dcrat | 5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d

Analysis

max time kernel
147s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
23-12-2024 12:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe
Size

1.3MB
MD5

c488e6672bd314af4c5a8bb757db815b
SHA1

f94aca6ce134471c1e9b3d9de017816419205bb8
SHA256

5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d
SHA512

7af03174d26e1b14c7be699b28d0dd8e6ba08166c07fb8850b03f95af7395c7241d7a9d8f5fb8d0e139fded403b82150e7c60cd049a4a8a2bcae59c8e5b9212d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3620	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3132	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4980	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3664	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3272	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1244	schtasks.exe	86
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4496	1244	schtasks.exe	86

DCRat payload 2 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral2/files/0x0007000000023cb5-10.dat	dcrat
behavioral2/memory/4848-13-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
928	powershell.exe
4732	powershell.exe
652	powershell.exe
696	powershell.exe
4184	powershell.exe
1236	powershell.exe
412	powershell.exe

Checks computer location settings 2 TTPs 16 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	WScript.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	DllCommonsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	sppsvc.exe

Executes dropped EXE 15 IoCs

pid	Process
4848	DllCommonsvc.exe
1464	sppsvc.exe
1336	sppsvc.exe
4912	sppsvc.exe
740	sppsvc.exe
2324	sppsvc.exe
3420	sppsvc.exe
4516	sppsvc.exe
3596	sppsvc.exe
2672	sppsvc.exe
1808	sppsvc.exe
1452	sppsvc.exe
1216	sppsvc.exe
4392	sppsvc.exe
1748	sppsvc.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 14 IoCs

Web Service

T1102

flow	ioc
41	raw.githubusercontent.com
42	raw.githubusercontent.com
47	raw.githubusercontent.com
55	raw.githubusercontent.com
13	raw.githubusercontent.com
27	raw.githubusercontent.com
40	raw.githubusercontent.com
43	raw.githubusercontent.com
14	raw.githubusercontent.com
19	raw.githubusercontent.com
48	raw.githubusercontent.com
54	raw.githubusercontent.com
56	raw.githubusercontent.com
57	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies registry class 14 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe
Key created	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Local Settings	sppsvc.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2220	schtasks.exe
1500	schtasks.exe
2756	schtasks.exe
3620	schtasks.exe
1620	schtasks.exe
3664	schtasks.exe
2880	schtasks.exe
1168	schtasks.exe
2180	schtasks.exe
1616	schtasks.exe
3272	schtasks.exe
1920	schtasks.exe
4708	schtasks.exe
3132	schtasks.exe
1720	schtasks.exe
4980	schtasks.exe
888	schtasks.exe
4496	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
4848	DllCommonsvc.exe
412	powershell.exe
928	powershell.exe
4184	powershell.exe
696	powershell.exe
4732	powershell.exe
652	powershell.exe
4732	powershell.exe
1236	powershell.exe
1464	sppsvc.exe
412	powershell.exe
696	powershell.exe
652	powershell.exe
4184	powershell.exe
928	powershell.exe
1236	powershell.exe
1336	sppsvc.exe
4912	sppsvc.exe
740	sppsvc.exe
2324	sppsvc.exe
3420	sppsvc.exe
4516	sppsvc.exe
3596	sppsvc.exe
2672	sppsvc.exe
1808	sppsvc.exe
1452	sppsvc.exe
1216	sppsvc.exe
4392	sppsvc.exe
1748	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	4848	DllCommonsvc.exe
Token: SeDebugPrivilege	4732	powershell.exe
Token: SeDebugPrivilege	412	powershell.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	4184	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	1464	sppsvc.exe
Token: SeDebugPrivilege	1336	sppsvc.exe
Token: SeDebugPrivilege	4912	sppsvc.exe
Token: SeDebugPrivilege	740	sppsvc.exe
Token: SeDebugPrivilege	2324	sppsvc.exe
Token: SeDebugPrivilege	3420	sppsvc.exe
Token: SeDebugPrivilege	4516	sppsvc.exe
Token: SeDebugPrivilege	3596	sppsvc.exe
Token: SeDebugPrivilege	2672	sppsvc.exe
Token: SeDebugPrivilege	1808	sppsvc.exe
Token: SeDebugPrivilege	1452	sppsvc.exe
Token: SeDebugPrivilege	1216	sppsvc.exe
Token: SeDebugPrivilege	4392	sppsvc.exe
Token: SeDebugPrivilege	1748	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3232 wrote to memory of 3876	3232	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe	82
PID 3232 wrote to memory of 3876	3232	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe	82
PID 3232 wrote to memory of 3876	3232	JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe	82
PID 3876 wrote to memory of 3748	3876	WScript.exe	83
PID 3876 wrote to memory of 3748	3876	WScript.exe	83
PID 3876 wrote to memory of 3748	3876	WScript.exe	83
PID 3748 wrote to memory of 4848	3748	cmd.exe	85
PID 3748 wrote to memory of 4848	3748	cmd.exe	85
PID 4848 wrote to memory of 1236	4848	DllCommonsvc.exe	105
PID 4848 wrote to memory of 1236	4848	DllCommonsvc.exe	105
PID 4848 wrote to memory of 4732	4848	DllCommonsvc.exe	106
PID 4848 wrote to memory of 4732	4848	DllCommonsvc.exe	106
PID 4848 wrote to memory of 928	4848	DllCommonsvc.exe	107
PID 4848 wrote to memory of 928	4848	DllCommonsvc.exe	107
PID 4848 wrote to memory of 412	4848	DllCommonsvc.exe	108
PID 4848 wrote to memory of 412	4848	DllCommonsvc.exe	108
PID 4848 wrote to memory of 652	4848	DllCommonsvc.exe	109
PID 4848 wrote to memory of 652	4848	DllCommonsvc.exe	109
PID 4848 wrote to memory of 4184	4848	DllCommonsvc.exe	110
PID 4848 wrote to memory of 4184	4848	DllCommonsvc.exe	110
PID 4848 wrote to memory of 696	4848	DllCommonsvc.exe	111
PID 4848 wrote to memory of 696	4848	DllCommonsvc.exe	111
PID 4848 wrote to memory of 1464	4848	DllCommonsvc.exe	119
PID 4848 wrote to memory of 1464	4848	DllCommonsvc.exe	119
PID 1464 wrote to memory of 3536	1464	sppsvc.exe	120
PID 1464 wrote to memory of 3536	1464	sppsvc.exe	120
PID 3536 wrote to memory of 2328	3536	cmd.exe	122
PID 3536 wrote to memory of 2328	3536	cmd.exe	122
PID 3536 wrote to memory of 1336	3536	cmd.exe	127
PID 3536 wrote to memory of 1336	3536	cmd.exe	127
PID 1336 wrote to memory of 2880	1336	sppsvc.exe	128
PID 1336 wrote to memory of 2880	1336	sppsvc.exe	128
PID 2880 wrote to memory of 2732	2880	cmd.exe	130
PID 2880 wrote to memory of 2732	2880	cmd.exe	130
PID 2880 wrote to memory of 4912	2880	cmd.exe	133
PID 2880 wrote to memory of 4912	2880	cmd.exe	133
PID 4912 wrote to memory of 4132	4912	sppsvc.exe	134
PID 4912 wrote to memory of 4132	4912	sppsvc.exe	134
PID 4132 wrote to memory of 3572	4132	cmd.exe	136
PID 4132 wrote to memory of 3572	4132	cmd.exe	136
PID 4132 wrote to memory of 740	4132	cmd.exe	139
PID 4132 wrote to memory of 740	4132	cmd.exe	139
PID 740 wrote to memory of 1488	740	sppsvc.exe	140
PID 740 wrote to memory of 1488	740	sppsvc.exe	140
PID 1488 wrote to memory of 1112	1488	cmd.exe	142
PID 1488 wrote to memory of 1112	1488	cmd.exe	142
PID 1488 wrote to memory of 2324	1488	cmd.exe	143
PID 1488 wrote to memory of 2324	1488	cmd.exe	143
PID 2324 wrote to memory of 3564	2324	sppsvc.exe	144
PID 2324 wrote to memory of 3564	2324	sppsvc.exe	144
PID 3564 wrote to memory of 1912	3564	cmd.exe	146
PID 3564 wrote to memory of 1912	3564	cmd.exe	146
PID 3564 wrote to memory of 3420	3564	cmd.exe	147
PID 3564 wrote to memory of 3420	3564	cmd.exe	147
PID 3420 wrote to memory of 4716	3420	sppsvc.exe	148
PID 3420 wrote to memory of 4716	3420	sppsvc.exe	148
PID 4716 wrote to memory of 2848	4716	cmd.exe	150
PID 4716 wrote to memory of 2848	4716	cmd.exe	150
PID 4716 wrote to memory of 4516	4716	cmd.exe	151
PID 4716 wrote to memory of 4516	4716	cmd.exe	151
PID 4516 wrote to memory of 3708	4516	sppsvc.exe	152
PID 4516 wrote to memory of 3708	4516	sppsvc.exe	152
PID 3708 wrote to memory of 2868	3708	cmd.exe	154
PID 3708 wrote to memory of 2868	3708	cmd.exe	154

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5b5ee730e911900fd3ab1d46bd8882a833f20217243d7a1afa1bacd08a85c50d.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3876
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3748
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\fontdrvhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OfficeClickToRun.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\WindowsRE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\unsecapp.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
    - - C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2328
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2732
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:4132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3572
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1112
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        14⤵
        Suspicious use of WriteProcessMemory
        
        PID:3564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1912
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat"
        16⤵
        Suspicious use of WriteProcessMemory
        
        PID:4716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2848
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        18⤵
        Suspicious use of WriteProcessMemory
        
        PID:3708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2868
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat"
        20⤵
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2212
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat"
        22⤵
        
        PID:4468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2456
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        24⤵
        
        PID:3800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:4600
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        26⤵
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:4420
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat"
        28⤵
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1624
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Modifies registry class
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat"
        30⤵
        
        PID:3532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        31⤵
        
        PID:2948
        
        C:\Recovery\WindowsRE\sppsvc.exe
        
        "C:\Recovery\WindowsRE\sppsvc.exe"
        31⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 12 /tr "'C:\providercommon\fontdrvhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhost" /sc ONLOGON /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "fontdrvhostf" /sc MINUTE /mo 6 /tr "'C:\providercommon\fontdrvhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OfficeClickToRun.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRun" /sc ONLOGON /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OfficeClickToRunO" /sc MINUTE /mo 13 /tr "'C:\providercommon\OfficeClickToRun.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Recovery\WindowsRE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\unsecapp.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecapp" /sc ONLOGON /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "unsecappu" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\unsecapp.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:4496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

Filesize
2KB

MD5
d85ba6ff808d9e5444a4b369f5bc2730

SHA1
31aa9d96590fff6981b315e0b391b575e4c0804a

SHA256
84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

SHA512
8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\sppsvc.exe.log

Filesize
1KB

MD5
baf55b95da4a601229647f25dad12878

SHA1
abc16954ebfd213733c4493fc1910164d825cac8

SHA256
ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

SHA512
24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
d28a889fd956d5cb3accfbaf1143eb6f

SHA1
157ba54b365341f8ff06707d996b3635da8446f7

SHA256
21e5d7ccf80a293e6ba30ed728846ca19c929c52b96e2c8d34e27cd2234f1d45

SHA512
0b6d88deb9be85722e6a78d5886d49f2caf407a59e128d2b4ed74c1356f9928c40048a62731959f2460e9ff9d9feee311043d2a37abe3bb92c2b76a44281478c

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
6d42b6da621e8df5674e26b799c8e2aa

SHA1
ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

SHA256
5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

SHA512
53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
62623d22bd9e037191765d5083ce16a3

SHA1
4a07da6872672f715a4780513d95ed8ddeefd259

SHA256
95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010

SHA512
9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
944B

MD5
77d622bb1a5b250869a3238b9bc1402b

SHA1
d47f4003c2554b9dfc4c16f22460b331886b191b

SHA256
f97ff12a8abf4bf88bb6497bd2ac2da12628c8847a8ba5a9026bdbb76507cdfb

SHA512
d6789b5499f23c9035375a102271e17a8a82e57d6f5312fa24242e08a83efdeb8becb7622f55c4cf1b89c7d864b445df11f4d994cf7e2f87a900535bcca12fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\15yWIDpGaf.bat

Filesize
197B

MD5
c8d92b798ed4453c926e597948805d5e

SHA1
7908a28b7fabbfae6ea4e1a01869496d9acf1d89

SHA256
281476fd07229baee06f7a2952d26bea42977147eb07b9a94ccf0f7888b5f5b6

SHA512
760bc86b4bb42a480e720d0b5d995891b27731727b262959da4a3ce8583eedb014ef89de79b1e389a8da8413f53fcfd53585805f81f029a45da5e4534bafde52

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

Filesize
197B

MD5
0eb472cc8fc855d9786e875156e9c57e

SHA1
7d76b2d23497e0e486a659a23e32dc64d82ef233

SHA256
b0d397a9c16529923da0a79991933cbf54f62126065b99d5748ae33f22425bce

SHA512
242628640f35c5f8c18397b7c88345f7f09c23b7a7e361b5ba6e76e8bfefcaefafca475038e1fde19d1378d596a6cb642b013c8a65a6b0d57de744e2dddd11b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\GrfoiSU1wP.bat

Filesize
197B

MD5
fdcc492285ce1863d497c2c434b98869

SHA1
afdd60192062e881f650a45b6d83ecd5c74fdb41

SHA256
53d7711da32f313826e672718e3c53ecdb98815e472e5eee72f313ba7a4e12ee

SHA512
0ede9e476dd1d481b76d11a862ff7b980f84342930c38add6e49dda665c6d03619968f9d1395c2e430f5c42b1f4da185e52436edb94721ad3b0514f112e13531

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
197B

MD5
d28ee2bc5bcce98a81035811ff3fbb33

SHA1
44d3965974f7b54dadd3fd391d13a396eaea4be3

SHA256
5c6e58c0d44dfb84bf8939f3308965802b5543ea0b8513f230483cc8ab81eb53

SHA512
574edcf3b4cdf02184688b91ea1edbe9d10eaf440281c702f474ae868c490cfe563dcf1c1d318c517e939206dce5b5300e8f5c047108ff1cbb6258afc52b11c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
197B

MD5
35ff497c3403f902ac1eaa25f6f5d517

SHA1
d15263523570752137c2724c1425823f59d4c62b

SHA256
45d5e8e30c38eadc651c19e183a48febb5523c0d45e0d24eddeda2be45713308

SHA512
adcf9bf6068c011c469633dbff13b28996befa5be3fe342bea1d14ca5da001f0d6e5f800b4bb29812b29955170d23c0c90894b9263f3c83377da1c5407e76962

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

Filesize
197B

MD5
e06ef4c7b209c9f878f58174192c2c95

SHA1
7db22e6b3e65628f6c3951d0e2579bbc64106a55

SHA256
1f2db31b7afe863a7edd4836c2f1dbeca0bfb444f572e0aa0d7eef78f9d6d38e

SHA512
3bafc235aadf770eb7b1feb8b77dd14b5a39d47e475f843a76e9d2097760ca8598353b8a3845e788aa99bb05399aca65a864738c6a63efed1e5c98f629fef8a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rae03xxh.rsi.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\dIJBhaqFKS.bat

Filesize
197B

MD5
f4d52b0a1e1ff680cd59e2b3957918ab

SHA1
2db33acb5ea31137df1a3732a4fbbd881e870032

SHA256
16a669a11630d5e131a04a87975753b59922825149d0b9ab351859da1c7f26db

SHA512
5f23d8a7ada9df404fd898e6e8d3f5bba75d376b696af8dff24f654686db00ae5e973e50dd3f94bf9b4f9d0c087b1f3e7435b50171dff24f196d755fed0e6a0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
197B

MD5
89d8528daf0bfedc2c1c0256c02ee32d

SHA1
409948fa85884147d8493ab72c5c351a0587cf81

SHA256
3cd4cb7425c2fccb1807ac47926f89ea19b42dc87e9d4d271f09b3f5e16270e0

SHA512
28e6694fefc8716fa2026fbc007aa2a3e75015ac0022767f7cec9cb0072833753da57dcebea5a9920648024fcffcf9847999c1b1d87932ce1368cdd973892a75

Download Submit
C:\Users\Admin\AppData\Local\Temp\pFKIY4EPZg.bat

Filesize
197B

MD5
039e49eef8d55feb5c429e1d2554756f

SHA1
e089e410455f5b4ceeb8d4ac08e8acf1bcd11bc8

SHA256
132c09a5ccd6c2e1f08537b3994cbf37430edf81d61e3d0e7375215e8a700b4b

SHA512
96fa3ae5688ca3becfcc72516a32d847fdd690065dcd020b16ddd6ac55698f9596ea98c02034f8a8a97251e833fbbd1d4789b68c0c8d36ddcfa231e4f6b9b0c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
197B

MD5
9a668d62ca8aae34a80a8f47aff029b4

SHA1
38f4d18942a6d8cf69c226962ae1990d9b4ee3a8

SHA256
a4cef9f0dfed15a220dbb2b05ec02bcfe3b63fb7a1d25941e6ae86248c40f75c

SHA512
029f4aa7d49c4648d0fa4f3860f5bc55700d7f1a919e7873f00a794250549075277c51ef18feec7c651d2d8ae28511549a34ba417ac6a556c3579b2f2a854b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\xEvQv3iUx6.bat

Filesize
197B

MD5
bb7d37aa5633912a40a680e17df4ce17

SHA1
4fdea6dc4ab9c94d05608fc80f0e5d9553f7b19e

SHA256
b59187ab40f8f3be4d08deb64477b314d6de9bc275a8b1262e5f5ced896e4dbb

SHA512
8d22da760cfa08d4c376b149497028ecec7bcac787994b48cb15ff56179efed1d6c2efdbffced4d2d8c556a66dae6c6db879f148136267ffebc43e41cc05dc8f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/412-50-0x000001DD7D820000-0x000001DD7D842000-memory.dmp

Filesize
136KB

Download
memory/740-149-0x000000001BCD0000-0x000000001BE79000-memory.dmp

Filesize
1.7MB

Download
memory/1216-200-0x00000000030A0000-0x00000000030B2000-memory.dmp

Filesize
72KB

Download
memory/1336-134-0x000000001C470000-0x000000001C5DA000-memory.dmp

Filesize
1.4MB

Download
memory/1464-105-0x00000000026B0000-0x00000000026C2000-memory.dmp

Filesize
72KB

Download
memory/1748-214-0x0000000003370000-0x0000000003382000-memory.dmp

Filesize
72KB

Download
memory/1808-187-0x0000000000B90000-0x0000000000BA2000-memory.dmp

Filesize
72KB

Download
memory/2324-155-0x000000001C7B0000-0x000000001C959000-memory.dmp

Filesize
1.7MB

Download
memory/2672-180-0x0000000002FF0000-0x0000000003002000-memory.dmp

Filesize
72KB

Download
memory/3420-163-0x000000001C810000-0x000000001C9B9000-memory.dmp

Filesize
1.7MB

Download
memory/3420-158-0x0000000002F30000-0x0000000002F42000-memory.dmp

Filesize
72KB

Download
memory/3596-177-0x000000001C7C0000-0x000000001C969000-memory.dmp

Filesize
1.7MB

Download
memory/4392-207-0x0000000001680000-0x0000000001692000-memory.dmp

Filesize
72KB

Download
memory/4516-170-0x000000001C940000-0x000000001CAE9000-memory.dmp

Filesize
1.7MB

Download
memory/4848-16-0x000000001BD70000-0x000000001BD7C000-memory.dmp

Filesize
48KB

Download
memory/4848-12-0x00007FFD37AC3000-0x00007FFD37AC5000-memory.dmp

Filesize
8KB

Download
memory/4848-13-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/4848-14-0x0000000002BC0000-0x0000000002BD2000-memory.dmp

Filesize
72KB

Download
memory/4848-15-0x000000001B650000-0x000000001B65C000-memory.dmp

Filesize
48KB

Download
memory/4848-17-0x000000001BD80000-0x000000001BD8C000-memory.dmp

Filesize
48KB

Download
memory/4912-141-0x000000001BB70000-0x000000001BC72000-memory.dmp

Filesize
1.0MB

Download
memory/4912-136-0x0000000000F40000-0x0000000000F52000-memory.dmp

Filesize
72KB

Download