dcrat | 32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b

Analysis

max time kernel
145s
max time network
148s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 06:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b.exe
Size

1.3MB
MD5

0d3860e8ed0da285b8d00a1b82dd31e3
SHA1

17dc615d1ea7babdf6c168c2378657797031e885
SHA256

32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b
SHA512

f424de1f57b408967b5827e0766e8e07ff294657ff35c889323e5e9007651a3a8683ceef5d94651e0eabb02566f7a3f6c9294229f5da98ac2b5ffe842c26a7f5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5044	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4768	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4932	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3076	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3204	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4968	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4760	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4080	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	4024	schtasks.exe	87
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	4024	schtasks.exe	87

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b7a-10.dat	dcrat
behavioral2/memory/2256-13-0x0000000000600000-0x0000000000710000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1676	powershell.exe
4152	powershell.exe
4708	powershell.exe
2680	powershell.exe
312	powershell.exe
3884	powershell.exe
4732	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	JaffaCakes118_32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe
Key value queried	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation	lsass.exe

Executes dropped EXE 14 IoCs

pid	Process
2256	DllCommonsvc.exe
3492	lsass.exe
1788	lsass.exe
4992	lsass.exe
3876	lsass.exe
1828	lsass.exe
856	lsass.exe
3884	lsass.exe
2528	lsass.exe
2004	lsass.exe
1100	lsass.exe
3052	lsass.exe
2788	lsass.exe
4864	lsass.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
49	raw.githubusercontent.com
37	raw.githubusercontent.com
43	raw.githubusercontent.com
53	raw.githubusercontent.com
23	raw.githubusercontent.com
39	raw.githubusercontent.com
44	raw.githubusercontent.com
52	raw.githubusercontent.com
21	raw.githubusercontent.com
38	raw.githubusercontent.com
50	raw.githubusercontent.com
51	raw.githubusercontent.com
54	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\hrtfs\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Web\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Web\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\debug\services.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\debug\services.exe	DllCommonsvc.exe
File created	C:\Windows\debug\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	JaffaCakes118_32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe
Key created	\REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000_Classes\Local Settings	lsass.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
4768	schtasks.exe
3204	schtasks.exe
4760	schtasks.exe
4080	schtasks.exe
1396	schtasks.exe
5044	schtasks.exe
3076	schtasks.exe
1632	schtasks.exe
2820	schtasks.exe
1352	schtasks.exe
2744	schtasks.exe
2468	schtasks.exe
2400	schtasks.exe
2544	schtasks.exe
2496	schtasks.exe
4932	schtasks.exe
4968	schtasks.exe
1948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 41 IoCs

pid	Process
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
3884	powershell.exe
312	powershell.exe
4152	powershell.exe
2680	powershell.exe
2680	powershell.exe
4732	powershell.exe
4732	powershell.exe
4708	powershell.exe
4708	powershell.exe
1676	powershell.exe
1676	powershell.exe
4708	powershell.exe
3884	powershell.exe
3884	powershell.exe
4152	powershell.exe
4152	powershell.exe
312	powershell.exe
312	powershell.exe
2680	powershell.exe
4732	powershell.exe
1676	powershell.exe
3492	lsass.exe
1788	lsass.exe
4992	lsass.exe
3876	lsass.exe
1828	lsass.exe
856	lsass.exe
3884	lsass.exe
2528	lsass.exe
2004	lsass.exe
1100	lsass.exe
3052	lsass.exe
2788	lsass.exe
4864	lsass.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	DllCommonsvc.exe
Token: SeDebugPrivilege	3884	powershell.exe
Token: SeDebugPrivilege	312	powershell.exe
Token: SeDebugPrivilege	4152	powershell.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	4708	powershell.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	3492	lsass.exe
Token: SeDebugPrivilege	1788	lsass.exe
Token: SeDebugPrivilege	4992	lsass.exe
Token: SeDebugPrivilege	3876	lsass.exe
Token: SeDebugPrivilege	1828	lsass.exe
Token: SeDebugPrivilege	856	lsass.exe
Token: SeDebugPrivilege	3884	lsass.exe
Token: SeDebugPrivilege	2528	lsass.exe
Token: SeDebugPrivilege	2004	lsass.exe
Token: SeDebugPrivilege	1100	lsass.exe
Token: SeDebugPrivilege	3052	lsass.exe
Token: SeDebugPrivilege	2788	lsass.exe
Token: SeDebugPrivilege	4864	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2296 wrote to memory of 3180	2296	JaffaCakes118_32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b.exe	83
PID 2296 wrote to memory of 3180	2296	JaffaCakes118_32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b.exe	83
PID 2296 wrote to memory of 3180	2296	JaffaCakes118_32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b.exe	83
PID 3180 wrote to memory of 3008	3180	WScript.exe	84
PID 3180 wrote to memory of 3008	3180	WScript.exe	84
PID 3180 wrote to memory of 3008	3180	WScript.exe	84
PID 3008 wrote to memory of 2256	3008	cmd.exe	86
PID 3008 wrote to memory of 2256	3008	cmd.exe	86
PID 2256 wrote to memory of 1676	2256	DllCommonsvc.exe	107
PID 2256 wrote to memory of 1676	2256	DllCommonsvc.exe	107
PID 2256 wrote to memory of 4152	2256	DllCommonsvc.exe	108
PID 2256 wrote to memory of 4152	2256	DllCommonsvc.exe	108
PID 2256 wrote to memory of 4708	2256	DllCommonsvc.exe	109
PID 2256 wrote to memory of 4708	2256	DllCommonsvc.exe	109
PID 2256 wrote to memory of 2680	2256	DllCommonsvc.exe	110
PID 2256 wrote to memory of 2680	2256	DllCommonsvc.exe	110
PID 2256 wrote to memory of 312	2256	DllCommonsvc.exe	111
PID 2256 wrote to memory of 312	2256	DllCommonsvc.exe	111
PID 2256 wrote to memory of 3884	2256	DllCommonsvc.exe	112
PID 2256 wrote to memory of 3884	2256	DllCommonsvc.exe	112
PID 2256 wrote to memory of 4732	2256	DllCommonsvc.exe	113
PID 2256 wrote to memory of 4732	2256	DllCommonsvc.exe	113
PID 2256 wrote to memory of 4752	2256	DllCommonsvc.exe	121
PID 2256 wrote to memory of 4752	2256	DllCommonsvc.exe	121
PID 4752 wrote to memory of 3668	4752	cmd.exe	123
PID 4752 wrote to memory of 3668	4752	cmd.exe	123
PID 4752 wrote to memory of 3492	4752	cmd.exe	130
PID 4752 wrote to memory of 3492	4752	cmd.exe	130
PID 3492 wrote to memory of 2108	3492	lsass.exe	138
PID 3492 wrote to memory of 2108	3492	lsass.exe	138
PID 2108 wrote to memory of 1104	2108	cmd.exe	140
PID 2108 wrote to memory of 1104	2108	cmd.exe	140
PID 2108 wrote to memory of 1788	2108	cmd.exe	142
PID 2108 wrote to memory of 1788	2108	cmd.exe	142
PID 1788 wrote to memory of 2276	1788	lsass.exe	144
PID 1788 wrote to memory of 2276	1788	lsass.exe	144
PID 2276 wrote to memory of 972	2276	cmd.exe	146
PID 2276 wrote to memory of 972	2276	cmd.exe	146
PID 2276 wrote to memory of 4992	2276	cmd.exe	151
PID 2276 wrote to memory of 4992	2276	cmd.exe	151
PID 4992 wrote to memory of 5020	4992	lsass.exe	153
PID 4992 wrote to memory of 5020	4992	lsass.exe	153
PID 5020 wrote to memory of 2708	5020	cmd.exe	155
PID 5020 wrote to memory of 2708	5020	cmd.exe	155
PID 5020 wrote to memory of 3876	5020	cmd.exe	157
PID 5020 wrote to memory of 3876	5020	cmd.exe	157
PID 3876 wrote to memory of 3076	3876	lsass.exe	159
PID 3876 wrote to memory of 3076	3876	lsass.exe	159
PID 3076 wrote to memory of 4952	3076	cmd.exe	161
PID 3076 wrote to memory of 4952	3076	cmd.exe	161
PID 3076 wrote to memory of 1828	3076	cmd.exe	163
PID 3076 wrote to memory of 1828	3076	cmd.exe	163
PID 1828 wrote to memory of 4740	1828	lsass.exe	165
PID 1828 wrote to memory of 4740	1828	lsass.exe	165
PID 4740 wrote to memory of 4028	4740	cmd.exe	167
PID 4740 wrote to memory of 4028	4740	cmd.exe	167
PID 4740 wrote to memory of 856	4740	cmd.exe	170
PID 4740 wrote to memory of 856	4740	cmd.exe	170
PID 856 wrote to memory of 2788	856	lsass.exe	172
PID 856 wrote to memory of 2788	856	lsass.exe	172
PID 2788 wrote to memory of 3704	2788	cmd.exe	174
PID 2788 wrote to memory of 3704	2788	cmd.exe	174
PID 2788 wrote to memory of 3884	2788	cmd.exe	176
PID 2788 wrote to memory of 3884	2788	cmd.exe	176

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32aaf70a01554664cfba01bef8e2429cbcafa7ca9a670220736fa18c6b56a58b.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2296
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3180
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Fzf1z4kKN2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4752
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3668
      - C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1104
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:972
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:5020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2708
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:3076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:4952
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:4740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:4028
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3704
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        19⤵
        
        PID:5068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2396
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
        21⤵
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:432
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        23⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:4720
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
        25⤵
        
        PID:4464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1128
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
        27⤵
        
        PID:1288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2576
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
        29⤵
        
        PID:1804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:468
        
        C:\Windows\Web\lsass.exe
        
        "C:\Windows\Web\lsass.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
        31⤵
        
        PID:464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:3224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\hrtfs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Web\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\Web\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\lsass.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

Filesize
189B

MD5
1125b092caf495417e964b42ab1a34ff

SHA1
5c5c6b4dff3d9dc79f5bf9f8ef70a5f8584d7dc5

SHA256
cb93815e31d34d151b39dde05d1e0f4c10da2e1cf55908932fc4f37052dbbc2d

SHA512
36a04747ce59a12b3a529444f6ddc914195f3237499a88b28560def039d125c8e5c2f5fe9c7493c6c4ab44d76e10361b5b2ccf2886a9e558c3307eb627bb9e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

Filesize
189B

MD5
dc466da8aaba62721163b2a6fa0f14c4

SHA1
2947f9dd62e9288a8ee585052e20acbdbf7e6cbc

SHA256
85390a13dc204a1df54cd1b2c82bf9ea0e28711d0514836a4f57a4573d3d2996

SHA512
308f0775683d8bfdf960c5ec72fff8931eb9d1c4368d342bb4f50061d8458e7443a4bc70fdb7949f8e46d34c593bc3ceecb071de0d352689c1a43682099f077b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Fzf1z4kKN2.bat

Filesize
189B

MD5
4710eb4ce216f6bf28e77844872ef532

SHA1
a85e2d3f348f5967d27b78a11bc0e61f0053aaa0

SHA256
6590793c50ce6ca601f3048b078180059af43d963df83d2747b7a5e1bc86cf88

SHA512
eb99fec3d45cf56bdcf7e6ca936d85b2bfcf20c93f42f778568a0eb488fff60374725a0833b93bff2df753faae3ee6d2cb8c0e70de388b463aae3b54b9494d2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

Filesize
189B

MD5
fc6d5366d2bf835a5302f46953440bf6

SHA1
daa8f4950bdb9b036772ffd738d00ba4323d4c33

SHA256
e640a822ff68f56feebe3b7d0aa6106e2635d91d6f553709c50ac3ef07fc02b2

SHA512
7e7cf67c14037635534b05216a806f8f5f503db398a4d2fd3327e5b0dae4ae183aa07eb664ff691a1ea095707af44259c2346ce24d50cd647ad2cd393497fa39

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat

Filesize
189B

MD5
c8ca0ce3865b314a5c9f3479e868fefc

SHA1
6c921a106649b216a79b4ff23d5ea7ec9926b168

SHA256
c40e1c122f48eb986e755ed0dba624416ab7ae6986ea1bdd182f96ac15ac5fd9

SHA512
a70e4006dfdf5980ae2e53f87a9e0af23532b60b18b2a6e458adc3db8ea1fc1035f7b76d4e6d1a760c8713cc4c925cbf383e3d1f790519aec7ae866f1cc14657

Download Submit
C:\Users\Admin\AppData\Local\Temp\LnIbptgF5R.bat

Filesize
189B

MD5
d907f0bab8b2155a9b39b0249759efad

SHA1
75a1eb27b0f39460d228cfdbb1147b1d28374429

SHA256
ccf392a092aaec6fe06818007bd9c87715433eb01d123eb7adb037c2921ec2a7

SHA512
e96bf1905563428df07d645fd94856cd99c5dc6f460e1c118a519e1feeca1d033b3364acc21d13b0abf51b024b30504296bc435505ee236977e5a0dd84319413

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

Filesize
189B

MD5
0ede35e087c90df67d66541282ce42ce

SHA1
83a9aa7ba49284bf96612f5c79524317189d3f28

SHA256
5ec166cdf010dbecca4364c1ad98712fa462cce8727091cc949977eeda10d4c5

SHA512
5eac304c0647c368e5e3e21bdd119bcfea0bb571bae9bafb3f27d40a0c2b05c8e3cc7ce7ba62e314c7b19cb5cf776264a85491d1dafcfe4dbefe328e04bced05

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
189B

MD5
0343611125ce65b82dec65957f9d0be5

SHA1
611ff15e2f99a8cead4af629175b73a10a629e5c

SHA256
7c6b8b6831f8b4916cc46df190aa27ea513b65891fa57eccab816cdbeab0c061

SHA512
d0b9569dfbcfe3a9c98d8f6973dcdf00021c42dd2daa558c3b62f8d06be9068392073c96f73c8807396170adbba68244cbf61aac6e7dceafac1acc114f4cac0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vsxulsb0.gjv.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

Filesize
189B

MD5
922e84fb5ead443c5f8e248946727116

SHA1
ef27a82702614f6e444ea7a8b4d44a41753edede

SHA256
422a950ee3f9afd1986433e5c5231b0ef40be07b921299d204e7496f82a4ef68

SHA512
6edf8844577a0851a0a2f35114fdbe3d6ec9effc6ce037b4d5aff82ae509882f79deb67899ce241bf33511fffcb9e8d756be10eb34a6454cd12ef23bb6fd51f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
189B

MD5
82434096ec504152b774e73054030c3c

SHA1
8fa38dda45e8fbe1fcdac2f06d6b087673e3b353

SHA256
ed4ddf858c94079d8956658137741fcc7b459e5fd5799eb2587bf58117425ded

SHA512
32067549a0f476283a62476c863d8a405c2c4d8ad90f3980751010c832c25ea5ec4d1d1651de9dc5ebe087c4f410c4a79fbd1cd451ec20b8188e3e0ef23d6a82

Download Submit
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

Filesize
189B

MD5
f4a0644bb17555db44f8c73f4c2a16a9

SHA1
6b15971d1c6152e638df815ce47531b516829150

SHA256
9502278d06c022f8433a6b0e418855761304a20caadb737878086955189ec200

SHA512
f42af9e2710566618e9b6a529848b30a526047b833e5db69481f5700669bfa0acd7c282fc9c86f1f7578733632d1b9de8411f850ad35d4782246daead1e8e9d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

Filesize
189B

MD5
6a5cc2bcf92fc4815fbe5786d9046b64

SHA1
c243fe62d4bd2eb7fc63a130c56a2dd5a9907ea0

SHA256
0b2f8b7a4c446de12ff01d1476176b5c46af00604f44c443f778c48dac62a77e

SHA512
b34ab757e27bd6cea7dbdcacb9c425da2812ec4d48b41a0467978b5e61dfcd39f25e73b64564ba42bd0b0bda2eb49e7f62d77b3e3e1a0df391cf095d7db3c4e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
189B

MD5
95754c4ac2422fcb48d47a818ea38891

SHA1
ddcb34acdf4bc915b4d0315c8a46a0161ac697df

SHA256
897e6a78658a35ff14668b9c27edf4560b1af1538edb25735d5750460d626f5f

SHA512
2b41cc431bafc89a621abf97c02d01c7b5d758ecda23a2e4a1e55fe81a229f10d155627b9d7f55a40b19bd871bdc92b8ae891beff4e52cea40a5abf9a16063f5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1100-173-0x000000001B9F0000-0x000000001BA02000-memory.dmp

Filesize
72KB

Download
memory/2256-17-0x0000000002950000-0x000000000295C000-memory.dmp

Filesize
48KB

Download
memory/2256-16-0x0000000002940000-0x000000000294C000-memory.dmp

Filesize
48KB

Download
memory/2256-15-0x0000000002930000-0x000000000293C000-memory.dmp

Filesize
48KB

Download
memory/2256-14-0x0000000000F20000-0x0000000000F32000-memory.dmp

Filesize
72KB

Download
memory/2256-13-0x0000000000600000-0x0000000000710000-memory.dmp

Filesize
1.1MB

Download
memory/2256-12-0x00007FFC727F3000-0x00007FFC727F5000-memory.dmp

Filesize
8KB

Download
memory/2528-161-0x000000001C5F0000-0x000000001C602000-memory.dmp

Filesize
72KB

Download
memory/3492-116-0x000000001BFA0000-0x000000001BFB2000-memory.dmp

Filesize
72KB

Download
memory/3884-39-0x000001C5A77B0000-0x000001C5A77D2000-memory.dmp

Filesize
136KB

Download