dcrat | 6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 10:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe
Size

1.3MB
MD5

77ffda5ff2e563a64c2f7d2840620c8d
SHA1

246d003969350060bce81fd983d04e98efcb3d2a
SHA256

6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700
SHA512

772a903833ed988e313f4d982d012136317f2135538dc5f4f82a0ee292699290201d74c530cd33e4f8e07c55e2f988a9da22b03516b36896443077fc3bdc42bf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4624	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	936	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3212	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3240	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3080	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4908	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4804	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4060	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1216	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4308	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3248	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5080	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3588	2600	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4276	2600	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023ca2-10.dat	dcrat
behavioral2/memory/1560-13-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3892	powershell.exe
772	powershell.exe
964	powershell.exe
2360	powershell.exe
1220	powershell.exe
716	powershell.exe
4700	powershell.exe
4864	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	dwm.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe

Executes dropped EXE 13 IoCs

pid	Process
1560	DllCommonsvc.exe
2148	dwm.exe
2144	dwm.exe
4708	dwm.exe
3092	dwm.exe
2760	dwm.exe
1228	dwm.exe
412	dwm.exe
1144	dwm.exe
2180	dwm.exe
5064	dwm.exe
1764	dwm.exe
2760	dwm.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
53	raw.githubusercontent.com
22	raw.githubusercontent.com
46	raw.githubusercontent.com
49	raw.githubusercontent.com
50	raw.githubusercontent.com
52	raw.githubusercontent.com
14	raw.githubusercontent.com
41	raw.githubusercontent.com
45	raw.githubusercontent.com
37	raw.githubusercontent.com
51	raw.githubusercontent.com
15	raw.githubusercontent.com
35	raw.githubusercontent.com
40	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\es-ES\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\PrintDialog\pris\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\PrintDialog\pris\services.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\PrintDialog\pris\services.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	dwm.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1216	schtasks.exe
4308	schtasks.exe
5080	schtasks.exe
3588	schtasks.exe
1144	schtasks.exe
4624	schtasks.exe
948	schtasks.exe
4908	schtasks.exe
3212	schtasks.exe
2088	schtasks.exe
1844	schtasks.exe
2276	schtasks.exe
3248	schtasks.exe
4276	schtasks.exe
4312	schtasks.exe
2248	schtasks.exe
4060	schtasks.exe
4804	schtasks.exe
936	schtasks.exe
3240	schtasks.exe
3080	schtasks.exe

Suspicious behavior: EnumeratesProcesses 38 IoCs

pid	Process
1560	DllCommonsvc.exe
3892	powershell.exe
964	powershell.exe
772	powershell.exe
716	powershell.exe
2360	powershell.exe
2360	powershell.exe
1220	powershell.exe
1220	powershell.exe
4700	powershell.exe
4700	powershell.exe
4864	powershell.exe
4864	powershell.exe
1220	powershell.exe
2360	powershell.exe
2148	dwm.exe
2148	dwm.exe
3892	powershell.exe
3892	powershell.exe
964	powershell.exe
964	powershell.exe
716	powershell.exe
716	powershell.exe
772	powershell.exe
772	powershell.exe
4864	powershell.exe
4700	powershell.exe
2144	dwm.exe
4708	dwm.exe
3092	dwm.exe
2760	dwm.exe
1228	dwm.exe
412	dwm.exe
1144	dwm.exe
2180	dwm.exe
5064	dwm.exe
1764	dwm.exe
2760	dwm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1560	DllCommonsvc.exe
Token: SeDebugPrivilege	3892	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	716	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	1220	powershell.exe
Token: SeDebugPrivilege	4700	powershell.exe
Token: SeDebugPrivilege	4864	powershell.exe
Token: SeDebugPrivilege	2148	dwm.exe
Token: SeDebugPrivilege	2144	dwm.exe
Token: SeDebugPrivilege	4708	dwm.exe
Token: SeDebugPrivilege	3092	dwm.exe
Token: SeDebugPrivilege	2760	dwm.exe
Token: SeDebugPrivilege	1228	dwm.exe
Token: SeDebugPrivilege	412	dwm.exe
Token: SeDebugPrivilege	1144	dwm.exe
Token: SeDebugPrivilege	2180	dwm.exe
Token: SeDebugPrivilege	5064	dwm.exe
Token: SeDebugPrivilege	1764	dwm.exe
Token: SeDebugPrivilege	2760	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 684 wrote to memory of 3304	684	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe	82
PID 684 wrote to memory of 3304	684	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe	82
PID 684 wrote to memory of 3304	684	JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe	82
PID 3304 wrote to memory of 3124	3304	WScript.exe	83
PID 3304 wrote to memory of 3124	3304	WScript.exe	83
PID 3304 wrote to memory of 3124	3304	WScript.exe	83
PID 3124 wrote to memory of 1560	3124	cmd.exe	85
PID 3124 wrote to memory of 1560	3124	cmd.exe	85
PID 1560 wrote to memory of 964	1560	DllCommonsvc.exe	108
PID 1560 wrote to memory of 964	1560	DllCommonsvc.exe	108
PID 1560 wrote to memory of 772	1560	DllCommonsvc.exe	109
PID 1560 wrote to memory of 772	1560	DllCommonsvc.exe	109
PID 1560 wrote to memory of 3892	1560	DllCommonsvc.exe	110
PID 1560 wrote to memory of 3892	1560	DllCommonsvc.exe	110
PID 1560 wrote to memory of 2360	1560	DllCommonsvc.exe	111
PID 1560 wrote to memory of 2360	1560	DllCommonsvc.exe	111
PID 1560 wrote to memory of 4864	1560	DllCommonsvc.exe	112
PID 1560 wrote to memory of 4864	1560	DllCommonsvc.exe	112
PID 1560 wrote to memory of 4700	1560	DllCommonsvc.exe	113
PID 1560 wrote to memory of 4700	1560	DllCommonsvc.exe	113
PID 1560 wrote to memory of 716	1560	DllCommonsvc.exe	114
PID 1560 wrote to memory of 716	1560	DllCommonsvc.exe	114
PID 1560 wrote to memory of 1220	1560	DllCommonsvc.exe	115
PID 1560 wrote to memory of 1220	1560	DllCommonsvc.exe	115
PID 1560 wrote to memory of 2148	1560	DllCommonsvc.exe	124
PID 1560 wrote to memory of 2148	1560	DllCommonsvc.exe	124
PID 2148 wrote to memory of 1444	2148	dwm.exe	128
PID 2148 wrote to memory of 1444	2148	dwm.exe	128
PID 1444 wrote to memory of 4060	1444	cmd.exe	130
PID 1444 wrote to memory of 4060	1444	cmd.exe	130
PID 1444 wrote to memory of 2144	1444	cmd.exe	134
PID 1444 wrote to memory of 2144	1444	cmd.exe	134
PID 2144 wrote to memory of 4132	2144	dwm.exe	135
PID 2144 wrote to memory of 4132	2144	dwm.exe	135
PID 4132 wrote to memory of 5072	4132	cmd.exe	137
PID 4132 wrote to memory of 5072	4132	cmd.exe	137
PID 4132 wrote to memory of 4708	4132	cmd.exe	138
PID 4132 wrote to memory of 4708	4132	cmd.exe	138
PID 4708 wrote to memory of 3520	4708	dwm.exe	141
PID 4708 wrote to memory of 3520	4708	dwm.exe	141
PID 3520 wrote to memory of 4388	3520	cmd.exe	143
PID 3520 wrote to memory of 4388	3520	cmd.exe	143
PID 3520 wrote to memory of 3092	3520	cmd.exe	144
PID 3520 wrote to memory of 3092	3520	cmd.exe	144
PID 3092 wrote to memory of 4004	3092	dwm.exe	145
PID 3092 wrote to memory of 4004	3092	dwm.exe	145
PID 4004 wrote to memory of 5116	4004	cmd.exe	147
PID 4004 wrote to memory of 5116	4004	cmd.exe	147
PID 4004 wrote to memory of 2760	4004	cmd.exe	148
PID 4004 wrote to memory of 2760	4004	cmd.exe	148
PID 2760 wrote to memory of 4216	2760	dwm.exe	149
PID 2760 wrote to memory of 4216	2760	dwm.exe	149
PID 4216 wrote to memory of 4512	4216	cmd.exe	151
PID 4216 wrote to memory of 4512	4216	cmd.exe	151
PID 4216 wrote to memory of 1228	4216	cmd.exe	152
PID 4216 wrote to memory of 1228	4216	cmd.exe	152
PID 1228 wrote to memory of 4252	1228	dwm.exe	153
PID 1228 wrote to memory of 4252	1228	dwm.exe	153
PID 4252 wrote to memory of 4624	4252	cmd.exe	155
PID 4252 wrote to memory of 4624	4252	cmd.exe	155
PID 4252 wrote to memory of 412	4252	cmd.exe	156
PID 4252 wrote to memory of 412	4252	cmd.exe	156
PID 412 wrote to memory of 4908	412	dwm.exe	157
PID 412 wrote to memory of 4908	412	dwm.exe	157

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6a605bb663231bbe8a2e263568ea41e125a18350250bc75fbb9a43c4fae81700.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:684
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3304
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3124
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PrintDialog\pris\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1220
    - - C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:4060
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:5072
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:4388
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:4004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:5116
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:4512
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:4624
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        18⤵
        
        PID:4908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2380
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        20⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3240
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        22⤵
        
        PID:1064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3284
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat"
        24⤵
        
        PID:924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3092
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"
        26⤵
        
        PID:3272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:716
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat"
        28⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\PrintDialog\pris\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PrintDialog\pris\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\PrintDialog\pris\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Cookies\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 8 /tr "'C:\Users\Default\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\dwm.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d3e9c29fe44e90aae6ed30ccf799ca8

SHA1
c7974ef72264bbdf13a2793ccf1aed11bc565dce

SHA256
2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d

SHA512
60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat

Filesize
220B

MD5
469caa37327c121958671cabc872b13c

SHA1
8edae17b8ac376564a9c974a7c42f56d2beeb1a4

SHA256
96943aaf08e184ebd5aa22666323e7576f29ec3457c4737da0f0ed1aa5d5e55c

SHA512
2c911e2a75a441208834b3cb3fa32d44faed16096b93fff425afec875bc347eda514bd8971569a9b14cac45791c398dca79216404bdbe6bb2a3f97e75c7dc8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat

Filesize
220B

MD5
dd3d6e77c92719f465b6e947e96976a0

SHA1
37a9184f1e7a85e85e3162a79d16119e9654fce2

SHA256
f2a560fb6887a79d2bfe1f14d051841522013ff5717c4359d0ed41ffd486cac0

SHA512
0707b4c32368665c52cc53e7f4c3cebc686a2bf4f6949426fd72869c2e4310273513b2e38492e3ea275d536a4be6ca9c5bfe851e034b0accd7c692eea75569ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
220B

MD5
6b788fc59c48ac948cca60c293ce5464

SHA1
3f480a46da99fed0f706bd168407304e86d99243

SHA256
1bb6db8230cb718c228eea381a6bcdb0b4577a65608235960e700612db69b58f

SHA512
233fcbd2d4fb12ed0ee572703977ff1baa706acfe23bd118db1c4dd04c0e9b9b91a13ab07126afdf289537943fe625a6004a46d21635de6c895c27395bdc91fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat

Filesize
220B

MD5
b0e46554ba49f322cb71db7eb8574713

SHA1
15429d8d3e3c02451eb5958d63d8d4b47a533181

SHA256
aa1690debb925fc465dc37be4197201fd600ab943fa728861efc971f58be2f36

SHA512
a19329f580d147e54c0fc54feae05bac67a0199fb53128f798d8e259766b989902ccfe276a4f6f7b1e0a81728cc5267bd10c1efc855a1aa16b76b14e772b9ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
220B

MD5
e55a47f651eb1b17c4fa97819c6207df

SHA1
b66573cc8d9fda8e6b818c2c214b7c96787d2053

SHA256
e0171f961552b4332700bd6e59f4578a75a3c945a78b43a00a3ab8a03df57446

SHA512
6cc008f0902b3e058603077c59346b39ac3ed4c22ff360113803d36f2d5eed97fcbf308754ce7d73c5998dded7901c8ba67694d8c7c445ae682f82608842d1f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
220B

MD5
8c49cd979e92c4b92e0c1e9632473327

SHA1
69ac19c86dfa1d9a5e31ce99130f7218f47823b2

SHA256
b45cd91437e8c8551090e7b81837a3304330d501b7d075240560993ee933443e

SHA512
a243e11dfe56281d0b6cad5beaddad6ffd0e023931a48ad88585bed78407c0bca99c85e31407329219528f964c7bb7ec898b90304a431003dca81459618d0638

Download Submit
C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat

Filesize
220B

MD5
667c283509a7201435dd5b9c090b3713

SHA1
fd8b0342f935f894bacf3062b8b83ce4083312c1

SHA256
896dd851f42dcfe5383dedf27f8fa8b5fdd7bdd0a8122bf62dc09d2247513704

SHA512
8a3309332a53bae5617d2f31244c98b81f4b1a5f1634dda36361c60df1ee1b9817ea620d96d4e5c68b643c5f86e278207d9f3e849d7f66816d24ee5f3e12acd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bwhg52jw.wwv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat

Filesize
220B

MD5
845cb9af1329f0c65abf27cf51b010b4

SHA1
1ab894661e7f8f47dd9147ca451fe47d7a8af50c

SHA256
910d4667bfd36c346150c8788740d0b68969f605cc4813aa51c2664b3997e68f

SHA512
d854c267f4eacd98e8645b0e7d430ae68344463c09e6e5d26c27e3f8a395e486141734041dedaa594cff30f0df5d46e3cb8e7186b8cb84a11f023103aa7441c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat

Filesize
220B

MD5
32f256df6c82444af208a5b24ffd38e6

SHA1
4ed8c0d7025608f956da7b336d6aff82b68c3380

SHA256
6b9c95a92eeda6b237c2288c372b027102cbe1bbcb131690278a8f8a75d9b9ab

SHA512
df64bf6738219842bffc3810bc012d4ea41769d040ea013b9686065098bbda58b5d90283135a153bf0f5b7231967d32f18ce9eb6fa3ece564565dfadb1dd4c86

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat

Filesize
220B

MD5
6659f7906065a471b6391515829d946f

SHA1
260cfcff17fd5253f0e19b000b82f5a43782a275

SHA256
b0ec3d75f7b716c7de9b94d28236793aed301363cf23f59cefd3ff7e1cf059e6

SHA512
ccba9a9595399d4a3391c6eaec5044d0937bc0fce8e73400d345df7085265a8fd2029a6586130d0aa9a6bcc0614ccde5c85cf92b7a738d6d42bf8b9ec7ebeffa

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
220B

MD5
eb68ab8258e074e2aef4a600cecfa439

SHA1
1f0f10fb2bb74f9561acf9fc1988b15550b89e4f

SHA256
05c32cc7277dc51d0db01ba3748c3ec598f19224204394faceef43f1e6769eaf

SHA512
41cd113aa2d59e19d28648903f9a4de7192e7eae386bd02ee96a18bdaafc4bbc2c65e1ddb0bd1bbdb5161a1840fffe2baf975c915ae34f5f56a4d1d5295e1412

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1228-172-0x000000001C050000-0x000000001C152000-memory.dmp

Filesize
1.0MB

Download
memory/1560-17-0x000000001B460000-0x000000001B46C000-memory.dmp

Filesize
48KB

Download
memory/1560-16-0x0000000002B60000-0x0000000002B6C000-memory.dmp

Filesize
48KB

Download
memory/1560-15-0x000000001B450000-0x000000001B45C000-memory.dmp

Filesize
48KB

Download
memory/1560-14-0x0000000002B50000-0x0000000002B62000-memory.dmp

Filesize
72KB

Download
memory/1560-13-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/1560-12-0x00007FFF96C23000-0x00007FFF96C25000-memory.dmp

Filesize
8KB

Download
memory/2144-145-0x000000001BD90000-0x000000001BF39000-memory.dmp

Filesize
1.7MB

Download
memory/2148-137-0x000000001BA70000-0x000000001BB72000-memory.dmp

Filesize
1.0MB

Download
memory/2760-165-0x000000001B950000-0x000000001BA52000-memory.dmp

Filesize
1.0MB

Download
memory/2760-206-0x0000000003190000-0x00000000031A2000-memory.dmp

Filesize
72KB

Download
memory/3092-158-0x000000001C180000-0x000000001C282000-memory.dmp

Filesize
1.0MB

Download
memory/3892-52-0x000001B9CEB20000-0x000001B9CEB42000-memory.dmp

Filesize
136KB

Download
memory/4708-152-0x000000001B9C0000-0x000000001BAC2000-memory.dmp

Filesize
1.0MB

Download
memory/5064-193-0x00000000023B0000-0x00000000023C2000-memory.dmp

Filesize
72KB

Download