dcrat | 168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce

Analysis

max time kernel
149s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 03:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe
Size

1.3MB
MD5

583151b2a3b04f60fec79c98215dfafc
SHA1

54a8397851774c36c6e2af1cf84fc0a27ed76967
SHA256

168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce
SHA512

913b552c0c5c1bf6aceec5f5c63689dd3b530880dbd4e38f9c2c86b77f5a2ad7fcbcc30307c15108c3beb669d8ec3f9b9f704e359fc8de3a15563c8779a987ae
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4088	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3764	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3336	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3292	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3676	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	724	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4868	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	224	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4504	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	2700	schtasks.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2700	schtasks.exe	90

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cae-10.dat	dcrat
behavioral2/memory/600-13-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe
4136	powershell.exe
4128	powershell.exe
4464	powershell.exe
3056	powershell.exe
1852	powershell.exe
4320	powershell.exe
920	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation	Registry.exe

Executes dropped EXE 15 IoCs

pid	Process
600	DllCommonsvc.exe
4040	Registry.exe
3564	Registry.exe
1580	Registry.exe
4812	Registry.exe
3976	Registry.exe
4440	Registry.exe
468	Registry.exe
2480	Registry.exe
4056	Registry.exe
1440	Registry.exe
3084	Registry.exe
4748	Registry.exe
4012	Registry.exe
1168	Registry.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
24	raw.githubusercontent.com
44	raw.githubusercontent.com
40	raw.githubusercontent.com
17	raw.githubusercontent.com
18	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com
47	raw.githubusercontent.com
49	raw.githubusercontent.com
55	raw.githubusercontent.com
57	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
56	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Multimedia Platform\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\WaaS\tasks\Registry.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe
Key created	\REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000_Classes\Local Settings	Registry.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3676	schtasks.exe
2376	schtasks.exe
724	schtasks.exe
4868	schtasks.exe
944	schtasks.exe
4088	schtasks.exe
372	schtasks.exe
2640	schtasks.exe
2328	schtasks.exe
4896	schtasks.exe
3336	schtasks.exe
2676	schtasks.exe
1768	schtasks.exe
1168	schtasks.exe
1856	schtasks.exe
3764	schtasks.exe
3292	schtasks.exe
224	schtasks.exe
4504	schtasks.exe
2840	schtasks.exe
4968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
600	DllCommonsvc.exe
600	DllCommonsvc.exe
600	DllCommonsvc.exe
600	DllCommonsvc.exe
600	DllCommonsvc.exe
600	DllCommonsvc.exe
600	DllCommonsvc.exe
600	DllCommonsvc.exe
600	DllCommonsvc.exe
600	DllCommonsvc.exe
4464	powershell.exe
4464	powershell.exe
920	powershell.exe
920	powershell.exe
4136	powershell.exe
4136	powershell.exe
2992	powershell.exe
2992	powershell.exe
3056	powershell.exe
3056	powershell.exe
4128	powershell.exe
4128	powershell.exe
3056	powershell.exe
4320	powershell.exe
4320	powershell.exe
1852	powershell.exe
1852	powershell.exe
920	powershell.exe
4464	powershell.exe
2992	powershell.exe
4136	powershell.exe
4128	powershell.exe
4040	Registry.exe
4040	Registry.exe
4320	powershell.exe
1852	powershell.exe
3564	Registry.exe
1580	Registry.exe
4812	Registry.exe
3976	Registry.exe
4440	Registry.exe
468	Registry.exe
2480	Registry.exe
4056	Registry.exe
1440	Registry.exe
3084	Registry.exe
4748	Registry.exe
4012	Registry.exe
1168	Registry.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	600	DllCommonsvc.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	4464	powershell.exe
Token: SeDebugPrivilege	4136	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	4128	powershell.exe
Token: SeDebugPrivilege	4320	powershell.exe
Token: SeDebugPrivilege	1852	powershell.exe
Token: SeDebugPrivilege	4040	Registry.exe
Token: SeDebugPrivilege	3564	Registry.exe
Token: SeDebugPrivilege	1580	Registry.exe
Token: SeDebugPrivilege	4812	Registry.exe
Token: SeDebugPrivilege	3976	Registry.exe
Token: SeDebugPrivilege	4440	Registry.exe
Token: SeDebugPrivilege	468	Registry.exe
Token: SeDebugPrivilege	2480	Registry.exe
Token: SeDebugPrivilege	4056	Registry.exe
Token: SeDebugPrivilege	1440	Registry.exe
Token: SeDebugPrivilege	3084	Registry.exe
Token: SeDebugPrivilege	4748	Registry.exe
Token: SeDebugPrivilege	4012	Registry.exe
Token: SeDebugPrivilege	1168	Registry.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2892 wrote to memory of 4552	2892	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe	85
PID 2892 wrote to memory of 4552	2892	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe	85
PID 2892 wrote to memory of 4552	2892	JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe	85
PID 4552 wrote to memory of 2156	4552	WScript.exe	87
PID 4552 wrote to memory of 2156	4552	WScript.exe	87
PID 4552 wrote to memory of 2156	4552	WScript.exe	87
PID 2156 wrote to memory of 600	2156	cmd.exe	89
PID 2156 wrote to memory of 600	2156	cmd.exe	89
PID 600 wrote to memory of 1852	600	DllCommonsvc.exe	113
PID 600 wrote to memory of 1852	600	DllCommonsvc.exe	113
PID 600 wrote to memory of 4464	600	DllCommonsvc.exe	114
PID 600 wrote to memory of 4464	600	DllCommonsvc.exe	114
PID 600 wrote to memory of 4128	600	DllCommonsvc.exe	115
PID 600 wrote to memory of 4128	600	DllCommonsvc.exe	115
PID 600 wrote to memory of 3056	600	DllCommonsvc.exe	116
PID 600 wrote to memory of 3056	600	DllCommonsvc.exe	116
PID 600 wrote to memory of 4136	600	DllCommonsvc.exe	117
PID 600 wrote to memory of 4136	600	DllCommonsvc.exe	117
PID 600 wrote to memory of 2992	600	DllCommonsvc.exe	118
PID 600 wrote to memory of 2992	600	DllCommonsvc.exe	118
PID 600 wrote to memory of 920	600	DllCommonsvc.exe	119
PID 600 wrote to memory of 920	600	DllCommonsvc.exe	119
PID 600 wrote to memory of 4320	600	DllCommonsvc.exe	120
PID 600 wrote to memory of 4320	600	DllCommonsvc.exe	120
PID 600 wrote to memory of 4040	600	DllCommonsvc.exe	128
PID 600 wrote to memory of 4040	600	DllCommonsvc.exe	128
PID 4040 wrote to memory of 4992	4040	Registry.exe	136
PID 4040 wrote to memory of 4992	4040	Registry.exe	136
PID 4992 wrote to memory of 3536	4992	cmd.exe	138
PID 4992 wrote to memory of 3536	4992	cmd.exe	138
PID 4992 wrote to memory of 3564	4992	cmd.exe	146
PID 4992 wrote to memory of 3564	4992	cmd.exe	146
PID 3564 wrote to memory of 4884	3564	Registry.exe	148
PID 3564 wrote to memory of 4884	3564	Registry.exe	148
PID 4884 wrote to memory of 1696	4884	cmd.exe	150
PID 4884 wrote to memory of 1696	4884	cmd.exe	150
PID 4884 wrote to memory of 1580	4884	cmd.exe	154
PID 4884 wrote to memory of 1580	4884	cmd.exe	154
PID 1580 wrote to memory of 1132	1580	Registry.exe	157
PID 1580 wrote to memory of 1132	1580	Registry.exe	157
PID 1132 wrote to memory of 1048	1132	cmd.exe	159
PID 1132 wrote to memory of 1048	1132	cmd.exe	159
PID 1132 wrote to memory of 4812	1132	cmd.exe	161
PID 1132 wrote to memory of 4812	1132	cmd.exe	161
PID 4812 wrote to memory of 3264	4812	Registry.exe	163
PID 4812 wrote to memory of 3264	4812	Registry.exe	163
PID 3264 wrote to memory of 400	3264	cmd.exe	165
PID 3264 wrote to memory of 400	3264	cmd.exe	165
PID 3264 wrote to memory of 3976	3264	cmd.exe	167
PID 3264 wrote to memory of 3976	3264	cmd.exe	167
PID 3976 wrote to memory of 4972	3976	Registry.exe	169
PID 3976 wrote to memory of 4972	3976	Registry.exe	169
PID 4972 wrote to memory of 4052	4972	cmd.exe	171
PID 4972 wrote to memory of 4052	4972	cmd.exe	171
PID 4972 wrote to memory of 4440	4972	cmd.exe	174
PID 4972 wrote to memory of 4440	4972	cmd.exe	174
PID 4440 wrote to memory of 320	4440	Registry.exe	176
PID 4440 wrote to memory of 320	4440	Registry.exe	176
PID 320 wrote to memory of 428	320	cmd.exe	178
PID 320 wrote to memory of 428	320	cmd.exe	178
PID 320 wrote to memory of 468	320	cmd.exe	180
PID 320 wrote to memory of 468	320	cmd.exe	180
PID 468 wrote to memory of 4948	468	Registry.exe	182
PID 468 wrote to memory of 4948	468	Registry.exe	182

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_168b52f29e4901a96fba2542289bca7561d9a46e46f97b3b17437489bf5accce.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2892
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4552
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2156
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sysmon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\Registry.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
    - - C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4040
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3536
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1696
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1048
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:400
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4052
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:428
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat"
        18⤵
        
        PID:4948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3560
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
        20⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:4808
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"
        22⤵
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3148
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat"
        24⤵
        
        PID:3552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1840
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat"
        26⤵
        
        PID:4464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3212
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat"
        28⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3560
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
        30⤵
        
        PID:2480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4864
        
        C:\Users\All Users\Documents\Registry.exe
        
        "C:\Users\All Users\Documents\Registry.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Multimedia Platform\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Documents\Registry.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\All Users\Documents\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Documents\Registry.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Registry.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat

Filesize
206B

MD5
061332effd4572d358eee3d0a3aa4e17

SHA1
8855247f47b015a77251b6f0a3a6c51bf4e78725

SHA256
66c41334e525f50c38272a6084a6570fc70fd3b070ae49a261462359e25bc614

SHA512
a6fd2cb924599e4b71a6f1919e911802d15f87ad3e329d76a77229e4a85b443864a3c1d1e67e886d6a1d0a8d34344d33509c841725d4c22ac5d19b092fc2f2e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ixwcMXCIg.bat

Filesize
206B

MD5
ddad8b30cc5aeea8d864814984adfa41

SHA1
99dfe1c40a9a98094ccb0de3761e5e4fc6ccaecf

SHA256
22723b98c628eed387550dbbaea64127022064c09e7f8e1a7b3da09954f82dfd

SHA512
8e8a2350bc8938f7641735bad5af5a15cf137e80441aa003e8fb4fd82bd4652a0addf5704292e8d7756fe844a4ba76f09c8a98ccbe65a53a9fdee771317d9612

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat

Filesize
206B

MD5
502692c50b9ca5f7c2601c93fd24eb21

SHA1
812237edbeeac3f505b3dc90cb9e2a3f4f2bf5e5

SHA256
3d2b6fb4dc5c1d5d01a3ab7d8c614dc70f2ca799d4be323c0a4f7e563b970843

SHA512
b0b3f9727af863f806a80156745340dca5eee7e1c2ae4e1456c8b42ada4d5d343051e1b34a0415d235d64d69dedc27c5e886804e70235f9a9bc4c410ff6e5353

Download Submit
C:\Users\Admin\AppData\Local\Temp\IPU7rAfrPc.bat

Filesize
206B

MD5
fefae85a17d4b652de73150a87e2630e

SHA1
713b3d8ffc573e8b2ac29d5357b570ebcf8b906d

SHA256
6cd4251364e44b9d33b5f1370618847b9dab43382dbc44b0701e900b6fb26a36

SHA512
37270726aa9c824394c7026705e6e0a4b46000d5c0222ef7d9d340d40b86f6b2d8bbf63c796d93c06b384fed2023fcdd388582d336df6d73c29464b03b603d9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

Filesize
206B

MD5
fcdde52ef344af1ce9aca9bddd0720cd

SHA1
0777302cbcb90f5a760a1b74dd21ac7116f826b1

SHA256
f27cad5d388b8af27e478ad27baca0f2903104665c58c954ca2cab62b72e2d32

SHA512
4b1cd0369306da383bc39998209b668ede1a47ba09aa14b2bce3da20d422f14f77e54fbfb2bdc52c6121de73fa8def8f2a051eae0a96ed59c18443ed7dac484f

Download Submit
C:\Users\Admin\AppData\Local\Temp\X9PDuMdk3a.bat

Filesize
206B

MD5
50c65b9b7d26734ba9b02f71c67a7ca8

SHA1
208957d234b4c6487b6f50be2765a128fcc3e59f

SHA256
6462fb6d47051b646bca6a90ff1b769663eb708b2e05799cac134e166ee02fb0

SHA512
c167a368f48f639e2194cfe63ac08b79aa1be9fcd8c0197944d0b18b39fb65460d9a7a312e83e7b1bd149bb817a9dbcb85d3e9bda25e12d7939690b37492ce1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fx5e53od.r1l.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat

Filesize
206B

MD5
b7b51bb48ada1fca3957b5c785442b82

SHA1
c106ad50852db6ee5dd5f6f2ff59c766be111c49

SHA256
19b372964b4c3e01bfe03955222e883a72de30cc9e37f9c73f9965a60bb1413a

SHA512
5fab9adc269eee45d4724a3bf31ba86eadef70ae68d9081c592bb9bc1778d529b9f0a7c51236a045abfe92f31c90190ffe2c0f99ae1313782297409ffbc431cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat

Filesize
206B

MD5
c1968d6e8fbaff81f599dbc5daf63723

SHA1
deef86d98a234b2bb848e0372f8d4a13f5ae5ed2

SHA256
ac20c9a5f2c39d6f3472eacbe318db3f9c67f33512e5673c7b6ee18b1a58b81a

SHA512
84c2d0a77a0cac5c3944862b65d815a36cb06b5b11e0407c89c083e3366479f6c34ff098898b9c4ee41ad438ffe32b937425ddd8cff540c5ca6c45b716c42632

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat

Filesize
206B

MD5
9ee41048f978f10ab5cd71b399bd44b0

SHA1
a254897d8752d43754410c3e383abec4c0dd3804

SHA256
3f79d3fe2fab04ddf2eed8c8d3a274e188479196ba0fd57b6cb8bcd1ead478ea

SHA512
952ac072607beda73d5a7fae0a2954eb3499fc9bc3f2e6efcabf1842040dd3d67e54cc820e9ae3f91164085305626b751076315cb9925223d6acfb267177f4d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

Filesize
206B

MD5
f5edfa9581482e88ae69580ba1d9bb30

SHA1
0dd0e3e9956de29913121aaeda473e302d07c794

SHA256
d8a12c62dc0bb52fce89c4d896fd9388c3ad332221fa12d41b77d8af32ac3e35

SHA512
6a174a59458c64b3651d23bd5d6ade68ed5227185d85ff1d530bb93a814721d05101a11be48c093c6796988d155ecd8a9e2b2a3ad33dcf9169299b3ba24f6788

Download Submit
C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat

Filesize
206B

MD5
c99b3c2671f5fc95f1154cce9d1ddb45

SHA1
3d74c501a4b4d250b8226ea72f9bad70100bfc90

SHA256
65018209863cbb596cc1df3aba66f27224bd2764a443e30090df7a53057d8985

SHA512
3988ba55917613588afab49d7991f550d91679e5e8a389a68a8533a2a437c9f3f494ff5e4008841af037bd6e6e998462d76d9ee573cead74ddead84c1528361b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zlkj4ltLQI.bat

Filesize
206B

MD5
cc59555c9c9c872b7ba335eb2c020b93

SHA1
9889608d423b688db5972c65c47acb89934e95ab

SHA256
4e7c02d2e54a2f05cdd6b890bed3f27e844664a908506c42b9d10c7fa5d78b4c

SHA512
6daeac3247277d2247f10aa7ab2a8f3426063da2f942e8c7b6afc40ee179887f49a7a62f0982e09836a63383333ade61213f9beb9681c1a6f1636a6abd73b3a9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/600-16-0x0000000002DF0000-0x0000000002DFC000-memory.dmp

Filesize
48KB

Download
memory/600-12-0x00007FFDF67A3000-0x00007FFDF67A5000-memory.dmp

Filesize
8KB

Download
memory/600-13-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/600-14-0x0000000002D70000-0x0000000002D82000-memory.dmp

Filesize
72KB

Download
memory/600-15-0x0000000002DE0000-0x0000000002DEC000-memory.dmp

Filesize
48KB

Download
memory/600-17-0x0000000002E00000-0x0000000002E0C000-memory.dmp

Filesize
48KB

Download
memory/920-40-0x0000015F024A0000-0x0000015F024C2000-memory.dmp

Filesize
136KB

Download
memory/1440-197-0x000000001C920000-0x000000001CAC9000-memory.dmp

Filesize
1.7MB

Download
memory/2480-183-0x000000001C580000-0x000000001C729000-memory.dmp

Filesize
1.7MB

Download
memory/3084-200-0x0000000000A20000-0x0000000000A32000-memory.dmp

Filesize
72KB

Download
memory/3084-206-0x000000001BD50000-0x000000001BEF9000-memory.dmp

Filesize
1.7MB

Download
memory/4012-219-0x000000001C290000-0x000000001C439000-memory.dmp

Filesize
1.7MB

Download
memory/4040-117-0x0000000002720000-0x0000000002732000-memory.dmp

Filesize
72KB

Download
memory/4056-190-0x000000001C4D0000-0x000000001C679000-memory.dmp

Filesize
1.7MB

Download
memory/4748-212-0x000000001BE80000-0x000000001C029000-memory.dmp

Filesize
1.7MB

Download