dcrat | 5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
22/12/2024, 20:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe
Size

1.3MB
MD5

c488e6672bd314af4c5a8bb757db815b
SHA1

f94aca6ce134471c1e9b3d9de017816419205bb8
SHA256

5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d
SHA512

7af03174d26e1b14c7be699b28d0dd8e6ba08166c07fb8850b03f95af7395c7241d7a9d8f5fb8d0e139fded403b82150e7c60cd049a4a8a2bcae59c8e5b9212d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4984	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4076	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3136	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3864	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3168	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3004	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	3004	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0008000000023bb7-10.dat	dcrat
behavioral2/memory/4608-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 5 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
5056	powershell.exe
3432	powershell.exe
4084	powershell.exe
3420	powershell.exe
1988	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	smss.exe

Executes dropped EXE 15 IoCs

pid	Process
4608	DllCommonsvc.exe
2920	smss.exe
3404	smss.exe
440	smss.exe
3968	smss.exe
3988	smss.exe
1872	smss.exe
4524	smss.exe
3552	smss.exe
3304	smss.exe
4748	smss.exe
3208	smss.exe
2792	smss.exe
216	smss.exe
4760	smss.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
51	raw.githubusercontent.com
56	raw.githubusercontent.com
23	raw.githubusercontent.com
46	raw.githubusercontent.com
54	raw.githubusercontent.com
55	raw.githubusercontent.com
40	raw.githubusercontent.com
41	raw.githubusercontent.com
57	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com
53	raw.githubusercontent.com
36	raw.githubusercontent.com
44	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\TextInputHost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\22eafd247d37c3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\9e8d7a4ca61bd9	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	DllCommonsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe
Key created	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000_Classes\Local Settings	smss.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 12 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1504	schtasks.exe
3864	schtasks.exe
1144	schtasks.exe
3168	schtasks.exe
780	schtasks.exe
4076	schtasks.exe
3136	schtasks.exe
2420	schtasks.exe
1492	schtasks.exe
4984	schtasks.exe
3000	schtasks.exe
2196	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4608	DllCommonsvc.exe
4608	DllCommonsvc.exe
4608	DllCommonsvc.exe
4608	DllCommonsvc.exe
4608	DllCommonsvc.exe
3420	powershell.exe
4084	powershell.exe
5056	powershell.exe
1988	powershell.exe
3432	powershell.exe
4084	powershell.exe
3420	powershell.exe
3432	powershell.exe
5056	powershell.exe
1988	powershell.exe
2920	smss.exe
3404	smss.exe
440	smss.exe
3968	smss.exe
3988	smss.exe
1872	smss.exe
4524	smss.exe
3552	smss.exe
3304	smss.exe
4748	smss.exe
3208	smss.exe
2792	smss.exe
216	smss.exe
4760	smss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	4608	DllCommonsvc.exe
Token: SeDebugPrivilege	3420	powershell.exe
Token: SeDebugPrivilege	4084	powershell.exe
Token: SeDebugPrivilege	5056	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	3432	powershell.exe
Token: SeDebugPrivilege	2920	smss.exe
Token: SeDebugPrivilege	3404	smss.exe
Token: SeDebugPrivilege	440	smss.exe
Token: SeDebugPrivilege	3968	smss.exe
Token: SeDebugPrivilege	3988	smss.exe
Token: SeDebugPrivilege	1872	smss.exe
Token: SeDebugPrivilege	4524	smss.exe
Token: SeDebugPrivilege	3552	smss.exe
Token: SeDebugPrivilege	3304	smss.exe
Token: SeDebugPrivilege	4748	smss.exe
Token: SeDebugPrivilege	3208	smss.exe
Token: SeDebugPrivilege	2792	smss.exe
Token: SeDebugPrivilege	216	smss.exe
Token: SeDebugPrivilege	4760	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4880 wrote to memory of 220	4880	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe	82
PID 4880 wrote to memory of 220	4880	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe	82
PID 4880 wrote to memory of 220	4880	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe	82
PID 220 wrote to memory of 2660	220	WScript.exe	83
PID 220 wrote to memory of 2660	220	WScript.exe	83
PID 220 wrote to memory of 2660	220	WScript.exe	83
PID 2660 wrote to memory of 4608	2660	cmd.exe	85
PID 2660 wrote to memory of 4608	2660	cmd.exe	85
PID 4608 wrote to memory of 3432	4608	DllCommonsvc.exe	99
PID 4608 wrote to memory of 3432	4608	DllCommonsvc.exe	99
PID 4608 wrote to memory of 4084	4608	DllCommonsvc.exe	100
PID 4608 wrote to memory of 4084	4608	DllCommonsvc.exe	100
PID 4608 wrote to memory of 5056	4608	DllCommonsvc.exe	101
PID 4608 wrote to memory of 5056	4608	DllCommonsvc.exe	101
PID 4608 wrote to memory of 1988	4608	DllCommonsvc.exe	102
PID 4608 wrote to memory of 1988	4608	DllCommonsvc.exe	102
PID 4608 wrote to memory of 3420	4608	DllCommonsvc.exe	103
PID 4608 wrote to memory of 3420	4608	DllCommonsvc.exe	103
PID 4608 wrote to memory of 624	4608	DllCommonsvc.exe	108
PID 4608 wrote to memory of 624	4608	DllCommonsvc.exe	108
PID 624 wrote to memory of 3140	624	cmd.exe	111
PID 624 wrote to memory of 3140	624	cmd.exe	111
PID 624 wrote to memory of 2920	624	cmd.exe	115
PID 624 wrote to memory of 2920	624	cmd.exe	115
PID 2920 wrote to memory of 3244	2920	smss.exe	117
PID 2920 wrote to memory of 3244	2920	smss.exe	117
PID 3244 wrote to memory of 2528	3244	cmd.exe	119
PID 3244 wrote to memory of 2528	3244	cmd.exe	119
PID 3244 wrote to memory of 3404	3244	cmd.exe	122
PID 3244 wrote to memory of 3404	3244	cmd.exe	122
PID 3404 wrote to memory of 1144	3404	smss.exe	123
PID 3404 wrote to memory of 1144	3404	smss.exe	123
PID 1144 wrote to memory of 4008	1144	cmd.exe	125
PID 1144 wrote to memory of 4008	1144	cmd.exe	125
PID 1144 wrote to memory of 440	1144	cmd.exe	127
PID 1144 wrote to memory of 440	1144	cmd.exe	127
PID 440 wrote to memory of 4352	440	smss.exe	128
PID 440 wrote to memory of 4352	440	smss.exe	128
PID 4352 wrote to memory of 3560	4352	cmd.exe	130
PID 4352 wrote to memory of 3560	4352	cmd.exe	130
PID 4352 wrote to memory of 3968	4352	cmd.exe	132
PID 4352 wrote to memory of 3968	4352	cmd.exe	132
PID 3968 wrote to memory of 1964	3968	smss.exe	133
PID 3968 wrote to memory of 1964	3968	smss.exe	133
PID 1964 wrote to memory of 2880	1964	cmd.exe	135
PID 1964 wrote to memory of 2880	1964	cmd.exe	135
PID 1964 wrote to memory of 3988	1964	cmd.exe	136
PID 1964 wrote to memory of 3988	1964	cmd.exe	136
PID 3988 wrote to memory of 2788	3988	smss.exe	137
PID 3988 wrote to memory of 2788	3988	smss.exe	137
PID 2788 wrote to memory of 3736	2788	cmd.exe	139
PID 2788 wrote to memory of 3736	2788	cmd.exe	139
PID 2788 wrote to memory of 1872	2788	cmd.exe	140
PID 2788 wrote to memory of 1872	2788	cmd.exe	140
PID 1872 wrote to memory of 4968	1872	smss.exe	141
PID 1872 wrote to memory of 4968	1872	smss.exe	141
PID 4968 wrote to memory of 1824	4968	cmd.exe	143
PID 4968 wrote to memory of 1824	4968	cmd.exe	143
PID 4968 wrote to memory of 4524	4968	cmd.exe	144
PID 4968 wrote to memory of 4524	4968	cmd.exe	144
PID 4524 wrote to memory of 4476	4524	smss.exe	145
PID 4524 wrote to memory of 4476	4524	smss.exe	145
PID 4476 wrote to memory of 4480	4476	cmd.exe	147
PID 4476 wrote to memory of 4480	4476	cmd.exe	147

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:4880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2660
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Drops file in Program Files directory
      Modifies registry class
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\StartMenuExperienceHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\TextInputHost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3420
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TaDWmTaCOV.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:624
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3140
      - C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2528
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:4008
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:4352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3560
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2880
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3736
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        17⤵
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1824
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
        19⤵
        Suspicious use of WriteProcessMemory
        
        PID:4476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:4480
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        21⤵
        
        PID:1776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2080
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        23⤵
        
        PID:644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1692
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        25⤵
        
        PID:4716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:4464
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        26⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
        27⤵
        
        PID:4884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2496
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat"
        29⤵
        
        PID:4988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2212
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        31⤵
        
        PID:1956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:1180
        
        C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe
        
        "C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHost" /sc ONLOGON /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "StartMenuExperienceHostS" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\StartMenuExperienceHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\microsoft shared\ClickToRun\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\TextInputHost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\TextInputHost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\RuntimeBroker.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\smss.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
2e907f77659a6601fcc408274894da2e

SHA1
9f5b72abef1cd7145bf37547cdb1b9254b4efe9d

SHA256
385da35673330e21ac02545220552fe301fe54dedefbdafc097ac4342a295233

SHA512
34fa0fff24f6550f55f828541aaefe5d75c86f8f0842d54b50065e9746f9662bb7209c74c9a9571540b9855bb3851f01db613190024e89b198d485bb5dc07721

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
231B

MD5
84e605fac3e02154628d1fe62fa45b4b

SHA1
c2162f43b161295a6f33a3b36d8612b2c00131c3

SHA256
2da0a476cb83e522811471cbb0fa50e4113eab9581898bc1f82526f2cb7e0460

SHA512
ba3dc424291e28735764bd7e171a51dfdd2828815514573b94c52b08b6545a07c5c1f0b1cf56ca72147e062af73d97c7408f95cee6e6ba42651950e0f0e92fb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\2XkxZsmkwh.bat

Filesize
231B

MD5
e12b5cdb51cf23080360228525e1d2f5

SHA1
2f8b3b10a094aa0a64eb251166b836ce118dbea9

SHA256
aa6cede018325cb072be4239675394554d9d3b84c014010774b6920924215877

SHA512
e879b962ec9b35b1fd931be6d0c8efedf2f8e102cb821781fb24e2300e724b27852003407df76ec1e0535c32b2288c37c136f51658195f8043e019c00d7333d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\DCuC0H4DXb.bat

Filesize
231B

MD5
5a7c68b681c2dd4743e205b62cddff36

SHA1
da194086c0e1d1921722fa0ec859e735e31e889f

SHA256
fe63b60a171d926ca6bf560ec673873e6d4e40a254b39d669abe53d4c69c7602

SHA512
b632a2b2275313f1ef42b6f78d9ed8da7dee868842560855c47a4d2621ce9616fb95be9483e0a573c8240432bafe77631c607743dd7efe36093391fb547bb810

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat

Filesize
231B

MD5
d3d73e0bd2ed76acfc5b3f00b0113086

SHA1
d307daaa1e8416287a93568dea9ceb02b00b36d5

SHA256
17afdfa55b605b2761ad34b602db923f7dc8053fd662457ba06894e2804600a7

SHA512
8d461dbcf4b88d4bceec5fb38daf4cdc24718000bda9aa9fcd953612339be3470b766bd5f9c03fd4c3bf7f587781e5f15512cf74d3876f2da77bc10f421f7b11

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
231B

MD5
9aa0f9e13a3599a5d322b9dfbcedca64

SHA1
f3f5afbad6c157046fa7da78bafdfe04f6b1b039

SHA256
9c743f4d643282117056065ef321141572ac6a478d572b64664ec8c5a005e4fb

SHA512
1be21f7042523440eccfde3c97f8c97cb7b0795e16985a9233f1e1e9500316e089762b4412798636b95d9fe3775ef7f960fa19d209d2ac9c61cac3c334426d0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat

Filesize
231B

MD5
661914a44aa03bacb1d860aff938e88f

SHA1
ed51a894d4f297cff3f6d627dae8191a09bcce95

SHA256
a837be27d29eb60002f9a438df66ee7ac89dca0c0b2c25f0e0d21ca4a89cb414

SHA512
1cf5c4add404db0b7bf0823a3e9ad75d5e049f5391c1181094c601d689a260f562fa13971e16df575f3de121370511bc1ba3c0cf37569b554d6ab57952d6ef1e

Download Submit
C:\Users\Admin\AppData\Local\Temp\M2NHsv551y.bat

Filesize
231B

MD5
e1b92d09d7b8da2e559dc8b3e5a1fa6e

SHA1
d7323dd46e55d8b065ec883a18ce81d3a2b0f00b

SHA256
5e30b9495af8bd82ce0de561ff6e2b743d5832e972fb34c0becb67e1c64df1b8

SHA512
c6bebc8e0b82a177378342ac764636b60dec93da64abc94d5bb34772e42126fec6c014ba0f6212662cbd054ba2c92d9631fab327b41a4ad87ee83608c45a3d49

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
231B

MD5
90ea4eb6046934625c0d9420d87a4301

SHA1
1a26904f250ed5dcb83e8352d61033668d4bbd9a

SHA256
42f4faf5e50c0b23793536fdc29e189c205efb0b8ffe5dab2d71e5a621623fd9

SHA512
fc8da33a7f5fa35490cee4721b57d096a42d3c624cf371b9af4cdf977dd0427bedd100c2c63887795e5e021d07cd60b13d4c67439bf1b46826cce27133994106

Download Submit
C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat

Filesize
231B

MD5
8bfc95a794b9934f4522c59a673fabec

SHA1
40b5696b0b3dbc1a2a13bfdc5131a078a8133124

SHA256
680f85f6e4e26f3804c4dc23b5c09fa395e69821f7a240ad0f840072c5f90765

SHA512
a05c4e56a4e3bc28b5609cf169fc92bef970673334ab70462f2693fe484c6967bf21cc37b7f0e0b6427e1aa9aab66a32e18a30c2bc06e6931daab50985f0c2e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TaDWmTaCOV.bat

Filesize
231B

MD5
a7ee23d81b6858720c4e83046cfd7384

SHA1
2ecf2f673b51f7c8e3f499c53752c8f87e762005

SHA256
2e35843f80f4bffed7acecfdf0e113017e19496a14d25e34457e1e6c498a53cc

SHA512
3192cb2c4f665da26507029fec663876b8fa8d1bf120c9db3c6371a272baa8529f3b42468917a38c373e77ce48e11da7902ce9df3d724cc1b44008ec0f3da6ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_da4va1dl.1wt.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
231B

MD5
a3351fd02556df814c225f2c27fcb996

SHA1
57c131b7d03959c8d5cf72d91d75ff1ebb0e1da3

SHA256
7b95fe790544f70108c0be03680f9df1d84e9052f7218a0c3b7fae366e92d4bb

SHA512
e43b0801952e5a05b2773af6603e5bd2fcb79a6720efc0f014cb3575475ed103f521060af52ed485eb28d646abc7f1ceb11996378efa8103bb4826eec7a0f75e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
231B

MD5
565d678f59473f58ceb1bcd290463234

SHA1
dfe496423ee918412df0abc1cc3ee6b4b71ca9b5

SHA256
8a55ed6b78f8adc59ec9a83b2ea10ee748b218afe5c9ed7c516b295a92e85212

SHA512
8f4c766e18030f8a4c475c86630ada70acb617ab095e361b421c7603a106ed0e25c089e00a4db092ff3357f232a4dda247ac2f418cb266399cb7a009933f09a5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/440-106-0x00000000013F0000-0x0000000001402000-memory.dmp

Filesize
72KB

Download
memory/3420-36-0x000001F6D71C0000-0x000001F6D71E2000-memory.dmp

Filesize
136KB

Download
memory/3988-119-0x000000001ADF0000-0x000000001AE02000-memory.dmp

Filesize
72KB

Download
memory/4608-15-0x0000000002E10000-0x0000000002E1C000-memory.dmp

Filesize
48KB

Download
memory/4608-12-0x00007FFCECF73000-0x00007FFCECF75000-memory.dmp

Filesize
8KB

Download
memory/4608-13-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/4608-14-0x0000000002E00000-0x0000000002E12000-memory.dmp

Filesize
72KB

Download
memory/4608-17-0x0000000002E40000-0x0000000002E4C000-memory.dmp

Filesize
48KB

Download
memory/4608-16-0x0000000002E30000-0x0000000002E3C000-memory.dmp

Filesize
48KB

Download