dcrat | e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f

Analysis

max time kernel
146s
max time network
144s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
02-02-2023 19:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exe
Size

1.3MB
MD5

f33280bdae3cb4338f1df2a45fb2320e
SHA1

53c377cea276531bb6005b92a9c348870b04296b
SHA256

e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f
SHA512

2cedc5e89ab05a8331434c72277b4528d639b5ea5507f6034ad33d66b1e77111893176e3618833ef41911b8de039f41dfca321c46847b9842f5981666ae48d8b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat

Process spawned unexpected child process 9 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	4924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	4924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4456	4924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3948	4924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4020	4924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	4924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	4924	schtasks.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	4924	schtasks.exe

DCRat payload 18 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

Processes:

resource	yara_rule
C:\providercommon\DllCommonsvc.exe	dcrat
C:\providercommon\DllCommonsvc.exe	dcrat
behavioral1/memory/1284-139-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat
C:\Windows\IdentityCRL\INT\smss.exe	dcrat

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

smss.exesmss.exesmss.exee933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exesmss.exesmss.exesmss.exesmss.exesmss.exeDllCommonsvc.exesmss.exesmss.exesmss.exeWScript.exesmss.exesmss.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 15 IoCs

Processes:

DllCommonsvc.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
1284	DllCommonsvc.exe
4232	smss.exe
4724	smss.exe
3768	smss.exe
1768	smss.exe
5092	smss.exe
116	smss.exe
624	smss.exe
2072	smss.exe
4884	smss.exe
4768	smss.exe
3244	smss.exe
4072	smss.exe
4004	smss.exe
4716	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102

Drops file in Windows directory 2 IoCs

Processes:

DllCommonsvc.exe

description	ioc	process
File created	C:\Windows\IdentityCRL\INT\smss.exe	DllCommonsvc.exe
File created	C:\Windows\IdentityCRL\INT\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Creates scheduled task(s) 1 TTPs 9 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5004	schtasks.exe
3164	schtasks.exe
4456	schtasks.exe
4020	schtasks.exe
2992	schtasks.exe
4684	schtasks.exe
2480	schtasks.exe
3948	schtasks.exe
2376	schtasks.exe

Modifies registry class 14 IoCs

Processes:

smss.exesmss.exesmss.exesmss.exesmss.exee933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000_Classes\Local Settings	smss.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

pid	process
1284	DllCommonsvc.exe
1284	DllCommonsvc.exe
1284	DllCommonsvc.exe
3528	powershell.exe
1112	powershell.exe
4696	powershell.exe
4216	powershell.exe
4232	smss.exe
3528	powershell.exe
1112	powershell.exe
4696	powershell.exe
4216	powershell.exe
4724	smss.exe
3768	smss.exe
1768	smss.exe
5092	smss.exe
116	smss.exe
624	smss.exe
2072	smss.exe
4884	smss.exe
4768	smss.exe
3244	smss.exe
4072	smss.exe
4004	smss.exe
4716	smss.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

DllCommonsvc.exepowershell.exepowershell.exepowershell.exepowershell.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exesmss.exe

description	pid	process
Token: SeDebugPrivilege	1284	DllCommonsvc.exe
Token: SeDebugPrivilege	3528	powershell.exe
Token: SeDebugPrivilege	4696	powershell.exe
Token: SeDebugPrivilege	1112	powershell.exe
Token: SeDebugPrivilege	4216	powershell.exe
Token: SeDebugPrivilege	4232	smss.exe
Token: SeDebugPrivilege	4724	smss.exe
Token: SeDebugPrivilege	3768	smss.exe
Token: SeDebugPrivilege	1768	smss.exe
Token: SeDebugPrivilege	5092	smss.exe
Token: SeDebugPrivilege	116	smss.exe
Token: SeDebugPrivilege	624	smss.exe
Token: SeDebugPrivilege	2072	smss.exe
Token: SeDebugPrivilege	4884	smss.exe
Token: SeDebugPrivilege	4768	smss.exe
Token: SeDebugPrivilege	3244	smss.exe
Token: SeDebugPrivilege	4072	smss.exe
Token: SeDebugPrivilege	4004	smss.exe
Token: SeDebugPrivilege	4716	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exeWScript.execmd.exeDllCommonsvc.exesmss.execmd.exesmss.execmd.exesmss.execmd.exesmss.execmd.exesmss.execmd.exesmss.execmd.exesmss.execmd.exesmss.execmd.exe

description	pid	process	target process
PID 476 wrote to memory of 4376	476	e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exe	WScript.exe
PID 476 wrote to memory of 4376	476	e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exe	WScript.exe
PID 476 wrote to memory of 4376	476	e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exe	WScript.exe
PID 4376 wrote to memory of 4676	4376	WScript.exe	cmd.exe
PID 4376 wrote to memory of 4676	4376	WScript.exe	cmd.exe
PID 4376 wrote to memory of 4676	4376	WScript.exe	cmd.exe
PID 4676 wrote to memory of 1284	4676	cmd.exe	DllCommonsvc.exe
PID 4676 wrote to memory of 1284	4676	cmd.exe	DllCommonsvc.exe
PID 1284 wrote to memory of 4696	1284	DllCommonsvc.exe	powershell.exe
PID 1284 wrote to memory of 4696	1284	DllCommonsvc.exe	powershell.exe
PID 1284 wrote to memory of 3528	1284	DllCommonsvc.exe	powershell.exe
PID 1284 wrote to memory of 3528	1284	DllCommonsvc.exe	powershell.exe
PID 1284 wrote to memory of 4216	1284	DllCommonsvc.exe	powershell.exe
PID 1284 wrote to memory of 4216	1284	DllCommonsvc.exe	powershell.exe
PID 1284 wrote to memory of 1112	1284	DllCommonsvc.exe	powershell.exe
PID 1284 wrote to memory of 1112	1284	DllCommonsvc.exe	powershell.exe
PID 1284 wrote to memory of 4232	1284	DllCommonsvc.exe	smss.exe
PID 1284 wrote to memory of 4232	1284	DllCommonsvc.exe	smss.exe
PID 4232 wrote to memory of 996	4232	smss.exe	cmd.exe
PID 4232 wrote to memory of 996	4232	smss.exe	cmd.exe
PID 996 wrote to memory of 3328	996	cmd.exe	w32tm.exe
PID 996 wrote to memory of 3328	996	cmd.exe	w32tm.exe
PID 996 wrote to memory of 4724	996	cmd.exe	smss.exe
PID 996 wrote to memory of 4724	996	cmd.exe	smss.exe
PID 4724 wrote to memory of 2248	4724	smss.exe	cmd.exe
PID 4724 wrote to memory of 2248	4724	smss.exe	cmd.exe
PID 2248 wrote to memory of 3688	2248	cmd.exe	w32tm.exe
PID 2248 wrote to memory of 3688	2248	cmd.exe	w32tm.exe
PID 2248 wrote to memory of 3768	2248	cmd.exe	smss.exe
PID 2248 wrote to memory of 3768	2248	cmd.exe	smss.exe
PID 3768 wrote to memory of 4212	3768	smss.exe	cmd.exe
PID 3768 wrote to memory of 4212	3768	smss.exe	cmd.exe
PID 4212 wrote to memory of 2400	4212	cmd.exe	w32tm.exe
PID 4212 wrote to memory of 2400	4212	cmd.exe	w32tm.exe
PID 4212 wrote to memory of 1768	4212	cmd.exe	smss.exe
PID 4212 wrote to memory of 1768	4212	cmd.exe	smss.exe
PID 1768 wrote to memory of 5068	1768	smss.exe	cmd.exe
PID 1768 wrote to memory of 5068	1768	smss.exe	cmd.exe
PID 5068 wrote to memory of 2976	5068	cmd.exe	w32tm.exe
PID 5068 wrote to memory of 2976	5068	cmd.exe	w32tm.exe
PID 5068 wrote to memory of 5092	5068	cmd.exe	smss.exe
PID 5068 wrote to memory of 5092	5068	cmd.exe	smss.exe
PID 5092 wrote to memory of 5024	5092	smss.exe	cmd.exe
PID 5092 wrote to memory of 5024	5092	smss.exe	cmd.exe
PID 5024 wrote to memory of 4452	5024	cmd.exe	w32tm.exe
PID 5024 wrote to memory of 4452	5024	cmd.exe	w32tm.exe
PID 5024 wrote to memory of 116	5024	cmd.exe	smss.exe
PID 5024 wrote to memory of 116	5024	cmd.exe	smss.exe
PID 116 wrote to memory of 3512	116	smss.exe	cmd.exe
PID 116 wrote to memory of 3512	116	smss.exe	cmd.exe
PID 3512 wrote to memory of 3496	3512	cmd.exe	w32tm.exe
PID 3512 wrote to memory of 3496	3512	cmd.exe	w32tm.exe
PID 3512 wrote to memory of 624	3512	cmd.exe	smss.exe
PID 3512 wrote to memory of 624	3512	cmd.exe	smss.exe
PID 624 wrote to memory of 4128	624	smss.exe	cmd.exe
PID 624 wrote to memory of 4128	624	smss.exe	cmd.exe
PID 4128 wrote to memory of 4812	4128	cmd.exe	w32tm.exe
PID 4128 wrote to memory of 4812	4128	cmd.exe	w32tm.exe
PID 4128 wrote to memory of 2072	4128	cmd.exe	smss.exe
PID 4128 wrote to memory of 2072	4128	cmd.exe	smss.exe
PID 2072 wrote to memory of 400	2072	smss.exe	cmd.exe
PID 2072 wrote to memory of 400	2072	smss.exe	cmd.exe
PID 400 wrote to memory of 3552	400	cmd.exe	w32tm.exe
PID 400 wrote to memory of 3552	400	cmd.exe	w32tm.exe

C:\Users\Admin\AppData\Local\Temp\e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exe
"C:\Users\Admin\AppData\Local\Temp\e933cf29544e0406adad6e3e93a11130f240187ece16c3edc84af3f9a27e5b5f.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:476

C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
2⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:4376

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
3⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
4⤵
- Checks computer location settings
- Executes dropped EXE
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1284

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4696

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\odt\sihost.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4216

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IdentityCRL\INT\smss.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1112

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\System.exe'
5⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3528

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
5⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
6⤵
- Suspicious use of WriteProcessMemory
PID:996

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
7⤵
PID:3328

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
7⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4724

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"
8⤵
- Suspicious use of WriteProcessMemory
PID:2248

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
9⤵
PID:3688

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
9⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
10⤵
- Suspicious use of WriteProcessMemory
PID:4212

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
11⤵
PID:2400

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
11⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
12⤵
- Suspicious use of WriteProcessMemory
PID:5068

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
13⤵
PID:2976

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
13⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5092

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
14⤵
- Suspicious use of WriteProcessMemory
PID:5024

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
15⤵
PID:4452

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
15⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:116

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
16⤵
- Suspicious use of WriteProcessMemory
PID:3512

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
17⤵
PID:3496

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
17⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:624

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
18⤵
- Suspicious use of WriteProcessMemory
PID:4128

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
19⤵
PID:4812

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
19⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
20⤵
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
21⤵
PID:3552

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
21⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4884

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
22⤵
PID:908

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
23⤵
PID:4620

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
23⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4768

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
24⤵
PID:2012

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
25⤵
PID:4564

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
25⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3244

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat"
26⤵
PID:3544

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
27⤵
PID:4524

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
27⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4072

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
28⤵
PID:4572

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
29⤵
PID:2996

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
29⤵
- Checks computer location settings
- Executes dropped EXE
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4004

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
30⤵
PID:5068

C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
31⤵
PID:2348

C:\Windows\IdentityCRL\INT\smss.exe
"C:\Windows\IdentityCRL\INT\smss.exe"
31⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:5004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\odt\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:3948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\odt\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\IdentityCRL\INT\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\IdentityCRL\INT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Windows\IdentityCRL\INT\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Creates scheduled task(s)
PID:4684

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Web Service

T1102

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
200B

MD5
09f9ad42dd6b011420bb2db45b324c49

SHA1
9ceabc16655d9e0e7eb720c6dc7b203441cedcc1

SHA256
aadd02fefa248fccdb2c9d5289c87f51bf4ef847614094b4ddd6355ec112263c

SHA512
23f1f0729cb29fe52250cbfb8fd992cebf537992ca8ba93e62b0c27354308b4e27ebe6a350bbefa4b7c772b63e53077ef79b63752e7c366263db8ef52545f6e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
200B

MD5
e8f298e06d83c8a95b5792d5b344e403

SHA1
3ed2689f3d2e685552fb4b1413b387785a5af2cd

SHA256
07b9e4561a0efaf9e7350ec0c9e3bbffb54d8617da90da28f659a8df58957945

SHA512
05927d53b1ea2d98c89c5b0a1826e9dea46558136038293259f8eabd1628873e33e19ca3ac0a2032fc37a34751cd4169e19ec2e725ac5d085cc528dca92bdda7

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
200B

MD5
0ca487440ab7b748efe0d97bed88611a

SHA1
6a77538b39a6aa062f0e4b2f79863799f5e24c0d

SHA256
5455a222bb8d4761e8c7c3e05326079cabc99133907d218e78053d87cca14598

SHA512
a99e2ba632788cea3fe0130319d3ab766e6edf6e4305adb7dbcede1c2968fb0b79095dae6cb12f40767203e1d45a5a9abe7e0e3cda1aeef134f53a0a983bebc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

Filesize
200B

MD5
c9d4a969b9ccb60f244076bdbfedffc9

SHA1
8d06c6a3dfb51f5deeec4641c6b6cae07817cf41

SHA256
668cb7d3b1902bb8ff9446b51a19b8763917d34e5d667a232084eadf16d493ec

SHA512
c12c9ba901f40d12245753018be19728f4dbd451c3485a01ab15477db5df007f4f831ff0089cf6f8b663576cb39ce62cddd893909a97dd43fdef784d4baec9f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
200B

MD5
e1001b84cce38218639f4383ff5ccc47

SHA1
a9a8d626bcf525a6deb847b99043d60635fb27fb

SHA256
a2b1dbf6f1e7329cce349b4df9ab4b34f35e3a96aa9eb6115805ed05261e98d0

SHA512
748aeb0562696f571c39857d8c2e7f69c711689ba48b8545b7b63edb09e9d95b3b73cd603c50a1b62d8175a54cc5b4a3286b81a25dc16b517d646105405b2d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
200B

MD5
e1001b84cce38218639f4383ff5ccc47

SHA1
a9a8d626bcf525a6deb847b99043d60635fb27fb

SHA256
a2b1dbf6f1e7329cce349b4df9ab4b34f35e3a96aa9eb6115805ed05261e98d0

SHA512
748aeb0562696f571c39857d8c2e7f69c711689ba48b8545b7b63edb09e9d95b3b73cd603c50a1b62d8175a54cc5b4a3286b81a25dc16b517d646105405b2d17

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat

Filesize
200B

MD5
496aee01d82831fbce4559a22df51d1f

SHA1
f9a87d0914d9d22fb601f3f28b9140427999afd9

SHA256
80702d25ad283f4f1690065a57ccebce419e50eef084a417abe5b9790d5f8c28

SHA512
fdaadb986bdbb68fdf5508c02a999e4ca7da6adca5d144b288795ef60a36766ccd524de7c136401ddbc42fe4bc0ee8034fdadc1bacc57e5a3ec66ddcfa415b7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat

Filesize
200B

MD5
55901a1be07afd5893ff778f2d66a381

SHA1
4e988fa3cc651544af19405f6254717d22fc04c1

SHA256
902d2d19f7a5b40449c61e41d681402c1f7bdb0f7e4e232d2781c32b7afb4df6

SHA512
354d7e3d2b17536b73fa73a7bbbd67ca54b8379ebb2cf7363be7c41fc14548667b0ed64eb154fbe6ce2043fda1567071067d808d19e409f43063972269e4f8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
200B

MD5
fd44c0b4a8267c6a3aba40e3c1b226d3

SHA1
ff712e6b8826dbb07d661860b5746b6e9e32adbb

SHA256
e8b209c73dc0ef817ebac72276fa59ac402f08d720ec697ffa318616a81dff09

SHA512
ebdfe73b39669a1f7f9ba60475b4cc88ab11ea7303e17da1d1330cb0d777e5b587674783694fbed80786f72dc38fe1c99a2fcf4205b3fd63caf9d8f8b4676c1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
200B

MD5
5568f554f06463d41fa9bcc2ed396fcc

SHA1
7cb4cd747a70c964e524ecbcde63dfbf3cd056ec

SHA256
44295fa5a37830be8c893fd8e9c5c14d8369e8f6c27851725902131f603b9ba2

SHA512
187cb7a77ecbc6c0cf6f3c6601209255c80d9cfedebc57c1a98d7f62cf44ed27c5afc36c218aa70efdd5fc222b3c59de22fd46047a586c5bb912c98237342632

Download Submit
C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat

Filesize
200B

MD5
449fdc802affd5252c77e02279f471b2

SHA1
6ed6aab9ca1cc859c47a5280eca91a1349821ace

SHA256
f6415ca5cf9fc3e6488b608250a79ea3ede8b9d5b003b69abf9d2ee30d19d59c

SHA512
6fb98a4ae9c108817974c706e1b0b980cbfa24b6e857d350552ee1e2b9e969e3d80f6b62618d86fce37747c9633ec69280c6121f4a2f9cf45a9fd5b7037af9bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

Filesize
200B

MD5
fac61c0819c96faeb3f1686612b047f3

SHA1
75f20cf7736b96671fab8547b7b24f284414c9ea

SHA256
e6040b196176bcd4846611869c01082c008267c9914ceafc2666c813dea85984

SHA512
5a9c8e04c2399013bde9acb7a0ac869abcaa7d13fe8a47427e94e0add9a6cb274295164758adfb59744bd9c4047d477a183f8c53d34c720e84f44664321a9c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat

Filesize
200B

MD5
e1fb170d51071cd0d714a08e7477f97e

SHA1
4ffb493d97fc9047d5d3c23ea82ba7754eab2f92

SHA256
c3e3c2802b9bc64a7e67c6b079e92719c12a589de65d73c69fcf44b7e437062f

SHA512
ec47fd4f0557dba406d34e805498da15e2f5ef335f36880a8a0aa590ec3eb45a3878eaa74979cc0ca366a93ca4d8cac206f4c4d23a1408085c3a6f38557ca30d

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\Windows\IdentityCRL\INT\smss.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/116-196-0x0000000000000000-mapping.dmp

Download
memory/116-198-0x00007FFC46F10000-0x00007FFC479D1000-memory.dmp

Filesize
10.8MB

Download
memory/116-202-0x00007FFC46F10000-0x00007FFC479D1000-memory.dmp

Filesize
10.8MB

Download
memory/400-213-0x0000000000000000-mapping.dmp

Download
memory/624-203-0x0000000000000000-mapping.dmp

Download
memory/624-209-0x00007FFC46F10000-0x00007FFC479D1000-memory.dmp

Filesize
10.8MB

Download
memory/624-205-0x00007FFC46F10000-0x00007FFC479D1000-memory.dmp

Filesize
10.8MB

Download
memory/908-220-0x0000000000000000-mapping.dmp

Download
memory/996-162-0x0000000000000000-mapping.dmp

Download
memory/1112-159-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/1112-152-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/1112-144-0x0000000000000000-mapping.dmp

Download
memory/1284-136-0x0000000000000000-mapping.dmp

Download
memory/1284-139-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/1284-140-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/1284-148-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/1768-184-0x00007FFC46F10000-0x00007FFC479D1000-memory.dmp

Filesize
10.8MB

Download
memory/1768-188-0x00007FFC46F10000-0x00007FFC479D1000-memory.dmp

Filesize
10.8MB

Download
memory/1768-182-0x0000000000000000-mapping.dmp

Download
memory/2012-227-0x0000000000000000-mapping.dmp

Download
memory/2072-216-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2072-212-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/2072-210-0x0000000000000000-mapping.dmp

Download
memory/2248-171-0x0000000000000000-mapping.dmp

Download
memory/2348-250-0x0000000000000000-mapping.dmp

Download
memory/2400-180-0x0000000000000000-mapping.dmp

Download
memory/2976-187-0x0000000000000000-mapping.dmp

Download
memory/2996-243-0x0000000000000000-mapping.dmp

Download
memory/3244-231-0x0000000000000000-mapping.dmp

Download
memory/3244-237-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3244-233-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/3328-165-0x0000000000000000-mapping.dmp

Download
memory/3496-201-0x0000000000000000-mapping.dmp

Download
memory/3512-199-0x0000000000000000-mapping.dmp

Download
memory/3528-142-0x0000000000000000-mapping.dmp

Download
memory/3528-158-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/3528-149-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/3544-234-0x0000000000000000-mapping.dmp

Download
memory/3552-215-0x0000000000000000-mapping.dmp

Download
memory/3688-173-0x0000000000000000-mapping.dmp

Download
memory/3768-177-0x00007FFC46F10000-0x00007FFC479D1000-memory.dmp

Filesize
10.8MB

Download
memory/3768-175-0x0000000000000000-mapping.dmp

Download
memory/3768-181-0x00007FFC46F10000-0x00007FFC479D1000-memory.dmp

Filesize
10.8MB

Download
memory/4004-251-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4004-245-0x0000000000000000-mapping.dmp

Download
memory/4004-247-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-240-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4072-238-0x0000000000000000-mapping.dmp

Download
memory/4072-244-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4128-206-0x0000000000000000-mapping.dmp

Download
memory/4212-178-0x0000000000000000-mapping.dmp

Download
memory/4216-143-0x0000000000000000-mapping.dmp

Download
memory/4216-163-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/4216-153-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/4232-166-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/4232-145-0x0000000000000000-mapping.dmp

Download
memory/4232-154-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/4376-132-0x0000000000000000-mapping.dmp

Download
memory/4452-194-0x0000000000000000-mapping.dmp

Download
memory/4524-236-0x0000000000000000-mapping.dmp

Download
memory/4564-229-0x0000000000000000-mapping.dmp

Download
memory/4572-241-0x0000000000000000-mapping.dmp

Download
memory/4620-222-0x0000000000000000-mapping.dmp

Download
memory/4676-135-0x0000000000000000-mapping.dmp

Download
memory/4696-160-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-151-0x00007FFC47A10000-0x00007FFC484D1000-memory.dmp

Filesize
10.8MB

Download
memory/4696-150-0x000002BFEC8F0000-0x000002BFEC912000-memory.dmp

Filesize
136KB

Download
memory/4696-141-0x0000000000000000-mapping.dmp

Download
memory/4716-254-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4716-252-0x0000000000000000-mapping.dmp

Download
memory/4724-167-0x0000000000000000-mapping.dmp

Download
memory/4724-174-0x00007FFC47310000-0x00007FFC47DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4724-170-0x00007FFC47310000-0x00007FFC47DD1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-230-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4768-224-0x0000000000000000-mapping.dmp

Download
memory/4768-226-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4812-208-0x0000000000000000-mapping.dmp

Download
memory/4884-217-0x0000000000000000-mapping.dmp

Download
memory/4884-219-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/4884-223-0x00007FFC47030000-0x00007FFC47AF1000-memory.dmp

Filesize
10.8MB

Download
memory/5024-192-0x0000000000000000-mapping.dmp

Download
memory/5068-185-0x0000000000000000-mapping.dmp

Download
memory/5068-248-0x0000000000000000-mapping.dmp

Download
memory/5092-189-0x0000000000000000-mapping.dmp

Download
memory/5092-191-0x00007FFC46F10000-0x00007FFC479D1000-memory.dmp

Filesize
10.8MB

Download
memory/5092-195-0x00007FFC46F10000-0x00007FFC479D1000-memory.dmp

Filesize
10.8MB

Download