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat

Filesize
207B

MD5
901217f3193c96feb6da7107e4cc8de0

SHA1
e354b421734f53d4b95aa1c8bceee6ddf3046205

SHA256
bc07a2e995999d3f4f94dab5a8684dc28699501727db337dc1a9710bf03ef40d

SHA512
3a8e26f41f91376fe214e3e9c141dd0b132c6f4521cca0329c60c4b357482548785449641c8dc8fafe577f41f64fb9f69832a87cf21e7606e910430bb6303c8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat

Filesize
207B

MD5
6d24ddcc0bc120c50de1d4694edfc7cf

SHA1
27d2b8e3ed05be89dc1db16043ff39a807bb5894

SHA256
56ed99f2fefe41c2553b6f92c7e53fb95be50716706cf80377aae3c89ac9b8d0

SHA512
794fa2e18e5de1a37dd0d7db418f4940a15fc9425d86411503a8612baf00b05bbb0b4e8fafb898f7fb76f15147e8e18e3b88158c7104995c7d0fd4f30a1e613a

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

Filesize
207B

MD5
34d2de40f51b2a00267618536b4276c3

SHA1
96a5f7ba507495d13c0c7c091e2491378776d800

SHA256
b21a946799f6c8d18800b7f79c7165adf3e166c9fdf5572e8a2b4643e5c94c4d

SHA512
b0f6d7c220e188f42faacd2b62c691d2c08600b23fd42b95cb2d82cd0c638dd2f6c2afc39f6186562d948465057a43a491444821efdebd81caa5ecb3edb4b84c

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat

Filesize
207B

MD5
f2f143d88f69f5d13c08fe5a74afe886

SHA1
719723b2a1315283ad7afd611f1f9c4d32563e18

SHA256
ade09c125eeab9896c311328de9b02de83af6c081f0a4c2a364d0f325fe6b899

SHA512
db63f66c6cfc784de07f11c624e40d0dbc40149321b41a6d3ac8d5d44d54ea087c7f3126772202477b8d05a40443a6494a393fc391ce5d0f8490c05ffdc7c4d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat

Filesize
207B

MD5
5668834a24d98dff31d1562f63f6a637

SHA1
91aa74b04c67d009d5a0e0d0b7235929ad13119b

SHA256
650d4ba593cd8fadb0579b4c4d29dc8d8b4d1fcaafd3d9a5bb5abcb5efc3a4dc

SHA512
9c08c9d2c724d2787e4ba4dbf7ae9df146fdab541986efb1edab3956de2d60a66d47135b96c03f9b165de4de324ea400cb5b7e9446586eda9fbf8ecf8be4cbbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2lmqze42.chq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

Filesize
207B

MD5
257cba6005b4ee3d544ac183759d78ee

SHA1
3e72dd4817ad0f4fc7bb63950cdaf9371d0eac5f

SHA256
f0f0b49808d0553dfe54614c2342a5636201b7c20ca1c7b52a08647dd1eb116b

SHA512
12dff7638d6c7a8839ee82094b971b6b603d1343f7744ad536443b560597ff4b3f93569c44d66818dc2eb5b98132cdb2395babd58ef1d5f489c69e6d6884ee65

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
207B

MD5
61c9475249cbfb1d0b665bda076060e3

SHA1
0244b8c364e4f0ed870a1e9b8fa04ebb24e349bf

SHA256
9b122e84350537098f7227d89765c179a750cfbcd2ca68d77a178c0dcf103887

SHA512
f384a8368407f199b284d1662301c285d44e5162cd542c4d95918515c8909e36efa325da9a94cd9349b31971f7b908b776855b2ee39b35ea24f5929482430ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

Filesize
207B

MD5
c8584210a78d2ea490663788822edca5

SHA1
029fba8184914a037814f681e5e7d4591734072b

SHA256
9376835958c4feeee8d1e67daf72ad1ecf99391d1e0f8fc5820b8cb0d9d1d67b

SHA512
0f54aa5f2de8edd28e66c635ae22c92708de1cabf5f80b155220026c55a004393042ea6d1a8a7726aef76ef3b164c7e086040446c41dbe27865ad6c9c6293a91

Download Submit
C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

Filesize
207B

MD5
5397ba48074f76da3e8c7cd0c564be97

SHA1
49469964b2538a518d052302ce693b2bfe1ff754

SHA256
614277a802b82ec0f75a7da989f92bfc09bc45ee31daf1e973a8b8fcfeed5dda

SHA512
e62facc3314a904ee5ab18ed8a04eb5bf2085e82152eb150972c6dd098a8d238db38c74b1f914ab2a2d0a6fc7a74a973c88b09b60aeb1e65a0d0842653c3e972

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

Filesize
207B

MD5
5479024878096be2b904b71ced97acd7

SHA1
e07a656386197254f7ada5da2e3af5d2aba3860a

SHA256
c9e1dbae9203bfccc2e162aba6381cee7bdcf757ff284299e0fa5367f777cc2b

SHA512
8128b5925f1ef1677cfbfb1ef144b25400c370a759392fc5a8339fddecf8b0289cb2abc5dfb9a5763931091954d3c6c8831df331906747dd3e668a425d8937d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\wqBpcQR611.bat

Filesize
207B

MD5
dd4794d43a4dd7a44a6a1b0fd7d9546c

SHA1
16bccbf9f3135e51e18054914485cefef12937b1

SHA256
241e71ea55ba85600845170f5c15462b0fb92f0c9e0bc21cbae61052051fbf79

SHA512
45a3c3c8bbd5873e7cbebb4ff7502c814b07485db63e3193371d8cfb32cb11a3472ee1800760cd64e36832e0e7bbcee59559c137664c8b88f60d45e5b6ed7d1f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/624-148-0x0000000002CE0000-0x0000000002CF2000-memory.dmp

Filesize
72KB

Download
memory/1968-135-0x00000000031E0000-0x00000000031F2000-memory.dmp

Filesize
72KB

Download
memory/2736-179-0x0000000002FF0000-0x0000000003002000-memory.dmp

Filesize
72KB

Download
memory/3696-13-0x0000000000900000-0x0000000000A10000-memory.dmp

Filesize
1.1MB

Download
memory/3696-14-0x0000000002D40000-0x0000000002D52000-memory.dmp

Filesize
72KB

Download
memory/3696-17-0x0000000002D70000-0x0000000002D7C000-memory.dmp

Filesize
48KB

Download
memory/3696-16-0x0000000002D60000-0x0000000002D6C000-memory.dmp

Filesize
48KB

Download
memory/3696-12-0x00007FFBFAD53000-0x00007FFBFAD55000-memory.dmp

Filesize
8KB

Download
memory/3696-15-0x0000000002D50000-0x0000000002D5C000-memory.dmp

Filesize
48KB

Download
memory/4872-38-0x0000022844CB0000-0x0000022844CD2000-memory.dmp

Filesize
136KB

Download