dcrat | 89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103

Analysis

max time kernel
146s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22-12-2024 18:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103.exe
Size

1.3MB
MD5

645ab551c763aa01332c51b878141953
SHA1

99d22ecfd11c4d63d032724076133ed8560ad336
SHA256

89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103
SHA512

6b1dbecbfe56d88ad25fc1be2857c5b2103d16155271f90f09e0451d4268ec36523cc81b7c20b338d97b0aeae6974692a33ccde118bf5e446847d17ec7fd3851
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4832	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5076	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5100	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4052	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3900	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5020	2404	schtasks.exe	88
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2404	schtasks.exe	88

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x000a000000023b8b-10.dat	dcrat
behavioral2/memory/876-13-0x0000000000A00000-0x0000000000B10000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3664	powershell.exe
4160	powershell.exe
3348	powershell.exe
456	powershell.exe
2600	powershell.exe
3732	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 14 IoCs

pid	Process
876	DllCommonsvc.exe
632	smss.exe
3376	smss.exe
2932	smss.exe
5080	smss.exe
5108	smss.exe
2208	smss.exe
1600	smss.exe
1148	smss.exe
4008	smss.exe
1560	smss.exe
2628	smss.exe
3364	smss.exe
3996	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
43	raw.githubusercontent.com
44	raw.githubusercontent.com
50	raw.githubusercontent.com
15	raw.githubusercontent.com
16	raw.githubusercontent.com
36	raw.githubusercontent.com
38	raw.githubusercontent.com
42	raw.githubusercontent.com
53	raw.githubusercontent.com
23	raw.githubusercontent.com
39	raw.githubusercontent.com
51	raw.githubusercontent.com
52	raw.githubusercontent.com
49	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\934B6514-B3DC-4B8F-82EB-F1681BAEB6A9\sihost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\934B6514-B3DC-4B8F-82EB-F1681BAEB6A9\66fc9ff0ee96c2	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Sun\Java\Deployment\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Sun\Java\Deployment\winlogon.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	JaffaCakes118_89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2972	schtasks.exe
2036	schtasks.exe
4832	schtasks.exe
1316	schtasks.exe
888	schtasks.exe
5076	schtasks.exe
5100	schtasks.exe
5020	schtasks.exe
4732	schtasks.exe
5104	schtasks.exe
1660	schtasks.exe
2660	schtasks.exe
1200	schtasks.exe
3900	schtasks.exe
4052	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
876	DllCommonsvc.exe
2600	powershell.exe
4160	powershell.exe
3348	powershell.exe
3664	powershell.exe
456	powershell.exe
3732	powershell.exe
632	smss.exe
2600	powershell.exe
4160	powershell.exe
3664	powershell.exe
456	powershell.exe
3348	powershell.exe
3732	powershell.exe
3376	smss.exe
2932	smss.exe
5080	smss.exe
5108	smss.exe
2208	smss.exe
1600	smss.exe
1148	smss.exe
4008	smss.exe
1560	smss.exe
2628	smss.exe
3364	smss.exe
3996	smss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	876	DllCommonsvc.exe
Token: SeDebugPrivilege	3348	powershell.exe
Token: SeDebugPrivilege	2600	powershell.exe
Token: SeDebugPrivilege	4160	powershell.exe
Token: SeDebugPrivilege	3664	powershell.exe
Token: SeDebugPrivilege	456	powershell.exe
Token: SeDebugPrivilege	632	smss.exe
Token: SeDebugPrivilege	3732	powershell.exe
Token: SeDebugPrivilege	3376	smss.exe
Token: SeDebugPrivilege	2932	smss.exe
Token: SeDebugPrivilege	5080	smss.exe
Token: SeDebugPrivilege	5108	smss.exe
Token: SeDebugPrivilege	2208	smss.exe
Token: SeDebugPrivilege	1600	smss.exe
Token: SeDebugPrivilege	1148	smss.exe
Token: SeDebugPrivilege	4008	smss.exe
Token: SeDebugPrivilege	1560	smss.exe
Token: SeDebugPrivilege	2628	smss.exe
Token: SeDebugPrivilege	3364	smss.exe
Token: SeDebugPrivilege	3996	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 4744	1672	JaffaCakes118_89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103.exe	83
PID 1672 wrote to memory of 4744	1672	JaffaCakes118_89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103.exe	83
PID 1672 wrote to memory of 4744	1672	JaffaCakes118_89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103.exe	83
PID 4744 wrote to memory of 3516	4744	WScript.exe	85
PID 4744 wrote to memory of 3516	4744	WScript.exe	85
PID 4744 wrote to memory of 3516	4744	WScript.exe	85
PID 3516 wrote to memory of 876	3516	cmd.exe	87
PID 3516 wrote to memory of 876	3516	cmd.exe	87
PID 876 wrote to memory of 3732	876	DllCommonsvc.exe	105
PID 876 wrote to memory of 3732	876	DllCommonsvc.exe	105
PID 876 wrote to memory of 3664	876	DllCommonsvc.exe	106
PID 876 wrote to memory of 3664	876	DllCommonsvc.exe	106
PID 876 wrote to memory of 4160	876	DllCommonsvc.exe	107
PID 876 wrote to memory of 4160	876	DllCommonsvc.exe	107
PID 876 wrote to memory of 3348	876	DllCommonsvc.exe	108
PID 876 wrote to memory of 3348	876	DllCommonsvc.exe	108
PID 876 wrote to memory of 456	876	DllCommonsvc.exe	109
PID 876 wrote to memory of 456	876	DllCommonsvc.exe	109
PID 876 wrote to memory of 2600	876	DllCommonsvc.exe	110
PID 876 wrote to memory of 2600	876	DllCommonsvc.exe	110
PID 876 wrote to memory of 632	876	DllCommonsvc.exe	116
PID 876 wrote to memory of 632	876	DllCommonsvc.exe	116
PID 632 wrote to memory of 1512	632	smss.exe	124
PID 632 wrote to memory of 1512	632	smss.exe	124
PID 1512 wrote to memory of 3668	1512	cmd.exe	126
PID 1512 wrote to memory of 3668	1512	cmd.exe	126
PID 1512 wrote to memory of 3376	1512	cmd.exe	134
PID 1512 wrote to memory of 3376	1512	cmd.exe	134
PID 3376 wrote to memory of 4452	3376	smss.exe	136
PID 3376 wrote to memory of 4452	3376	smss.exe	136
PID 4452 wrote to memory of 3128	4452	cmd.exe	138
PID 4452 wrote to memory of 3128	4452	cmd.exe	138
PID 4452 wrote to memory of 2932	4452	cmd.exe	142
PID 4452 wrote to memory of 2932	4452	cmd.exe	142
PID 2932 wrote to memory of 2692	2932	smss.exe	145
PID 2932 wrote to memory of 2692	2932	smss.exe	145
PID 2692 wrote to memory of 3472	2692	cmd.exe	147
PID 2692 wrote to memory of 3472	2692	cmd.exe	147
PID 2692 wrote to memory of 5080	2692	cmd.exe	149
PID 2692 wrote to memory of 5080	2692	cmd.exe	149
PID 5080 wrote to memory of 3724	5080	smss.exe	151
PID 5080 wrote to memory of 3724	5080	smss.exe	151
PID 3724 wrote to memory of 2296	3724	cmd.exe	153
PID 3724 wrote to memory of 2296	3724	cmd.exe	153
PID 3724 wrote to memory of 5108	3724	cmd.exe	155
PID 3724 wrote to memory of 5108	3724	cmd.exe	155
PID 5108 wrote to memory of 3144	5108	smss.exe	157
PID 5108 wrote to memory of 3144	5108	smss.exe	157
PID 3144 wrote to memory of 928	3144	cmd.exe	159
PID 3144 wrote to memory of 928	3144	cmd.exe	159
PID 3144 wrote to memory of 2208	3144	cmd.exe	161
PID 3144 wrote to memory of 2208	3144	cmd.exe	161
PID 2208 wrote to memory of 2012	2208	smss.exe	163
PID 2208 wrote to memory of 2012	2208	smss.exe	163
PID 2012 wrote to memory of 724	2012	cmd.exe	165
PID 2012 wrote to memory of 724	2012	cmd.exe	165
PID 2012 wrote to memory of 1600	2012	cmd.exe	167
PID 2012 wrote to memory of 1600	2012	cmd.exe	167
PID 1600 wrote to memory of 2324	1600	smss.exe	169
PID 1600 wrote to memory of 2324	1600	smss.exe	169
PID 2324 wrote to memory of 4944	2324	cmd.exe	171
PID 2324 wrote to memory of 4944	2324	cmd.exe	171
PID 2324 wrote to memory of 1148	2324	cmd.exe	173
PID 2324 wrote to memory of 1148	2324	cmd.exe	173

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_89b9c503da3b5887a67e6a1b65bfa74cb8ecd77922c4cd56fe8ef6f61ea47103.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1672
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4744
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3516
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Sun\Java\Deployment\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\934B6514-B3DC-4B8F-82EB-F1681BAEB6A9\sihost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
    - - C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:632
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3668
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3128
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3472
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:3724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2296
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:928
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:724
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:4944
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
        20⤵
        
        PID:4148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2240
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat"
        22⤵
        
        PID:4704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3524
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat"
        24⤵
        
        PID:4272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4384
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        26⤵
        
        PID:3172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:448
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat"
        28⤵
        
        PID:3376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2464
        
        C:\Recovery\WindowsRE\smss.exe
        
        "C:\Recovery\WindowsRE\smss.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        30⤵
        
        PID:3272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:4440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Sun\Java\Deployment\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Sun\Java\Deployment\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Windows\Sun\Java\Deployment\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\WindowsRE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\934B6514-B3DC-4B8F-82EB-F1681BAEB6A9\sihost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\934B6514-B3DC-4B8F-82EB-F1681BAEB6A9\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Updates\Apply\FilesInUse\934B6514-B3DC-4B8F-82EB-F1681BAEB6A9\sihost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:5020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
64B

MD5
2d45daa9e9acea96d8a2cadfd38aeb47

SHA1
a1d49dfe3b7ff32a914f4e5c6fca696878d7227c

SHA256
96341c1835589a0a0075c7cae08feb06a96c1a125fdbc650effc39b8ae36fbf5

SHA512
b6228fa8931b8a5bb5fba99ff706bb77aa21cfc03248c5d208c24e2a141c8cb79b4988eadf985441fa9d02e9525589ab69335315d604994a33ec92fe640731f1

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat

Filesize
195B

MD5
65ba4d1436c482ae14deaac2b423dc69

SHA1
f4142ac49b2cf37c4a089813ef6306bba5489d90

SHA256
6baf3b3ab49c748da3b632c602959e252809ccbd0d43a7a918c43c6be5a6fdcd

SHA512
6ccc8f43a2f0ce116134e6c78cdfc2c9bbe5c10eb1337051c9a78bcbaa3b019d913611f49212bf3257b174332267de6f0e72785b7fd0d3c5bfb8c06338e31fcc

Download Submit
C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat

Filesize
195B

MD5
33d6a6c09754a5fb2253652e39f75bab

SHA1
b8f21f3b8e18f769f6e530d941369871d77c3d14

SHA256
8e60e5c36b97a9f284168f887d879e77583db6ecab01ee8c5b1946ac0dd67777

SHA512
09cb9ffe96d96eb5ce9539d77a46f5f95f9baa9bcfd314aed5f0467d4b198c27e5687145927f245dabf41a55dac27858340377d819fd00e0b7d7ef8c7c00c529

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat

Filesize
195B

MD5
e4e47bb7de231592cfe6d27c2d2b9987

SHA1
bd0f70146dd6a90b19b22ac5edcaa919055bc430

SHA256
8effa9d6e52589ff50322fdb82cc26d4c434dd8a188627f84ae2e1926375d5fa

SHA512
f4c3d57eaca239fa424b447126dbeb7d6fe81a42a0e6cdf58122f5d3bb251f1f0d540fce553d55930f0ee081e3932ad692f527623daf40a025289da650c93bcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mv8e4zbUuN.bat

Filesize
195B

MD5
6e8b51064c88d149ad7935de6de6fc94

SHA1
3096352b69ee1a6f222402fd7cabe165323f1192

SHA256
9163ccde0a88b659c822eebe92705279aab1e066b4960e92a0af7758561596e9

SHA512
68b4fc532c384d28c90b7307cf59a5917808f47280e05bbabe2741dcfb170fbe29e9eb2957c3de79b60264653f59a6700da32c4b3bdaac4ce0bd2922d51a9509

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
195B

MD5
8d3135f76100cacdebdddde335daa8c1

SHA1
04b1bbc40007bfdec8c85734004aecd786f3920c

SHA256
9bd18ac9316691649a9f601473842362f425c88050c674463c3fca57014408c1

SHA512
bfaae6c4d142d4d92f33d959a2649121c0d9625ed622cad8605d06a0dd3db5caaa5508e738a2754b8ee5605b5890daee5dbc5930d084c9616b70eb104f904f2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_kl3dlthw.jlz.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
195B

MD5
d6f833f7db1bd8f3966696072405ccef

SHA1
a2617ea8f3ac753ca733c7aae025b59f5921eebc

SHA256
7cc7f479b197ae25333b8c7a52af306d1a3e3419c64d95a8a450be995b7ca03a

SHA512
f5d00860bffbbf044517f6ef03784bb3a60b0e2c7effedc8aa4c1f4d78209a00a2edf8c47220cacf4c5e0ce8709137b2d09e0aa83d995049a694a581428b9bad

Download Submit
C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat

Filesize
195B

MD5
c575f5ae1b901c86f644229d7ffd138a

SHA1
4ed141e799a487824f3948fb318bf11d29dc0b8f

SHA256
586208f25cf3100c047ff3e6e1e46c419f78a788886678f7cd0ade39c95edaa6

SHA512
b5101c252c103abc04e5e0cfe09f9ee4fd6f0a1e74cac3a5b7d63d6c31a883fc8a1d0469ac74ac0dafabd240bf91fee26d72da4358b6baff56c49475f779e291

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
195B

MD5
480167ecddce82b74ecc769bbf1657bf

SHA1
af2fdf0b6ebc6bb7916b09ab7d0f19efda239cd1

SHA256
8a24a846aacf6638901418803f4a9b2940e7eadf813aa7597a25fdef29da7a43

SHA512
d77c565d8018b550cec7b0a7c23e33124f535643e1f4ac1b5072b82e82a8b15b2a47e9ff5b9c692bc6a2df7336057cdaa750feb4d8ed32e789c2642d7c873191

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
195B

MD5
6871259f90e5836aa7c632a743df112a

SHA1
21938c8082e33dc296946ab561a4ecc2edf7c168

SHA256
91008b2fc1c04d6d43444f18bf075fb54380c602960b637ac912a5dd40278cdb

SHA512
059be8250cab4580263c043eede8b1b3ad0127f230aea03bc739a2bd4a369930ea67eb963743f2466e679b1eaaf34d51745807a61efba188233faa3f0c50f63b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat

Filesize
195B

MD5
2b9feb837c71ae3f6d8a15c050e81aad

SHA1
e5ec709673543a205d6c9821ff647dc81e976924

SHA256
27050b1fe1640af8ac7c11e3ec2e8b0ea1f0b646d527668471842182ff4ed7cc

SHA512
d10c9196f6f2fce12690729638c43792097eeba53650b7243227c25146d31fc1bbf855c43c5816de94136524b7f21b356835b0c04a96818dad8a5af227673a9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\paq62miIo8.bat

Filesize
195B

MD5
8b2a73180f8c2efa3c93bd36b679f038

SHA1
256a8793f197106a8f5c7a271a995aeb99ea1d64

SHA256
02c07bd92090d85c77d70354e34218f8a633858c7dbc180b129c36d06f9623b8

SHA512
056183cca773bd48e6c3856e5739471d5e488b0fe1cba3632308d857331f6c28451322a0c566af0ef5978f423f293dd290e3c75eb19920c3f9821b6f54c929ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQKAuQiBIV.bat

Filesize
195B

MD5
7b87eb319975c7973d77aa37b5eeac78

SHA1
a09bba30078422997b83938f4027b55cdbf88db9

SHA256
c73a13ae65410bbc65dac8add85886380d501d54df268d2fc47cae8e00fa0a21

SHA512
b5a6cdfa27075c11df27fa91a40bdafb22ab03bbef08987e83fd7479b4bab838314fddead53b4559e7746a0361ce94fa7466efa4dc02f082dbbea29ed8a1d29c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/632-85-0x000000001BFD0000-0x000000001BFE2000-memory.dmp

Filesize
72KB

Download
memory/876-16-0x0000000001440000-0x000000000144C000-memory.dmp

Filesize
48KB

Download
memory/876-14-0x0000000001320000-0x0000000001332000-memory.dmp

Filesize
72KB

Download
memory/876-13-0x0000000000A00000-0x0000000000B10000-memory.dmp

Filesize
1.1MB

Download
memory/876-15-0x0000000002D40000-0x0000000002D4C000-memory.dmp

Filesize
48KB

Download
memory/876-12-0x00007FFCC1863000-0x00007FFCC1865000-memory.dmp

Filesize
8KB

Download
memory/876-17-0x0000000002D60000-0x0000000002D6C000-memory.dmp

Filesize
48KB

Download
memory/2600-44-0x00000230F6620000-0x00000230F6642000-memory.dmp

Filesize
136KB

Download