dcrat | aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7.exe
Size

1.3MB
MD5

812eed33556e2a76021b9aa60e902ef7
SHA1

a8998ce8af6fbdfecdd051d8a1b88f20667b6eb7
SHA256

aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7
SHA512

9008414f0983a241e4612e98cefcc7c9fa5bf8fd941884191ee719ed96b0bdefeed70102a34eac26bd9f49791a4b9f677d449f1ed4588e110cd92c40e9dda4b7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	728	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5016	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3180	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4636	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	3604	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	3604	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b99-10.dat	dcrat
behavioral2/memory/1344-13-0x00000000006E0000-0x00000000007F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1688	powershell.exe
3516	powershell.exe
2684	powershell.exe
1748	powershell.exe
112	powershell.exe
5052	powershell.exe
776	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 15 IoCs

pid	Process
1344	DllCommonsvc.exe
4376	SppExtComObj.exe
4620	SppExtComObj.exe
2732	SppExtComObj.exe
1332	SppExtComObj.exe
776	SppExtComObj.exe
2656	SppExtComObj.exe
2204	SppExtComObj.exe
1616	SppExtComObj.exe
4732	SppExtComObj.exe
212	SppExtComObj.exe
3556	SppExtComObj.exe
1636	SppExtComObj.exe
3112	SppExtComObj.exe
3808	SppExtComObj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
39	raw.githubusercontent.com
53	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com
54	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
44	raw.githubusercontent.com
52	raw.githubusercontent.com
55	raw.githubusercontent.com
14	raw.githubusercontent.com
38	raw.githubusercontent.com
40	raw.githubusercontent.com
45	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\9e8d7a4ca61bd9	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\WindowsPowerShell\Configuration\Registration\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Web\Screen\wininit.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Screen\56085415360792	DllCommonsvc.exe
File created	C:\Windows\SchCache\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JaffaCakes118_aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3180	schtasks.exe
2008	schtasks.exe
2480	schtasks.exe
1888	schtasks.exe
4636	schtasks.exe
2688	schtasks.exe
5016	schtasks.exe
2020	schtasks.exe
4700	schtasks.exe
728	schtasks.exe
4772	schtasks.exe
3864	schtasks.exe
1316	schtasks.exe
836	schtasks.exe
4320	schtasks.exe
1224	schtasks.exe
4740	schtasks.exe
1144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
1344	DllCommonsvc.exe
3516	powershell.exe
776	powershell.exe
112	powershell.exe
2684	powershell.exe
1748	powershell.exe
5052	powershell.exe
1688	powershell.exe
1748	powershell.exe
3516	powershell.exe
2684	powershell.exe
112	powershell.exe
776	powershell.exe
5052	powershell.exe
1688	powershell.exe
4376	SppExtComObj.exe
4620	SppExtComObj.exe
2732	SppExtComObj.exe
1332	SppExtComObj.exe
776	SppExtComObj.exe
2656	SppExtComObj.exe
2204	SppExtComObj.exe
1616	SppExtComObj.exe
4732	SppExtComObj.exe
212	SppExtComObj.exe
3556	SppExtComObj.exe
1636	SppExtComObj.exe
3112	SppExtComObj.exe
3808	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	1344	DllCommonsvc.exe
Token: SeDebugPrivilege	3516	powershell.exe
Token: SeDebugPrivilege	776	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	5052	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	4376	SppExtComObj.exe
Token: SeDebugPrivilege	4620	SppExtComObj.exe
Token: SeDebugPrivilege	2732	SppExtComObj.exe
Token: SeDebugPrivilege	1332	SppExtComObj.exe
Token: SeDebugPrivilege	776	SppExtComObj.exe
Token: SeDebugPrivilege	2656	SppExtComObj.exe
Token: SeDebugPrivilege	2204	SppExtComObj.exe
Token: SeDebugPrivilege	1616	SppExtComObj.exe
Token: SeDebugPrivilege	4732	SppExtComObj.exe
Token: SeDebugPrivilege	212	SppExtComObj.exe
Token: SeDebugPrivilege	3556	SppExtComObj.exe
Token: SeDebugPrivilege	1636	SppExtComObj.exe
Token: SeDebugPrivilege	3112	SppExtComObj.exe
Token: SeDebugPrivilege	3808	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1620 wrote to memory of 1308	1620	JaffaCakes118_aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7.exe	82
PID 1620 wrote to memory of 1308	1620	JaffaCakes118_aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7.exe	82
PID 1620 wrote to memory of 1308	1620	JaffaCakes118_aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7.exe	82
PID 1308 wrote to memory of 4780	1308	WScript.exe	83
PID 1308 wrote to memory of 4780	1308	WScript.exe	83
PID 1308 wrote to memory of 4780	1308	WScript.exe	83
PID 4780 wrote to memory of 1344	4780	cmd.exe	85
PID 4780 wrote to memory of 1344	4780	cmd.exe	85
PID 1344 wrote to memory of 112	1344	DllCommonsvc.exe	105
PID 1344 wrote to memory of 112	1344	DllCommonsvc.exe	105
PID 1344 wrote to memory of 1748	1344	DllCommonsvc.exe	106
PID 1344 wrote to memory of 1748	1344	DllCommonsvc.exe	106
PID 1344 wrote to memory of 2684	1344	DllCommonsvc.exe	107
PID 1344 wrote to memory of 2684	1344	DllCommonsvc.exe	107
PID 1344 wrote to memory of 3516	1344	DllCommonsvc.exe	108
PID 1344 wrote to memory of 3516	1344	DllCommonsvc.exe	108
PID 1344 wrote to memory of 1688	1344	DllCommonsvc.exe	109
PID 1344 wrote to memory of 1688	1344	DllCommonsvc.exe	109
PID 1344 wrote to memory of 776	1344	DllCommonsvc.exe	110
PID 1344 wrote to memory of 776	1344	DllCommonsvc.exe	110
PID 1344 wrote to memory of 5052	1344	DllCommonsvc.exe	111
PID 1344 wrote to memory of 5052	1344	DllCommonsvc.exe	111
PID 1344 wrote to memory of 4676	1344	DllCommonsvc.exe	119
PID 1344 wrote to memory of 4676	1344	DllCommonsvc.exe	119
PID 4676 wrote to memory of 1704	4676	cmd.exe	121
PID 4676 wrote to memory of 1704	4676	cmd.exe	121
PID 4676 wrote to memory of 4376	4676	cmd.exe	122
PID 4676 wrote to memory of 4376	4676	cmd.exe	122
PID 4376 wrote to memory of 1880	4376	SppExtComObj.exe	123
PID 4376 wrote to memory of 1880	4376	SppExtComObj.exe	123
PID 1880 wrote to memory of 2388	1880	cmd.exe	125
PID 1880 wrote to memory of 2388	1880	cmd.exe	125
PID 1880 wrote to memory of 4620	1880	cmd.exe	126
PID 1880 wrote to memory of 4620	1880	cmd.exe	126
PID 4620 wrote to memory of 2008	4620	SppExtComObj.exe	129
PID 4620 wrote to memory of 2008	4620	SppExtComObj.exe	129
PID 2008 wrote to memory of 1052	2008	cmd.exe	131
PID 2008 wrote to memory of 1052	2008	cmd.exe	131
PID 2008 wrote to memory of 2732	2008	cmd.exe	134
PID 2008 wrote to memory of 2732	2008	cmd.exe	134
PID 2732 wrote to memory of 4852	2732	SppExtComObj.exe	138
PID 2732 wrote to memory of 4852	2732	SppExtComObj.exe	138
PID 4852 wrote to memory of 4600	4852	cmd.exe	140
PID 4852 wrote to memory of 4600	4852	cmd.exe	140
PID 4852 wrote to memory of 1332	4852	cmd.exe	142
PID 4852 wrote to memory of 1332	4852	cmd.exe	142
PID 1332 wrote to memory of 3168	1332	SppExtComObj.exe	143
PID 1332 wrote to memory of 3168	1332	SppExtComObj.exe	143
PID 3168 wrote to memory of 3500	3168	cmd.exe	145
PID 3168 wrote to memory of 3500	3168	cmd.exe	145
PID 3168 wrote to memory of 776	3168	cmd.exe	146
PID 3168 wrote to memory of 776	3168	cmd.exe	146
PID 776 wrote to memory of 3232	776	SppExtComObj.exe	147
PID 776 wrote to memory of 3232	776	SppExtComObj.exe	147
PID 3232 wrote to memory of 4548	3232	cmd.exe	149
PID 3232 wrote to memory of 4548	3232	cmd.exe	149
PID 3232 wrote to memory of 2656	3232	cmd.exe	150
PID 3232 wrote to memory of 2656	3232	cmd.exe	150
PID 2656 wrote to memory of 4164	2656	SppExtComObj.exe	151
PID 2656 wrote to memory of 4164	2656	SppExtComObj.exe	151
PID 4164 wrote to memory of 4496	4164	cmd.exe	153
PID 4164 wrote to memory of 4496	4164	cmd.exe	153
PID 4164 wrote to memory of 2204	4164	cmd.exe	154
PID 4164 wrote to memory of 2204	4164	cmd.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aab849321a1b5193c9c739390024f2717125bc0b578429632cba7e3a90111da7.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1620
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1308
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4780
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Screen\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5052
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dYqoU7q79p.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4676
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1704
      - C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2388
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1052
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4600
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3168
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3500
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:3232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4548
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4496
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        19⤵
        
        PID:1496
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4056
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        21⤵
        
        PID:760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3936
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
        23⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4172
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"
        25⤵
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4572
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
        27⤵
        
        PID:4444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:3692
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat"
        29⤵
        
        PID:5052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:1504
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        31⤵
        
        PID:2392
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4000
        
        C:\providercommon\SppExtComObj.exe
        
        "C:\providercommon\SppExtComObj.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
        33⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Screen\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Windows\Web\Screen\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\Screen\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\providercommon\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\WindowsPowerShell\Configuration\Registration\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Windows\SchCache\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
160B

MD5
2226c673405e57a2d0bca8c0ef6da8b9

SHA1
10c3454817c9a1ce85a4b56010dee57ffa8d908e

SHA256
62ebe17b28f25187b7c02142666f9166e5cbecda5cc2f07c3a17fbe178568e07

SHA512
dabe1d8ed811eed3764af6ad8032fa60bef053778729aad33331df465357c1f07ad1376ee9490b38fa40fd00611cd0979ed37686984fc6e5b1cb124c1064211b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat

Filesize
199B

MD5
703512592f51550faff8db83a5f770df

SHA1
c7ca6720e86fb6c24c9dee7c65ae9caad6d002e4

SHA256
4a93301a1375722104c0d424885dee9e63680068e46a733f46dc5aa088618c29

SHA512
b2fbcbec476e430ae442d3338e56f08c6044d0c1a33368e35438fa3313dbe15b1044fc62e944fb915555c9d9b5919258cb1660e8744415850102efb9d80961ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat

Filesize
199B

MD5
61292b62cc059c81908e9ecd492acd50

SHA1
55ea52c3838838409bbc8983f77923bcb047188a

SHA256
b7d9f28145d1e3800b6e895cb04495c4821a77430c964ff493ceee3293285902

SHA512
fccbe5ec1d4e1b0cb7d4520ef78dbcbeea6bb39d65205e957d4ea1e5bab76d0de1e8d180ea8bf8d7f4a76525a1892c963bb29035f8d58d439d9b3a2a956b8d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat

Filesize
199B

MD5
3991f813a0ccbe5b9f4e2327a372f2c0

SHA1
8f2e39f08c06a9626fbbbbd5f6f67b2c56b53796

SHA256
c9d60c07cf172b1c1f5a74dde0e8cf8933645757cf529e860248c0cc21a9f5b8

SHA512
e492f4ce1542bc0a7f378115c983a60ccc680aadfdbbe88b0f31563182792ecc1ece3e419250cd374b835f5bc6c38fbbadfc16499ec36aa94ae1fe45010c8e45

Download Submit
C:\Users\Admin\AppData\Local\Temp\QtXcZTVakC.bat

Filesize
199B

MD5
b6cc6709da3ab64ed604a8ca5b5a64b8

SHA1
0545e23707968675d6e91ce7016d459c1bf2ed14

SHA256
0a249a5ac1af88ff7283948727460d698b0748ed6708fbc3d909610f5aff850b

SHA512
f546593091f52ee7fd4e4f0f56b869ef6c857dffca1abb0bb2d8853cf7e909d9e0080ba8cb9e5512bace2240552cc6632e92e4b2cbdc98c5aaebb1b5af4bd648

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jqo2z4am.z44.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\bf2k7CZMYL.bat

Filesize
199B

MD5
2a74260bf35894893a7e3e701a736b19

SHA1
d052a2b4052620f7a9aae987d27b33f56ea5d918

SHA256
408462d33f53acb9c5e6d2f352b2e7c270327b847066b772aa1e7614f558c9e5

SHA512
94dd603bd4b0695daba5b8b3144229b63895b1bf5a152e86a86e5181493da804e20f55b230995773036ec80e1c6547c9ce23185f81fe418145c3af2d008bbdfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dYqoU7q79p.bat

Filesize
199B

MD5
c4f13f3870c0834bb845c48eac3f3a48

SHA1
b562cc87c9fa04f79265aff2564c7d00b17e663d

SHA256
754129d41e3e37adf829c9dcb102416258dcc50ca4aa2061beacf8664f2d5c9c

SHA512
3d46fa91665b07ab62fd689c50ccfa6dd310ee7154e5455b720f10af757cbb480c253d44551932fefc94e488fab51426cab7e066828320a6b90140670030a85b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ffEuziAK6w.bat

Filesize
199B

MD5
6874bb3ccc30068ad9555e03de224c3b

SHA1
7cce91139a48b50f1754d72c0a4e0d39075a62b0

SHA256
4fbe349ef9d5cc4352e9d9be9b5282833cae6b2393a6c736c21be2fd7e9672b9

SHA512
aa41b697b72a3f66e88a06ac498f6e5cc4282f4ea91b659e7bf389cc51caec0ba951a4a692d436625bbf38a73e43259dc2382c7c1fc0633cc611252472c18f88

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

Filesize
199B

MD5
4627558238cd7491a7b1dd44371d6020

SHA1
b2d8671afa8c9e29474348dc27c0cda821590528

SHA256
a06424ae8c32371308aa85d3d83c0b9284fced6e96e0894c09ca8b32c3ecf7d2

SHA512
b735c9df1e926322ca0af0a2d71179d447c3996ead1e77e343d88a85f538464989c81056ba58d8b76ebabf88cc8acd67892992401ee0e8287b53067697d77406

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
199B

MD5
322c3eb400d16af813b345df1b102d88

SHA1
94eddf4636f1a0bf41e287953eb0e8fa68b79dda

SHA256
3bd61d71e3289b06a74032df68ef8431b46ccd8b558dccb9b3c1daae41db27d8

SHA512
4a32d881c9965da70b124ce984e64f359593eef6bfa22afe5a09456b39d270123410ff57e1e902ef55e5b35282d9749b99f70b3e3d06dd41e2783cff74e73ba4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
199B

MD5
1bd17edb2e472c5f285eb729c2b7f1be

SHA1
b5f087ced6f1b0fcc24b1905285f532e6fe3d58f

SHA256
7e37217b77415b6c396458a8cfb5a42471b4a6979d408be245ca2c77bd3cc42f

SHA512
296025c8a262ba7f04a0342d71afcc11f8671633d6c538067be6d4788a14a2bdbb4f6590d787a8fd24a4bf5389b00a8d1eee57377bea69c61b770d1027d4e008

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
199B

MD5
e4769bf4815c393fd1e25239272bcf31

SHA1
edbbf04a7da4773c33d18f90235c4a364c768e94

SHA256
88323beb71151c70f5ae784bf81d17062536a5450561e479a58d4d51ec5c6c7f

SHA512
b2eb372224f5e4b8f29985b753fe070aee1daf79946b67fe35d280a17e1756db93158a34cd1f0658bfa6bb22d03157c6b293436510cfe7bcc641b99b22ef4feb

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat

Filesize
199B

MD5
a14f9b5d00e9b38b46bcf56b871e9f52

SHA1
b52951d95cdbf11d4fc72e72ced9233e788784b4

SHA256
d0db9be73172c38a337ff854df37547e513326c8ab0b94e1485969da8ad426ff

SHA512
9b1dbf0769b7f5cb26d97e07295d674a689867df3cd94359c8c0acf00fae46836f8d73c5f05b3c0172708685170ea5e0703cf2d32b86b37fb66e34dbeffcae75

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat

Filesize
199B

MD5
e9b269d1f79340fef39dea51004a3ecf

SHA1
efcf6f99066e1da9fd6006dbfec2912fb980b77d

SHA256
4d5fc3920e6fe67de948d09f7617774243587149845644d1ea888928c184ea27

SHA512
257fa3f2599ad2c3425b4afdc59690bafa0848d5567be2e937a12944f2d665f1bf050e6bcb8ac330898133beda804617b0b84496e3b850373ec43058124487de

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1344-13-0x00000000006E0000-0x00000000007F0000-memory.dmp

Filesize
1.1MB

Download
memory/1344-12-0x00007FFB51E93000-0x00007FFB51E95000-memory.dmp

Filesize
8KB

Download
memory/1344-14-0x0000000002B10000-0x0000000002B22000-memory.dmp

Filesize
72KB

Download
memory/1344-15-0x0000000002B20000-0x0000000002B2C000-memory.dmp

Filesize
48KB

Download
memory/1344-16-0x0000000002B30000-0x0000000002B3C000-memory.dmp

Filesize
48KB

Download
memory/1344-17-0x0000000002B40000-0x0000000002B4C000-memory.dmp

Filesize
48KB

Download
memory/1636-190-0x00000000028C0000-0x00000000028D2000-memory.dmp

Filesize
72KB

Download
memory/3112-197-0x0000000002410000-0x0000000002422000-memory.dmp

Filesize
72KB

Download
memory/3516-36-0x000001FD77820000-0x000001FD77842000-memory.dmp

Filesize
136KB

Download
memory/3556-183-0x0000000001090000-0x00000000010A2000-memory.dmp

Filesize
72KB

Download
memory/4376-118-0x0000000000CC0000-0x0000000000CD2000-memory.dmp

Filesize
72KB

Download
memory/4620-127-0x0000000001770000-0x0000000001782000-memory.dmp

Filesize
72KB

Download
memory/4732-170-0x00000000016A0000-0x00000000016B2000-memory.dmp

Filesize
72KB

Download