dcrat | 15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16

Analysis

max time kernel
144s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 04:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16.exe
Size

1.3MB
MD5

afdd8b1e3323c50e4f4f3b3ca9140764
SHA1

2f16c7660b3e59885cf6f000e85603148141c295
SHA256

15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16
SHA512

024e842b090f70523eb7b71755253d8160104d6831508491506f01c4eb7dd452af13083957b77e13cf283c43bf62399eb3875a993d0eeb21de28fcc38aedde01
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4008	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4260	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	220	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4380	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3672	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4916	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	464	3220	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	3220	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b97-10.dat	dcrat
behavioral2/memory/772-13-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4088	powershell.exe
1648	powershell.exe
3712	powershell.exe
4508	powershell.exe
1376	powershell.exe
1524	powershell.exe
4796	powershell.exe
4636	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 16 IoCs

pid	Process
772	DllCommonsvc.exe
2468	sppsvc.exe
3416	sppsvc.exe
5004	sppsvc.exe
2396	sppsvc.exe
2436	sppsvc.exe
4540	sppsvc.exe
4132	sppsvc.exe
4020	sppsvc.exe
1540	sppsvc.exe
60	sppsvc.exe
2644	sppsvc.exe
3180	sppsvc.exe
4984	sppsvc.exe
4988	sppsvc.exe
1524	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
58	raw.githubusercontent.com
14	raw.githubusercontent.com
39	raw.githubusercontent.com
47	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com
15	raw.githubusercontent.com
20	raw.githubusercontent.com
46	raw.githubusercontent.com
40	raw.githubusercontent.com
50	raw.githubusercontent.com
55	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com
54	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\services.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\OCR\es-es\SppExtComObj.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	JaffaCakes118_15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4260	schtasks.exe
1344	schtasks.exe
3672	schtasks.exe
1896	schtasks.exe
712	schtasks.exe
220	schtasks.exe
4380	schtasks.exe
2644	schtasks.exe
4916	schtasks.exe
1460	schtasks.exe
628	schtasks.exe
4896	schtasks.exe
2612	schtasks.exe
464	schtasks.exe
4008	schtasks.exe
1516	schtasks.exe
4024	schtasks.exe
60	schtasks.exe
2632	schtasks.exe
1260	schtasks.exe
1892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 50 IoCs

pid	Process
772	DllCommonsvc.exe
772	DllCommonsvc.exe
772	DllCommonsvc.exe
772	DllCommonsvc.exe
772	DllCommonsvc.exe
772	DllCommonsvc.exe
772	DllCommonsvc.exe
772	DllCommonsvc.exe
772	DllCommonsvc.exe
772	DllCommonsvc.exe
772	DllCommonsvc.exe
4636	powershell.exe
4088	powershell.exe
1376	powershell.exe
1376	powershell.exe
4508	powershell.exe
4508	powershell.exe
4796	powershell.exe
4796	powershell.exe
1648	powershell.exe
1648	powershell.exe
1524	powershell.exe
1524	powershell.exe
1524	powershell.exe
3712	powershell.exe
3712	powershell.exe
3712	powershell.exe
4636	powershell.exe
4636	powershell.exe
4088	powershell.exe
4088	powershell.exe
1376	powershell.exe
4508	powershell.exe
4796	powershell.exe
1648	powershell.exe
2468	sppsvc.exe
3416	sppsvc.exe
5004	sppsvc.exe
2396	sppsvc.exe
2436	sppsvc.exe
4540	sppsvc.exe
4132	sppsvc.exe
4020	sppsvc.exe
1540	sppsvc.exe
60	sppsvc.exe
2644	sppsvc.exe
3180	sppsvc.exe
4984	sppsvc.exe
4988	sppsvc.exe
1524	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	772	DllCommonsvc.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	4088	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	4508	powershell.exe
Token: SeDebugPrivilege	4796	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	3712	powershell.exe
Token: SeDebugPrivilege	2468	sppsvc.exe
Token: SeDebugPrivilege	3416	sppsvc.exe
Token: SeDebugPrivilege	5004	sppsvc.exe
Token: SeDebugPrivilege	2396	sppsvc.exe
Token: SeDebugPrivilege	2436	sppsvc.exe
Token: SeDebugPrivilege	4540	sppsvc.exe
Token: SeDebugPrivilege	4132	sppsvc.exe
Token: SeDebugPrivilege	4020	sppsvc.exe
Token: SeDebugPrivilege	1540	sppsvc.exe
Token: SeDebugPrivilege	60	sppsvc.exe
Token: SeDebugPrivilege	2644	sppsvc.exe
Token: SeDebugPrivilege	3180	sppsvc.exe
Token: SeDebugPrivilege	4984	sppsvc.exe
Token: SeDebugPrivilege	4988	sppsvc.exe
Token: SeDebugPrivilege	1524	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1156 wrote to memory of 2536	1156	JaffaCakes118_15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16.exe	83
PID 1156 wrote to memory of 2536	1156	JaffaCakes118_15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16.exe	83
PID 1156 wrote to memory of 2536	1156	JaffaCakes118_15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16.exe	83
PID 2536 wrote to memory of 1912	2536	WScript.exe	85
PID 2536 wrote to memory of 1912	2536	WScript.exe	85
PID 2536 wrote to memory of 1912	2536	WScript.exe	85
PID 1912 wrote to memory of 772	1912	cmd.exe	87
PID 1912 wrote to memory of 772	1912	cmd.exe	87
PID 772 wrote to memory of 4636	772	DllCommonsvc.exe	111
PID 772 wrote to memory of 4636	772	DllCommonsvc.exe	111
PID 772 wrote to memory of 4088	772	DllCommonsvc.exe	112
PID 772 wrote to memory of 4088	772	DllCommonsvc.exe	112
PID 772 wrote to memory of 1648	772	DllCommonsvc.exe	113
PID 772 wrote to memory of 1648	772	DllCommonsvc.exe	113
PID 772 wrote to memory of 3712	772	DllCommonsvc.exe	114
PID 772 wrote to memory of 3712	772	DllCommonsvc.exe	114
PID 772 wrote to memory of 4508	772	DllCommonsvc.exe	115
PID 772 wrote to memory of 4508	772	DllCommonsvc.exe	115
PID 772 wrote to memory of 1376	772	DllCommonsvc.exe	116
PID 772 wrote to memory of 1376	772	DllCommonsvc.exe	116
PID 772 wrote to memory of 1524	772	DllCommonsvc.exe	117
PID 772 wrote to memory of 1524	772	DllCommonsvc.exe	117
PID 772 wrote to memory of 4796	772	DllCommonsvc.exe	118
PID 772 wrote to memory of 4796	772	DllCommonsvc.exe	118
PID 772 wrote to memory of 1200	772	DllCommonsvc.exe	127
PID 772 wrote to memory of 1200	772	DllCommonsvc.exe	127
PID 1200 wrote to memory of 1284	1200	cmd.exe	129
PID 1200 wrote to memory of 1284	1200	cmd.exe	129
PID 1200 wrote to memory of 2468	1200	cmd.exe	130
PID 1200 wrote to memory of 2468	1200	cmd.exe	130
PID 2468 wrote to memory of 3464	2468	sppsvc.exe	132
PID 2468 wrote to memory of 3464	2468	sppsvc.exe	132
PID 3464 wrote to memory of 4540	3464	cmd.exe	134
PID 3464 wrote to memory of 4540	3464	cmd.exe	134
PID 3464 wrote to memory of 3416	3464	cmd.exe	143
PID 3464 wrote to memory of 3416	3464	cmd.exe	143
PID 3416 wrote to memory of 5032	3416	sppsvc.exe	145
PID 3416 wrote to memory of 5032	3416	sppsvc.exe	145
PID 5032 wrote to memory of 904	5032	cmd.exe	147
PID 5032 wrote to memory of 904	5032	cmd.exe	147
PID 5032 wrote to memory of 5004	5032	cmd.exe	155
PID 5032 wrote to memory of 5004	5032	cmd.exe	155
PID 5004 wrote to memory of 2736	5004	sppsvc.exe	158
PID 5004 wrote to memory of 2736	5004	sppsvc.exe	158
PID 2736 wrote to memory of 4736	2736	cmd.exe	160
PID 2736 wrote to memory of 4736	2736	cmd.exe	160
PID 2736 wrote to memory of 2396	2736	cmd.exe	162
PID 2736 wrote to memory of 2396	2736	cmd.exe	162
PID 2396 wrote to memory of 4260	2396	sppsvc.exe	164
PID 2396 wrote to memory of 4260	2396	sppsvc.exe	164
PID 4260 wrote to memory of 664	4260	cmd.exe	166
PID 4260 wrote to memory of 664	4260	cmd.exe	166
PID 4260 wrote to memory of 2436	4260	cmd.exe	168
PID 4260 wrote to memory of 2436	4260	cmd.exe	168
PID 2436 wrote to memory of 1404	2436	sppsvc.exe	170
PID 2436 wrote to memory of 1404	2436	sppsvc.exe	170
PID 1404 wrote to memory of 2964	1404	cmd.exe	172
PID 1404 wrote to memory of 2964	1404	cmd.exe	172
PID 1404 wrote to memory of 4540	1404	cmd.exe	174
PID 1404 wrote to memory of 4540	1404	cmd.exe	174
PID 4540 wrote to memory of 1800	4540	sppsvc.exe	176
PID 4540 wrote to memory of 1800	4540	sppsvc.exe	176
PID 1800 wrote to memory of 4372	1800	cmd.exe	178
PID 1800 wrote to memory of 4372	1800	cmd.exe	178

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_15964da8c9f56f5edbd540702028c5df94b401d1d68891f54fbf02aa2b82ce16.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1156
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1912
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4796
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Klkyut6rVo.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1200
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1284
      - C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4540
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:904
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4736
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4260
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:664
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2964
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4372
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        19⤵
        
        PID:1108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4344
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        21⤵
        
        PID:4348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:4900
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
        23⤵
        
        PID:1156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1892
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:60
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
        25⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:432
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        27⤵
        
        PID:4888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4756
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
        29⤵
        
        PID:3596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2936
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"
        31⤵
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2132
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        33⤵
        
        PID:4140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:3660
        
        C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe
        
        "C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\Public\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 12 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\es-ES\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
440cb38dbee06645cc8b74d51f6e5f71

SHA1
d7e61da91dc4502e9ae83281b88c1e48584edb7c

SHA256
8ef7a682dfd99ff5b7e9de0e1be43f0016d68695a43c33c028af2635cc15ecfe

SHA512
3aab19578535e6ba0f6beb5690c87d970292100704209d2dcebddcdd46c6bead27588ef5d98729bfd50606a54cc1edf608b3d15bef42c13b9982aaaf15de7fd6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
221B

MD5
3f088176e83f53ad5b13621a3af2ba03

SHA1
6392e8003c3bba7c64ed94044c5b950ba7e71516

SHA256
e065e9827b73fa9378b5f09b99a3c3ee21a95d5732b22b2c330c48753da51d52

SHA512
cdbee81982217c037838cf85284e438cfaedd5aebb6ddc5cf5f2692a483891a46543dd2a9af74e233c9c18dceb5f0309b9359ae679f6d5aa6e51f11915481532

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bp0TjAk7l7.bat

Filesize
221B

MD5
30ee2488732e5fe7153b1a7b0654fd94

SHA1
d6d17eb3cfbc87c105c80ef4f52a9cee1086fbb0

SHA256
6e1be46302e155a9c78bb36866cc21757bc1335bd1819d2ae6fd371dd5019eb8

SHA512
6bbfd55ece7a7350e0310decb9cfd69b5533d16d60c2460764f89d6d63467537448cb4176ef12c4df45ace6b529d996cc2e9f4ae68b02ebc7d61a37c4fb9df13

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

Filesize
221B

MD5
585b07b290753f4d98d49f80ff267919

SHA1
602a80cf3e6c2091729d2bdbcaa16df638ac6f55

SHA256
be4387f342fefad3e12b6736e975a965b639a788e994c948970855bfc705c9ee

SHA512
1df1b292de8630c195b29af1c94bcea55ff7191745e84f86d36cc7c8a7e00ced88ec3ceeeb82dfcc5818f4486f989b6057ffd07f8527d10105730f89892b32ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\Klkyut6rVo.bat

Filesize
221B

MD5
a37336b14c01fccd25949557e05a9cb8

SHA1
3b58bfad61e7f7788cd51bd1c559bedc580bd4bd

SHA256
98e2ba690aab4208682f85905c3a25e769d10f3d00af43db71a87d01f65fd011

SHA512
2abd4230cb20edb0ecbcf8b4d7328215a22c02c67b114121b55901f93380fd368fc8d565a1979ad51c9bb3a0de42f944c1b095c3d45c4868b319e09be5e10859

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

Filesize
221B

MD5
334d4d23c07fc1acb69fbb792c4c6d7d

SHA1
b52c615f1316a16dec2e595fdda55e5df8846f81

SHA256
c1df18902bfbf6f74a8fc19563e72a3061be40ce435e9d24fe12e34f92d19d81

SHA512
2012915d397b9ae6d579106e12c98241a114d1f0f063c60c7020e78c98f90b5913ea2109018b24a018d1fd9e69d85bfca4f5ae5e0ed982600ff1173eeec883dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
221B

MD5
41d5d3d7a91e5ed0a903a97740109726

SHA1
11803e0ce93e5139805864717dcabfadaf4167fa

SHA256
fc51f0fae96fda9291e82ed2e341e6bdb970bd8e8de70ab48a542bb8c562cc96

SHA512
5bee500e3106c255c61b82e9d181a419a70a61792814bd70c85490818ad12d5022d1faf21a4c43d322a8566c8ab0f58d779fd0f5428b1be8e2f1c7156d6f37df

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat

Filesize
221B

MD5
3c361e1fb9de8c947fe7de0ebafce39b

SHA1
ca3a777673d2c36452cce135c24d98b201fb88a5

SHA256
51345f39aeab1435ea7a7685ad3e1e22c3fa1b3610781f9f4e3b8bf505ab7b5f

SHA512
0830c4976f79a18dd1f225c35133b92896c1a7167d379e933f9629bbd5d6362901389ab4f16b844a55f761a7ec7523efc9cc3a71184b4a4a255061f5839799d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

Filesize
221B

MD5
ef246b7d96734f2ceaff49ef83d1ced0

SHA1
d2187252ef9d0aadab846811ccb9f6041418531e

SHA256
33c63ee09033b1de27e239aca10bb0f9bbd839f7e78586e7b6de4f4b38b5d3ad

SHA512
4d04f9890f990197e40975b44376011f27663a137f4fe9150d84666f99a695e5f9700aa5630140b45e9dde9885cd470fcf4125acbc52aaf846d67498407498ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_lg0rdekm.w41.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
221B

MD5
60b79987492b583c4ecf6a8ddfdb3546

SHA1
575a03f08ef5b6b14e04876e07fbce1fa8cf08cd

SHA256
d8e77cf0f68f7145ebf8549ffa6f7bd8a6e7fd252e4c6c34a0850716e03f6bd8

SHA512
29cc5645319dd83d29f60bd38e7e125d09aed6e4d1426d490fff6f45df56ddd112f69e384224c9e1aea23213eb3535e6f8d2e36d75894ded033b46da3b625e0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat

Filesize
221B

MD5
730a36644ad9c690474debce077bb708

SHA1
f3d07cf13f9addfaa0cde24956076490ce55412e

SHA256
b0b1fd80b48f411e70a787d63be49422ea3994235ab09373e2d34296101b8740

SHA512
8e4d1aa9cc22e61f60bd72f5fa57c1746e80c3176d6dde08ee82d7e3d69f215fb0d7f4b352d8953d5ae5e77150c807e86029bc1dae0bbf7a89a66f5516c3c878

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat

Filesize
221B

MD5
cf6be1f0bb820a622e76427faf048478

SHA1
6565d618afa2edfb6dbfebe4eb10c2c281b72fd4

SHA256
d5bdbc075a7041640e476b30f33fdbfd4bcc62ad92b835b1abd9b08c5a09700f

SHA512
d51015976bf027c465fa0fcca7a52961a66fbedbbee24787444e28ba643fcea925cd7a7769028d04d5bd7148a08348ba9c34e2cda3c9506022c85421d049efe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

Filesize
221B

MD5
84ee8233097e08259bb078834f7f6392

SHA1
b8901f8df21ac97471c135149666c6a31bbb9fa4

SHA256
0195a4bd3abd400ba5cc105be64b4e1ed9a7a4cf95457bd991716bb59f7517ce

SHA512
7d41766c966b2895b2d80587a78baf23db836de843c35f9cf9a144151f4c3ba63a3c7781b3bbdb3a2e339849c4caa10ffd30f5aae7a510a3f5e388185e21111d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/60-196-0x000000001C870000-0x000000001C9DA000-memory.dmp

Filesize
1.4MB

Download
memory/772-12-0x00007FFD2F563000-0x00007FFD2F565000-memory.dmp

Filesize
8KB

Download
memory/772-15-0x0000000001880000-0x000000000188C000-memory.dmp

Filesize
48KB

Download
memory/772-14-0x00000000016C0000-0x00000000016D2000-memory.dmp

Filesize
72KB

Download
memory/772-13-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/772-17-0x0000000001890000-0x000000000189C000-memory.dmp

Filesize
48KB

Download
memory/772-16-0x00000000016D0000-0x00000000016DC000-memory.dmp

Filesize
48KB

Download
memory/1376-56-0x00000279641D0000-0x00000279641F2000-memory.dmp

Filesize
136KB

Download
memory/1524-226-0x00000000030A0000-0x00000000030B2000-memory.dmp

Filesize
72KB

Download
memory/1540-185-0x0000000000FF0000-0x0000000001002000-memory.dmp

Filesize
72KB

Download
memory/2396-153-0x0000000002650000-0x0000000002662000-memory.dmp

Filesize
72KB

Download
memory/2468-131-0x00000000025A0000-0x00000000025B2000-memory.dmp

Filesize
72KB

Download
memory/2644-203-0x000000001C410000-0x000000001C57A000-memory.dmp

Filesize
1.4MB

Download
memory/4020-178-0x0000000000CA0000-0x0000000000CB2000-memory.dmp

Filesize
72KB

Download
memory/4984-216-0x000000001C340000-0x000000001C4AA000-memory.dmp

Filesize
1.4MB

Download
memory/4988-224-0x000000001CA90000-0x000000001CBFA000-memory.dmp

Filesize
1.4MB

Download
memory/5004-146-0x0000000000EB0000-0x0000000000EC2000-memory.dmp

Filesize
72KB

Download