dcrat | 7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad

Analysis

max time kernel
147s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 08:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe
Size

1.3MB
MD5

2b995f0184bd3b5a518216a272ad5395
SHA1

924ae1241cf0e3a01097a13c6ab7a04bb6adbf68
SHA256

7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad
SHA512

a82dec0540eef8dfd504b6a1e8b5789ea11610c604d4f1692ef5ea95b72d83258412ba0475f84ff2175a7499209efdf0409cc79ec3585d77da49ee67ccdf3ec0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4316	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3736	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4304	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5112	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3824	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3816	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	732	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3748	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3416	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	760	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	760	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb3-9.dat	dcrat
behavioral2/memory/5028-13-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2420	powershell.exe
3096	powershell.exe
4636	powershell.exe
1204	powershell.exe
2904	powershell.exe
1652	powershell.exe
4368	powershell.exe
4836	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 13 IoCs

pid	Process
5028	DllCommonsvc.exe
4612	lsass.exe
4516	lsass.exe
2652	lsass.exe
744	lsass.exe
4652	lsass.exe
4996	lsass.exe
1344	lsass.exe
3532	lsass.exe
4608	lsass.exe
1652	lsass.exe
3528	lsass.exe
2608	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
51	raw.githubusercontent.com
53	raw.githubusercontent.com
22	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
45	raw.githubusercontent.com
54	raw.githubusercontent.com
23	raw.githubusercontent.com
44	raw.githubusercontent.com
50	raw.githubusercontent.com
52	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\en-US\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1156	schtasks.exe
3736	schtasks.exe
1988	schtasks.exe
3452	schtasks.exe
2168	schtasks.exe
732	schtasks.exe
3748	schtasks.exe
688	schtasks.exe
2916	schtasks.exe
4316	schtasks.exe
4292	schtasks.exe
3824	schtasks.exe
1184	schtasks.exe
3416	schtasks.exe
2132	schtasks.exe
1896	schtasks.exe
1920	schtasks.exe
3816	schtasks.exe
4304	schtasks.exe
2400	schtasks.exe
5112	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
5028	DllCommonsvc.exe
5028	DllCommonsvc.exe
5028	DllCommonsvc.exe
1204	powershell.exe
4636	powershell.exe
3096	powershell.exe
4836	powershell.exe
2420	powershell.exe
2420	powershell.exe
1652	powershell.exe
1652	powershell.exe
4368	powershell.exe
4368	powershell.exe
2904	powershell.exe
2904	powershell.exe
4836	powershell.exe
4836	powershell.exe
1652	powershell.exe
1204	powershell.exe
4636	powershell.exe
4636	powershell.exe
3096	powershell.exe
3096	powershell.exe
2420	powershell.exe
4368	powershell.exe
2904	powershell.exe
4612	lsass.exe
4516	lsass.exe
2652	lsass.exe
744	lsass.exe
4652	lsass.exe
4996	lsass.exe
1344	lsass.exe
3532	lsass.exe
4608	lsass.exe
1652	lsass.exe
3528	lsass.exe
2608	lsass.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	5028	DllCommonsvc.exe
Token: SeDebugPrivilege	1204	powershell.exe
Token: SeDebugPrivilege	4636	powershell.exe
Token: SeDebugPrivilege	3096	powershell.exe
Token: SeDebugPrivilege	4836	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2420	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	4368	powershell.exe
Token: SeDebugPrivilege	4612	lsass.exe
Token: SeDebugPrivilege	4516	lsass.exe
Token: SeDebugPrivilege	2652	lsass.exe
Token: SeDebugPrivilege	744	lsass.exe
Token: SeDebugPrivilege	4652	lsass.exe
Token: SeDebugPrivilege	4996	lsass.exe
Token: SeDebugPrivilege	1344	lsass.exe
Token: SeDebugPrivilege	3532	lsass.exe
Token: SeDebugPrivilege	4608	lsass.exe
Token: SeDebugPrivilege	1652	lsass.exe
Token: SeDebugPrivilege	3528	lsass.exe
Token: SeDebugPrivilege	2608	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 4512	1800	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe	82
PID 1800 wrote to memory of 4512	1800	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe	82
PID 1800 wrote to memory of 4512	1800	JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe	82
PID 4512 wrote to memory of 2388	4512	WScript.exe	83
PID 4512 wrote to memory of 2388	4512	WScript.exe	83
PID 4512 wrote to memory of 2388	4512	WScript.exe	83
PID 2388 wrote to memory of 5028	2388	cmd.exe	85
PID 2388 wrote to memory of 5028	2388	cmd.exe	85
PID 5028 wrote to memory of 4836	5028	DllCommonsvc.exe	108
PID 5028 wrote to memory of 4836	5028	DllCommonsvc.exe	108
PID 5028 wrote to memory of 2420	5028	DllCommonsvc.exe	109
PID 5028 wrote to memory of 2420	5028	DllCommonsvc.exe	109
PID 5028 wrote to memory of 3096	5028	DllCommonsvc.exe	110
PID 5028 wrote to memory of 3096	5028	DllCommonsvc.exe	110
PID 5028 wrote to memory of 4636	5028	DllCommonsvc.exe	111
PID 5028 wrote to memory of 4636	5028	DllCommonsvc.exe	111
PID 5028 wrote to memory of 1204	5028	DllCommonsvc.exe	112
PID 5028 wrote to memory of 1204	5028	DllCommonsvc.exe	112
PID 5028 wrote to memory of 2904	5028	DllCommonsvc.exe	113
PID 5028 wrote to memory of 2904	5028	DllCommonsvc.exe	113
PID 5028 wrote to memory of 1652	5028	DllCommonsvc.exe	114
PID 5028 wrote to memory of 1652	5028	DllCommonsvc.exe	114
PID 5028 wrote to memory of 4368	5028	DllCommonsvc.exe	115
PID 5028 wrote to memory of 4368	5028	DllCommonsvc.exe	115
PID 5028 wrote to memory of 412	5028	DllCommonsvc.exe	124
PID 5028 wrote to memory of 412	5028	DllCommonsvc.exe	124
PID 412 wrote to memory of 4908	412	cmd.exe	126
PID 412 wrote to memory of 4908	412	cmd.exe	126
PID 412 wrote to memory of 4612	412	cmd.exe	130
PID 412 wrote to memory of 4612	412	cmd.exe	130
PID 4612 wrote to memory of 956	4612	lsass.exe	134
PID 4612 wrote to memory of 956	4612	lsass.exe	134
PID 956 wrote to memory of 3008	956	cmd.exe	136
PID 956 wrote to memory of 3008	956	cmd.exe	136
PID 956 wrote to memory of 4516	956	cmd.exe	137
PID 956 wrote to memory of 4516	956	cmd.exe	137
PID 4516 wrote to memory of 3216	4516	lsass.exe	140
PID 4516 wrote to memory of 3216	4516	lsass.exe	140
PID 3216 wrote to memory of 4360	3216	cmd.exe	142
PID 3216 wrote to memory of 4360	3216	cmd.exe	142
PID 3216 wrote to memory of 2652	3216	cmd.exe	143
PID 3216 wrote to memory of 2652	3216	cmd.exe	143
PID 2652 wrote to memory of 3928	2652	lsass.exe	144
PID 2652 wrote to memory of 3928	2652	lsass.exe	144
PID 3928 wrote to memory of 1204	3928	cmd.exe	146
PID 3928 wrote to memory of 1204	3928	cmd.exe	146
PID 3928 wrote to memory of 744	3928	cmd.exe	147
PID 3928 wrote to memory of 744	3928	cmd.exe	147
PID 744 wrote to memory of 3728	744	lsass.exe	148
PID 744 wrote to memory of 3728	744	lsass.exe	148
PID 3728 wrote to memory of 3864	3728	cmd.exe	150
PID 3728 wrote to memory of 3864	3728	cmd.exe	150
PID 3728 wrote to memory of 4652	3728	cmd.exe	151
PID 3728 wrote to memory of 4652	3728	cmd.exe	151
PID 4652 wrote to memory of 520	4652	lsass.exe	152
PID 4652 wrote to memory of 520	4652	lsass.exe	152
PID 520 wrote to memory of 848	520	cmd.exe	154
PID 520 wrote to memory of 848	520	cmd.exe	154
PID 520 wrote to memory of 4996	520	cmd.exe	155
PID 520 wrote to memory of 4996	520	cmd.exe	155
PID 4996 wrote to memory of 1868	4996	lsass.exe	156
PID 4996 wrote to memory of 1868	4996	lsass.exe	156
PID 1868 wrote to memory of 4780	1868	cmd.exe	158
PID 1868 wrote to memory of 4780	1868	cmd.exe	158

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7165f7aa2d27b2a785f34a620012232d87e2aa7a886f84edf77c8b5df1bde1ad.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4512
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2388
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:5028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\AccountPictures\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4368
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AkdfbCjoS6.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:412
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4908
      - C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3008
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4360
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:3928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1204
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3864
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:848
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:4780
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
        19⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:972
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat"
        21⤵
        
        PID:3676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3460
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat"
        23⤵
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:976
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat"
        25⤵
        
        PID:3096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4312
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
        27⤵
        
        PID:3596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1548
        
        C:\Users\Public\AccountPictures\lsass.exe
        
        "C:\Users\Public\AccountPictures\lsass.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
        29⤵
        
        PID:2368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:4892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Users\Public\AccountPictures\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\AccountPictures\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default\Templates\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Templates\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows NT\TableTextService\en-US\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
280B

MD5
ae4b2d36d40b77616d3d68e8525bb99a

SHA1
ffa22b6ce53e2e764f1377c68980ca93e91d28db

SHA256
d761bdfb47a34d028bdf590af192e5135a82467e593b3680cb3c3684cc264684

SHA512
83ce3758e44ccfa78817ac5395a8715e3569bf45e15b7d94dfea3fdc5b719b975a730f44924bcea0b34909bb13d1d7df2ff94ae303005838bc1c007b7af98772

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat

Filesize
206B

MD5
0078239fd61dc3006b2c7206c7c5f12d

SHA1
4699c117eead6e322f1a17226b1f08a5f49ce031

SHA256
ac9f6e70d2485cc9df054176779740d3caf28d09778347ecc33019ffdbfa57a7

SHA512
b7207d1f0a240197824bc4a2f599c52981216b62d5728a4cd82252dc74722edfea8eff8ff628a1540c2ce6123612c42aafdcd1b9067548a820fc4c2593de0af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\7Xe7C8pmPD.bat

Filesize
206B

MD5
90fe0ea530f7c844128034739e0ba0cc

SHA1
675b71109a56270fe3b0eade44b523ffcb1d96dd

SHA256
419b9453a1a13d13ade4e2f3666c36f48ac672063c564a216f11dc5f359fee3d

SHA512
c0b7441def85eed478b071be22ecbb9cc365566e440171e965e9399fc6791b463c1477dfc0fd138f56ff026d771b7f15001d2a6f08aebf0a960f8fbf9347c27c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat

Filesize
206B

MD5
b28c06c71be169fd3c21220c388098da

SHA1
c2ebda79ac2bbb505cee14b45bc0ad74188e492a

SHA256
1e80028b149e4b00c77268ce9f1cc2d755f5561a3daa158b4dfe6f85e9fe6337

SHA512
151731c116cb3a8c8be267b9cfe9168c15fc94ba479df6e294195adebbfa556a131a63ec354c9eafdf27321e88ae188afb2110cdaaf6cb94f52db09ec73ebf60

Download Submit
C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat

Filesize
206B

MD5
eff2e48bf0f042078dff10c36e541e2e

SHA1
4cc8272a75c319c1d0fa3f35da5600adcc3b1785

SHA256
95a03102d8de7f608d48b0bc4ae470b4b8388df2c501353cd54f6aff6c3f01f9

SHA512
a22636668ec4cad198e186aca34cce4ef2f71561ef99217730d01d6807f18e67e88e30a5d452a1aa5390463a1bbe5fd84dda4620e820b2b0a09c8209e8cefefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\AkdfbCjoS6.bat

Filesize
206B

MD5
326f385aeac040b4f8250130aff12710

SHA1
d225f2f164b91cad9ae51e635d0a5b2345f68309

SHA256
bcab9d0aca6df4dadfc2a610c66c5ad6bc5fbdf9d0bb1764ddd2626349d50084

SHA512
af0694d449b8540ba715ede9222508f766c991239eb7d2d94766878d9f6d98a6e205a9bae647aa99967450f6acf36bb2204721e1306bca2d1912d3177a27fc89

Download Submit
C:\Users\Admin\AppData\Local\Temp\HEz7ZQMTyX.bat

Filesize
206B

MD5
3a3bdaf7f1ab6e7b5be454d2e8b16a28

SHA1
86ab4d498732119637e5eb56e85668783be7e480

SHA256
ba75c7280f7c8aa0913cd5e90d707cfeaf1f7ddbafabe19bc80f9695e0f0497b

SHA512
a723d320779cc247ca953637abfe1374bd631b105ef0d46b99042bfc8b7bbe47df603b6d539022a4a4a9cf94c23e8a0f224501da7e1db87c9047b3e854b63784

Download Submit
C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat

Filesize
206B

MD5
03e101340e13dfcfbf3c8a26e2ae068d

SHA1
ac9467539e7b70e485e086f29d533097ec54ccd6

SHA256
0dccc06a42e359bfe63e782388b2f07e822470abbbeb34712d90916ab2ea75b3

SHA512
2c4fa6f7b673e9584c2ec7e60db5a51b22d1ddf38914c9afa813e1be3fd4b76ca1b3e749326d70b27ecb865fee47ab08bbee6ed4f92a20ecef9a355c792b6a36

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat

Filesize
206B

MD5
3568a5d50bb8afcab9ff30b2617e3615

SHA1
e798937947b359ea4f2257ea651530287feaef67

SHA256
a0bc09da711e00c1df586c95cc2af8f71725cbeb146c517f9077ca6a7debd16d

SHA512
5d5eb4a3981d1c0260238ace22d1fe4a7e6d6f3d9e3d23fd5b73e5abec3560645c8a281ef479aa1d0cf3b6d2917faf071c18504494d0c752411251787696109c

Download Submit
C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat

Filesize
206B

MD5
db4d0eaba7afff44f4ad7b92bf01c4fb

SHA1
274c9fa2dbba3b1ab72123465db23822c6df38da

SHA256
2365bd9f5a3f04173d68fe40b6139eac51911827d0398e41ada3fac18e05830d

SHA512
057a24235161f6c139b6a651dde9383e7fb1e2db780a0848b684f8e1562b56d3efb4beb33321bba11e8ff9946e56ba70cf7a43a9a33df416a79085a3002deec2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

Filesize
206B

MD5
ca4b6d81d19420618e4d2e6b6b9f3634

SHA1
17c11be6c10c24484ea8096be9a5a012293a5bc1

SHA256
b67c6220dd5c10fb38c4d9de116237a33de9d393080230748231e248ea283557

SHA512
0a8e840cc0c900dbd95de1ada574bb1e01ba2338b9cbf990f56cfb3c1131c7bd143c66fcff282fb8f284d46b106fc55a00c47261f82454c78210372ffa168eda

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ujzkufzj.cub.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

Filesize
206B

MD5
61da44101d24ea856c5e1ae9872ecd82

SHA1
1ee636fd8a37ba03736c765c24d71a2751ffc736

SHA256
dc9ac7e4ab1825d42703fafbe9e204419ae2e24033182faae5b41f2423a2db28

SHA512
b9c1017cecaf36735df6de77f65e6455ebdfdbf2e7ce88d902c9ffbf276f0f9326dae0e7f5830d0a138556b0be7e9b78a521f136fc0a3e24d86d6fe91790e5ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\ottjOj3FQt.bat

Filesize
206B

MD5
c10b38deb4b1ff54535f9a1453ba0e82

SHA1
ab69f52eb362ebf5bed44d4b06f97c4a20f142a4

SHA256
cf83c000e5787fea2a36af3e9da1d43f00d196abf226870c07d85e5adce6f6ed

SHA512
9ec0b19128d2001a0cb2f037d5a8b42d1625501789ae8fedd61b3776cd045219adab9848b26ca7f41fb171126891144f96f42726633c5a755926135f75d2b67f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

Filesize
206B

MD5
d8d2626e54511da5b39d5746de5f896a

SHA1
1ed1b2a39985a0596d5f59b2f5cadcd02c6d06fd

SHA256
60cfcedb552411f326e6b035495736264d9d500b578c58a8863bd9c73a98499d

SHA512
acd794227f577df66bb0ecd9d620504a566a5ee9f71352c3ca7e25714c0efa8dc734a470cb7de2cdcbfec9a35455df4184fdfff0f87f02908c5b5ce461fb2284

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1204-45-0x0000028DE4AE0000-0x0000028DE4B02000-memory.dmp

Filesize
136KB

Download
memory/4612-131-0x000000001C7B0000-0x000000001C7C2000-memory.dmp

Filesize
72KB

Download
memory/4612-137-0x000000001D280000-0x000000001D3EA000-memory.dmp

Filesize
1.4MB

Download
memory/5028-14-0x0000000002FF0000-0x0000000003002000-memory.dmp

Filesize
72KB

Download
memory/5028-13-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/5028-12-0x00007FF8CF8E3000-0x00007FF8CF8E5000-memory.dmp

Filesize
8KB

Download
memory/5028-15-0x000000001BAE0000-0x000000001BAEC000-memory.dmp

Filesize
48KB

Download
memory/5028-16-0x000000001BAF0000-0x000000001BAFC000-memory.dmp

Filesize
48KB

Download
memory/5028-17-0x000000001BC50000-0x000000001BC5C000-memory.dmp

Filesize
48KB

Download