dcrat | 7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6

Analysis

max time kernel
146s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 21:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6.exe
Size

1.3MB
MD5

b80be84bec484f9e9f2eb97d3d3c6e74
SHA1

86e3589a318d90def838a97617b71942a5b137d4
SHA256

7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6
SHA512

03e46991d0ee64d702486cdb46af23eac91d3041e94779f09490b691904484afd0e4cbc2f29cab4341b7476096dca1cf034b91fd2fde649a856f900befc95389
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4792	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4036	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4540	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4920	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4896	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	720	180	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4156	180	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b32-10.dat	dcrat
behavioral2/memory/1556-13-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2340	powershell.exe
2152	powershell.exe
1504	powershell.exe
760	powershell.exe
1688	powershell.exe
1424	powershell.exe
3740	powershell.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	services.exe

Executes dropped EXE 12 IoCs

pid	Process
1556	DllCommonsvc.exe
3684	services.exe
836	services.exe
4340	services.exe
848	services.exe
1588	services.exe
3860	services.exe
1740	services.exe
2252	services.exe
2580	services.exe
2284	services.exe
2604	services.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
46	raw.githubusercontent.com
53	raw.githubusercontent.com
55	raw.githubusercontent.com
14	raw.githubusercontent.com
31	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com
43	raw.githubusercontent.com
50	raw.githubusercontent.com
54	raw.githubusercontent.com
56	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\uk-UA\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 13 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	services.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4792	schtasks.exe
4156	schtasks.exe
4036	schtasks.exe
1100	schtasks.exe
4332	schtasks.exe
2352	schtasks.exe
1816	schtasks.exe
2620	schtasks.exe
704	schtasks.exe
4480	schtasks.exe
4896	schtasks.exe
720	schtasks.exe
444	schtasks.exe
4540	schtasks.exe
4920	schtasks.exe
2852	schtasks.exe
3076	schtasks.exe
2428	schtasks.exe

Suspicious behavior: EnumeratesProcesses 35 IoCs

pid	Process
1556	DllCommonsvc.exe
1556	DllCommonsvc.exe
1556	DllCommonsvc.exe
1688	powershell.exe
1424	powershell.exe
3740	powershell.exe
3740	powershell.exe
2340	powershell.exe
2340	powershell.exe
760	powershell.exe
760	powershell.exe
2152	powershell.exe
2152	powershell.exe
1504	powershell.exe
1504	powershell.exe
3740	powershell.exe
1688	powershell.exe
1688	powershell.exe
2340	powershell.exe
1424	powershell.exe
1424	powershell.exe
760	powershell.exe
2152	powershell.exe
1504	powershell.exe
3684	services.exe
836	services.exe
4340	services.exe
848	services.exe
1588	services.exe
3860	services.exe
1740	services.exe
2252	services.exe
2580	services.exe
2284	services.exe
2604	services.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1556	DllCommonsvc.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	3740	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	3684	services.exe
Token: SeDebugPrivilege	836	services.exe
Token: SeDebugPrivilege	4340	services.exe
Token: SeDebugPrivilege	848	services.exe
Token: SeDebugPrivilege	1588	services.exe
Token: SeDebugPrivilege	3860	services.exe
Token: SeDebugPrivilege	1740	services.exe
Token: SeDebugPrivilege	2252	services.exe
Token: SeDebugPrivilege	2580	services.exe
Token: SeDebugPrivilege	2284	services.exe
Token: SeDebugPrivilege	2604	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 64 wrote to memory of 4676	64	JaffaCakes118_7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6.exe	83
PID 64 wrote to memory of 4676	64	JaffaCakes118_7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6.exe	83
PID 64 wrote to memory of 4676	64	JaffaCakes118_7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6.exe	83
PID 4676 wrote to memory of 2684	4676	WScript.exe	84
PID 4676 wrote to memory of 2684	4676	WScript.exe	84
PID 4676 wrote to memory of 2684	4676	WScript.exe	84
PID 2684 wrote to memory of 1556	2684	cmd.exe	86
PID 2684 wrote to memory of 1556	2684	cmd.exe	86
PID 1556 wrote to memory of 3740	1556	DllCommonsvc.exe	107
PID 1556 wrote to memory of 3740	1556	DllCommonsvc.exe	107
PID 1556 wrote to memory of 1424	1556	DllCommonsvc.exe	108
PID 1556 wrote to memory of 1424	1556	DllCommonsvc.exe	108
PID 1556 wrote to memory of 2152	1556	DllCommonsvc.exe	109
PID 1556 wrote to memory of 2152	1556	DllCommonsvc.exe	109
PID 1556 wrote to memory of 2340	1556	DllCommonsvc.exe	110
PID 1556 wrote to memory of 2340	1556	DllCommonsvc.exe	110
PID 1556 wrote to memory of 1688	1556	DllCommonsvc.exe	111
PID 1556 wrote to memory of 1688	1556	DllCommonsvc.exe	111
PID 1556 wrote to memory of 760	1556	DllCommonsvc.exe	112
PID 1556 wrote to memory of 760	1556	DllCommonsvc.exe	112
PID 1556 wrote to memory of 1504	1556	DllCommonsvc.exe	114
PID 1556 wrote to memory of 1504	1556	DllCommonsvc.exe	114
PID 1556 wrote to memory of 1160	1556	DllCommonsvc.exe	121
PID 1556 wrote to memory of 1160	1556	DllCommonsvc.exe	121
PID 1160 wrote to memory of 4456	1160	cmd.exe	123
PID 1160 wrote to memory of 4456	1160	cmd.exe	123
PID 1160 wrote to memory of 3684	1160	cmd.exe	124
PID 1160 wrote to memory of 3684	1160	cmd.exe	124
PID 3684 wrote to memory of 2952	3684	services.exe	135
PID 3684 wrote to memory of 2952	3684	services.exe	135
PID 2952 wrote to memory of 1336	2952	cmd.exe	138
PID 2952 wrote to memory of 1336	2952	cmd.exe	138
PID 2952 wrote to memory of 836	2952	cmd.exe	142
PID 2952 wrote to memory of 836	2952	cmd.exe	142
PID 836 wrote to memory of 1996	836	services.exe	144
PID 836 wrote to memory of 1996	836	services.exe	144
PID 1996 wrote to memory of 1420	1996	cmd.exe	146
PID 1996 wrote to memory of 1420	1996	cmd.exe	146
PID 1996 wrote to memory of 4340	1996	cmd.exe	148
PID 1996 wrote to memory of 4340	1996	cmd.exe	148
PID 4340 wrote to memory of 2932	4340	services.exe	151
PID 4340 wrote to memory of 2932	4340	services.exe	151
PID 2932 wrote to memory of 4940	2932	cmd.exe	153
PID 2932 wrote to memory of 4940	2932	cmd.exe	153
PID 2932 wrote to memory of 848	2932	cmd.exe	155
PID 2932 wrote to memory of 848	2932	cmd.exe	155
PID 848 wrote to memory of 2284	848	services.exe	157
PID 848 wrote to memory of 2284	848	services.exe	157
PID 2284 wrote to memory of 4900	2284	cmd.exe	159
PID 2284 wrote to memory of 4900	2284	cmd.exe	159
PID 2284 wrote to memory of 1588	2284	cmd.exe	161
PID 2284 wrote to memory of 1588	2284	cmd.exe	161
PID 1588 wrote to memory of 4416	1588	services.exe	163
PID 1588 wrote to memory of 4416	1588	services.exe	163
PID 4416 wrote to memory of 4652	4416	cmd.exe	165
PID 4416 wrote to memory of 4652	4416	cmd.exe	165
PID 4416 wrote to memory of 3860	4416	cmd.exe	167
PID 4416 wrote to memory of 3860	4416	cmd.exe	167
PID 3860 wrote to memory of 1508	3860	services.exe	169
PID 3860 wrote to memory of 1508	3860	services.exe	169
PID 1508 wrote to memory of 3308	1508	cmd.exe	171
PID 1508 wrote to memory of 3308	1508	cmd.exe	171
PID 1508 wrote to memory of 1740	1508	cmd.exe	173
PID 1508 wrote to memory of 1740	1508	cmd.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7a458f5bbee90c6e7fba8a9f0fc9d6b4d8280af77d8a0d3e3ca2376cf3d51dd6.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:64
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4676
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\upfc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Templates\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\uk-UA\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AbHAxMDrDz.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1160
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:4456
      - C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1336
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1420
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:4940
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4900
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4652
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3308
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
        19⤵
        
        PID:1044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:3700
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat"
        21⤵
        
        PID:468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2192
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        23⤵
        
        PID:3596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3508
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat"
        25⤵
        
        PID:4748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3044
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
        27⤵
        
        PID:4848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 7 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Recovery\WindowsRE\upfc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Templates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Admin\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Media Player\uk-UA\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\services.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
cadef9abd087803c630df65264a6c81c

SHA1
babbf3636c347c8727c35f3eef2ee643dbcc4bd2

SHA256
cce65b73cdfe9304bcd5207913e8b60fb69faa20cd3b684f2b0343b755b99438

SHA512
7278aa87124abb382d9024a645e881e7b7cf1b84e8894943b36e018dbf0399e6858392f77980b599fa5488e2e21bf757a0702fe6419417edac93b68e0c2ec085

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
59d97011e091004eaffb9816aa0b9abd

SHA1
1602a56b01dd4b7c577ca27d3117e4bcc1aa657b

SHA256
18f381e0db020a763b8c515c346ef58679ab9c403267eacfef5359e272f7e71d

SHA512
d9ca49c1a17580981e2c1a50d73c0eecaa7a62f8514741512172e395af2a3d80aeb0f71c58bc7f52c18246d57ba67af09b6bff4776877d6cc6f0245c30e092d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3HNGHapxv4.bat

Filesize
233B

MD5
48240094b1715076ac7426a1ae0fa70d

SHA1
549072f7b81d631f1f1b7b57bedb7a59f1047afa

SHA256
9b1739e3b736a80d776e4059bb8e37ad76eca11df51be8ea827defab3c99d70c

SHA512
1bfdbcaf58e2856b80392cb57470dc0d59e16ba644a7a8f4874b81827bfa6440e23b21e771e7f2e7c69034f6c8fc74496862b158f64c6a6ef1c69da6521decd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\AbHAxMDrDz.bat

Filesize
233B

MD5
db195281c6f0d04925d4e2b5dbf87b35

SHA1
190e7232a06e650a9c26f0815b0243f9b1d23d78

SHA256
b471938df336eb9d0721e9c657edf41bc0cfe07d1fe9a5eb7eaaa0d271ac9163

SHA512
f20223fde461e0e858657ecf7639ab98a0a44898ae7cc0925588e541c5e950e943b549746e6b3d7219eb2390f69b5bbd4e2176eee4d8490453db390b6a7a30b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat

Filesize
233B

MD5
d1162e6c1c5f7c5a46396231824b898a

SHA1
7b77a48d2d8b82577a7edc38489f9c45c262c9ee

SHA256
74c0a383325ce44f8929f8e71d37c26c8f5b47ee50cf37c1fdb709a5d03377e6

SHA512
75d59b5c715863576c6926f96ed8fe4503ba4f9e884c551b9e6351e0f1fa30936047de5774c9006ba8f4a91aa1ca7db6424cfefb5351908a7c70fc347bebccf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat

Filesize
233B

MD5
fe035f62e24f57f340bf63a7afbb7048

SHA1
9960b2253abdb37b9a82a09879d3584ea08657f8

SHA256
a845239e5d095aba65a0fed2938f1c92b59350aa8928f0954e3fa5cf29219707

SHA512
f60681eab1fabf8dee0d18b0f1810ead8397a37d2fad955151f81584733f8f86183001ce4356b70d3b6752341164c64916183ebad3868f02459c2fda3743dacb

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

Filesize
233B

MD5
c270673908b48b2b18c701ccb5494d3a

SHA1
16988bb8b6e5e7e8f06444fb91b751d9213c03aa

SHA256
796e781da662b69fc78f204c7bf7e8e9ddf02240adfdfab108bac0a3715a8cca

SHA512
5c260aab35e625104a7a609bf9e808a53089da79ea573199e525fb7ddca5633db55c53a3c0f3260b34e8b9024a6482815105561f9c35875929f6111f9012bd11

Download Submit
C:\Users\Admin\AppData\Local\Temp\OxVZsORhRP.bat

Filesize
233B

MD5
4027c8dffb1e69367a15139a1902c7d7

SHA1
6233f8af45ec0e59cf041b8ad1fecfebf88db8d8

SHA256
6674da0078baad0ff1c94874ce2810f1b91d3b3b7f03b504bbff97920b65d0e5

SHA512
ab37039315ae862a609332346073c137f1c0ca97f4f3a45562e913544e2d89fd331369a61313d18a915b6ea4944da79377c168b78596fe30d4574a58a1df302b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Re4gxnF4du.bat

Filesize
233B

MD5
26e2387a9fc1044051eca8d830b0319f

SHA1
6acb92c7ad1d1010af786bb26d25cc0f4411bfe2

SHA256
7b03d89be22c07ca3af7bee61b67e4da484a0922229f6b9cd1489b48cb48955c

SHA512
973c9f1fde5b813678ff2d203c4c8d0719bdcd9fb0cdb3ea5f795c3d5d5e721fec57f9949904fc892418fc3d46a5b4717c59dfafce0a415c9bb38e3d3aa8ef2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat

Filesize
233B

MD5
9b734a251c3a0197c3fc1d841d2a7561

SHA1
5037a24dbdcda557031a5f9a3ba63bb19f160e74

SHA256
c017dd3fd28a34064b3178bb1b6af498ffc34cd2d899b3c8324e2084baa46b6c

SHA512
14f577e968a6357455545b04ed310fad20963fc5ddc446c09567c4390f4e411119824c9a1cce90ebcfb7ea4661d85746dd09f3a8884458e1c0046354c8895722

Download Submit
C:\Users\Admin\AppData\Local\Temp\VlbjwdcMOl.bat

Filesize
233B

MD5
b4f674de1bed3fbd4443a2bc3313f219

SHA1
5c59cfde769384d889515d36daa4e954e5437eff

SHA256
83879ac22e817782a76d9b5e9df2407dc76de6a8d91854481b8ac85d38f5e526

SHA512
d8b20528a9052b28931a48b73e53c918323c17e21fcb5992383f100a3e5bbcb0f36d8e74ae5d079de9787e1dd803d0a798bd1f40e9f3b439279a83f950ed8ab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_cv5wgbns.1e5.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat

Filesize
233B

MD5
7330e7a4163983cd1009b18950b74545

SHA1
5996dcc7c573014a638163fd61fe0af4cba04d85

SHA256
917744e77b6d77b617de14766eecf8a3ac4e04cbe9fa08eb654480f619ea2146

SHA512
e14311f878cf522430bc1835d6aa8ce41895595e2f96ec700025d4d8c6dbe78b4be75ad1dfd425c38df8648664fdfc25ea1d8ac60a64cfe7d283888f74d042a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\nKCzYbro9F.bat

Filesize
233B

MD5
b761ca2c9c59e46fbc3e854198fb23f8

SHA1
501c6f08a018b1715f33323426df0f63b8e52fe8

SHA256
a18de33f34b548da73829d9259fa587a0428594befc44246c2055b3b91594b78

SHA512
267d8ec6bf0519a4666015473b1f52f296effe13b664c7edfe4f71ad671a079fdfa0c391a47351c8d8c04ce52225cd6c2ae59ab7da7b0b6ea1f87572b04d30da

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
233B

MD5
547dd633d243c83a135d2147c714ca79

SHA1
0af0b6f0cbd8cc6e86431ce979e051316e6e9d49

SHA256
fdca7e467e2926ea3e5d8e32bf599440d29b3d1db14df3a48c41824522c3fcbd

SHA512
b6d2dc256094e817cb24d45ad22806240406c51d32e4c0a4d5835d8c3cc1eb6e894e0154e2feaac6430a848db5850fe24d2572af93dcaeb0a2154acb1246362a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1556-17-0x0000000002EB0000-0x0000000002EBC000-memory.dmp

Filesize
48KB

Download
memory/1556-16-0x0000000002EA0000-0x0000000002EAC000-memory.dmp

Filesize
48KB

Download
memory/1556-15-0x0000000002DF0000-0x0000000002DFC000-memory.dmp

Filesize
48KB

Download
memory/1556-14-0x0000000002DE0000-0x0000000002DF2000-memory.dmp

Filesize
72KB

Download
memory/1556-13-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/1556-12-0x00007FFD50353000-0x00007FFD50355000-memory.dmp

Filesize
8KB

Download
memory/1688-40-0x000002BAD9210000-0x000002BAD9232000-memory.dmp

Filesize
136KB

Download