dcrat | 42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae

Analysis

max time kernel
150s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe
Size

1.3MB
MD5

2dbe5c9a6f56201a4bc0519ca6e689bb
SHA1

63922b16f54dc160a7434a8358113b1d2050fbe8
SHA256

42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae
SHA512

c0a4c289aa4d8b7b9327c783699b92317954ea18578a785d6f83b1882586dc9336c97b2a190629b44874d8207ed446ae4277ac119bed53d1ecd24ee549d8e7c3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3908	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4400	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3860	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3388	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3960	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	32	1040	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4588	1040	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c92-10.dat	dcrat
behavioral2/memory/2832-13-0x0000000000440000-0x0000000000550000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
4724	powershell.exe
3996	powershell.exe
4984	powershell.exe
2388	powershell.exe
4656	powershell.exe
1348	powershell.exe
316	powershell.exe
516	powershell.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation	SearchApp.exe

Executes dropped EXE 16 IoCs

pid	Process
2832	DllCommonsvc.exe
1712	SearchApp.exe
4840	SearchApp.exe
2444	SearchApp.exe
3412	SearchApp.exe
1760	SearchApp.exe
4612	SearchApp.exe
684	SearchApp.exe
3996	SearchApp.exe
2828	SearchApp.exe
2384	SearchApp.exe
1624	SearchApp.exe
2104	SearchApp.exe
2672	SearchApp.exe
2748	SearchApp.exe
2312	SearchApp.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 15 IoCs

Web Service

T1102

flow	ioc
55	raw.githubusercontent.com
18	raw.githubusercontent.com
39	raw.githubusercontent.com
45	raw.githubusercontent.com
49	raw.githubusercontent.com
54	raw.githubusercontent.com
17	raw.githubusercontent.com
24	raw.githubusercontent.com
44	raw.githubusercontent.com
40	raw.githubusercontent.com
46	raw.githubusercontent.com
58	raw.githubusercontent.com
38	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\de-DE\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6cb0b6c459d5d3	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Performance\SearchApp.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\38384e6a620884	DllCommonsvc.exe
File created	C:\Windows\servicing\uk-UA\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 16 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe
Key created	\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000_Classes\Local Settings	SearchApp.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
840	schtasks.exe
4244	schtasks.exe
3388	schtasks.exe
3960	schtasks.exe
2784	schtasks.exe
4588	schtasks.exe
1328	schtasks.exe
2748	schtasks.exe
3908	schtasks.exe
3860	schtasks.exe
1832	schtasks.exe
2828	schtasks.exe
4596	schtasks.exe
4400	schtasks.exe
1452	schtasks.exe
1156	schtasks.exe
752	schtasks.exe
2264	schtasks.exe
4772	schtasks.exe
32	schtasks.exe
1216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 52 IoCs

pid	Process
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
2832	DllCommonsvc.exe
4724	powershell.exe
4724	powershell.exe
2388	powershell.exe
2388	powershell.exe
4656	powershell.exe
4656	powershell.exe
1348	powershell.exe
1348	powershell.exe
516	powershell.exe
516	powershell.exe
316	powershell.exe
316	powershell.exe
3996	powershell.exe
3996	powershell.exe
4984	powershell.exe
4984	powershell.exe
4984	powershell.exe
2388	powershell.exe
4656	powershell.exe
4724	powershell.exe
316	powershell.exe
516	powershell.exe
1348	powershell.exe
3996	powershell.exe
1712	SearchApp.exe
4840	SearchApp.exe
2444	SearchApp.exe
3412	SearchApp.exe
1760	SearchApp.exe
4612	SearchApp.exe
684	SearchApp.exe
3996	SearchApp.exe
2828	SearchApp.exe
2384	SearchApp.exe
1624	SearchApp.exe
2104	SearchApp.exe
2672	SearchApp.exe
2748	SearchApp.exe
2312	SearchApp.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	DllCommonsvc.exe
Token: SeDebugPrivilege	4724	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	4656	powershell.exe
Token: SeDebugPrivilege	1348	powershell.exe
Token: SeDebugPrivilege	516	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	3996	powershell.exe
Token: SeDebugPrivilege	4984	powershell.exe
Token: SeDebugPrivilege	1712	SearchApp.exe
Token: SeDebugPrivilege	4840	SearchApp.exe
Token: SeDebugPrivilege	2444	SearchApp.exe
Token: SeDebugPrivilege	3412	SearchApp.exe
Token: SeDebugPrivilege	1760	SearchApp.exe
Token: SeDebugPrivilege	4612	SearchApp.exe
Token: SeDebugPrivilege	684	SearchApp.exe
Token: SeDebugPrivilege	3996	SearchApp.exe
Token: SeDebugPrivilege	2828	SearchApp.exe
Token: SeDebugPrivilege	2384	SearchApp.exe
Token: SeDebugPrivilege	1624	SearchApp.exe
Token: SeDebugPrivilege	2104	SearchApp.exe
Token: SeDebugPrivilege	2672	SearchApp.exe
Token: SeDebugPrivilege	2748	SearchApp.exe
Token: SeDebugPrivilege	2312	SearchApp.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1612 wrote to memory of 1484	1612	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe	83
PID 1612 wrote to memory of 1484	1612	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe	83
PID 1612 wrote to memory of 1484	1612	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe	83
PID 1484 wrote to memory of 1400	1484	WScript.exe	84
PID 1484 wrote to memory of 1400	1484	WScript.exe	84
PID 1484 wrote to memory of 1400	1484	WScript.exe	84
PID 1400 wrote to memory of 2832	1400	cmd.exe	86
PID 1400 wrote to memory of 2832	1400	cmd.exe	86
PID 2832 wrote to memory of 316	2832	DllCommonsvc.exe	110
PID 2832 wrote to memory of 316	2832	DllCommonsvc.exe	110
PID 2832 wrote to memory of 516	2832	DllCommonsvc.exe	111
PID 2832 wrote to memory of 516	2832	DllCommonsvc.exe	111
PID 2832 wrote to memory of 1348	2832	DllCommonsvc.exe	112
PID 2832 wrote to memory of 1348	2832	DllCommonsvc.exe	112
PID 2832 wrote to memory of 4656	2832	DllCommonsvc.exe	113
PID 2832 wrote to memory of 4656	2832	DllCommonsvc.exe	113
PID 2832 wrote to memory of 2388	2832	DllCommonsvc.exe	114
PID 2832 wrote to memory of 2388	2832	DllCommonsvc.exe	114
PID 2832 wrote to memory of 4984	2832	DllCommonsvc.exe	115
PID 2832 wrote to memory of 4984	2832	DllCommonsvc.exe	115
PID 2832 wrote to memory of 3996	2832	DllCommonsvc.exe	116
PID 2832 wrote to memory of 3996	2832	DllCommonsvc.exe	116
PID 2832 wrote to memory of 4724	2832	DllCommonsvc.exe	117
PID 2832 wrote to memory of 4724	2832	DllCommonsvc.exe	117
PID 2832 wrote to memory of 2524	2832	DllCommonsvc.exe	126
PID 2832 wrote to memory of 2524	2832	DllCommonsvc.exe	126
PID 2524 wrote to memory of 4796	2524	cmd.exe	128
PID 2524 wrote to memory of 4796	2524	cmd.exe	128
PID 2524 wrote to memory of 1712	2524	cmd.exe	135
PID 2524 wrote to memory of 1712	2524	cmd.exe	135
PID 1712 wrote to memory of 2532	1712	SearchApp.exe	139
PID 1712 wrote to memory of 2532	1712	SearchApp.exe	139
PID 2532 wrote to memory of 1508	2532	cmd.exe	141
PID 2532 wrote to memory of 1508	2532	cmd.exe	141
PID 2532 wrote to memory of 4840	2532	cmd.exe	147
PID 2532 wrote to memory of 4840	2532	cmd.exe	147
PID 4840 wrote to memory of 448	4840	SearchApp.exe	149
PID 4840 wrote to memory of 448	4840	SearchApp.exe	149
PID 448 wrote to memory of 3868	448	cmd.exe	151
PID 448 wrote to memory of 3868	448	cmd.exe	151
PID 448 wrote to memory of 2444	448	cmd.exe	153
PID 448 wrote to memory of 2444	448	cmd.exe	153
PID 2444 wrote to memory of 1140	2444	SearchApp.exe	158
PID 2444 wrote to memory of 1140	2444	SearchApp.exe	158
PID 1140 wrote to memory of 1556	1140	cmd.exe	160
PID 1140 wrote to memory of 1556	1140	cmd.exe	160
PID 1140 wrote to memory of 3412	1140	cmd.exe	162
PID 1140 wrote to memory of 3412	1140	cmd.exe	162
PID 3412 wrote to memory of 4968	3412	SearchApp.exe	164
PID 3412 wrote to memory of 4968	3412	SearchApp.exe	164
PID 4968 wrote to memory of 3920	4968	cmd.exe	166
PID 4968 wrote to memory of 3920	4968	cmd.exe	166
PID 4968 wrote to memory of 1760	4968	cmd.exe	168
PID 4968 wrote to memory of 1760	4968	cmd.exe	168
PID 1760 wrote to memory of 1712	1760	SearchApp.exe	170
PID 1760 wrote to memory of 1712	1760	SearchApp.exe	170
PID 1712 wrote to memory of 1960	1712	cmd.exe	172
PID 1712 wrote to memory of 1960	1712	cmd.exe	172
PID 1712 wrote to memory of 4612	1712	cmd.exe	174
PID 1712 wrote to memory of 4612	1712	cmd.exe	174
PID 4612 wrote to memory of 4984	4612	SearchApp.exe	177
PID 4612 wrote to memory of 4984	4612	SearchApp.exe	177
PID 4984 wrote to memory of 312	4984	cmd.exe	179
PID 4984 wrote to memory of 312	4984	cmd.exe	179

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1484
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1400
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\SearchApp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4724
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ufSgU4AUWD.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2524
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4796
      - C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1508
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3868
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1556
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3920
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1960
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:312
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        19⤵
        
        PID:5068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4120
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
        21⤵
        
        PID:4460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3692
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        23⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3108
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat"
        25⤵
        
        PID:4940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4376
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
        27⤵
        
        PID:1172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4492
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
        29⤵
        
        PID:1056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2168
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        31⤵
        
        PID:3248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2196
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        32⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat"
        33⤵
        
        PID:3144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:1156
        
        C:\Windows\Performance\SearchApp.exe
        
        "C:\Windows\Performance\SearchApp.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\SearchApp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\Windows\Performance\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\SearchApp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Local Settings\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:32

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Local Settings\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4588

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SearchApp.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
664B

MD5
f26b28e43f23ac618a61e89b90040efb

SHA1
7c21ba878f80014228fd5625ee18441df6f5f0e9

SHA256
71048df8b2b2b67731d40d22cfc823bb81cfd4bbe0ec38b3c7afec0f1ac93863

SHA512
65499c8d3b48573232546fe905ff6a2815ba68ac85941e1a0872361381fa639517dc8b4f04aac0fa321a66a91fb070d4981b911321839d13735a288e71085459

Download Submit
C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat

Filesize
201B

MD5
6e35444e4422e8fbd28bded3bfcee2dd

SHA1
d2290368cd163f2253e4cef14b1e368b3d364af3

SHA256
b477aacfe5f3ca3a5207d3027482105ec62f951a4b64399b1cc18af3654c6382

SHA512
f039fd810bb75518864cb68a8e89a7be920170fb0f3517aa8fef407e1b9e3ffc409585fa7c612be8b26242a6bddf06463c6b488375df8ee1b16594d44423bbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

Filesize
201B

MD5
64191e4f5d5879cfb17a5b5d0ea58712

SHA1
6e844abf0d1b7bc8684ead003fcfaffcc0b5f651

SHA256
89af059fc944376e29d4e674ab0814c92bfb1c05a77d224b6358b6626fabebe1

SHA512
5c12edbdb5561514c831100a7b401d3e2f13a20691b843bdba2f473f26815f5cb9a424e39a78e3b6c2fef97194739fbe11a04b0a15243fdab79d731ee6218ae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat

Filesize
201B

MD5
4001e17621202a61dae9f2ded6bcd922

SHA1
dad068a2007b81491208713f50bd21f6011ead85

SHA256
0ca4596170f4c0ff1045d418c85c0804398fd75860e2632578e022cfa02fa961

SHA512
997cd1ed82d5d3987f0a7aa406ba652263b8e19bf97e61ff569336b5c85b0d2d093ed3cdc5024767502315389ee579f1bbc805b09854499e2c6e2773291ed670

Download Submit
C:\Users\Admin\AppData\Local\Temp\Asmf6CRzTu.bat

Filesize
201B

MD5
62f2f0e288f3c7082cdcd71f546eb2b1

SHA1
f7910b1f297fd20f79aae15334b6e8bfc8621608

SHA256
2abf84dd7ce029d1ea958cef11b327500cf64aefca75b03f788bce054094592a

SHA512
32aed6fc74eaecac92ceb9b2070328f19b993db7cf61696124a81c2531dce3f65e421b326a9969f2ded63b0d509b88ff100dadbef6e05ef108c1df791dddd8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
201B

MD5
b766497ddfaa590d34350d61793cb770

SHA1
09e81f066fa9b9814ac66276eba72961606a132f

SHA256
4019d8cf6e65fc2f0b7ffd16fb374e7916a39c7ef000db81702d0658197e1570

SHA512
ec54af8318c99e4427888cfb3aabf7dba3e6e149f4bea669ed64a5c0b76a1e458e2a4c3cf09615a639883afe68adc8503fde6d0ca15bddf14ed53a1813047aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbgl9PPr7s.bat

Filesize
201B

MD5
3ad1837025ab237ed78f08d41d1e6baf

SHA1
b8d0e43313c9787823202302fcddafe91cdc7800

SHA256
d38a43feee66d2150857f5a79f422c3fc91a6629ae62b58e0e69ec8d9e6466e8

SHA512
3de1087fbb735cf464a04440494f8d220b5b7ac85e2cfb0a4bfc620a6ee1299a045f3bc3051b2afb6c3f89c8b517cb3d20056f0f4521fe7a79afb1b314da37ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

Filesize
201B

MD5
0ae14260728fd7bfc8281661a866b0f3

SHA1
1c55649aaea806157db613d77d71a3af5f5fb0de

SHA256
a473a47bda0b20f564fbcc6e23de3e1c9b60c8a5b290e01ba5b2eda007e947e1

SHA512
e2bd2949f87b7a36c70843720be6c0beea9e6e802a0200463599e7f33996cf820bc00d4799bf1dda4d9821bda99fef5b4676695483091efb127e751f2da1003b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UTkrWZWekQ.bat

Filesize
201B

MD5
d32607570c368c34ebac3ae1d524d8ff

SHA1
829bc697aa7dce91a9d5caa2fb36d482007922f5

SHA256
d3b6a5c677590901ebf57a581eb174a99182e1147aa7a2daa9296bdd095cc3c3

SHA512
cf3fc393c41d86ed81799136759633806a02c3cc1dea667c25782940e48fd9b40fe91949ddcf2233f0a13624436667663e3cfa21ea19340fef47b59cccd0cf74

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat

Filesize
201B

MD5
57e8ed65f392eb5ea2cf057e8ebdca81

SHA1
b9a171b033b8c14a1e848603012407c42436c3ff

SHA256
fb17cbefa022e48a1e2a733b10a267d715d15f6738aaff1833da2a2f15dd0dcb

SHA512
b56d5c98fa7a0503453e76c3ef94e237c3dcbdff3c9a978fbdd32e8272f9fb884765aff2970251d651dba4b1f945ce3ac332f24b509e798c162823b3daa21ca8

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_xafxomnz.cpr.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
201B

MD5
a9f64f1d231534feb3aa484936725eb9

SHA1
61dda30a45d15033de2789de66a6c5af90daa2eb

SHA256
1f7b3f7eeb3c3310c57d49cedd790914bbc61a880c8b7b884da65207b4798f14

SHA512
b73a7a85424fc713a23c7b5c2c25b8f3f2c6f1f21e38eeca96af03c2a19eb6113ad1595d28e8eb67cbc3c54c2f6ab9130b5000e552e047802b9f8d49aead7bdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat

Filesize
201B

MD5
a1ae097e01543468320a0b2f68c9e732

SHA1
4134edfd2c99022e0ca87265ad801bf4d8f29ccd

SHA256
232b0d124fc3220d81bf2ea59b0331e7074bc4a6ecc15e88326bfa2f2c3f3aaf

SHA512
29a75b8ac198042ee868199a1dcef54a0a1df8bce4106c8e0b24fe1aca1ca7145764333453a11c3eaef63024b88afd9206d3efa491015a9234b3b86d1353f9b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
201B

MD5
a3264ddcf58c64e88bbf93c3293e3745

SHA1
e3719ba72c9cd525e83e67edd16bfc712e609777

SHA256
8eee6b14f5c4ac8a1f79ddb6b5a446df1f1bd36730382688d4b1d9bb46287af9

SHA512
2e81a2687c2d67eeddada7fe33ac4e927e7920332543905f26c955a631ef414fe39e5db7272a0ab0e9de13eb1b35e809a5d7556587201231669bb2179ab64237

Download Submit
C:\Users\Admin\AppData\Local\Temp\ufSgU4AUWD.bat

Filesize
201B

MD5
aa140d6accfed8459b36a3671ba60b5b

SHA1
c2b642a52ecada467ed0b982e4409aa19e1fc143

SHA256
b622c25c2c2494d85c15037cd2525a95c18c41e34dc116b9a763369d0ef7a2bc

SHA512
b10ada84c09fab5e43f6b5074685fe9d5a4790921a2124c1f8bb110ad6066e8e02591a52485323a0bbb7f711729eb4b45f2b08f91c5b9a020e21522840b504d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

Filesize
201B

MD5
94d0f2638de3cae4cb691b6d26605561

SHA1
203fbeb16cd81ebfd50f885a8d5aed66c5a3aa38

SHA256
888ec2641379de7c6f0becf1763c64347ce4cac1d839b2ce8ca57152887a1846

SHA512
0c5917d84b81969d4dc8a74577bf4b1f8d46730b6594e6b215e06ff89d25a2c7144f28530b5f6dbed27ea504c18aae8c9e11850d639bea4b3bd274cc3d2bf2ef

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1624-200-0x0000000001700000-0x0000000001712000-memory.dmp

Filesize
72KB

Download
memory/1712-131-0x0000000002560000-0x0000000002572000-memory.dmp

Filesize
72KB

Download
memory/1760-159-0x0000000001740000-0x0000000001752000-memory.dmp

Filesize
72KB

Download
memory/2104-207-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/2384-193-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download
memory/2388-42-0x0000028A6ADF0000-0x0000028A6AE12000-memory.dmp

Filesize
136KB

Download
memory/2828-186-0x0000000000C80000-0x0000000000C92000-memory.dmp

Filesize
72KB

Download
memory/2832-17-0x000000001B890000-0x000000001B89C000-memory.dmp

Filesize
48KB

Download
memory/2832-16-0x000000001B120000-0x000000001B12C000-memory.dmp

Filesize
48KB

Download
memory/2832-15-0x000000001B130000-0x000000001B13C000-memory.dmp

Filesize
48KB

Download
memory/2832-14-0x0000000000E90000-0x0000000000EA2000-memory.dmp

Filesize
72KB

Download
memory/2832-13-0x0000000000440000-0x0000000000550000-memory.dmp

Filesize
1.1MB

Download
memory/2832-12-0x00007FFC7B4E3000-0x00007FFC7B4E5000-memory.dmp

Filesize
8KB

Download
memory/3996-179-0x00000000031C0000-0x00000000031D2000-memory.dmp

Filesize
72KB

Download
memory/4612-166-0x000000001B4C0000-0x000000001B4D2000-memory.dmp

Filesize
72KB

Download
memory/4840-140-0x0000000002C60000-0x0000000002C72000-memory.dmp

Filesize
72KB

Download