dcrat | 91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5

Analysis

max time kernel
146s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 10:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5.exe
Size

1.3MB
MD5

376eeca1f2be0ee2012d5ef131f29d60
SHA1

08bfd8ec49c02cc7eaae3f7200716a5431b7d0f0
SHA256

91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5
SHA512

2d7f089192b89dfeb97ba22bc9115d89e417402fb695924a7a19c2d87355ad8373d4d3ce4ecf10eeb29b4896af0345dc253926ea06c87c70a9f6b7a489ad7a0a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3092	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3992	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4808	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4248	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4252	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3328	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4672	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3376	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3632	1636	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1636	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c94-9.dat	dcrat
behavioral2/memory/672-13-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2204	powershell.exe
4560	powershell.exe
2360	powershell.exe
3492	powershell.exe
892	powershell.exe
4860	powershell.exe
852	powershell.exe
3532	powershell.exe
4936	powershell.exe
4780	powershell.exe
2220	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	JaffaCakes118_91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation	sysmon.exe

Executes dropped EXE 15 IoCs

pid	Process
672	DllCommonsvc.exe
2376	DllCommonsvc.exe
4736	sysmon.exe
5016	sysmon.exe
2948	sysmon.exe
3456	sysmon.exe
1332	sysmon.exe
2608	sysmon.exe
844	sysmon.exe
3700	sysmon.exe
2720	sysmon.exe
4564	sysmon.exe
3380	sysmon.exe
4420	sysmon.exe
3804	sysmon.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
26	raw.githubusercontent.com
40	raw.githubusercontent.com
46	raw.githubusercontent.com
54	raw.githubusercontent.com
56	raw.githubusercontent.com
48	raw.githubusercontent.com
55	raw.githubusercontent.com
18	raw.githubusercontent.com
19	raw.githubusercontent.com
41	raw.githubusercontent.com
45	raw.githubusercontent.com
47	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Security\sysmon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Security\121e5b5079f7c0	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\InputMethod\CHS\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\InputMethod\CHS\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	JaffaCakes118_91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe
Key created	\REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings	sysmon.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2172	schtasks.exe
2860	schtasks.exe
3328	schtasks.exe
4808	schtasks.exe
4248	schtasks.exe
4252	schtasks.exe
2336	schtasks.exe
3632	schtasks.exe
3092	schtasks.exe
2716	schtasks.exe
2196	schtasks.exe
3648	schtasks.exe
2664	schtasks.exe
1224	schtasks.exe
4456	schtasks.exe
2720	schtasks.exe
3152	schtasks.exe
2864	schtasks.exe
1912	schtasks.exe
2644	schtasks.exe
3376	schtasks.exe
3992	schtasks.exe
4756	schtasks.exe
4672	schtasks.exe
4036	schtasks.exe
1548	schtasks.exe
2648	schtasks.exe

Suspicious behavior: EnumeratesProcesses 47 IoCs

pid	Process
672	DllCommonsvc.exe
672	DllCommonsvc.exe
672	DllCommonsvc.exe
672	DllCommonsvc.exe
672	DllCommonsvc.exe
672	DllCommonsvc.exe
672	DllCommonsvc.exe
672	DllCommonsvc.exe
672	DllCommonsvc.exe
672	DllCommonsvc.exe
672	DllCommonsvc.exe
892	powershell.exe
852	powershell.exe
4860	powershell.exe
2204	powershell.exe
2360	powershell.exe
3492	powershell.exe
2204	powershell.exe
852	powershell.exe
892	powershell.exe
2360	powershell.exe
4860	powershell.exe
3492	powershell.exe
2376	DllCommonsvc.exe
2220	powershell.exe
4936	powershell.exe
3532	powershell.exe
4780	powershell.exe
3532	powershell.exe
4560	powershell.exe
4560	powershell.exe
4736	sysmon.exe
2220	powershell.exe
4780	powershell.exe
4936	powershell.exe
5016	sysmon.exe
2948	sysmon.exe
3456	sysmon.exe
1332	sysmon.exe
2608	sysmon.exe
844	sysmon.exe
3700	sysmon.exe
2720	sysmon.exe
4564	sysmon.exe
3380	sysmon.exe
4420	sysmon.exe
3804	sysmon.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	672	DllCommonsvc.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	852	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	4860	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	3492	powershell.exe
Token: SeDebugPrivilege	2376	DllCommonsvc.exe
Token: SeDebugPrivilege	4936	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	3532	powershell.exe
Token: SeDebugPrivilege	4780	powershell.exe
Token: SeDebugPrivilege	4560	powershell.exe
Token: SeDebugPrivilege	4736	sysmon.exe
Token: SeDebugPrivilege	5016	sysmon.exe
Token: SeDebugPrivilege	2948	sysmon.exe
Token: SeDebugPrivilege	3456	sysmon.exe
Token: SeDebugPrivilege	1332	sysmon.exe
Token: SeDebugPrivilege	2608	sysmon.exe
Token: SeDebugPrivilege	844	sysmon.exe
Token: SeDebugPrivilege	3700	sysmon.exe
Token: SeDebugPrivilege	2720	sysmon.exe
Token: SeDebugPrivilege	4564	sysmon.exe
Token: SeDebugPrivilege	3380	sysmon.exe
Token: SeDebugPrivilege	4420	sysmon.exe
Token: SeDebugPrivilege	3804	sysmon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 404 wrote to memory of 4484	404	JaffaCakes118_91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5.exe	82
PID 404 wrote to memory of 4484	404	JaffaCakes118_91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5.exe	82
PID 404 wrote to memory of 4484	404	JaffaCakes118_91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5.exe	82
PID 4484 wrote to memory of 2332	4484	WScript.exe	83
PID 4484 wrote to memory of 2332	4484	WScript.exe	83
PID 4484 wrote to memory of 2332	4484	WScript.exe	83
PID 2332 wrote to memory of 672	2332	cmd.exe	85
PID 2332 wrote to memory of 672	2332	cmd.exe	85
PID 672 wrote to memory of 3492	672	DllCommonsvc.exe	102
PID 672 wrote to memory of 3492	672	DllCommonsvc.exe	102
PID 672 wrote to memory of 2360	672	DllCommonsvc.exe	103
PID 672 wrote to memory of 2360	672	DllCommonsvc.exe	103
PID 672 wrote to memory of 892	672	DllCommonsvc.exe	104
PID 672 wrote to memory of 892	672	DllCommonsvc.exe	104
PID 672 wrote to memory of 4860	672	DllCommonsvc.exe	105
PID 672 wrote to memory of 4860	672	DllCommonsvc.exe	105
PID 672 wrote to memory of 852	672	DllCommonsvc.exe	106
PID 672 wrote to memory of 852	672	DllCommonsvc.exe	106
PID 672 wrote to memory of 2204	672	DllCommonsvc.exe	107
PID 672 wrote to memory of 2204	672	DllCommonsvc.exe	107
PID 672 wrote to memory of 1984	672	DllCommonsvc.exe	114
PID 672 wrote to memory of 1984	672	DllCommonsvc.exe	114
PID 1984 wrote to memory of 4944	1984	cmd.exe	116
PID 1984 wrote to memory of 4944	1984	cmd.exe	116
PID 1984 wrote to memory of 2376	1984	cmd.exe	117
PID 1984 wrote to memory of 2376	1984	cmd.exe	117
PID 2376 wrote to memory of 3532	2376	DllCommonsvc.exe	130
PID 2376 wrote to memory of 3532	2376	DllCommonsvc.exe	130
PID 2376 wrote to memory of 4560	2376	DllCommonsvc.exe	131
PID 2376 wrote to memory of 4560	2376	DllCommonsvc.exe	131
PID 2376 wrote to memory of 4936	2376	DllCommonsvc.exe	132
PID 2376 wrote to memory of 4936	2376	DllCommonsvc.exe	132
PID 2376 wrote to memory of 4780	2376	DllCommonsvc.exe	133
PID 2376 wrote to memory of 4780	2376	DllCommonsvc.exe	133
PID 2376 wrote to memory of 2220	2376	DllCommonsvc.exe	134
PID 2376 wrote to memory of 2220	2376	DllCommonsvc.exe	134
PID 2376 wrote to memory of 4736	2376	DllCommonsvc.exe	140
PID 2376 wrote to memory of 4736	2376	DllCommonsvc.exe	140
PID 4736 wrote to memory of 4828	4736	sysmon.exe	144
PID 4736 wrote to memory of 4828	4736	sysmon.exe	144
PID 4828 wrote to memory of 3420	4828	cmd.exe	146
PID 4828 wrote to memory of 3420	4828	cmd.exe	146
PID 4828 wrote to memory of 5016	4828	cmd.exe	148
PID 4828 wrote to memory of 5016	4828	cmd.exe	148
PID 5016 wrote to memory of 3524	5016	sysmon.exe	151
PID 5016 wrote to memory of 3524	5016	sysmon.exe	151
PID 3524 wrote to memory of 3000	3524	cmd.exe	154
PID 3524 wrote to memory of 3000	3524	cmd.exe	154
PID 3524 wrote to memory of 2948	3524	cmd.exe	156
PID 3524 wrote to memory of 2948	3524	cmd.exe	156
PID 2948 wrote to memory of 3440	2948	sysmon.exe	157
PID 2948 wrote to memory of 3440	2948	sysmon.exe	157
PID 3440 wrote to memory of 3180	3440	cmd.exe	159
PID 3440 wrote to memory of 3180	3440	cmd.exe	159
PID 3440 wrote to memory of 3456	3440	cmd.exe	160
PID 3440 wrote to memory of 3456	3440	cmd.exe	160
PID 3456 wrote to memory of 5036	3456	sysmon.exe	161
PID 3456 wrote to memory of 5036	3456	sysmon.exe	161
PID 5036 wrote to memory of 1272	5036	cmd.exe	163
PID 5036 wrote to memory of 1272	5036	cmd.exe	163
PID 5036 wrote to memory of 1332	5036	cmd.exe	164
PID 5036 wrote to memory of 1332	5036	cmd.exe	164
PID 1332 wrote to memory of 3600	1332	sysmon.exe	165
PID 1332 wrote to memory of 3600	1332	sysmon.exe	165

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_91c7626f5c2f0d316b262d5003159b12238c38fc4004c2e4bc0d6aba3f3ef5d5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\CHS\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iH4enlMEf2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1984
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4944
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3532
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4560
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Security\sysmon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3420
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3000
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3180
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1272
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        16⤵
        
        PID:3600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1244
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat"
        18⤵
        
        PID:5096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1924
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
        20⤵
        
        PID:4404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:680
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat"
        22⤵
        
        PID:732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:4356
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
        24⤵
        
        PID:1444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:876
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
        26⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2616
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat"
        28⤵
        
        PID:4248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1256
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        30⤵
        
        PID:232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2136
        
        C:\Program Files\Windows Security\sysmon.exe
        
        "C:\Program Files\Windows Security\sysmon.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\InputMethod\CHS\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHS\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\InputMethod\CHS\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 7 /tr "'C:\providercommon\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 11 /tr "'C:\providercommon\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Security\sysmon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmon" /sc ONLOGON /tr "'C:\Program Files\Windows Security\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sysmons" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Security\sysmon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sysmon.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ee9f1be5d4d351a5c376b370adcf0eea

SHA1
1779cecfb13c6a2f0f2813ae65d0d91ebdcf5583

SHA256
70600f0f93bca5f0548bfe5503513caadda31cbcd14dc007824b0925a8626e4b

SHA512
fda7345f64a6352e99bb3f5d94e58751a71d45a27147f60da32d12ff0307dbe416f482f1b9950e52ce63cbb5f0e5c1647f72dbb7a05c5419ccd8b7980ea86754

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
19e1e2a79d89d1a806d9f998551c82a8

SHA1
3ea8c6b09bcaa874efc3a220f6f61eed4be85ebd

SHA256
210f353fbdf0ed0f95aec9d76a455c1e92f96000551a875c5de55cfa712f4adc

SHA512
da427ad972596f8f795ae978337e943cb07f9c5a2ed1c8d1f1cad27c07dcec2f4d4ffe9424db2b90fcba3c2f301524f52931a863efae38fca2bef1def53567b8

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
209B

MD5
9245d0603cf02db2efa9dc49aa733151

SHA1
4ad0b96fd91b9842f34785fe0d3a0815f1cc60da

SHA256
844b432c19cb78dd1bfd80dc26bc12ae64200903316cc249502b4a038410f329

SHA512
7ca4d1dd52841890a3c5324c87cec0e8a636953870dba0e6b9b1797bd0ef1e7538af6f0e57288b89f1cfcfa99fdf28462e582c7ef50a73afd76639a5cdd21372

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat

Filesize
209B

MD5
b7b51b94cdf38660fc9c5858ad1cd557

SHA1
77efb33a588a3c1854736047ff5b242a38f1368b

SHA256
4c197709c950613b4e99d800d10395d1ea7f6e86addb389eba5fcfe662bc4951

SHA512
da25f468e270cb4f799bdb5d858e496d6a8cc3df1e574207b5e9f87bc01324014b94759877b99c39ce5cddf5ca0ef2a6f29b6bfcba3f53750a52d3b8ef021a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\I4yJNRBzAA.bat

Filesize
209B

MD5
67bc7e26297f1703575e442690928b7a

SHA1
e3f9458b149a539114b5327df4e4c8367577331b

SHA256
c2a2a5440021ea1dee78df37142e195083590dfb263b44a307437e32dd63f5f0

SHA512
5bbe06367ad1265903649172b21b2a0dd269d2defb2fbefe0ef857bf835115ac7e24840b74a80bd2d22ef7b3858aa32efa18d04eec90cf0644bd0b39fa35f4bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WqeaogqjWu.bat

Filesize
209B

MD5
2ae017e621c090b3bc7f8e0da8368b15

SHA1
6abd38c094d14a543d85f1e0ea1272d395de10c6

SHA256
bb818ea040eaf571b5c0f94212aa292fa63a5328e196a9364bae7064ef776549

SHA512
64222a117746c04b56a01353a1358815a93beb482a88170ed9adeb8290b76a2f54fd7997747cf52d7468866407e1822ed360be5e143a34139a5319490fb21ee7

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_odj1v4t3.f1m.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
209B

MD5
45441ea029dad4104fc5bab16be70532

SHA1
b773770abbf41bf39f062d436b62f1c6f14424ba

SHA256
6b0ea04caa96e010c670579e01700dd0d307f5e339e66945f03d78ba370c0a16

SHA512
ac2d528b3bc928b76754d4b6a5b044e791848be160de471e9339e42585aacb78f64de8cacd8f23a08012c8738ebccce974ae9fc69861e4406e9b0f44c29d876c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iH4enlMEf2.bat

Filesize
199B

MD5
249f484c2fda8aca4cf7cb9278417b9e

SHA1
5f45628f9d36a24e8cef6ed5fb8ffe46fa2bfa56

SHA256
9336aa05a699bc48b2306933b2bc2dfd1adc897548dbb7f0f11b4c82d88d72e5

SHA512
633360472bb4c3fdd3b4d4c5d72fb1299fc485e6d9128656be2c142938e2d02dcd889b6868c2c95a2332cccb3d5ced39f8652251aa4a76b247fca30fcaca5e22

Download Submit
C:\Users\Admin\AppData\Local\Temp\nfin2KLgOh.bat

Filesize
209B

MD5
d32c20cb03ff407ed98896063690e205

SHA1
c17fe51aadc696fd1750727aafa3e78c7b3de93a

SHA256
725df43a95da6fb5d38d1caf55a73f41cb5de7bd189c4903b21c0afef3415639

SHA512
1bc62c928c47dbce2a780909d9b9351b4d9e1825e59cb4f127dbc8811eb113b54a55382e5eda0d5dcd2db58f51f1bdce7d259cbebf78e8031f600eaa32e44ba0

Download Submit
C:\Users\Admin\AppData\Local\Temp\pakqiPPahT.bat

Filesize
209B

MD5
ae59fd5528b232efcbf52d4b6621d08e

SHA1
868de0c5cbd0cb49f34dbd0cb406d88b6a77d683

SHA256
df381fac172dc54f38144dcd71c6f1a46493b9d77b778cd20fc60400e93d04ed

SHA512
dcef3171e734bfbbe4294ba8f75b7e014fe04eb170e8020bd4586b5720dc9acbeea342ee357f2318a0e6a9a6f27adf98f77d1ab137849513adb84c3abfa4d545

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
209B

MD5
de5b1cbba42ab63759a2fd3ccbdbc34e

SHA1
d91d25fae7bc2e52e86ddb21ea88d37c437b12f4

SHA256
41dbd02af0a2f6ca3b5ebc34794e7d4fdcae93952690d4bd3d6c73201d93d463

SHA512
92efee4d8adeb38a392909373d8a667d9ea67fc186b0f2a9f4612708977e307cbb891d82d54e155f98b229f731aed33f5dfcaebbc53585d43321c56a4dd5e28e

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

Filesize
209B

MD5
100735cb3031ca43442e41d762e88909

SHA1
4a633173d7d81249c2dd33f9508253bef753863d

SHA256
8ec98ede0e3ce648bb5cba3e20501c65c7a66439701324d6a6309c5021601808

SHA512
15e150548914e5bd3c920a1da30c91137dbb3bc0595b983b7d6a5e42c9268e591ccb34ea9d3b05bb8d359c0407a22ffd460d54e9c3e711be303cbab4e2567d85

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/672-15-0x0000000002F20000-0x0000000002F2C000-memory.dmp

Filesize
48KB

Download
memory/672-12-0x00007FFFD1BC3000-0x00007FFFD1BC5000-memory.dmp

Filesize
8KB

Download
memory/672-13-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/672-17-0x0000000002F30000-0x0000000002F3C000-memory.dmp

Filesize
48KB

Download
memory/672-14-0x00000000016C0000-0x00000000016D2000-memory.dmp

Filesize
72KB

Download
memory/672-16-0x0000000002F10000-0x0000000002F1C000-memory.dmp

Filesize
48KB

Download
memory/892-41-0x000001FF25780000-0x000001FF257A2000-memory.dmp

Filesize
136KB

Download
memory/1332-208-0x00000000024E0000-0x00000000024F2000-memory.dmp

Filesize
72KB

Download
memory/2376-106-0x0000000002860000-0x0000000002872000-memory.dmp

Filesize
72KB

Download
memory/2948-194-0x0000000002420000-0x0000000002432000-memory.dmp

Filesize
72KB

Download
memory/3380-246-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/3456-201-0x0000000001190000-0x00000000011A2000-memory.dmp

Filesize
72KB

Download
memory/3700-227-0x00000000022C0000-0x00000000022D2000-memory.dmp

Filesize
72KB

Download
memory/3804-260-0x0000000000E30000-0x0000000000E42000-memory.dmp

Filesize
72KB

Download
memory/4420-253-0x0000000002CD0000-0x0000000002CE2000-memory.dmp

Filesize
72KB

Download
memory/4564-239-0x0000000001A30000-0x0000000001A42000-memory.dmp

Filesize
72KB

Download