dcrat | eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69

Analysis

max time kernel
145s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe
Size

1.3MB
MD5

4b37b6b4097d944ba7d9724243c70fb4
SHA1

74a967fecb6f243651a035e6fdc8a46dd624ed3c
SHA256

eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69
SHA512

10e130deef7f781b6e7c66ccefc45c1708097e763077bec3f6f42f226eb1ed371c0c7e00bda189f609b03f149df921159939a65b3135d3301e22f32e2d79c432
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4936	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3200	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3528	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4464	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3932	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3804	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5068	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3296	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3524	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4656	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3252	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4044	4780	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4408	4780	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c9f-10.dat	dcrat
behavioral2/memory/1988-13-0x0000000000420000-0x0000000000530000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3436	powershell.exe
844	powershell.exe
2200	powershell.exe
4744	powershell.exe
2028	powershell.exe
2072	powershell.exe
4824	powershell.exe
4396	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	SppExtComObj.exe

Executes dropped EXE 15 IoCs

pid	Process
1988	DllCommonsvc.exe
4656	SppExtComObj.exe
4916	SppExtComObj.exe
1752	SppExtComObj.exe
2688	SppExtComObj.exe
4596	SppExtComObj.exe
3840	SppExtComObj.exe
368	SppExtComObj.exe
452	SppExtComObj.exe
2540	SppExtComObj.exe
2844	SppExtComObj.exe
2872	SppExtComObj.exe
1512	SppExtComObj.exe
388	SppExtComObj.exe
4576	SppExtComObj.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
51	raw.githubusercontent.com
36	raw.githubusercontent.com
37	raw.githubusercontent.com
48	raw.githubusercontent.com
41	raw.githubusercontent.com
42	raw.githubusercontent.com
47	raw.githubusercontent.com
18	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com
19	raw.githubusercontent.com
21	raw.githubusercontent.com
50	raw.githubusercontent.com

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Setup\State\fontdrvhost.exe	DllCommonsvc.exe
File created	C:\Windows\Setup\State\5b884080fd4f94	DllCommonsvc.exe
File created	C:\Windows\Speech\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Speech\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Help\OEM\ContentStore\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Help\OEM\ContentStore\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000_Classes\Local Settings	SppExtComObj.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3932	schtasks.exe
2528	schtasks.exe
3804	schtasks.exe
3524	schtasks.exe
2884	schtasks.exe
3252	schtasks.exe
4936	schtasks.exe
3296	schtasks.exe
4408	schtasks.exe
1884	schtasks.exe
4464	schtasks.exe
380	schtasks.exe
2888	schtasks.exe
2040	schtasks.exe
4044	schtasks.exe
3528	schtasks.exe
4292	schtasks.exe
5068	schtasks.exe
4708	schtasks.exe
4656	schtasks.exe
3200	schtasks.exe

Suspicious behavior: EnumeratesProcesses 43 IoCs

pid	Process
1988	DllCommonsvc.exe
1988	DllCommonsvc.exe
1988	DllCommonsvc.exe
1988	DllCommonsvc.exe
1988	DllCommonsvc.exe
2028	powershell.exe
2028	powershell.exe
3436	powershell.exe
3436	powershell.exe
2072	powershell.exe
2072	powershell.exe
4396	powershell.exe
4396	powershell.exe
4744	powershell.exe
4744	powershell.exe
844	powershell.exe
844	powershell.exe
2200	powershell.exe
2200	powershell.exe
4824	powershell.exe
4824	powershell.exe
2200	powershell.exe
4744	powershell.exe
2028	powershell.exe
4824	powershell.exe
2072	powershell.exe
3436	powershell.exe
4396	powershell.exe
844	powershell.exe
4656	SppExtComObj.exe
4916	SppExtComObj.exe
1752	SppExtComObj.exe
2688	SppExtComObj.exe
4596	SppExtComObj.exe
3840	SppExtComObj.exe
368	SppExtComObj.exe
452	SppExtComObj.exe
2540	SppExtComObj.exe
2844	SppExtComObj.exe
2872	SppExtComObj.exe
1512	SppExtComObj.exe
388	SppExtComObj.exe
4576	SppExtComObj.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1988	DllCommonsvc.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	3436	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	4396	powershell.exe
Token: SeDebugPrivilege	4744	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	4824	powershell.exe
Token: SeDebugPrivilege	4656	SppExtComObj.exe
Token: SeDebugPrivilege	4916	SppExtComObj.exe
Token: SeDebugPrivilege	1752	SppExtComObj.exe
Token: SeDebugPrivilege	2688	SppExtComObj.exe
Token: SeDebugPrivilege	4596	SppExtComObj.exe
Token: SeDebugPrivilege	3840	SppExtComObj.exe
Token: SeDebugPrivilege	368	SppExtComObj.exe
Token: SeDebugPrivilege	452	SppExtComObj.exe
Token: SeDebugPrivilege	2540	SppExtComObj.exe
Token: SeDebugPrivilege	2844	SppExtComObj.exe
Token: SeDebugPrivilege	2872	SppExtComObj.exe
Token: SeDebugPrivilege	1512	SppExtComObj.exe
Token: SeDebugPrivilege	388	SppExtComObj.exe
Token: SeDebugPrivilege	4576	SppExtComObj.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 3016	1752	JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe	82
PID 1752 wrote to memory of 3016	1752	JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe	82
PID 1752 wrote to memory of 3016	1752	JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe	82
PID 3016 wrote to memory of 3068	3016	WScript.exe	87
PID 3016 wrote to memory of 3068	3016	WScript.exe	87
PID 3016 wrote to memory of 3068	3016	WScript.exe	87
PID 3068 wrote to memory of 1988	3068	cmd.exe	89
PID 3068 wrote to memory of 1988	3068	cmd.exe	89
PID 1988 wrote to memory of 2072	1988	DllCommonsvc.exe	111
PID 1988 wrote to memory of 2072	1988	DllCommonsvc.exe	111
PID 1988 wrote to memory of 4824	1988	DllCommonsvc.exe	112
PID 1988 wrote to memory of 4824	1988	DllCommonsvc.exe	112
PID 1988 wrote to memory of 2028	1988	DllCommonsvc.exe	113
PID 1988 wrote to memory of 2028	1988	DllCommonsvc.exe	113
PID 1988 wrote to memory of 4396	1988	DllCommonsvc.exe	114
PID 1988 wrote to memory of 4396	1988	DllCommonsvc.exe	114
PID 1988 wrote to memory of 3436	1988	DllCommonsvc.exe	115
PID 1988 wrote to memory of 3436	1988	DllCommonsvc.exe	115
PID 1988 wrote to memory of 4744	1988	DllCommonsvc.exe	116
PID 1988 wrote to memory of 4744	1988	DllCommonsvc.exe	116
PID 1988 wrote to memory of 2200	1988	DllCommonsvc.exe	117
PID 1988 wrote to memory of 2200	1988	DllCommonsvc.exe	117
PID 1988 wrote to memory of 844	1988	DllCommonsvc.exe	119
PID 1988 wrote to memory of 844	1988	DllCommonsvc.exe	119
PID 1988 wrote to memory of 624	1988	DllCommonsvc.exe	127
PID 1988 wrote to memory of 624	1988	DllCommonsvc.exe	127
PID 624 wrote to memory of 4328	624	cmd.exe	129
PID 624 wrote to memory of 4328	624	cmd.exe	129
PID 624 wrote to memory of 4656	624	cmd.exe	133
PID 624 wrote to memory of 4656	624	cmd.exe	133
PID 4656 wrote to memory of 4548	4656	SppExtComObj.exe	134
PID 4656 wrote to memory of 4548	4656	SppExtComObj.exe	134
PID 4548 wrote to memory of 4856	4548	cmd.exe	136
PID 4548 wrote to memory of 4856	4548	cmd.exe	136
PID 4548 wrote to memory of 4916	4548	cmd.exe	137
PID 4548 wrote to memory of 4916	4548	cmd.exe	137
PID 4916 wrote to memory of 4564	4916	SppExtComObj.exe	138
PID 4916 wrote to memory of 4564	4916	SppExtComObj.exe	138
PID 4564 wrote to memory of 4476	4564	cmd.exe	140
PID 4564 wrote to memory of 4476	4564	cmd.exe	140
PID 4564 wrote to memory of 1752	4564	cmd.exe	141
PID 4564 wrote to memory of 1752	4564	cmd.exe	141
PID 1752 wrote to memory of 1256	1752	SppExtComObj.exe	144
PID 1752 wrote to memory of 1256	1752	SppExtComObj.exe	144
PID 1256 wrote to memory of 4796	1256	cmd.exe	146
PID 1256 wrote to memory of 4796	1256	cmd.exe	146
PID 1256 wrote to memory of 2688	1256	cmd.exe	147
PID 1256 wrote to memory of 2688	1256	cmd.exe	147
PID 2688 wrote to memory of 2492	2688	SppExtComObj.exe	148
PID 2688 wrote to memory of 2492	2688	SppExtComObj.exe	148
PID 2492 wrote to memory of 5024	2492	cmd.exe	150
PID 2492 wrote to memory of 5024	2492	cmd.exe	150
PID 2492 wrote to memory of 4596	2492	cmd.exe	151
PID 2492 wrote to memory of 4596	2492	cmd.exe	151
PID 4596 wrote to memory of 2908	4596	SppExtComObj.exe	152
PID 4596 wrote to memory of 2908	4596	SppExtComObj.exe	152
PID 2908 wrote to memory of 3908	2908	cmd.exe	154
PID 2908 wrote to memory of 3908	2908	cmd.exe	154
PID 2908 wrote to memory of 3840	2908	cmd.exe	155
PID 2908 wrote to memory of 3840	2908	cmd.exe	155
PID 3840 wrote to memory of 3224	3840	SppExtComObj.exe	156
PID 3840 wrote to memory of 3224	3840	SppExtComObj.exe	156
PID 3224 wrote to memory of 2572	3224	cmd.exe	158
PID 3224 wrote to memory of 2572	3224	cmd.exe	158

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb53f773dd30ea38d01b3684c2daf4d1b688592be14bd4b660bf6dd02c873b69.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3068
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\OEM\ContentStore\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Links\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Setup\State\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\SppExtComObj.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pfQX3KyWWk.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4328
      - C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:4856
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:4564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4476
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4796
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:5024
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3908
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:3224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2572
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
        19⤵
        
        PID:456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3628
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        21⤵
        
        PID:5012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:5008
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
        23⤵
        
        PID:4976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3456
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
        25⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2060
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
        27⤵
        
        PID:3124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:4376
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        29⤵
        
        PID:3372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:3528
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
        31⤵
        
        PID:4308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:4524
        
        C:\Users\Default User\SppExtComObj.exe
        
        "C:\Users\Default User\SppExtComObj.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Speech\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Speech\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Help\OEM\ContentStore\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\OEM\ContentStore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\OEM\ContentStore\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Links\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 13 /tr "'C:\Windows\Setup\State\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\Windows\Setup\State\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 14 /tr "'C:\Windows\Setup\State\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\SppExtComObj.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\SppExtComObj.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Downloads\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Downloads\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Downloads\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\SppExtComObj.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
bd5940f08d0be56e65e5f2aaf47c538e

SHA1
d7e31b87866e5e383ab5499da64aba50f03e8443

SHA256
2d2f364c75bd2897504249f42cdf1d19374f5230aad68fa9154ea3d03e3031a6

SHA512
c34d10c7e07da44a180fae9889b61f08903aa84e8ddfa80c31c272b1ef9d491b8cec6b8a4c836c3cb1583fe8f4955c6a8db872515de3a9e10eae09610c959406

Download Submit
C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

Filesize
203B

MD5
a0bbac21977bcd92f4a1756d1325aa75

SHA1
176b496a823657c2eac19fbac8cc13e43a21a190

SHA256
b8df5dadd551f7dbe139534cfa6e87b809534e06d92967ae12b49e8a19edefd5

SHA512
4ca0b2742c5cf76d891aca9529d3fe08b2baaeb9034702c9a831f1d10cee55378b3081768e988b5b72a621059b067874181ef5fbb92db9470423a246450c9512

Download Submit
C:\Users\Admin\AppData\Local\Temp\83zFD3riGi.bat

Filesize
203B

MD5
d984a42aacd571a1157b3833c475734d

SHA1
2bc5a6dd2e5ba35825f83e83b9bd31265ac12e6b

SHA256
b08b1d281233fd09f3d29a1a0cf27536e588fc3a67b8bfec3c96fba4c8cd6177

SHA512
8d88fa7e0bd19d3ad10876e2cb90cbca3750c576457e800153e4aac56484db32453d10786f6fbaa98aacdfafb64cb6a0d649dd23f9482623babbd6cdf8383d15

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
203B

MD5
94de8b3d18dcfcd23b390707838e94fb

SHA1
1b3368bd1518a7780ea5092127c5ece80550f23f

SHA256
d49687b937a00cfeb975098c484f23235dbb37ddf299bf89a4691518de13bc46

SHA512
e1b90373ea4ea02056e2561b24abbce32d6617a9e90c5d5a1848a8e202d8b9e355b10361c06d732647056c04064b8d75f0b1798570adba4f93f168cdf4ab1ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\989MOUOnUX.bat

Filesize
203B

MD5
5d8d38292aede0f81ad4cbc16692a356

SHA1
5e6d7e0de12a932ef7b682efaa783e410e9187be

SHA256
abe131bfa05a7bf495331e7c40778d4a00f0117a788b4ecc14e34f80c98cf7cd

SHA512
9adec13210fdacb2107e9b1f5bbd3995a4495396aca54ce2b64cf4f3a6b866f72f2a897c778a3d85bf71aae174b8ba696606986a95b038228548ecd8345ed3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

Filesize
203B

MD5
2878a02ea930bd9d1290834a38e06513

SHA1
644509d95fd95d94fb71fc1ece6434403110ab63

SHA256
c71d8796b8e849a3e7664305144126b12e9d4b47f0a68fa8f1feeb3c4af9d0a3

SHA512
dfa46ebea6adbd54667d2c71348a302adeca8f9c9c81c5f73158e4d771a2a394cdf1412d0a88bee28ca8a3eb2a792d4f433ce6df0532957b7ed4b4ddaa057245

Download Submit
C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat

Filesize
203B

MD5
471139af134b86f1702a86d9b0b37dc2

SHA1
13e34814221f3e25032e9cf887481a90ba239147

SHA256
0fed98982fc192888a9fb3326d2666c938866ba6a80b853be3071a7b3ceab055

SHA512
46e9162d975442d6abe1d3a00d82b66d406f16310c5ee9fb35218590c057bd458f2ad34da71ad4b7f5e7a7a94f43effc18296748a37f223705a493d5669b8388

Download Submit
C:\Users\Admin\AppData\Local\Temp\Myoa8e0eVV.bat

Filesize
203B

MD5
b708e7d6d2545126b4f59afedda868d1

SHA1
0e3164c7e6a41126dbbc1af091e401a1ffde1399

SHA256
6f4d979c27c5c32af8505f276639651ab1f19374a00d1595f9975fad33c473aa

SHA512
52eda226a9d20a95fa47a6bf34194b7736a121a4c28aba10c8f2e454589f6f91579de36a948f4e3dcec4f6bb6c0d70634096e673467b7ac83b60f7ffa9544055

Download Submit
C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat

Filesize
203B

MD5
396b787dd6754e4c82743b4731cac5c4

SHA1
03b42851ef8729ebf6d5baaa0e1f86c41137f330

SHA256
18271cf63ae437e197b5b19d162c1de843c1bf9b81d5da435809ca5552aa7116

SHA512
5c826c8e9194041eeb65129ddb5bad68410ab27b56975d94be88f444e46634cc3eb58e9783efefe76f26d7fbf989d0b985f52ed310f7f859943ec89ff26e7967

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
203B

MD5
bd13446b4140f4dc7529c2f05f4ff00d

SHA1
8ab02d81238cdcbc77762aa7654bf8673feecb2e

SHA256
c32d092d4fa15f7fd150e1af339867d4c57dcdebfd71d3cfa1e5bdb6b6e4c0ba

SHA512
1b6311885b8f3388a02329af903055f0a2c03dee832b33c64ed763c0c3137ea681e8c1ce1ecef0bd4304c4b0fda30e946a05e87382788facdf641569a342ce6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

Filesize
203B

MD5
8e21a598e494ea5ae044ecbe88bd6f61

SHA1
be300f5303cf78e1ae767ff56d292856c38503f3

SHA256
46d934830e042f6884158060e6a3aa72ae4c183ab1b81cbe55bcd55e72552140

SHA512
9b69020172b804cd9bfa4280e7872c987d5aa5a3bc557879686a7fbb78f90099e02b3c716a5be7b81fc78dc1c717ce88a792d95e41bee8a8cf43cd3699c8d400

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
203B

MD5
9537bb667c22f3c42350535d8fb89edf

SHA1
8342827cfc83f5b038b88fb4d62849f139fd30ae

SHA256
97cfa291847eb24df6bc9018ee7cd5b93e88bb7291c84be794494513c6667d28

SHA512
0bd15d293be78245202687429800dabf4713eb5ebcd762e1bf1994d69418dca6b02a19c4266fed34c9837c515ae009712b2c824750c14fe245fb9292949bfc22

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fjlrcdb3.ooq.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

Filesize
203B

MD5
2dc83397b3a221f96da6fc4b7d56386e

SHA1
a2c73041a53eea55589c5906bad7c5b381ce1d7f

SHA256
56b13275b3a26b562bcfd144d1149faf6e21be946b78c037bd57e1c1b388351c

SHA512
24c85489a3c97e5da5cf91cc070a07dbbf7258b57edd91d6fc0e487de9293ec03966fa3a6ac73f085aa82dde7db12ce8d2eab35d109da0aa1b2a668569d78b61

Download Submit
C:\Users\Admin\AppData\Local\Temp\pfQX3KyWWk.bat

Filesize
203B

MD5
4b89e693ee52ef0f0fa6d533c9c294f9

SHA1
e5227e52fde957be64df0b6573985b8e08880fd4

SHA256
a95f17f24d45ebc05b6fcd1e3072396485c89939d4c943c32a3f455df715df0c

SHA512
58b736377e9dfddb7d26b04c4cad8d4b1921afd914fb885e457348846adc270490a8884db9c5ecbedbc99a1fd662cb8923d84630c3664ab9a23ce9cd3ed3529a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
203B

MD5
7d4e756a8773db318dd94a5e5683cf12

SHA1
798a2158b35217de41017c83b7e14ff5ac77dfaa

SHA256
2592e9950f61cccb93c486285e4359a87a84a75c808d67b9ad09b9d371268bfb

SHA512
809362c4173adb827616161ef08d0582eacffd62032214ad2bc83777ceb3abc1516dc8e25b109736068119eaa9a3a3cf21c0577b3cbd3c7da50ea91f1af814b1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/368-171-0x0000000001340000-0x0000000001352000-memory.dmp

Filesize
72KB

Download
memory/388-210-0x0000000002D40000-0x0000000002D52000-memory.dmp

Filesize
72KB

Download
memory/452-178-0x0000000003190000-0x00000000031A2000-memory.dmp

Filesize
72KB

Download
memory/1988-15-0x000000001B040000-0x000000001B04C000-memory.dmp

Filesize
48KB

Download
memory/1988-14-0x0000000002740000-0x0000000002752000-memory.dmp

Filesize
72KB

Download
memory/1988-13-0x0000000000420000-0x0000000000530000-memory.dmp

Filesize
1.1MB

Download
memory/1988-12-0x00007FFEE9563000-0x00007FFEE9565000-memory.dmp

Filesize
8KB

Download
memory/1988-16-0x000000001B030000-0x000000001B03C000-memory.dmp

Filesize
48KB

Download
memory/1988-17-0x000000001B050000-0x000000001B05C000-memory.dmp

Filesize
48KB

Download
memory/2028-64-0x00000223EFC50000-0x00000223EFC72000-memory.dmp

Filesize
136KB

Download
memory/2540-185-0x0000000001600000-0x0000000001612000-memory.dmp

Filesize
72KB

Download
memory/4576-217-0x00000000024B0000-0x00000000024C2000-memory.dmp

Filesize
72KB

Download
memory/4656-131-0x0000000000AF0000-0x0000000000B02000-memory.dmp

Filesize
72KB

Download
memory/4916-140-0x0000000002330000-0x0000000002342000-memory.dmp

Filesize
72KB

Download