dcrat | c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78

Analysis

max time kernel
147s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 04:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe
Size

1.3MB
MD5

032fd8766cb2ca7853ec975b1d30fa2b
SHA1

c2c30479ca22d458a2ce282d8c106e5ab43807dd
SHA256

c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78
SHA512

72dcea535b7230310de761f8a02696ec54e2108a41d15eb5d40626c55953867171862ebec49e57abcac67d893f714468551ba7d89ec03ab439e5d8e7a51ef232
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4784	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	208	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4860	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4528	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3744	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	512	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3408	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	3408	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b93-10.dat	dcrat
behavioral2/memory/2264-13-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1488	powershell.exe
2376	powershell.exe
3876	powershell.exe
2544	powershell.exe
3228	powershell.exe
3824	powershell.exe
4160	powershell.exe
2952	powershell.exe

Checks computer location settings 2 TTPs 18 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	JaffaCakes118_c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	explorer.exe

Executes dropped EXE 17 IoCs

pid	Process
2264	DllCommonsvc.exe
4276	explorer.exe
4620	explorer.exe
1592	explorer.exe
1656	explorer.exe
1736	explorer.exe
5052	explorer.exe
4576	explorer.exe
4476	explorer.exe
5072	explorer.exe
396	explorer.exe
1112	explorer.exe
4260	explorer.exe
3788	explorer.exe
4600	explorer.exe
1772	explorer.exe
2240	explorer.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 16 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
46	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
14	raw.githubusercontent.com
19	raw.githubusercontent.com
39	raw.githubusercontent.com
13	raw.githubusercontent.com
40	raw.githubusercontent.com
57	raw.githubusercontent.com
58	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com
47	raw.githubusercontent.com
48	raw.githubusercontent.com
56	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\RuntimeBroker.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Defender\ja-JP\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Java\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\ja-JP\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	JaffaCakes118_c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	explorer.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3312	schtasks.exe
1624	schtasks.exe
4596	schtasks.exe
3152	schtasks.exe
3992	schtasks.exe
4528	schtasks.exe
1296	schtasks.exe
628	schtasks.exe
512	schtasks.exe
4912	schtasks.exe
4784	schtasks.exe
1440	schtasks.exe
3744	schtasks.exe
4556	schtasks.exe
1544	schtasks.exe
4724	schtasks.exe
2036	schtasks.exe
840	schtasks.exe
2496	schtasks.exe
208	schtasks.exe
4860	schtasks.exe

Suspicious behavior: EnumeratesProcesses 49 IoCs

pid	Process
2264	DllCommonsvc.exe
2264	DllCommonsvc.exe
2264	DllCommonsvc.exe
2264	DllCommonsvc.exe
2264	DllCommonsvc.exe
2264	DllCommonsvc.exe
2264	DllCommonsvc.exe
2264	DllCommonsvc.exe
2264	DllCommonsvc.exe
2376	powershell.exe
2952	powershell.exe
4160	powershell.exe
3876	powershell.exe
3824	powershell.exe
2952	powershell.exe
2544	powershell.exe
2544	powershell.exe
3228	powershell.exe
3228	powershell.exe
4276	explorer.exe
4276	explorer.exe
1488	powershell.exe
1488	powershell.exe
2376	powershell.exe
2376	powershell.exe
3876	powershell.exe
3876	powershell.exe
3824	powershell.exe
3824	powershell.exe
4160	powershell.exe
4160	powershell.exe
3228	powershell.exe
2544	powershell.exe
1488	powershell.exe
4620	explorer.exe
1592	explorer.exe
1656	explorer.exe
1736	explorer.exe
5052	explorer.exe
4576	explorer.exe
4476	explorer.exe
5072	explorer.exe
396	explorer.exe
1112	explorer.exe
4260	explorer.exe
3788	explorer.exe
4600	explorer.exe
1772	explorer.exe
2240	explorer.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2264	DllCommonsvc.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	3876	powershell.exe
Token: SeDebugPrivilege	3824	powershell.exe
Token: SeDebugPrivilege	4276	explorer.exe
Token: SeDebugPrivilege	2544	powershell.exe
Token: SeDebugPrivilege	3228	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	4620	explorer.exe
Token: SeDebugPrivilege	1592	explorer.exe
Token: SeDebugPrivilege	1656	explorer.exe
Token: SeDebugPrivilege	1736	explorer.exe
Token: SeDebugPrivilege	5052	explorer.exe
Token: SeDebugPrivilege	4576	explorer.exe
Token: SeDebugPrivilege	4476	explorer.exe
Token: SeDebugPrivilege	5072	explorer.exe
Token: SeDebugPrivilege	396	explorer.exe
Token: SeDebugPrivilege	1112	explorer.exe
Token: SeDebugPrivilege	4260	explorer.exe
Token: SeDebugPrivilege	3788	explorer.exe
Token: SeDebugPrivilege	4600	explorer.exe
Token: SeDebugPrivilege	1772	explorer.exe
Token: SeDebugPrivilege	2240	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4252 wrote to memory of 4496	4252	JaffaCakes118_c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe	83
PID 4252 wrote to memory of 4496	4252	JaffaCakes118_c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe	83
PID 4252 wrote to memory of 4496	4252	JaffaCakes118_c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe	83
PID 4496 wrote to memory of 3208	4496	WScript.exe	85
PID 4496 wrote to memory of 3208	4496	WScript.exe	85
PID 4496 wrote to memory of 3208	4496	WScript.exe	85
PID 3208 wrote to memory of 2264	3208	cmd.exe	87
PID 3208 wrote to memory of 2264	3208	cmd.exe	87
PID 2264 wrote to memory of 1488	2264	DllCommonsvc.exe	111
PID 2264 wrote to memory of 1488	2264	DllCommonsvc.exe	111
PID 2264 wrote to memory of 2376	2264	DllCommonsvc.exe	112
PID 2264 wrote to memory of 2376	2264	DllCommonsvc.exe	112
PID 2264 wrote to memory of 3876	2264	DllCommonsvc.exe	113
PID 2264 wrote to memory of 3876	2264	DllCommonsvc.exe	113
PID 2264 wrote to memory of 2544	2264	DllCommonsvc.exe	114
PID 2264 wrote to memory of 2544	2264	DllCommonsvc.exe	114
PID 2264 wrote to memory of 3228	2264	DllCommonsvc.exe	115
PID 2264 wrote to memory of 3228	2264	DllCommonsvc.exe	115
PID 2264 wrote to memory of 3824	2264	DllCommonsvc.exe	116
PID 2264 wrote to memory of 3824	2264	DllCommonsvc.exe	116
PID 2264 wrote to memory of 4160	2264	DllCommonsvc.exe	117
PID 2264 wrote to memory of 4160	2264	DllCommonsvc.exe	117
PID 2264 wrote to memory of 2952	2264	DllCommonsvc.exe	118
PID 2264 wrote to memory of 2952	2264	DllCommonsvc.exe	118
PID 2264 wrote to memory of 4276	2264	DllCommonsvc.exe	126
PID 2264 wrote to memory of 4276	2264	DllCommonsvc.exe	126
PID 4276 wrote to memory of 5052	4276	explorer.exe	129
PID 4276 wrote to memory of 5052	4276	explorer.exe	129
PID 5052 wrote to memory of 3388	5052	cmd.exe	131
PID 5052 wrote to memory of 3388	5052	cmd.exe	131
PID 5052 wrote to memory of 4620	5052	cmd.exe	138
PID 5052 wrote to memory of 4620	5052	cmd.exe	138
PID 4620 wrote to memory of 1472	4620	explorer.exe	142
PID 4620 wrote to memory of 1472	4620	explorer.exe	142
PID 1472 wrote to memory of 4592	1472	cmd.exe	144
PID 1472 wrote to memory of 4592	1472	cmd.exe	144
PID 1472 wrote to memory of 1592	1472	cmd.exe	150
PID 1472 wrote to memory of 1592	1472	cmd.exe	150
PID 1592 wrote to memory of 4496	1592	explorer.exe	152
PID 1592 wrote to memory of 4496	1592	explorer.exe	152
PID 4496 wrote to memory of 3636	4496	cmd.exe	154
PID 4496 wrote to memory of 3636	4496	cmd.exe	154
PID 4496 wrote to memory of 1656	4496	cmd.exe	159
PID 4496 wrote to memory of 1656	4496	cmd.exe	159
PID 1656 wrote to memory of 2648	1656	explorer.exe	161
PID 1656 wrote to memory of 2648	1656	explorer.exe	161
PID 2648 wrote to memory of 3116	2648	cmd.exe	163
PID 2648 wrote to memory of 3116	2648	cmd.exe	163
PID 2648 wrote to memory of 1736	2648	cmd.exe	165
PID 2648 wrote to memory of 1736	2648	cmd.exe	165
PID 1736 wrote to memory of 4488	1736	explorer.exe	167
PID 1736 wrote to memory of 4488	1736	explorer.exe	167
PID 4488 wrote to memory of 2912	4488	cmd.exe	169
PID 4488 wrote to memory of 2912	4488	cmd.exe	169
PID 4488 wrote to memory of 5052	4488	cmd.exe	171
PID 4488 wrote to memory of 5052	4488	cmd.exe	171
PID 5052 wrote to memory of 4660	5052	explorer.exe	173
PID 5052 wrote to memory of 4660	5052	explorer.exe	173
PID 4660 wrote to memory of 3916	4660	cmd.exe	175
PID 4660 wrote to memory of 3916	4660	cmd.exe	175
PID 4660 wrote to memory of 4576	4660	cmd.exe	177
PID 4660 wrote to memory of 4576	4660	cmd.exe	177
PID 4576 wrote to memory of 4772	4576	explorer.exe	179
PID 4576 wrote to memory of 4772	4576	explorer.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c994fc5bd1c3b7fee448afd3ed85e85141d57febc9f25d43c23ae2bc5744db78.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4252
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3208
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\ja-JP\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4276
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3388
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:4592
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3636
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3116
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2912
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3916
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
        18⤵
        
        PID:4772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1184
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        20⤵
        
        PID:3936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1352
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
        22⤵
        
        PID:3284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3892
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat"
        24⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2844
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
        26⤵
        
        PID:3652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3240
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
        28⤵
        
        PID:4308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3552
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
        30⤵
        
        PID:3192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4668
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        31⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
        32⤵
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        33⤵
        
        PID:4400
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat"
        34⤵
        
        PID:4368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        35⤵
        
        PID:3544
        
        C:\Windows\PrintDialog\explorer.exe
        
        "C:\Windows\PrintDialog\explorer.exe"
        35⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Defender\ja-JP\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Defender\ja-JP\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\PrintDialog\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PrintDialog\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\PrintDialog\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Media Player\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Default\SendTo\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Default\SendTo\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\explorer.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
3a6bad9528f8e23fb5c77fbd81fa28e8

SHA1
f127317c3bc6407f536c0f0600dcbcf1aabfba36

SHA256
986366767de5873f1b170a63f2a33ce05132d1afd90c8f5017afbca8ef1beb05

SHA512
846002154a0ece6f3e9feda6f115d3161dc21b3789525dd62ae1d9188495171293efdbe7be4710666dd8a15e66b557315b5a02918a741ed1d5f3ff0c515b98e2

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
120B

MD5
5c37fb9a06ec5e24316c99b969ad3c1b

SHA1
ebcde24081714a20d1c88f5527fce3aa6da6b833

SHA256
d25c8dcd9eaedf398d9dc315f41aaa063043b27ea21b717cc79d6259b77c78ae

SHA512
517cf9aea5440ff85d5df41e9443ae41cb31a0d85c0023a87a272369c86bf4c66e9c42321a9c10cc6157cb24bd9f4d641a8f5f0f1204ae08642047ca6b9c045f

Download Submit
C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat

Filesize
200B

MD5
f73adbca5973d6dc7eae509142c04dd3

SHA1
a598ccc3313bf2a1bed0b2923120b33c019c4acb

SHA256
c53bbf4a6efde40b4ca7dc77b01e7c0dad780da2023f38873e81a4b9a645e3d0

SHA512
d2b736398e6d6dbed99d507ade311eeb6cdd0dac990d4451c0795dcca902747570efe0f2d01e0b9d13bb0c6b0569e0cbab8b199a6a7e8493a95d622ca0bfcdf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat

Filesize
200B

MD5
46e02523bf4c618ae84a80ff819dc0f5

SHA1
615cedbb28d5de365ee923d9a6ee6b1c7ab9ec5a

SHA256
411e48158b413e79f1871bf2d43d8f3b6ee589cd4dc2b93f3a90849a1422528d

SHA512
f70c857f37be12cb17995c059118486d49b049d064ee7be8026dd035301ae5d35e253232e3e0028bc89ba3beced6f10be8de9bba114e4803fa028e1732777134

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvLkm7sAXX.bat

Filesize
200B

MD5
0e57bc4b8d3df874256181ad036fe109

SHA1
9f27fdaee68c0a3b0287576174b27421db36ce70

SHA256
0984a1f35d1bd914061310320ed5c8ca342360048146e465bb3ce79831a5050f

SHA512
3436e17501f1169c6cffa8074b404f3ea5ff4f314fc1cbdae23a10fcd4a32a2ef1d74e4c92b847d0ca9130e163142ccfc6c7f35929075dbeb7fa424d118ef773

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat

Filesize
200B

MD5
8e04c1e272de4cb4c78966266235f790

SHA1
6611460c2cceebec548826babf0bface585bc07a

SHA256
e030a692ada956c4668cb3b855a2e1a39004322be797a8091d8d3445aadfcac1

SHA512
9082c8e1c0288c17deb5573adc70560afd05e076cee84ee7e573f4b95bc9c556cdaaa814862bf58342829572c09ae3157279dcc0a37fb2f0ba719da2c3aabb1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

Filesize
200B

MD5
79ad0518426f2f60b78ca4304466ac17

SHA1
31db58c097ec02e68b97e57e62fc34d0d307907f

SHA256
dba66acfde25bcb94999cf620150c5dd65fb719a2e0dd034507b0ff30a864887

SHA512
154bc20238ef42f4c677386b143405e8c336a5226e458bc2890b19777a1e467815bb03a52ab4e36a0521043c43e322dfcd937c1f3e7d89d1f8e8b23147e635eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

Filesize
200B

MD5
f5802dc7588409a85303665edd615c97

SHA1
814bfcd0b1758b29e901ff9933c615ffe48f5089

SHA256
d5fc197e77640a8c2d18bf59b111e9bc98e473eec3753f39a0c857ac749bfe8d

SHA512
5474aa2fb6a9df4cdd011791752754ba07b7628030a6ac9bdd40ddce281d19444084ca1539f0718463368600fb782ff798e8f8dab730fdb8838918903ad2687f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat

Filesize
200B

MD5
18b511d414a8262c987648bdb641288c

SHA1
3c400a3964bd904df7db23d5a8f20eefcc8cf73e

SHA256
739d1d16ca492a5b98db8c3d938ac93adfc1b8655d8a88dea6e5b798ab086f6e

SHA512
4cc1b0c797223a9e7b346c9f6573d4d23704dda380411dc378f95e74a0f73a01fe40e1d53a3f571ace3971239735305513847eab8d20c154561ccd0b55b077c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat

Filesize
200B

MD5
1270216d4cc1c66cdd017547ea39c44f

SHA1
06d2fed1af960aa58754be5791a6b992c6a254b4

SHA256
3cf6407e51e84db7998f1d2e948e5d0e7fc70e7e3637b625a45c944f1c43162c

SHA512
197096478ee2fd9daf272b1fbb0f55d1ce75807498cde0d7d3a62ea87407ffa6644f251149dac6b1c7160f6e8102699a4b6251ba33a63daea79dfaa454f16e02

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

Filesize
200B

MD5
65bb525bc25af316048860089e72e8f6

SHA1
b7a7f43aa63e71b10f914e47a63ca75cf364bc94

SHA256
e5eb51c788a7caea8d113260ed89c92ecfbd8a8784aceb0b100d569976dc4028

SHA512
0e03783acb6226d3e1b60da28538b4dba4baf7cc5e234ad2b0017d6c1a5b373c0a87aefb93b4e8b2ed82a2a230cefc1bda847476a4e9433bf33ed0ffb95fdd45

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

Filesize
200B

MD5
09a88af8f80d9b06a9e27acf4b76b228

SHA1
1b101b3acc7f4a76cde8e17826dca1f7b2496944

SHA256
7410e2e166359710f906afa65338fc3213d45a972042da14eba30e8b00c58c4b

SHA512
5289bac3c4c7de1fff4c9ad8d7afe68594403848597a1e335996ef158ddd116838fcd081a4b68020a491e60150b29fbb8c7865e335f47bfc27a4198cf9da4683

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_so4alno2.wre.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

Filesize
200B

MD5
447771f73329486d40a0d800be23b966

SHA1
00725a00d470344ad9b3125fd78f273625b6f070

SHA256
a891393862790d3b5268b74e69803320e2cbcc25e4ab827301f00e13a19a0b5c

SHA512
418ef9722c7a9e34dee71f14599ddcc8b449bb76769e41aecebd35aa96da0212952f665deb9d522497fa770887eab5f8dc1476e646aa9511c9f5e75a38b4b4c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

Filesize
200B

MD5
09d04c07a24ba36778568e78c35e7284

SHA1
1c8af6236feddac04e147d5f5c392dd5088cc721

SHA256
c92437d8ae94482d3184dd3a1bc2f7246721a2e0d8da54dc1b0ab303b0e9f0f0

SHA512
68a9311058e34f92764d8271f2f0dc8f0948b727f5118e8070f54a0657fff53633aec1dec9b9d7ccb406293de4c4980b3c7a6546d8d1597ff844b215e3b07e0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
200B

MD5
f4457a6c8bab5f1c1f463254bf18f72f

SHA1
c3d37d251bdbd9611b434028ce25b8f81c9efd12

SHA256
fa8b2333e4b0dff535233fa550637b31b9ae1937d046a5454f96b2373bf7a11c

SHA512
b9650abc1e40c3cf5a11bfd90c2eab0a79bbd2b2bb88fb81c14925f80d9d58f704ed1f3ac7023127e24e805557ec211d66ea3abc19d8a29ed09b0697529df6a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

Filesize
200B

MD5
7eeea47297f97d446a52af7ff963083b

SHA1
e85e501496e890d8ffd957e5fd4167bb5e2957a2

SHA256
73fbf28ab5be029359ba88a12af527c1688abfe3cc31715a31806228e487e9fa

SHA512
0daccc0534e24e6077d24c50ee980614bde3e7cfb782d50ebcc45e316d8e25c9230deab8967583625f83573b2fc2b91130677515c17b06ae2f91a8959b2e577d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/396-199-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/1592-149-0x0000000002300000-0x0000000002312000-memory.dmp

Filesize
72KB

Download
memory/1656-160-0x000000001BDC0000-0x000000001BE61000-memory.dmp

Filesize
644KB

Download
memory/1736-167-0x000000001C350000-0x000000001C3F1000-memory.dmp

Filesize
644KB

Download
memory/2240-237-0x00000000017D0000-0x00000000017E2000-memory.dmp

Filesize
72KB

Download
memory/2264-17-0x0000000001410000-0x000000000141C000-memory.dmp

Filesize
48KB

Download
memory/2264-12-0x00007FFD411C3000-0x00007FFD411C5000-memory.dmp

Filesize
8KB

Download
memory/2264-13-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/2264-16-0x0000000001400000-0x000000000140C000-memory.dmp

Filesize
48KB

Download
memory/2264-14-0x00000000013D0000-0x00000000013E2000-memory.dmp

Filesize
72KB

Download
memory/2264-15-0x00000000013E0000-0x00000000013EC000-memory.dmp

Filesize
48KB

Download
memory/2952-48-0x0000018978A40000-0x0000018978A62000-memory.dmp

Filesize
136KB

Download
memory/4276-90-0x00000000022B0000-0x00000000022C2000-memory.dmp

Filesize
72KB

Download
memory/4476-189-0x000000001CB80000-0x000000001CC21000-memory.dmp

Filesize
644KB

Download
memory/4576-182-0x000000001CAA0000-0x000000001CB41000-memory.dmp

Filesize
644KB

Download
memory/4576-177-0x00000000031D0000-0x00000000031E2000-memory.dmp

Filesize
72KB

Download
memory/4600-224-0x0000000001400000-0x0000000001412000-memory.dmp

Filesize
72KB

Download
memory/4620-146-0x000000001BD10000-0x000000001BE12000-memory.dmp

Filesize
1.0MB

Download
memory/5052-174-0x000000001BD70000-0x000000001BE11000-memory.dmp

Filesize
644KB

Download
memory/5072-196-0x0000000002DB0000-0x0000000002E51000-memory.dmp

Filesize
644KB

Download