dcrat | 3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9

Analysis

max time kernel
149s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
11-01-2025 15:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WinPerfcommon.exe
Size

1.9MB
MD5

6b9554367a439d39a00a0dff9a08b123
SHA1

e1d22cde90c297c10f4fcba5b3980e5d551eb0b3
SHA256

3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9
SHA512

72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720
SSDEEP

49152:xh0kcmcdp/caMMlawkBXRInaKYRouPbWGQ2:xhbcmcfM/N1RSavoujWH

Score

10^/10

dcrat discovery execution infostealer persistence rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Searches\\WmiPrvSE.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Searches\\WmiPrvSE.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\services.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Searches\\WmiPrvSE.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\services.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WMIADAP.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Searches\\WmiPrvSE.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\services.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WMIADAP.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\dllhost.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Searches\\WmiPrvSE.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\services.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WMIADAP.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\dllhost.exe\", \"C:\\Users\\Default\\Templates\\System.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, \"C:\\Users\\Admin\\Searches\\WmiPrvSE.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\services.exe\", \"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WMIADAP.exe\", \"C:\\Program Files\\Windows Defender\\fr-FR\\dllhost.exe\", \"C:\\Users\\Default\\Templates\\System.exe\", \"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinPerfcommon.exe\""	WinPerfcommon.exe

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2732	schtasks.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2732	schtasks.exe	31

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2984	powershell.exe
2200	powershell.exe
2812	powershell.exe
2952	powershell.exe
2208	powershell.exe
1036	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
3012	System.exe
2404	System.exe
1244	System.exe
2232	System.exe
328	System.exe
2936	System.exe
2676	System.exe
1688	System.exe
1256	System.exe
1668	System.exe
328	System.exe
2428	System.exe

Adds Run key to start application 2 TTPs 12 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WMIADAP.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\Templates\\System.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WinPerfcommon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinPerfcommon.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\Searches\\WmiPrvSE.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\services.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WMIADAP = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\WMIADAP.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Defender\\fr-FR\\dllhost.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\dllhost = "\"C:\\Program Files\\Windows Defender\\fr-FR\\dllhost.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\System = "\"C:\\Users\\Default\\Templates\\System.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinPerfcommon = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\WinPerfcommon.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WmiPrvSE = "\"C:\\Users\\Admin\\Searches\\WmiPrvSE.exe\""	WinPerfcommon.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\services = "\"C:\\Recovery\\1f276ee2-69f6-11ef-8b31-62cb582c238c\\services.exe\""	WinPerfcommon.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	\??\c:\Windows\System32\CSC5F26F417E7549B695B21BD9137011C.TMP	csc.exe
File created	\??\c:\Windows\System32\foda5r.exe	csc.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\fr-FR\dllhost.exe	WinPerfcommon.exe
File created	C:\Program Files\Windows Defender\fr-FR\5940a34987c991	WinPerfcommon.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 6 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2808	PING.EXE
1780	PING.EXE
1680	PING.EXE
796	PING.EXE
2676	PING.EXE
2524	PING.EXE

Runs ping.exe 1 TTPs 6 IoCs

Remote System Discovery

T1018

pid	Process
796	PING.EXE
2676	PING.EXE
2524	PING.EXE
2808	PING.EXE
1780	PING.EXE
1680	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1712	schtasks.exe
348	schtasks.exe
2988	schtasks.exe
2804	schtasks.exe
2844	schtasks.exe
2308	schtasks.exe
2640	schtasks.exe
1180	schtasks.exe
1548	schtasks.exe
1692	schtasks.exe
2000	schtasks.exe
2036	schtasks.exe
1928	schtasks.exe
2672	schtasks.exe
2392	schtasks.exe
2932	schtasks.exe
2352	schtasks.exe
2128	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe
2408	WinPerfcommon.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2408	WinPerfcommon.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2984	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	3012	System.exe
Token: SeDebugPrivilege	2404	System.exe
Token: SeDebugPrivilege	1244	System.exe
Token: SeDebugPrivilege	2232	System.exe
Token: SeDebugPrivilege	328	System.exe
Token: SeDebugPrivilege	2936	System.exe
Token: SeDebugPrivilege	2676	System.exe
Token: SeDebugPrivilege	1688	System.exe
Token: SeDebugPrivilege	1256	System.exe
Token: SeDebugPrivilege	1668	System.exe
Token: SeDebugPrivilege	328	System.exe
Token: SeDebugPrivilege	2428	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2772	2408	WinPerfcommon.exe	35
PID 2408 wrote to memory of 2772	2408	WinPerfcommon.exe	35
PID 2408 wrote to memory of 2772	2408	WinPerfcommon.exe	35
PID 2772 wrote to memory of 2636	2772	csc.exe	37
PID 2772 wrote to memory of 2636	2772	csc.exe	37
PID 2772 wrote to memory of 2636	2772	csc.exe	37
PID 2408 wrote to memory of 2984	2408	WinPerfcommon.exe	53
PID 2408 wrote to memory of 2984	2408	WinPerfcommon.exe	53
PID 2408 wrote to memory of 2984	2408	WinPerfcommon.exe	53
PID 2408 wrote to memory of 1036	2408	WinPerfcommon.exe	54
PID 2408 wrote to memory of 1036	2408	WinPerfcommon.exe	54
PID 2408 wrote to memory of 1036	2408	WinPerfcommon.exe	54
PID 2408 wrote to memory of 2208	2408	WinPerfcommon.exe	55
PID 2408 wrote to memory of 2208	2408	WinPerfcommon.exe	55
PID 2408 wrote to memory of 2208	2408	WinPerfcommon.exe	55
PID 2408 wrote to memory of 2200	2408	WinPerfcommon.exe	56
PID 2408 wrote to memory of 2200	2408	WinPerfcommon.exe	56
PID 2408 wrote to memory of 2200	2408	WinPerfcommon.exe	56
PID 2408 wrote to memory of 2952	2408	WinPerfcommon.exe	58
PID 2408 wrote to memory of 2952	2408	WinPerfcommon.exe	58
PID 2408 wrote to memory of 2952	2408	WinPerfcommon.exe	58
PID 2408 wrote to memory of 2812	2408	WinPerfcommon.exe	60
PID 2408 wrote to memory of 2812	2408	WinPerfcommon.exe	60
PID 2408 wrote to memory of 2812	2408	WinPerfcommon.exe	60
PID 2408 wrote to memory of 2588	2408	WinPerfcommon.exe	65
PID 2408 wrote to memory of 2588	2408	WinPerfcommon.exe	65
PID 2408 wrote to memory of 2588	2408	WinPerfcommon.exe	65
PID 2588 wrote to memory of 344	2588	cmd.exe	67
PID 2588 wrote to memory of 344	2588	cmd.exe	67
PID 2588 wrote to memory of 344	2588	cmd.exe	67
PID 2588 wrote to memory of 796	2588	cmd.exe	68
PID 2588 wrote to memory of 796	2588	cmd.exe	68
PID 2588 wrote to memory of 796	2588	cmd.exe	68
PID 2588 wrote to memory of 3012	2588	cmd.exe	69
PID 2588 wrote to memory of 3012	2588	cmd.exe	69
PID 2588 wrote to memory of 3012	2588	cmd.exe	69
PID 3012 wrote to memory of 2788	3012	System.exe	70
PID 3012 wrote to memory of 2788	3012	System.exe	70
PID 3012 wrote to memory of 2788	3012	System.exe	70
PID 2788 wrote to memory of 2620	2788	cmd.exe	72
PID 2788 wrote to memory of 2620	2788	cmd.exe	72
PID 2788 wrote to memory of 2620	2788	cmd.exe	72
PID 2788 wrote to memory of 2676	2788	cmd.exe	73
PID 2788 wrote to memory of 2676	2788	cmd.exe	73
PID 2788 wrote to memory of 2676	2788	cmd.exe	73
PID 2788 wrote to memory of 2404	2788	cmd.exe	74
PID 2788 wrote to memory of 2404	2788	cmd.exe	74
PID 2788 wrote to memory of 2404	2788	cmd.exe	74
PID 2404 wrote to memory of 1672	2404	System.exe	75
PID 2404 wrote to memory of 1672	2404	System.exe	75
PID 2404 wrote to memory of 1672	2404	System.exe	75
PID 1672 wrote to memory of 1116	1672	cmd.exe	77
PID 1672 wrote to memory of 1116	1672	cmd.exe	77
PID 1672 wrote to memory of 1116	1672	cmd.exe	77
PID 1672 wrote to memory of 2152	1672	cmd.exe	78
PID 1672 wrote to memory of 2152	1672	cmd.exe	78
PID 1672 wrote to memory of 2152	1672	cmd.exe	78
PID 1672 wrote to memory of 1244	1672	cmd.exe	79
PID 1672 wrote to memory of 1244	1672	cmd.exe	79
PID 1672 wrote to memory of 1244	1672	cmd.exe	79
PID 1244 wrote to memory of 2092	1244	System.exe	80
PID 1244 wrote to memory of 2092	1244	System.exe	80
PID 1244 wrote to memory of 2092	1244	System.exe	80
PID 2092 wrote to memory of 728	2092	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe
"C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe"
1⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in Program Files directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tkwdsi01\tkwdsi01.cmdline"
  2⤵
  - Drops file in System32 directory
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESDCD7.tmp" "c:\Windows\System32\CSC5F26F417E7549B695B21BD9137011C.TMP"
    3⤵
    PID:2636
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\WmiPrvSE.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WMIADAP.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2208
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2200
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\System.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2952
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious use of AdjustPrivilegeToken
  PID:2812
- C:\Windows\System32\cmd.exe
  "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6RRXr44umF.bat"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\chcp.com
    chcp 65001
    3⤵
    PID:344
- - C:\Windows\system32\PING.EXE
    ping -n 10 localhost
    3⤵
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:796
- - C:\Users\Default\Templates\System.exe
    "C:\Users\Default\Templates\System.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3012
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Osft0y9e1S.bat"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2788
    - - C:\Windows\system32\chcp.com
        
        chcp 65001
        5⤵
        
        PID:2620
    - - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        5⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2676
    - - C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pDaBHOJJBp.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1672
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        7⤵
        
        PID:1116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2152
        
        C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IB3ybkF286.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2092
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        9⤵
        
        PID:728
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        9⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2524
        
        C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PEEvsyJdYA.bat"
        10⤵
        
        PID:1624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        11⤵
        
        PID:2852
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        11⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2808
        
        C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TCMSovEgtl.bat"
        12⤵
        
        PID:1408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        13⤵
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:796
        
        C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HImszzPBTt.bat"
        14⤵
        
        PID:2624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        15⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1292
        
        C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cg5rz6h3MO.bat"
        16⤵
        
        PID:2292
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        17⤵
        
        PID:2956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        17⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1780
        
        C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y9xm5D5TAc.bat"
        18⤵
        
        PID:2552
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        19⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2984
        
        C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LHuPvvKEnU.bat"
        20⤵
        
        PID:912
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        21⤵
        
        PID:3016
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        21⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1680
        
        C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wWOI1HKPNj.bat"
        22⤵
        
        PID:2960
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        23⤵
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1556
        
        C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\emIYhhnueR.bat"
        24⤵
        
        PID:2616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        25⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2748
        
        C:\Users\Default\Templates\System.exe
        
        "C:\Users\Default\Templates\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Searches\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Searches\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Defender\fr-FR\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinPerfcommon" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WinPerfcommonW" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\AppData\Local\Temp\WinPerfcommon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\6RRXr44umF.bat

Filesize
165B

MD5
3124b86c448ae0474513ef5ac1f969ab

SHA1
4b55bb980f3285c0d0f89ec6d0b583363f8a7cee

SHA256
2fc0c6084cf3b4bf182c66d9f3ba2e828d39223343a6a5a4855ee6782af82cea

SHA512
227f844353b12b4ab75217c51b86012c3d3623d4c45c13cfd09873bcbd783bccffe525f3aae99cc609cb5e68462fb0a4bd8674395645f12afb37049311ff26d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cg5rz6h3MO.bat

Filesize
165B

MD5
aea4837914b252ab6ef91e82e1f5733a

SHA1
b377355a1a29f948a19ca72dcf4ad56c57f9ca2d

SHA256
ffb8c9a2b0787a92af1bb640cf509ce63bd7717ba902ceddda35604167d27907

SHA512
a2031b8c28545ae49b30d30f52917f7727276bd031b35f72ad46fdc52a160a3b5cd881bbdf23d4a23f80d718a4ba8974852143418fd6297bf126fc4a079ebb96

Download Submit
C:\Users\Admin\AppData\Local\Temp\HImszzPBTt.bat

Filesize
213B

MD5
960070f80ba10f49244a4cd3b1d2dd72

SHA1
7313fb4566685ee9b30f6a806725dea3f903d218

SHA256
0500049333e531bfa74036e7dac660a7e8dcadcb8bf97c68c8cc847186f1e80d

SHA512
d9e6b393f3e571873aed1063166727dc57a5054ef62033322a1789bf70211cd8896636291ae076be647f5fd873c1e5f9b772bb718b80defd1777ea29eedd2def

Download Submit
C:\Users\Admin\AppData\Local\Temp\IB3ybkF286.bat

Filesize
165B

MD5
26de6d239baefa99b0c68ef5edf908d3

SHA1
d80b7e30efd834fd76c5d3c66ae060ea2a9812be

SHA256
e4e51cff1d4d324f8954fe9c187e4fad19cd44b0843633c5eebb9b3694ce5d07

SHA512
769c473f6cd566518d1b8bc8497e5ad854e42960755decd76c1e92367435251a0bf4fc0e459f2fd7b0ae95116ab91925581edadda044ff31a726831e16677590

Download Submit
C:\Users\Admin\AppData\Local\Temp\LHuPvvKEnU.bat

Filesize
165B

MD5
33c84d7cb170655eb5eac39ba4f77f20

SHA1
76e3f4678fca4cefe6d594436e00ccc66168810d

SHA256
2bdc090c731237d6ce8e603e06e51abf5dfd120764ac927f96df87493df4195d

SHA512
14dc9cc6e86fd6bccddf8f562a5839a7118b57ee803f4807807859fa02bb307f6611d620943de5ec1d1ad545597745cf02326cff3892ecaef5cebd8519635120

Download Submit
C:\Users\Admin\AppData\Local\Temp\Osft0y9e1S.bat

Filesize
165B

MD5
c813b047c8a5e56d7e91b22f01146f2d

SHA1
36857bcb93d5bb33a737873c96a57a23185890fc

SHA256
8838e9d17979b63e874b4bf0b4ccd05bf7cc85cbbd47752b2c34f1b757706a36

SHA512
5a7f0bd830ae99ba195b100db9f526bac4113880c12607885634d67ed2801cc38be5929bcb265167579f0a0b5cdba4bde1dd357323397e2504989cc38a032ce5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PEEvsyJdYA.bat

Filesize
165B

MD5
4dcb100f08a20bc2fc6b03e61786e571

SHA1
b6d331275a2719dc8571fab5cd3324f15127d2fb

SHA256
42c5d5c2d50bf209fadb56c7d06df7c3b51a96f6c4d056c2ab5091f5b7118a30

SHA512
4a15f0a6a8f6dddefe872ed2594dee4e0fadd80ce3d0a1f9e78a0561be33bbeea415d71b40b5f47b3abc8e1bff7063c2d5d2cf0bc1acf1b3fd2eb10fe1636a03

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESDCD7.tmp

Filesize
1KB

MD5
af793daadfbf87a4dbcd977c6b8383a0

SHA1
a6744e32e8aba61e30904bd0a83edf91ee2d1214

SHA256
28f879d3386578e4bb35bde81d7bed8868c12c5597d25f6c976cd0962dafca14

SHA512
b8b5c0e376f1f0339ce948eb804319e88363d3ca4e52d797a5410cd995c71018e8b5176b6abb47f210498f009787f0ff7d3ef3a0ea6cb380cf42799053589fec

Download Submit
C:\Users\Admin\AppData\Local\Temp\TCMSovEgtl.bat

Filesize
213B

MD5
a60c01786e3aa39988242a6dcea62832

SHA1
e7e888c50b47602982937f631054407c30e36d8e

SHA256
8f524d63aecac12a0a0d435bb8ce5690e58f72823d202df750f02744638249e6

SHA512
5a4a0716c397cbece4108e50e4b74a2fe8c281c0b02728440d760dc7496805d916c8f7e02311bbd54a45be67eed41a38f3fab2d997981247b49c4e082beb3674

Download Submit
C:\Users\Admin\AppData\Local\Temp\emIYhhnueR.bat

Filesize
213B

MD5
43752aa71d1e1e9ed82f39a72e79259a

SHA1
d45655312fd5a9bb126f75676d8c4bf471fb00c0

SHA256
c9f8831914a909b6566a747cfce4b8830fcebe450927281605a903e5f5ded4b6

SHA512
3c5617e840812b729a3305720e0e57380ad1695a094f476a494f8d61e44e47e42fcd7fb80245d77ec69d976fe0b8d1b8e9498ab4bee27141f5caa9d9c2b691d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\pDaBHOJJBp.bat

Filesize
213B

MD5
ea30fc286116e86748b550d630faea49

SHA1
d4f59c8bf7e8fd11f3489ad05c6107a106435ae0

SHA256
c4a4aeeea9456771ef4293c9c899ff8aa0dfbe05c36f743cdc3430d06e8c3d92

SHA512
fa68da5f3f236714815e487ed020d641bd03279911515bffa002e160351952da44293318582035b6a0b48f5f4b14a6dfb0a7ba210d9d6d72974af673e5acecf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\wWOI1HKPNj.bat

Filesize
213B

MD5
fd2a55b5bb34f4bc0d819ce0f488ae12

SHA1
c0a7c497cb481eb78da8a9eb51585f0ff3a69302

SHA256
1362c90080ecf9f01fc7f7f0b67b58eb2d9c24b8157a235cd2e56ab80f038c6a

SHA512
f421c6bdf28252783b21ce3e757aa94bc2e3d72b08410fbf534dd4565c1d391c7861eeba3167c9adc94c950597c37f8cb8bd000fa09f011385fa0e7ee5e577fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\y9xm5D5TAc.bat

Filesize
213B

MD5
86314f50642e075b7f4fc3ab117ca5c8

SHA1
060441a2d61ab573521b4235ee5ffaae3a961a98

SHA256
89de98a727c59f4e3b95533142faec3e45d6817bb40f15f61803acd24a6e68ae

SHA512
faf8611cc80728ee465592c750221e6ede5efa2d362085a1b760c539ba163c5e659dddb5c63a95ffbb58cd23658108b01a59399f24cc2b0d1ad791fcf76a7b95

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e671193022b8ce5878b249771e62c6ba

SHA1
5603c8eeebee9c36922987e04840e04ad230e508

SHA256
3ccf9a7fe1c71c6565639db32c3243a8247ecaa2976aef3fa8874f527b4f8d12

SHA512
f9474359f05728fe504a493f64664179501a4a2643b3093ad663a147412e31762c71a824e0bfb2fe46a404f0091cc58c27c349fb7de27d32c707fd8ddb996ba6

Download Submit
C:\Users\Admin\Searches\WmiPrvSE.exe

Filesize
1.9MB

MD5
6b9554367a439d39a00a0dff9a08b123

SHA1
e1d22cde90c297c10f4fcba5b3980e5d551eb0b3

SHA256
3332277b9e53375e998ccf981cdb0519fea7721b5e79a3d7a60b83f448f6c0a9

SHA512
72ffbca1a2aa7cd2bb6b963d97b43d7d5eab9a11d09c647c7679e71877927b8c021e28cd1e28ae9ac5300c8621ba97aae6699e1abddc58be89c9bb3e84d1c720

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tkwdsi01\tkwdsi01.0.cs

Filesize
368B

MD5
462f9c469891bcaa77f51baac30ffbce

SHA1
87078e508ea029791d578470df2a1d29f40c2edf

SHA256
7b535b6bc53de43a20cc43158b9170013b07dee2766551a008199fba76645cf1

SHA512
81892f337ddb529225a614f7ac5d3be03380c2a9630afb32e5c0b8850b321aa88cff3e04f99bc9b921aaee11906f582b76837682e8f9ec3d8733d646b2c7a6bf

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\tkwdsi01\tkwdsi01.cmdline

Filesize
235B

MD5
54bd0e48ee65660a751b45140dc842b6

SHA1
d3b6235131c90f0cd67da353ccd1f926eab41107

SHA256
45f2597e233575aef9d3bca6d18bcc6eb3ec6224561be50d6e8b999ecb889a69

SHA512
d66c71dab369061e12a57c6f82d1b1c9bead3c8549d87ac390b95d20b775a7391add48256b566755d85ae758f2d1c87927d62b7712f6871b801a078ec9524f1e

Download Submit
\??\c:\Windows\System32\CSC5F26F417E7549B695B21BD9137011C.TMP

Filesize
1KB

MD5
02b6f6024c0f35b2dfb735e30d40ea59

SHA1
9e28d1d16523aab5845e09fdecf27759375f9b5a

SHA256
17491f9c7a135563b4c9dd20e2113e934070166146005e0f97ab301f4a5ef4aa

SHA512
a8a734f3d0f4d6a8904a8faa5638db91e9034c55306f153fdf321731cdfaaa58847d731ee64b226df0bd6cd4b8e6ed6d2ed1af77f510e079755f7159af433672

Download Submit
memory/328-143-0x0000000000E50000-0x0000000001044000-memory.dmp

Filesize
2.0MB

Download
memory/328-225-0x00000000002C0000-0x00000000004B4000-memory.dmp

Filesize
2.0MB

Download
memory/1244-115-0x0000000000050000-0x0000000000244000-memory.dmp

Filesize
2.0MB

Download
memory/1688-185-0x0000000001240000-0x0000000001434000-memory.dmp

Filesize
2.0MB

Download
memory/2208-80-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/2208-75-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2232-129-0x0000000000150000-0x0000000000344000-memory.dmp

Filesize
2.0MB

Download
memory/2408-0-0x000007FEF6723000-0x000007FEF6724000-memory.dmp

Filesize
4KB

Download
memory/2408-22-0x0000000000410000-0x000000000041C000-memory.dmp

Filesize
48KB

Download
memory/2408-12-0x00000000001B0000-0x00000000001C8000-memory.dmp

Filesize
96KB

Download
memory/2408-10-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-14-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2408-25-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-23-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-15-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-19-0x00000000003F0000-0x00000000003FE000-memory.dmp

Filesize
56KB

Download
memory/2408-8-0x0000000000190000-0x00000000001AC000-memory.dmp

Filesize
112KB

Download
memory/2408-85-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-1-0x00000000010C0000-0x00000000012B4000-memory.dmp

Filesize
2.0MB

Download
memory/2408-17-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2408-9-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-20-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-6-0x0000000000180000-0x000000000018E000-memory.dmp

Filesize
56KB

Download
memory/2408-24-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-4-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-3-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2408-2-0x000007FEF6720000-0x000007FEF710C000-memory.dmp

Filesize
9.9MB

Download
memory/2428-239-0x0000000001070000-0x0000000001264000-memory.dmp

Filesize
2.0MB

Download
memory/2676-171-0x0000000000EE0000-0x00000000010D4000-memory.dmp

Filesize
2.0MB

Download
memory/3012-88-0x0000000000A00000-0x0000000000BF4000-memory.dmp

Filesize
2.0MB

Download