dcrat | 34b0b26326a10b9a3a18323ab9ec85d77110cea4135ca1e9c902aba4f2226e73

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

34b0b26326a10b9a3a18323ab9ec85d77110cea4135ca1e9c902aba4f2226e73.exe
Size

1.3MB
MD5

d02686d4b2a1c61c07b98db0504b5504
SHA1

2d58d7061214cf8ff1cffe28bf78ce16756c334a
SHA256

34b0b26326a10b9a3a18323ab9ec85d77110cea4135ca1e9c902aba4f2226e73
SHA512

145c4079006b073a9591383fac1ea30ed89e8c33f6e71b792a543a8cc325a8e9c7ba504786b1c10dfbcdbe6d4fce323df6eb2029f7f4a5e49976dd3e33c30209
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	640	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2616	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2616	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016edc-11.dat	dcrat
behavioral1/memory/2808-13-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/memory/1244-44-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/556-145-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/632-502-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2760-562-0x0000000000D50000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/memory/1036-622-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2004-683-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1036	powershell.exe
2924	powershell.exe
2532	powershell.exe
2928	powershell.exe
2408	powershell.exe
1776	powershell.exe
2468	powershell.exe
1236	powershell.exe
2196	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2808	DllCommonsvc.exe
1244	conhost.exe
556	conhost.exe
1340	conhost.exe
2864	conhost.exe
2516	conhost.exe
800	conhost.exe
2396	conhost.exe
632	conhost.exe
2760	conhost.exe
1036	conhost.exe
2004	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2836	cmd.exe
2836	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system\services.exe	DllCommonsvc.exe
File created	C:\Windows\system\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\Globalization\ELS\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Globalization\ELS\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	34b0b26326a10b9a3a18323ab9ec85d77110cea4135ca1e9c902aba4f2226e73.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2980	schtasks.exe
2876	schtasks.exe
1504	schtasks.exe
1040	schtasks.exe
2124	schtasks.exe
2920	schtasks.exe
2432	schtasks.exe
2536	schtasks.exe
2652	schtasks.exe
1980	schtasks.exe
1284	schtasks.exe
580	schtasks.exe
1756	schtasks.exe
1132	schtasks.exe
1964	schtasks.exe
1972	schtasks.exe
2888	schtasks.exe
352	schtasks.exe
640	schtasks.exe
2988	schtasks.exe
864	schtasks.exe
1620	schtasks.exe
568	schtasks.exe
1992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2808	DllCommonsvc.exe
2928	powershell.exe
2532	powershell.exe
2468	powershell.exe
2924	powershell.exe
2408	powershell.exe
1036	powershell.exe
1776	powershell.exe
1236	powershell.exe
2196	powershell.exe
1244	conhost.exe
556	conhost.exe
1340	conhost.exe
2864	conhost.exe
2516	conhost.exe
800	conhost.exe
2396	conhost.exe
632	conhost.exe
2760	conhost.exe
1036	conhost.exe
2004	conhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2808	DllCommonsvc.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	1236	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	1244	conhost.exe
Token: SeDebugPrivilege	556	conhost.exe
Token: SeDebugPrivilege	1340	conhost.exe
Token: SeDebugPrivilege	2864	conhost.exe
Token: SeDebugPrivilege	2516	conhost.exe
Token: SeDebugPrivilege	800	conhost.exe
Token: SeDebugPrivilege	2396	conhost.exe
Token: SeDebugPrivilege	632	conhost.exe
Token: SeDebugPrivilege	2760	conhost.exe
Token: SeDebugPrivilege	1036	conhost.exe
Token: SeDebugPrivilege	2004	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3048 wrote to memory of 2744	3048	34b0b26326a10b9a3a18323ab9ec85d77110cea4135ca1e9c902aba4f2226e73.exe	30
PID 3048 wrote to memory of 2744	3048	34b0b26326a10b9a3a18323ab9ec85d77110cea4135ca1e9c902aba4f2226e73.exe	30
PID 3048 wrote to memory of 2744	3048	34b0b26326a10b9a3a18323ab9ec85d77110cea4135ca1e9c902aba4f2226e73.exe	30
PID 3048 wrote to memory of 2744	3048	34b0b26326a10b9a3a18323ab9ec85d77110cea4135ca1e9c902aba4f2226e73.exe	30
PID 2744 wrote to memory of 2836	2744	WScript.exe	31
PID 2744 wrote to memory of 2836	2744	WScript.exe	31
PID 2744 wrote to memory of 2836	2744	WScript.exe	31
PID 2744 wrote to memory of 2836	2744	WScript.exe	31
PID 2836 wrote to memory of 2808	2836	cmd.exe	33
PID 2836 wrote to memory of 2808	2836	cmd.exe	33
PID 2836 wrote to memory of 2808	2836	cmd.exe	33
PID 2836 wrote to memory of 2808	2836	cmd.exe	33
PID 2808 wrote to memory of 2928	2808	DllCommonsvc.exe	59
PID 2808 wrote to memory of 2928	2808	DllCommonsvc.exe	59
PID 2808 wrote to memory of 2928	2808	DllCommonsvc.exe	59
PID 2808 wrote to memory of 2532	2808	DllCommonsvc.exe	60
PID 2808 wrote to memory of 2532	2808	DllCommonsvc.exe	60
PID 2808 wrote to memory of 2532	2808	DllCommonsvc.exe	60
PID 2808 wrote to memory of 2924	2808	DllCommonsvc.exe	61
PID 2808 wrote to memory of 2924	2808	DllCommonsvc.exe	61
PID 2808 wrote to memory of 2924	2808	DllCommonsvc.exe	61
PID 2808 wrote to memory of 2196	2808	DllCommonsvc.exe	63
PID 2808 wrote to memory of 2196	2808	DllCommonsvc.exe	63
PID 2808 wrote to memory of 2196	2808	DllCommonsvc.exe	63
PID 2808 wrote to memory of 1036	2808	DllCommonsvc.exe	65
PID 2808 wrote to memory of 1036	2808	DllCommonsvc.exe	65
PID 2808 wrote to memory of 1036	2808	DllCommonsvc.exe	65
PID 2808 wrote to memory of 1236	2808	DllCommonsvc.exe	66
PID 2808 wrote to memory of 1236	2808	DllCommonsvc.exe	66
PID 2808 wrote to memory of 1236	2808	DllCommonsvc.exe	66
PID 2808 wrote to memory of 2468	2808	DllCommonsvc.exe	67
PID 2808 wrote to memory of 2468	2808	DllCommonsvc.exe	67
PID 2808 wrote to memory of 2468	2808	DllCommonsvc.exe	67
PID 2808 wrote to memory of 1776	2808	DllCommonsvc.exe	68
PID 2808 wrote to memory of 1776	2808	DllCommonsvc.exe	68
PID 2808 wrote to memory of 1776	2808	DllCommonsvc.exe	68
PID 2808 wrote to memory of 2408	2808	DllCommonsvc.exe	69
PID 2808 wrote to memory of 2408	2808	DllCommonsvc.exe	69
PID 2808 wrote to memory of 2408	2808	DllCommonsvc.exe	69
PID 2808 wrote to memory of 1244	2808	DllCommonsvc.exe	77
PID 2808 wrote to memory of 1244	2808	DllCommonsvc.exe	77
PID 2808 wrote to memory of 1244	2808	DllCommonsvc.exe	77
PID 1244 wrote to memory of 1248	1244	conhost.exe	78
PID 1244 wrote to memory of 1248	1244	conhost.exe	78
PID 1244 wrote to memory of 1248	1244	conhost.exe	78
PID 1248 wrote to memory of 2108	1248	cmd.exe	80
PID 1248 wrote to memory of 2108	1248	cmd.exe	80
PID 1248 wrote to memory of 2108	1248	cmd.exe	80
PID 1248 wrote to memory of 556	1248	cmd.exe	81
PID 1248 wrote to memory of 556	1248	cmd.exe	81
PID 1248 wrote to memory of 556	1248	cmd.exe	81
PID 556 wrote to memory of 1280	556	conhost.exe	82
PID 556 wrote to memory of 1280	556	conhost.exe	82
PID 556 wrote to memory of 1280	556	conhost.exe	82
PID 1280 wrote to memory of 1608	1280	cmd.exe	84
PID 1280 wrote to memory of 1608	1280	cmd.exe	84
PID 1280 wrote to memory of 1608	1280	cmd.exe	84
PID 1280 wrote to memory of 1340	1280	cmd.exe	85
PID 1280 wrote to memory of 1340	1280	cmd.exe	85
PID 1280 wrote to memory of 1340	1280	cmd.exe	85
PID 1340 wrote to memory of 2380	1340	conhost.exe	86
PID 1340 wrote to memory of 2380	1340	conhost.exe	86
PID 1340 wrote to memory of 2380	1340	conhost.exe	86
PID 2380 wrote to memory of 3064	2380	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\34b0b26326a10b9a3a18323ab9ec85d77110cea4135ca1e9c902aba4f2226e73.exe
"C:\Users\Admin\AppData\Local\Temp\34b0b26326a10b9a3a18323ab9ec85d77110cea4135ca1e9c902aba4f2226e73.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2744
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2836
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\ELS\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1244
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2108
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1608
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3064
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
        12⤵
        
        PID:1700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2832
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"
        14⤵
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1224
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
        16⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1084
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
        18⤵
        
        PID:532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2680
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
        20⤵
        
        PID:1292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2588
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat"
        22⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1604
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat"
        24⤵
        
        PID:2868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2220
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat"
        26⤵
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\system\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\system\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Windows\system\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Media Player\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Media Player\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Windows\Globalization\ELS\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Globalization\ELS\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Globalization\ELS\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\CrashReports\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
117a42e37ebfdf0e76cb272721976ff7

SHA1
2bf3f4f0041f117b81844d35dd43e8553dc303c5

SHA256
118430ab6b9c3fd300c103c21d85a5e4bc8db56b3408345641f33438e65ec85c

SHA512
3285f9c9dfba88a490614e9158f11ea98302a30d8df28ad8e9fe4c838510288ba7f860c5991d8cbf9bb7efc54ec9fa3d607d9e9889c8a80407485393a5b2aad5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f1bf4174b39eda3dfeb23da81183835

SHA1
36a4f874b1a9033c93ea491d0428a5b3453397e1

SHA256
3bf984fd1e97fa0069d2dc2e34c34099864792364c2548715c61f840a51eb7ca

SHA512
ab787d3c26ad8db1e2098390e0aaead187f55ae07c8f85f2448ed3d22bce559b4e6250663284160d83552f162eb538341a7d7cc97a33eca11b7ae158487c7f3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
293b9744ae8a1eda74718351df7f0567

SHA1
09397ae12a5fca5e98b4974c0dcbc7f2268393ef

SHA256
aa37edf569128ca3d2ad18c6717f7021651bae197f5ab41f6977509cbf25161c

SHA512
a55e3bb01ccf6c90ed588fb3cec00c5173d16258aa0db8a9eb21102dfa92399fe5267b0a4151eac927f39c3fcf1262919a01c815c901faf157f64beb73d438d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7d05645d1291d386039d14fdd9c91c7

SHA1
64e1686f7cd204d9cda4424713119c2f24f6595f

SHA256
c1fedfd908f0e68a98a05769383df6e70c9b4aea3f556e0493abc314d446718c

SHA512
f76c78a5aa10a62d22350eccbb3288a4b7895b466359bad8a9cd6c2269cafe00abffa4edd36baf348742dfec6b903dd17a77df809ae7ce6e8fcd91d89df2d06c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
266476491d0e245415948b1ad15619e7

SHA1
7e478dea178c8b78687ba2232a2c9b7540465c92

SHA256
e8263787f2af5802e7f61157a0f0ecc446e3b4e0da3b16577612c40047670222

SHA512
6906fbee53291adeb580734deedf5cdd38342ba2e9e2886aac92bae8da825aee30f41443a50b75bf5cf56d6836c6c2b748ec771c42ac879f19f9f78e973ec2d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a011faec48200b2776ad37560c522f38

SHA1
7758e754e065a43beaf17f9298865835ca4fb1a5

SHA256
9ff30cfff3b58f43e27a5300e7b3ed5def0364ca2adb021b25e90a7fed01b5b6

SHA512
76586de2cbfbd530c0d565c6286a6ad08c645692010b14f084f6dd1050b28245c6ed8811f1ba2841b190d83121b75d1e9fc0def48f4ace575c2d6a3b7e4cd539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be85f004b2ec63d0667d8195b04e3c4f

SHA1
4388e750c2f8fd637e65fb4c2bca3adac3f9e722

SHA256
fa501ded01aab989dae2cf662d2aba069f457c202e8051c1770e7eaef28e879c

SHA512
f512a8eaaaad79fa800da3ab4eb87d503a5665be1887920c57bd0f89afcff352372631a5be1e2b401dd7d14af8ac11fb4da32dd781a57334f0dee0ff53af05c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dee4222025ceb800aeb17c94d4d73423

SHA1
6d0a19bfebc739967c8a79f6e2bdee5c44e844f1

SHA256
c859c6230d998f54f2c0803fb8a2102128325d04df793bfc61999d1549e743ec

SHA512
78b61a7032db77576942f886fcdabe827cf018f5c691ac2cd954cccf28c9522ba5f38ffe2abead476fc13ae97f9e3280a7038dad5248d137dae1c6904d99bce9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b080185389e1841552e3eb96795c6f1

SHA1
d5a3bf4e9e35913446b977e7f534ac0414e8fbfe

SHA256
58bcb145f0f6d5bc321fe46eb7ab25d11bc0e0299492f1c250c6cd4067c2eefa

SHA512
1836d24118b412e8fc9ca0989e63572ac13cdbd34ffb38ed93b2c0775097e12980fe5fd779a59748f7a0946528eecb54e9128728c965642281befd1a8005a5f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7bd458e1c4e4e480e9d95ae4cb866c7

SHA1
66d36b104b24899e2fe4f032e8ab14241c4a0da6

SHA256
95120c62ae0e8e8fb62331e832cae5c077e16911bd68fbdb15d0575305a39955

SHA512
fe03294d54d95e6c4ac0991aff6ca743f03275737e1803297e10f7a01f059a8cfd561dcb197fef7d6c20cbc3964ef9532994b37bef98712d46b7579c8e86a6a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat

Filesize
239B

MD5
3e0d48e9d42e62bce495d1cc1f5c9ff1

SHA1
8d44614ee64ce37de904bc88bf6d6b0e5b3b055b

SHA256
5d1cdcebf62ca47a8408afb42ca1f141c034a4d015a42e48d0dec03c4040dc58

SHA512
73dfb7c741fa34d11e7bd0115802800adc9688912902411748aab0d1002b40b6bf1450e23f65becee2cfacfc58ba9d0fe69b1ee44b798449a10b648687c3c050

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat

Filesize
239B

MD5
1766346519f0eeff69f87856c64e1601

SHA1
41fe5e9f8aee573b0dca26d72797d1a4bf06338d

SHA256
cb0f755c231b8d07d2eba87b90648a150027e7c2df70c73a038edfb00b63247d

SHA512
322e53a313de0352eaa60daca2a577ba9adcc4f4b5989997dce4bf6c45eeb6eb8ba408c01f2b111e7ed9c67c3b4b95ae43abba64f52b70a8dfb2273b6d95a11b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat

Filesize
239B

MD5
c9880c1e2e7f9e87dbe034765d1b148e

SHA1
7b097b18126f0a7a2e981031a6bc63c96b9961c5

SHA256
0cbf4b69d3715a99ef052efdbbe802e1734579349a902d8ee67bd373fdc1a3f9

SHA512
25f1899dab2e014f15a56181f0d36a80bdd188472745f81554aa4423f20be28d5f93ee31138ed67933827e10ad9f2d712d6a06a83ad62e51c7151fcb7ca4f219

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3620.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SvvYNrLnHE.bat

Filesize
239B

MD5
c2813f4e0c60b67dd43f145dab6393c8

SHA1
e194778b965c56e3dc495c798e8adad3f1a16f17

SHA256
ecb65bf00a515cfca713a057a5c63c9162f60b31240a29cffc1111080148bf5d

SHA512
afaf56dc1398dd2d4c4083707a518b004965ae8692a01f8e2e16b1d1d7e9b58fa6b9e0fb0e984a9333d5c096e8db3a49da34b29a4a931c00473ad14579104d88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3623.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat

Filesize
239B

MD5
bb93c6598f6c091dab3c85113112c8eb

SHA1
c862e3ac1400c55de6ec3133a8888ac89c7a0a92

SHA256
a80278658369f7011aba7d4d430fd2e6d89f5cfa4760437211acd007e46b38fe

SHA512
6df671a1b19c2a2da61436d07e8dbc01598324168e72eacb25eb04705c756ac4707c5c15271e83428e5946dd5c591daa5229debf53267eefa56bf83bc9ef0a60

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

Filesize
239B

MD5
d62cea3ca8b357c93e70ad9310d8c1ca

SHA1
1c43dedd05e12dab7d5741ac129c8ac8bafd1228

SHA256
1d3654c68a420056f29ae375c1aeb9c66d079ecad76068146683700ecf1f75c4

SHA512
451e4bc842f8663603875720fc9b0c7730f36d46307b4e79615f1acc489aa027691e3bfdbbfa8b9ae2db82f669fa48287bf5c4277aea4029b316f5800c604b6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bo4ZIAkpMj.bat

Filesize
239B

MD5
f6714552176fc2f53bb98b876b12bba8

SHA1
681e81028a10c0a146c14116680362728e6250d7

SHA256
1f157fa3070d06fbe8a8b0ae2de64a490f960cfb3df5179adae52b39979b925d

SHA512
8da9d79fb40cbfc59cd9fbf57ceffad7a1803fcbba2a01944cb6dfd170ae9c2c86841ddcef3cbd6b4db73b793a397aa34bcda0dc05e81b3716c781990ebe1300

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat

Filesize
239B

MD5
807d5c86c94da32267587e7410a55270

SHA1
3862255b42ed9a31aa900fdc6255e7448471ed15

SHA256
3f6972d782858a1f885eaaf8fef0140b9917cae7450a221c835c38a44ca8055e

SHA512
d4f36322d3227a46903be66e3dd531624215129fda633bb1e44e873c5f778772626abea7f7daab6878e530c2e1d98cc8c64aede07b7f8ddc4144ef7cd12e0d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat

Filesize
239B

MD5
84a217074e5149bc28094882eced92b7

SHA1
a3b886988a261ac61ffae63417ab1bd2b4ea7efe

SHA256
591dcd557b46dab6fa1273920822446509ba051b93d072d5936fddd80f2a57c3

SHA512
d2076aed98039a842918fd5c3aea325b7c54940142956a73841bc7bd039e0331d56d5a72f9254ef5388a0df03130f121338c53f8fd4f1c9143701c614c86ad6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzqLwOyuSO.bat

Filesize
239B

MD5
4d0f6d1b87c94fc782d8fe1771b649d6

SHA1
f8f19024275a75e9c4e94607f91b7be6eca0c002

SHA256
f80db8f5692fa1ebfb99d06444d0085b11e297e9e77595a7e6e3bed4d29b41ba

SHA512
21642c49effe4f6367cf31c4ed0ae7fd0497372a09c2cb80788fba8764891c254d7412cbc311511ab534765cb04fb251ed089c366f43c206df887bce0ec9befd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tDjG3X7WPV.bat

Filesize
239B

MD5
44e469249ec7c1a7ee03d9b04d078d5f

SHA1
5349ab4275bc29268ee684b14fc0ea645f2fd69b

SHA256
ce6fcd3f97cf051d13fc5ae598ca6acf6b96c13ec5e824fd00ffcb30cc64f42d

SHA512
98780c66190140faef4ed4f30e4c345a72e276edb72b56a145a2b05577ed608376b175e28a776ab627f554f60f1626a69488372f1a643b236f557bdef69ca1d3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a3ecb9c5bc1f22e822829b35eb6d57be

SHA1
4c20ba4af7055f6c8d770ce2f685100b79c87b22

SHA256
c7b9a05ebce4b3db43cb1b8c66617780a56d39cfab669472af89eaca75b2dc0b

SHA512
6542dad4a2a14173f04d369b62600323500613c9bdfeb3bf8799dfe8d5e1395a7289183f858a28cf80c40418677e088de83bf5d00545a3656c20f7bf9c3be893

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/556-145-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/632-502-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/1036-622-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/1036-623-0x0000000000A70000-0x0000000000A82000-memory.dmp

Filesize
72KB

Download
memory/1244-44-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/1340-205-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2004-683-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download
memory/2516-324-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2760-562-0x0000000000D50000-0x0000000000E60000-memory.dmp

Filesize
1.1MB

Download
memory/2808-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2808-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2808-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2808-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2808-13-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2928-46-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2928-51-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download