dcrat | c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78

Analysis

max time kernel
117s
max time network
118s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
08-01-2025 07:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78.exe
Size

1.3MB
MD5

f3041cba53d0b7300f3b4301f4debd38
SHA1

a629e35f972a00051cf86020f113be26ea95462c
SHA256

c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78
SHA512

8e285ceebeb6c3bde8cb240d3703b1d5744ca70d3b19ae6a44b03666293363a6122ab9dc58899693dda907c00813f09ee1d366901a1eea3dc15ea9ebfdd37c88
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjCR:UbA30GnzV/q+DnsXg3

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	60	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4556	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4604	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3176	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4560	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5012	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4412	3636	schtasks.exe	92
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	3636	schtasks.exe	92

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023c97-10.dat	dcrat
behavioral2/memory/3052-13-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2152	powershell.exe
3208	powershell.exe
2436	powershell.exe
3296	powershell.exe
3944	powershell.exe
2472	powershell.exe
1684	powershell.exe
1196	powershell.exe
2444	powershell.exe

Checks computer location settings 2 TTPs 15 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	cmd.exe

Executes dropped EXE 13 IoCs

pid	Process
3052	DllCommonsvc.exe
4588	DllCommonsvc.exe
1076	cmd.exe
2156	cmd.exe
4484	cmd.exe
2784	cmd.exe
4844	cmd.exe
396	cmd.exe
4868	cmd.exe
2704	cmd.exe
4064	cmd.exe
2532	cmd.exe
1412	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
44	raw.githubusercontent.com
45	raw.githubusercontent.com
55	raw.githubusercontent.com
39	raw.githubusercontent.com
40	raw.githubusercontent.com
43	raw.githubusercontent.com
46	raw.githubusercontent.com
53	raw.githubusercontent.com
54	raw.githubusercontent.com
22	raw.githubusercontent.com
23	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\unsecapp.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\29c1c3cc0f7685	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\es-ES\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\InputMethod\CHS\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\InputMethod\CHS\e978f868350d50	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4896	schtasks.exe
2976	schtasks.exe
4604	schtasks.exe
2716	schtasks.exe
2984	schtasks.exe
4412	schtasks.exe
60	schtasks.exe
3060	schtasks.exe
2996	schtasks.exe
3176	schtasks.exe
4760	schtasks.exe
2700	schtasks.exe
1744	schtasks.exe
1612	schtasks.exe
4556	schtasks.exe
4560	schtasks.exe
5012	schtasks.exe
2288	schtasks.exe
1596	schtasks.exe
1052	schtasks.exe
2656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
3052	DllCommonsvc.exe
3208	powershell.exe
1684	powershell.exe
2436	powershell.exe
1196	powershell.exe
3208	powershell.exe
1196	powershell.exe
4588	DllCommonsvc.exe
1684	powershell.exe
2436	powershell.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
4588	DllCommonsvc.exe
3944	powershell.exe
2444	powershell.exe
2444	powershell.exe
2472	powershell.exe
2472	powershell.exe
3296	powershell.exe
2152	powershell.exe
2152	powershell.exe
3296	powershell.exe
3296	powershell.exe
2444	powershell.exe
3944	powershell.exe
3944	powershell.exe
2472	powershell.exe
2152	powershell.exe
1076	cmd.exe
2156	cmd.exe
4484	cmd.exe
2784	cmd.exe
4844	cmd.exe
396	cmd.exe
4868	cmd.exe
2704	cmd.exe
4064	cmd.exe
2532	cmd.exe
1412	cmd.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	DllCommonsvc.exe
Token: SeDebugPrivilege	3208	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	4588	DllCommonsvc.exe
Token: SeDebugPrivilege	3944	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	3296	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1076	cmd.exe
Token: SeDebugPrivilege	2156	cmd.exe
Token: SeDebugPrivilege	4484	cmd.exe
Token: SeDebugPrivilege	2784	cmd.exe
Token: SeDebugPrivilege	4844	cmd.exe
Token: SeDebugPrivilege	396	cmd.exe
Token: SeDebugPrivilege	4868	cmd.exe
Token: SeDebugPrivilege	2704	cmd.exe
Token: SeDebugPrivilege	4064	cmd.exe
Token: SeDebugPrivilege	2532	cmd.exe
Token: SeDebugPrivilege	1412	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4060 wrote to memory of 2728	4060	c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78.exe	83
PID 4060 wrote to memory of 2728	4060	c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78.exe	83
PID 4060 wrote to memory of 2728	4060	c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78.exe	83
PID 2728 wrote to memory of 2312	2728	WScript.exe	87
PID 2728 wrote to memory of 2312	2728	WScript.exe	87
PID 2728 wrote to memory of 2312	2728	WScript.exe	87
PID 2312 wrote to memory of 3052	2312	cmd.exe	90
PID 2312 wrote to memory of 3052	2312	cmd.exe	90
PID 3052 wrote to memory of 1196	3052	DllCommonsvc.exe	103
PID 3052 wrote to memory of 1196	3052	DllCommonsvc.exe	103
PID 3052 wrote to memory of 2436	3052	DllCommonsvc.exe	104
PID 3052 wrote to memory of 2436	3052	DllCommonsvc.exe	104
PID 3052 wrote to memory of 3208	3052	DllCommonsvc.exe	105
PID 3052 wrote to memory of 3208	3052	DllCommonsvc.exe	105
PID 3052 wrote to memory of 1684	3052	DllCommonsvc.exe	106
PID 3052 wrote to memory of 1684	3052	DllCommonsvc.exe	106
PID 3052 wrote to memory of 4588	3052	DllCommonsvc.exe	110
PID 3052 wrote to memory of 4588	3052	DllCommonsvc.exe	110
PID 4588 wrote to memory of 3296	4588	DllCommonsvc.exe	124
PID 4588 wrote to memory of 3296	4588	DllCommonsvc.exe	124
PID 4588 wrote to memory of 2472	4588	DllCommonsvc.exe	125
PID 4588 wrote to memory of 2472	4588	DllCommonsvc.exe	125
PID 4588 wrote to memory of 2152	4588	DllCommonsvc.exe	126
PID 4588 wrote to memory of 2152	4588	DllCommonsvc.exe	126
PID 4588 wrote to memory of 3944	4588	DllCommonsvc.exe	127
PID 4588 wrote to memory of 3944	4588	DllCommonsvc.exe	127
PID 4588 wrote to memory of 2444	4588	DllCommonsvc.exe	128
PID 4588 wrote to memory of 2444	4588	DllCommonsvc.exe	128
PID 4588 wrote to memory of 3080	4588	DllCommonsvc.exe	134
PID 4588 wrote to memory of 3080	4588	DllCommonsvc.exe	134
PID 3080 wrote to memory of 2588	3080	cmd.exe	136
PID 3080 wrote to memory of 2588	3080	cmd.exe	136
PID 3080 wrote to memory of 1076	3080	cmd.exe	144
PID 3080 wrote to memory of 1076	3080	cmd.exe	144
PID 1076 wrote to memory of 3948	1076	cmd.exe	146
PID 1076 wrote to memory of 3948	1076	cmd.exe	146
PID 3948 wrote to memory of 2200	3948	cmd.exe	148
PID 3948 wrote to memory of 2200	3948	cmd.exe	148
PID 3948 wrote to memory of 2156	3948	cmd.exe	150
PID 3948 wrote to memory of 2156	3948	cmd.exe	150
PID 2156 wrote to memory of 2160	2156	cmd.exe	152
PID 2156 wrote to memory of 2160	2156	cmd.exe	152
PID 2160 wrote to memory of 2568	2160	cmd.exe	154
PID 2160 wrote to memory of 2568	2160	cmd.exe	154
PID 2160 wrote to memory of 4484	2160	cmd.exe	159
PID 2160 wrote to memory of 4484	2160	cmd.exe	159
PID 4484 wrote to memory of 552	4484	cmd.exe	161
PID 4484 wrote to memory of 552	4484	cmd.exe	161
PID 552 wrote to memory of 180	552	cmd.exe	163
PID 552 wrote to memory of 180	552	cmd.exe	163
PID 552 wrote to memory of 2784	552	cmd.exe	165
PID 552 wrote to memory of 2784	552	cmd.exe	165
PID 2784 wrote to memory of 4760	2784	cmd.exe	167
PID 2784 wrote to memory of 4760	2784	cmd.exe	167
PID 4760 wrote to memory of 2388	4760	cmd.exe	169
PID 4760 wrote to memory of 2388	4760	cmd.exe	169
PID 4760 wrote to memory of 4844	4760	cmd.exe	171
PID 4760 wrote to memory of 4844	4760	cmd.exe	171
PID 4844 wrote to memory of 1976	4844	cmd.exe	174
PID 4844 wrote to memory of 1976	4844	cmd.exe	174
PID 1976 wrote to memory of 1484	1976	cmd.exe	176
PID 1976 wrote to memory of 1484	1976	cmd.exe	176
PID 1976 wrote to memory of 396	1976	cmd.exe	178
PID 1976 wrote to memory of 396	1976	cmd.exe	178

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78.exe
"C:\Users\Admin\AppData\Local\Temp\c9fb18f99fe5ec760114c23a3645ceba3686687e88a795031ae982f51e657c78.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4060
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2728
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2312
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\unsecapp.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\InputMethod\CHS\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3944
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\cmd.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QgfazpYndg.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2588
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2200
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2568
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:180
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:4760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2388
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1484
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
        18⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1304
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat"
        20⤵
        
        PID:5056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1552
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        22⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3892
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        24⤵
        
        PID:3912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3816
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        26⤵
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1292
        
        C:\Recovery\WindowsRE\cmd.exe
        
        "C:\Recovery\WindowsRE\cmd.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
        28⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:4852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:60

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 10 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 10 /tr "'C:\providercommon\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\providercommon\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\es-ES\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 14 /tr "'C:\Windows\InputMethod\CHS\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\InputMethod\CHS\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\InputMethod\CHS\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recovery\WindowsRE\ebf1f9fa8afd6d

Filesize
325B

MD5
e930113f10a7c9de2cdec8dcae3ae53b

SHA1
1db403fe46332f60a82b9a2f5afe8ea69a28fb8c

SHA256
6ffbaff7669e7d3b9c9b643ee8d43b526c91af681219371ff7a4d61791633e5c

SHA512
c9dc96afc25a08ba41c7050a114688b10dec702ea993e19994fe7b2c9b8921559ba4d8e63d2012d022de3ce09c220a0894cd6e3fcea9d2d78eabc36eb514fbd1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\DllCommonsvc.exe.log

Filesize
1KB

MD5
7f3c0ae41f0d9ae10a8985a2c327b8fb

SHA1
d58622bf6b5071beacf3b35bb505bde2000983e3

SHA256
519fceae4d0dd4d09edd1b81bcdfa8aeab4b59eee77a4cd4b6295ce8e591a900

SHA512
8a8fd17eef071f86e672cba0d8fc2cfed6118aff816100b9d7c06eb96443c04c04bc5692259c8d7ecb1563e877921939c61726605af4f969e3f586f0913ed125

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\cmd.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
10890cda4b6eab618e926c4118ab0647

SHA1
1e1d63b73a0e6c7575f458b3c7917a9ce5ba776d

SHA256
00f8a035324d39bd62e6dee5e1b480069015471c487ebee4479e6990ea9ddb14

SHA512
a2ee84006c24a36f25e0bca0772430d64e3791f233da916aecdeae6712763e77d55bbbd00dc8f6b2b3887f3c26ab3980b96c5f46cc823e81e28abbbc5fc78221

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
ce4540390cc4841c8973eb5a3e9f4f7d

SHA1
2293f30a6f4c9538bc5b06606c10a50ab4ecef8e

SHA256
e834e1da338b9644d538cefd70176768816da2556939c1255d386931bd085105

SHA512
2a3e466cb5a81d2b65256053b768a98321eb3e65ff46353eefc9864f14a391748116f050e7482ddd73a51575bf0a6fc5c673023dade62dbd8b174442bae1cc6b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
493B

MD5
9aa700c5ef2d8380ed3636f625df9e2c

SHA1
944b8f68013b8b10491b21c9fb078e8961cd9b65

SHA256
6dd06c8afc7e93956c8a9fdc4bc5b5027886d92ff61e8c2d1f723273b9e3a0a8

SHA512
54e3288c80c02609a0ed3a563f08f63547d90ad6c1e8d79ff67a6a4769d95f9f59d28dbe7dcfc9c87d67563b786f421802f155ead30baf4be4abe5f6306ad4b3

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\16sHyqWYU0.bat

Filesize
194B

MD5
ef40e813577650c7a03e3fc09d256185

SHA1
b0fa632605d715d43db0f717e04bc1dbfb4cd37a

SHA256
c49f720837ea4a2339e7afe26d0a33b0eff50c42d59d413a916e98478c4ba037

SHA512
5bc94386d476296ce11cb18a30fcc6f4a0bb9b7f46cedd8c2cdd060f917245f9a42c410188ee9140f19447903d509aed36467fb97c1062757ed00d52e0e20352

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
194B

MD5
66a105eb1137e984873dbdb3c27ae62b

SHA1
b885da9ff8fd6ce6da26c5b47dbe969d76760e68

SHA256
2fad6571b7c30c7a40db97005f6dfdf1b2054a891105323540710194b70b5613

SHA512
c80d67aec98c24204bdb055f70fda67671bd798fbf035efd421449446addf5eb657925a1b7b64b3b10779ec8eede5f532244e00f40cfddde3dccbcf3f361e8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat

Filesize
194B

MD5
79e61f884f49bce7e4da0eea751946af

SHA1
d90d76d728dbd3f95c2fbb59af9bbe45e6c03d8e

SHA256
7ec5cc91557eb5eae4aca3d05efdfc01595ececf4706ef5cde1dc7d13adb52a5

SHA512
53c108e76fc7238103ea6d975220555488eefaaad13190ecc87a98518e0127733166758cd9359b1eb232355d7edb1b147258eb2360792bdfa1757f6b1ba4f4c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jobc5AEC9X.bat

Filesize
194B

MD5
a044ba51e98edfc26f1d3085da4f898c

SHA1
87d681ada2a3b99bd8d5e413207e8362baff2010

SHA256
40f4b47499b37f8881154a63063f539104859b5cb8fbcbd3dfabbee214ad1183

SHA512
f7f6d0d41ffcbbbbe8e81de09040bab253aaf01d09c26d996ecd638157d01083cc86b5a1c42072e78b12fa9873656eafa71a1cd4495e80e0538e023e5e446cce

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat

Filesize
194B

MD5
aad375db23d8c59b1ada537c80a0f482

SHA1
d2fb4c31f651fb4fe5f67813f8801495573b81de

SHA256
97e0541eef7480b123c54ee5864051671e9865e0192a4af6eb4d3b2cea26427a

SHA512
7be579eada754dfc6f39d2083ee8b175170a05b83cf0613afb08a0a2b9ea781a2d29a99e1e694828bdcfbb46e9fcfdb41c4d1ce79c52861895799225b523a09b

Download Submit
C:\Users\Admin\AppData\Local\Temp\QgfazpYndg.bat

Filesize
194B

MD5
a39df35721e9e5541e51b6c0bc3ec0bf

SHA1
b0e63b564d4ef0f5db19a775874e7bd53c2db0a3

SHA256
1b8eac6a1040520d3fc09b518d53979a446a4c8462f87b221b2d00c0ddb3ad9c

SHA512
221b67661d98dce929bcdca2b4b727e543e32e326f4523b209655a290b156e031222db463d0591ef30f57d2ba839aea288d9d5778ffcaa3fc63bb97b0aadd275

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
194B

MD5
04d055ff3352b52c09375fd5767ee40b

SHA1
0f164f5034e1f159ce47f854820a84324e35597e

SHA256
71709e8f05adee58660945af9fbeb6108193a793b9d53c3c97a977c07ec72524

SHA512
f249d1966d2477ef96399687d15ce3ee949e9c7d28ed3b893e9881ce2fbaf9e11674a8e155261205554db7a60a4f547a8caa4cd1865fceb0420da4c689166efd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
194B

MD5
c108c2ad9d8a1bb3efdfd749c4fb00cc

SHA1
a14109865066b74b55db886f21370f3ae6c8ae83

SHA256
2c2a4855b4e6934711123013a3216ca3390c4f02c73c713f89fa66ccc7dd039a

SHA512
d5a95d143e395c176fa9f7f2295e39cfcdb81778b04e7339c5e0687786e36bf6436af5535b3d3bfb943fcf0a9048a708d0a12af2184673c299b8bed646b399b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ezzdhmnq.40o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat

Filesize
194B

MD5
1e556dbd5ea5de99f9c04b769a86fd40

SHA1
3aa8e2504c4ae315a2f998ec61f6f5803e4d3ada

SHA256
65ad5439b9380885d772dbc550d1e9f6a35b3f2cbdc92ac8e0655ec7ad8e19e6

SHA512
d6c6a26ed0400ef4edfd52f2f8c3e2e204422341421af302a1e853319257faa9db3112931336dc958520ad500c8741171cfa20161f0790edf0be000aa1e9dc5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

Filesize
194B

MD5
4926aefbfe69214e7393b6c5cd151ec5

SHA1
ecaca9b5f058b7bdd07dfc7be3385679aff10bd0

SHA256
08949a17bcfe5b0c561de2fd92cf4e2ca3ffd89dbdb3e873cd325ac96b431b96

SHA512
f25bf134c15c3c9a04379672e86651d27c22264f7ead3814f76a35ba9614302a7b79d33636ce3963b426d54e5c8064ab91413ad4f19eae88b71869a1f951b75f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1684-37-0x000001D071BF0000-0x000001D071C12000-memory.dmp

Filesize
136KB

Download
memory/2156-155-0x0000000000D20000-0x0000000000D32000-memory.dmp

Filesize
72KB

Download
memory/2532-205-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/2704-192-0x0000000000B60000-0x0000000000B72000-memory.dmp

Filesize
72KB

Download
memory/3052-16-0x0000000000BD0000-0x0000000000BDC000-memory.dmp

Filesize
48KB

Download
memory/3052-14-0x0000000000A60000-0x0000000000A72000-memory.dmp

Filesize
72KB

Download
memory/3052-13-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/3052-12-0x00007FFD0B3E3000-0x00007FFD0B3E5000-memory.dmp

Filesize
8KB

Download
memory/3052-15-0x0000000000BF0000-0x0000000000BFC000-memory.dmp

Filesize
48KB

Download
memory/3052-17-0x0000000000BE0000-0x0000000000BEC000-memory.dmp

Filesize
48KB

Download
memory/4588-64-0x0000000002700000-0x0000000002712000-memory.dmp

Filesize
72KB

Download