dcrat | 49a7cebdd5432ae98bbb25fd91ce5db982c4dda0bf56d29f777c91c707899acf

Analysis

max time kernel
148s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

49a7cebdd5432ae98bbb25fd91ce5db982c4dda0bf56d29f777c91c707899acf.exe
Size

1.3MB
MD5

c5ce2536abe6c3e9192673fb8033576a
SHA1

6361e43d1fc5aaeff2b47e2261e123ccc352d1c9
SHA256

49a7cebdd5432ae98bbb25fd91ce5db982c4dda0bf56d29f777c91c707899acf
SHA512

1a5ac2e4b80fe81193739d92dbefa17006c36dfeebac48905764050a1ce2a98bc9bcba0f91c081617f17badee0d06eae3a41c60b7d47ab09df7ca05e3cbd058f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2744	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2744	schtasks.exe	33

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000019394-9.dat	dcrat
behavioral1/memory/2944-13-0x0000000000CD0000-0x0000000000DE0000-memory.dmp	dcrat
behavioral1/memory/2500-101-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/2068-280-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/1144-340-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/1936-400-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/2252-460-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat
behavioral1/memory/1200-579-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1668	powershell.exe
1828	powershell.exe
1840	powershell.exe
1284	powershell.exe
2056	powershell.exe
2388	powershell.exe
704	powershell.exe
2644	powershell.exe
2724	powershell.exe
1372	powershell.exe
1500	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2944	DllCommonsvc.exe
2500	csrss.exe
2208	csrss.exe
860	csrss.exe
2068	csrss.exe
1144	csrss.exe
1936	csrss.exe
2252	csrss.exe
2920	csrss.exe
1200	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
3004	cmd.exe
3004	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	49a7cebdd5432ae98bbb25fd91ce5db982c4dda0bf56d29f777c91c707899acf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe
2692	schtasks.exe
2220	schtasks.exe
2532	schtasks.exe
2068	schtasks.exe
2008	schtasks.exe
1176	schtasks.exe
2200	schtasks.exe
908	schtasks.exe
2172	schtasks.exe
2144	schtasks.exe
2128	schtasks.exe
2420	schtasks.exe
2260	schtasks.exe
2228	schtasks.exe
1540	schtasks.exe
1744	schtasks.exe
1896	schtasks.exe
1684	schtasks.exe
2340	schtasks.exe
2836	schtasks.exe
2284	schtasks.exe
2436	schtasks.exe
1624	schtasks.exe
1968	schtasks.exe
2296	schtasks.exe
612	schtasks.exe
592	schtasks.exe
2136	schtasks.exe
2160	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2944	DllCommonsvc.exe
2644	powershell.exe
1668	powershell.exe
2056	powershell.exe
1500	powershell.exe
1840	powershell.exe
2388	powershell.exe
704	powershell.exe
1372	powershell.exe
1284	powershell.exe
1828	powershell.exe
2724	powershell.exe
2500	csrss.exe
2208	csrss.exe
860	csrss.exe
2068	csrss.exe
1144	csrss.exe
1936	csrss.exe
2252	csrss.exe
2920	csrss.exe
1200	csrss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2944	DllCommonsvc.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2500	csrss.exe
Token: SeDebugPrivilege	2208	csrss.exe
Token: SeDebugPrivilege	860	csrss.exe
Token: SeDebugPrivilege	2068	csrss.exe
Token: SeDebugPrivilege	1144	csrss.exe
Token: SeDebugPrivilege	1936	csrss.exe
Token: SeDebugPrivilege	2252	csrss.exe
Token: SeDebugPrivilege	2920	csrss.exe
Token: SeDebugPrivilege	1200	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2936 wrote to memory of 2960	2936	49a7cebdd5432ae98bbb25fd91ce5db982c4dda0bf56d29f777c91c707899acf.exe	29
PID 2936 wrote to memory of 2960	2936	49a7cebdd5432ae98bbb25fd91ce5db982c4dda0bf56d29f777c91c707899acf.exe	29
PID 2936 wrote to memory of 2960	2936	49a7cebdd5432ae98bbb25fd91ce5db982c4dda0bf56d29f777c91c707899acf.exe	29
PID 2936 wrote to memory of 2960	2936	49a7cebdd5432ae98bbb25fd91ce5db982c4dda0bf56d29f777c91c707899acf.exe	29
PID 2960 wrote to memory of 3004	2960	WScript.exe	30
PID 2960 wrote to memory of 3004	2960	WScript.exe	30
PID 2960 wrote to memory of 3004	2960	WScript.exe	30
PID 2960 wrote to memory of 3004	2960	WScript.exe	30
PID 3004 wrote to memory of 2944	3004	cmd.exe	32
PID 3004 wrote to memory of 2944	3004	cmd.exe	32
PID 3004 wrote to memory of 2944	3004	cmd.exe	32
PID 3004 wrote to memory of 2944	3004	cmd.exe	32
PID 2944 wrote to memory of 1668	2944	DllCommonsvc.exe	64
PID 2944 wrote to memory of 1668	2944	DllCommonsvc.exe	64
PID 2944 wrote to memory of 1668	2944	DllCommonsvc.exe	64
PID 2944 wrote to memory of 704	2944	DllCommonsvc.exe	65
PID 2944 wrote to memory of 704	2944	DllCommonsvc.exe	65
PID 2944 wrote to memory of 704	2944	DllCommonsvc.exe	65
PID 2944 wrote to memory of 1828	2944	DllCommonsvc.exe	66
PID 2944 wrote to memory of 1828	2944	DllCommonsvc.exe	66
PID 2944 wrote to memory of 1828	2944	DllCommonsvc.exe	66
PID 2944 wrote to memory of 1840	2944	DllCommonsvc.exe	68
PID 2944 wrote to memory of 1840	2944	DllCommonsvc.exe	68
PID 2944 wrote to memory of 1840	2944	DllCommonsvc.exe	68
PID 2944 wrote to memory of 2056	2944	DllCommonsvc.exe	69
PID 2944 wrote to memory of 2056	2944	DllCommonsvc.exe	69
PID 2944 wrote to memory of 2056	2944	DllCommonsvc.exe	69
PID 2944 wrote to memory of 2644	2944	DllCommonsvc.exe	70
PID 2944 wrote to memory of 2644	2944	DllCommonsvc.exe	70
PID 2944 wrote to memory of 2644	2944	DllCommonsvc.exe	70
PID 2944 wrote to memory of 1284	2944	DllCommonsvc.exe	72
PID 2944 wrote to memory of 1284	2944	DllCommonsvc.exe	72
PID 2944 wrote to memory of 1284	2944	DllCommonsvc.exe	72
PID 2944 wrote to memory of 2724	2944	DllCommonsvc.exe	73
PID 2944 wrote to memory of 2724	2944	DllCommonsvc.exe	73
PID 2944 wrote to memory of 2724	2944	DllCommonsvc.exe	73
PID 2944 wrote to memory of 1500	2944	DllCommonsvc.exe	74
PID 2944 wrote to memory of 1500	2944	DllCommonsvc.exe	74
PID 2944 wrote to memory of 1500	2944	DllCommonsvc.exe	74
PID 2944 wrote to memory of 2388	2944	DllCommonsvc.exe	75
PID 2944 wrote to memory of 2388	2944	DllCommonsvc.exe	75
PID 2944 wrote to memory of 2388	2944	DllCommonsvc.exe	75
PID 2944 wrote to memory of 1372	2944	DllCommonsvc.exe	79
PID 2944 wrote to memory of 1372	2944	DllCommonsvc.exe	79
PID 2944 wrote to memory of 1372	2944	DllCommonsvc.exe	79
PID 2944 wrote to memory of 2988	2944	DllCommonsvc.exe	86
PID 2944 wrote to memory of 2988	2944	DllCommonsvc.exe	86
PID 2944 wrote to memory of 2988	2944	DllCommonsvc.exe	86
PID 2988 wrote to memory of 2120	2988	cmd.exe	88
PID 2988 wrote to memory of 2120	2988	cmd.exe	88
PID 2988 wrote to memory of 2120	2988	cmd.exe	88
PID 2988 wrote to memory of 2500	2988	cmd.exe	89
PID 2988 wrote to memory of 2500	2988	cmd.exe	89
PID 2988 wrote to memory of 2500	2988	cmd.exe	89
PID 2500 wrote to memory of 2404	2500	csrss.exe	90
PID 2500 wrote to memory of 2404	2500	csrss.exe	90
PID 2500 wrote to memory of 2404	2500	csrss.exe	90
PID 2404 wrote to memory of 1660	2404	cmd.exe	92
PID 2404 wrote to memory of 1660	2404	cmd.exe	92
PID 2404 wrote to memory of 1660	2404	cmd.exe	92
PID 2404 wrote to memory of 2208	2404	cmd.exe	93
PID 2404 wrote to memory of 2208	2404	cmd.exe	93
PID 2404 wrote to memory of 2208	2404	cmd.exe	93
PID 2208 wrote to memory of 2396	2208	csrss.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\49a7cebdd5432ae98bbb25fd91ce5db982c4dda0bf56d29f777c91c707899acf.exe
"C:\Users\Admin\AppData\Local\Temp\49a7cebdd5432ae98bbb25fd91ce5db982c4dda0bf56d29f777c91c707899acf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2936
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3004
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\47Z0vkOQT8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2120
      - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1660
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
        9⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1184
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat"
        11⤵
        
        PID:760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2544
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        13⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1204
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
        15⤵
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:940
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat"
        17⤵
        
        PID:364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1108
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        19⤵
        
        PID:2204
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2792
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
        21⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:692
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Uninstall Information\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\AppPatch\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\AppPatch\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\AppPatch\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a579c37dd25ea7343c4a64097841c7f

SHA1
80e2be2d56879052db7225bcd78c63acb3f4a4ea

SHA256
26fd067567e64ef4e4f496f962c02adf4c0e13e6494ed2204ef49df6ee1c9fe2

SHA512
1b8366f076a0ab52f7627f2376cfc0b937d4c6c2ccee9fc550724cd5b0e5aca3f0c9f58c700afd7bbd1e4c1a074bcb545b2f951102a0094cfd4d30b4d0cab44d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4ea7f3d4658d69d09851f67bb132939

SHA1
922b646cb21777f6af5976d0d0a4ea0cea629bf0

SHA256
ce9a49014cf16a46526b3adcf62fc6d2d88c5ccdaaf060c2fa48df707003c478

SHA512
a8173148faf3bc9174f5683a0d255af8431f1f7a039c8ed88f2fa88160b776556c515e0306756c88c41acd3fadf9cae449ac434bb8d34d394bd3658cf285c21d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c0db34b06a4f8b1ff6df1dd8573222d4

SHA1
67741dfb9b46ff8a06c1cecaa48a7d840d57703c

SHA256
365c39e2929d5bd4baaeac5744abf0ae259cf0caa5fd170d637c7851f7e7720a

SHA512
ae939d0bacf655fc99b0e3a833fcd0b3906af8934279c428ad45fd069d2ccf9c4c617407bc140f1b68934cf729d8157678d033879dae47945c6c9af32cd6ad22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a628e797221998034c604e06f92f72f8

SHA1
c565d5169f5e6c28b3a17f71c76eebf3ed5615af

SHA256
90c73c5ba49beb5c8eb60253178958cdac418a90d53b16b46393e6044c5de657

SHA512
4eaca5ede3bc514fbdb45073ec4ccf2fcc8d78d7e2be5ab739fe39473f8e9521186bba74be552e325127639f5e6a4c48f22e647baa17b85fce4f549f69eb17ec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdc919b0a63c23ff0aa9ddd4ff81aaeb

SHA1
c4bc71e054cbc8fd27bd473d8852002a2f23a9d4

SHA256
ea0aa4c2710f42f47bdb57e0b1ab596a8232ba781e0000d302a990c7f0f4691a

SHA512
154d1caebf0a09e1e9da59cde8c064029b71e603d017947c0e16a4b25b25f3016f2ca5321b0744dbea8172c365ca12c5acfb6b7c498f52ed893f27c02fe59b94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0139b05bef0baa484c9a036d4d25c3e

SHA1
006a315c12cc600a1f8bc626b7adc2a924761937

SHA256
963049ca481401624a845398adce8c6a1080403338b0adc0e48a6483e07bb780

SHA512
658451e02fa0d24efb73608fff2d2d7bb33dcdc46981329d56bde04bccb68dde3309ac4df5b07d7bd70cff7ae041de17f3214a47da285bfa1ffc33a399e9b13b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c26f48333e2168db1acf58e8eed9c0cd

SHA1
d4be2827317ec0c7b7f381e27212acb320d9b332

SHA256
cf84e9ea15990fc7b0ae100a267843f97f440a252b34c138a3c31e870724abb2

SHA512
30e260c851dbce07215930b091fcce77a14950a4c3b3d682a3108014916eddfb39e5f1fb221476dff83943d38e09ca8664c54fd1b367524a0767fb49b7384934

Download Submit
C:\Users\Admin\AppData\Local\Temp\47Z0vkOQT8.bat

Filesize
237B

MD5
8e9a269b331162dc671fbbd43eb70670

SHA1
986e803681cef9090f75e3c7c7f646354d6f0655

SHA256
e9d7994bdf4f8fa59a05566c0440d25d905d6df43a42f683a22c9da74ab9041b

SHA512
a54523730291046d53964e6823e66eb3c1e989539795ed5260cb2b269da87e0355ffb7c81e0da2c9a446b267cd96b58a7038524f018f3da72550a696eb1589b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5092.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

Filesize
237B

MD5
c02e1c91d2b8a13772c8c7b2b1600571

SHA1
ee8a140fe3159d00135382bbd9316bcd8d29cb85

SHA256
064eb41552ddf33da29cd9d497ebdbb049c69d47e52587e2977697ecbb2fc721

SHA512
325086239591054446220bb9b7dd6bf9e7062f00099690f4081a2d1607ee1efd9b7189928bb9a0487413539ceec6566c32153b8892e11c7355009be2cc05f1a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
237B

MD5
0ac3463ab664402dc5b527ca00ac4aed

SHA1
f66e04853efd63302933e07ec08b863c09029e1c

SHA256
6ff1bcad4b2011b0384e5f61d5045af331dbe9dfafaaa2b7c83351935830b140

SHA512
1351e9ffb4959927040628be54e206099b98c8c5d63fc42269830da87bf7ab4d82dc91e6e628b1df71a73a590386eb69dc2e16678b0efb309d4d11de22ac5ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\SQTB2Yz9K3.bat

Filesize
237B

MD5
3357d537cc2e63d5fe70c5c7475233ae

SHA1
ff683f318b0f8896b3d6c6760df3d6ec57d5a41c

SHA256
09eb37fb8b9035a0f6a291bbaa12e87eb06dbe7b7539a47e5da6698545cbedcc

SHA512
598a65f45b84195876ffefe97177acb4b5a204e5be2a5542961565d97d0caf5dabb6dc31fc06ef96e78fd43681b77130e745718acfb25704686db6f33bda0de8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar50C4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UWQnaEvoMY.bat

Filesize
237B

MD5
8cfe190e7f70951c32766fcb84cbc90c

SHA1
380944f59ec2f8b1e538e37f014a9ed7a57366e7

SHA256
9928797a1971bdedea19daee4e8e3689dcf63a406c0da1a9c9d789ca2ae9a0c5

SHA512
ee5d49e99b49cd128ed5391693dac345833c925a64706acfb9a2cd7fe7333bd7d50965d815ccdea0390bc3cc0817beb0c6a06ced89fc21f7cc5685e013e3f497

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

Filesize
237B

MD5
e4c870026ceb1edcdd39f5069d7d7c6f

SHA1
c256d02c58cb74799eb2572afb19cd22e1d0af58

SHA256
a8a4e19c1cfef409e2ae3e29937bfa4afca52038db39265c9998f8e3ebc6bdcd

SHA512
1c72e7deabdcf56bcb22a53610f45b49a32fcdaacf029d424fcc51df31172ae244bea161afabbd6f5797370721177c21814df38381e48b747b42115bb6a95096

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

Filesize
237B

MD5
b1f6e851ffadf22cb969a81f0b89d1c4

SHA1
a278c59ff5b0dd798d44b08303a7961a61fad602

SHA256
443d3da80c755d57e7ac926d9833fe3b2701cad9cb6ece4bc761a3e2d6090ccc

SHA512
b4d75b19906a2e4242e4c93775063ec12d9a13d6f25416cda4fe0dbe54d1f2c1362265803f2cb0699cf3c52eff35a8563dd2ac09d757c62c2b4363213192ce41

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
237B

MD5
fd5027a57937b144e2636bbfdcd0aa25

SHA1
f107108ba373845147a77e23e473539baa1ef712

SHA256
183b4768b4f30daddc9d5d7388f23217fd4de61c2b222252bc1e0b6c3701062c

SHA512
ada15977adcfc48257e563d8cd66e888e8fb0e8da394477679786172f305037ddb1764940651db892a1833833835e73311c3cd1da6e57368e18d5520fb77b333

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

Filesize
237B

MD5
977d1da01c71321cdf01a9333a95269a

SHA1
62a1bf167f786c144b7f1abfbc813724757afad2

SHA256
11527a7f86bddaac5906a4da04d635a294e22dd6da3a0c126925fc2db7b538c4

SHA512
6e9811722683d35ff0843d19a6c89998d2d7c1e5f9a8bf5cc5a8d70214c30b4d4ed9a72547b2b2395d7f7a7aa69eeca03a918e1fa36dc10bfb9488c3f510f116

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
08de84a0b65f29ab056eedd8600dd1f8

SHA1
7bc202ffb4339e8ff52b8c0fc5071ce2b90d4f3e

SHA256
ee26add96c6e690ff3400594e6b8f9ad7ff575b9655a6c8cabf259a50557024d

SHA512
782c80565197926e4fed671c771a5bbc380b4e4f0d1b8a101ec9d431976b89a76255cd81a4a679cf51bd4228b5dec4246ffff7d34a9b26cd233ba2e7fe63be85

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/860-220-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1144-340-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/1200-580-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1200-579-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1936-400-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/2068-280-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2252-460-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/2500-102-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2500-101-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2644-57-0x0000000001E50000-0x0000000001E58000-memory.dmp

Filesize
32KB

Download
memory/2644-51-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2944-13-0x0000000000CD0000-0x0000000000DE0000-memory.dmp

Filesize
1.1MB

Download
memory/2944-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2944-15-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2944-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2944-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download