dcrat | 0c2513dcee294f21baf75a5d3216d0c7b722b78f63f2253eafc3eb4d0ef4205c

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0c2513dcee294f21baf75a5d3216d0c7b722b78f63f2253eafc3eb4d0ef4205c.exe
Size

1.3MB
MD5

8494296f06f725e01937b919cd9f2232
SHA1

b7c9a0f573768f2be076e2445aaab91e3413aac1
SHA256

0c2513dcee294f21baf75a5d3216d0c7b722b78f63f2253eafc3eb4d0ef4205c
SHA512

661e6cf49679fc80a57eab69cbfa42463d5b9bdc8f66beb5a58f1d34475a8b84a6ffaf51bac16d74d751b1077a8e8b06fe8391c9e299cd3d603ea78255200a3f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1184	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2620	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2620	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019345-11.dat	dcrat
behavioral1/memory/2016-13-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/1728-94-0x0000000000DC0000-0x0000000000ED0000-memory.dmp	dcrat
behavioral1/memory/1920-153-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/2540-213-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/876-273-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2892-333-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/1612-454-0x0000000000E40000-0x0000000000F50000-memory.dmp	dcrat
behavioral1/memory/2936-573-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/3028-634-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1752	powershell.exe
888	powershell.exe
1640	powershell.exe
2936	powershell.exe
2428	powershell.exe
3028	powershell.exe
3064	powershell.exe
3024	powershell.exe
408	powershell.exe
2432	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2016	DllCommonsvc.exe
1728	csrss.exe
1920	csrss.exe
2540	csrss.exe
876	csrss.exe
2892	csrss.exe
1288	csrss.exe
1612	csrss.exe
2216	csrss.exe
2936	csrss.exe
3028	csrss.exe
2876	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2468	cmd.exe
2468	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\ebf1f9fa8afd6d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	0c2513dcee294f21baf75a5d3216d0c7b722b78f63f2253eafc3eb4d0ef4205c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1620	schtasks.exe
2920	schtasks.exe
1228	schtasks.exe
2700	schtasks.exe
2588	schtasks.exe
840	schtasks.exe
1184	schtasks.exe
2648	schtasks.exe
2244	schtasks.exe
2940	schtasks.exe
2336	schtasks.exe
2808	schtasks.exe
1876	schtasks.exe
2980	schtasks.exe
2688	schtasks.exe
1744	schtasks.exe
1404	schtasks.exe
2444	schtasks.exe
1704	schtasks.exe
2624	schtasks.exe
1248	schtasks.exe
1872	schtasks.exe
852	schtasks.exe
2292	schtasks.exe
1900	schtasks.exe
1452	schtasks.exe
1904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2016	DllCommonsvc.exe
2016	DllCommonsvc.exe
2016	DllCommonsvc.exe
2936	powershell.exe
3024	powershell.exe
1640	powershell.exe
1752	powershell.exe
3064	powershell.exe
408	powershell.exe
2432	powershell.exe
3028	powershell.exe
888	powershell.exe
2428	powershell.exe
1728	csrss.exe
1920	csrss.exe
2540	csrss.exe
876	csrss.exe
2892	csrss.exe
1288	csrss.exe
1612	csrss.exe
2216	csrss.exe
2936	csrss.exe
3028	csrss.exe
2876	csrss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	DllCommonsvc.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	3024	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	3064	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	3028	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	1728	csrss.exe
Token: SeDebugPrivilege	1920	csrss.exe
Token: SeDebugPrivilege	2540	csrss.exe
Token: SeDebugPrivilege	876	csrss.exe
Token: SeDebugPrivilege	2892	csrss.exe
Token: SeDebugPrivilege	1288	csrss.exe
Token: SeDebugPrivilege	1612	csrss.exe
Token: SeDebugPrivilege	2216	csrss.exe
Token: SeDebugPrivilege	2936	csrss.exe
Token: SeDebugPrivilege	3028	csrss.exe
Token: SeDebugPrivilege	2876	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2160	2384	0c2513dcee294f21baf75a5d3216d0c7b722b78f63f2253eafc3eb4d0ef4205c.exe	30
PID 2384 wrote to memory of 2160	2384	0c2513dcee294f21baf75a5d3216d0c7b722b78f63f2253eafc3eb4d0ef4205c.exe	30
PID 2384 wrote to memory of 2160	2384	0c2513dcee294f21baf75a5d3216d0c7b722b78f63f2253eafc3eb4d0ef4205c.exe	30
PID 2384 wrote to memory of 2160	2384	0c2513dcee294f21baf75a5d3216d0c7b722b78f63f2253eafc3eb4d0ef4205c.exe	30
PID 2160 wrote to memory of 2468	2160	WScript.exe	31
PID 2160 wrote to memory of 2468	2160	WScript.exe	31
PID 2160 wrote to memory of 2468	2160	WScript.exe	31
PID 2160 wrote to memory of 2468	2160	WScript.exe	31
PID 2468 wrote to memory of 2016	2468	cmd.exe	33
PID 2468 wrote to memory of 2016	2468	cmd.exe	33
PID 2468 wrote to memory of 2016	2468	cmd.exe	33
PID 2468 wrote to memory of 2016	2468	cmd.exe	33
PID 2016 wrote to memory of 3064	2016	DllCommonsvc.exe	62
PID 2016 wrote to memory of 3064	2016	DllCommonsvc.exe	62
PID 2016 wrote to memory of 3064	2016	DllCommonsvc.exe	62
PID 2016 wrote to memory of 3024	2016	DllCommonsvc.exe	63
PID 2016 wrote to memory of 3024	2016	DllCommonsvc.exe	63
PID 2016 wrote to memory of 3024	2016	DllCommonsvc.exe	63
PID 2016 wrote to memory of 1752	2016	DllCommonsvc.exe	64
PID 2016 wrote to memory of 1752	2016	DllCommonsvc.exe	64
PID 2016 wrote to memory of 1752	2016	DllCommonsvc.exe	64
PID 2016 wrote to memory of 2936	2016	DllCommonsvc.exe	65
PID 2016 wrote to memory of 2936	2016	DllCommonsvc.exe	65
PID 2016 wrote to memory of 2936	2016	DllCommonsvc.exe	65
PID 2016 wrote to memory of 888	2016	DllCommonsvc.exe	66
PID 2016 wrote to memory of 888	2016	DllCommonsvc.exe	66
PID 2016 wrote to memory of 888	2016	DllCommonsvc.exe	66
PID 2016 wrote to memory of 408	2016	DllCommonsvc.exe	68
PID 2016 wrote to memory of 408	2016	DllCommonsvc.exe	68
PID 2016 wrote to memory of 408	2016	DllCommonsvc.exe	68
PID 2016 wrote to memory of 2432	2016	DllCommonsvc.exe	70
PID 2016 wrote to memory of 2432	2016	DllCommonsvc.exe	70
PID 2016 wrote to memory of 2432	2016	DllCommonsvc.exe	70
PID 2016 wrote to memory of 2428	2016	DllCommonsvc.exe	71
PID 2016 wrote to memory of 2428	2016	DllCommonsvc.exe	71
PID 2016 wrote to memory of 2428	2016	DllCommonsvc.exe	71
PID 2016 wrote to memory of 1640	2016	DllCommonsvc.exe	72
PID 2016 wrote to memory of 1640	2016	DllCommonsvc.exe	72
PID 2016 wrote to memory of 1640	2016	DllCommonsvc.exe	72
PID 2016 wrote to memory of 3028	2016	DllCommonsvc.exe	73
PID 2016 wrote to memory of 3028	2016	DllCommonsvc.exe	73
PID 2016 wrote to memory of 3028	2016	DllCommonsvc.exe	73
PID 2016 wrote to memory of 1464	2016	DllCommonsvc.exe	82
PID 2016 wrote to memory of 1464	2016	DllCommonsvc.exe	82
PID 2016 wrote to memory of 1464	2016	DllCommonsvc.exe	82
PID 1464 wrote to memory of 1424	1464	cmd.exe	84
PID 1464 wrote to memory of 1424	1464	cmd.exe	84
PID 1464 wrote to memory of 1424	1464	cmd.exe	84
PID 1464 wrote to memory of 1728	1464	cmd.exe	87
PID 1464 wrote to memory of 1728	1464	cmd.exe	87
PID 1464 wrote to memory of 1728	1464	cmd.exe	87
PID 1728 wrote to memory of 3056	1728	csrss.exe	88
PID 1728 wrote to memory of 3056	1728	csrss.exe	88
PID 1728 wrote to memory of 3056	1728	csrss.exe	88
PID 3056 wrote to memory of 2304	3056	cmd.exe	90
PID 3056 wrote to memory of 2304	3056	cmd.exe	90
PID 3056 wrote to memory of 2304	3056	cmd.exe	90
PID 3056 wrote to memory of 1920	3056	cmd.exe	91
PID 3056 wrote to memory of 1920	3056	cmd.exe	91
PID 3056 wrote to memory of 1920	3056	cmd.exe	91
PID 1920 wrote to memory of 1516	1920	csrss.exe	92
PID 1920 wrote to memory of 1516	1920	csrss.exe	92
PID 1920 wrote to memory of 1516	1920	csrss.exe	92
PID 1516 wrote to memory of 2836	1516	cmd.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\0c2513dcee294f21baf75a5d3216d0c7b722b78f63f2253eafc3eb4d0ef4205c.exe
"C:\Users\Admin\AppData\Local\Temp\0c2513dcee294f21baf75a5d3216d0c7b722b78f63f2253eafc3eb4d0ef4205c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Downloads\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Desktop\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ttz16TmcLB.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1464
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1424
      - C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2304
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2836
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
        11⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2700
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
        13⤵
        
        PID:1420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2296
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat"
        15⤵
        
        PID:852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2196
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
        17⤵
        
        PID:2256
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1720
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat"
        19⤵
        
        PID:596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:584
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat"
        21⤵
        
        PID:1636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1588
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        23⤵
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1152
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
        25⤵
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:836
        
        C:\providercommon\csrss.exe
        
        "C:\providercommon\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Downloads\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\images\120DPI\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7b1d84a399b9b0ff4465f44b27e14fd

SHA1
fd036ad06deb9c509e345aac9edf2811070549b9

SHA256
2fdd5715137f2270f69e881271b4eaec01e9c078c878285f2878feba1a900f76

SHA512
ff94271eb16a1afa165d2741738aa4e45b35eee6d459b1ffbf3259c22774571db349d77b19afaea6c2cafb1696299b516be3234a25ca99acd29d8f0ba168d0ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e735ea3c386340d56fa14dc10c92475

SHA1
17f31b670fc2df4ce1886be3e935132d7baf9929

SHA256
7f14ee8223f1bf678e8a24e1951ca1f033c9c30acef401fdad9d260b1d38f36f

SHA512
eb7f6c5831c930e259a5915d8110bfeaad36d4116c4b95836781eac55519a3de49e21f350b9c4d28e165a0b079d459ec8cf1f08aefdb336538deb47834d33da4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b812f6842ec7f55f43377926223fec2

SHA1
fde8ab17d58c491952c5f615739d100b6650debf

SHA256
63c9840b4d4b83dc9b5c584c8afe7f7329370e7d07737c658fe9350f649d5904

SHA512
c16832ccc411b540de0753f5697f05473b4302f4d6bf05c8b9f36eec42e61d8aa1c379226ae54d23a56a83005258ed2ce803e804144966e33463bd3cbb849a62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1645fd20b496d5a773d4a1a9cdbb0460

SHA1
6d667220c512f989ef3f97524080ed4ab8978998

SHA256
3ba340bf1d3123965d11bc7220dcdea5567bfe8358f13145c19dd00c42b481fc

SHA512
fa7498eafdb9918d66572807fb1be683cc59fa6391178a9d6356d7cd220b8d837e6d708d388a62f57f4d94a065859b80c115e3d6adaa03e4692383ab089aec9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ed06626b13453c8727079f8584a52f6

SHA1
ab2d736656b08ab621d90ca7f264601ec7fd7ed6

SHA256
db84aea5c1dc1378489411bcc58a9736743d2d80c5f989750203c678fbfd2f93

SHA512
1023befb397b00ff4d6fd43438e7a78dd137537cc1cd4228154ef34f1cb1fa8f52a639ce089cc473ec75e37116bfabc6094dcbeed04f1a1009743d99aadbef4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3d90427dff2fab8616e19535a84efc0

SHA1
42ad4fdd4941b3eac1bd7bbee393c2467cf38ee6

SHA256
f5d38781bcd6c48e052a09e907487ea198c0821ada874be915de2ccabde0beed

SHA512
bacd27adf52abe2a188a6aa889b852106d00968e3db9dbdb736d4adb0de3c74eaa774d31920c6d53161f230bd3f2590542e071b9e1b53ec7fc5a131aa8368cbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33c4bc16f85e62ede58fc14c3979387b

SHA1
c0403fe00e5124cac5578d0aa71d56767e825efa

SHA256
bdad8d82f24e0f27fdb8406c1695dfddce2a308960624d09892a88e9f1d279db

SHA512
1060e09e1898dc6c62f7ce772d6bf5579e30faa7a4bc5fb9541c1a7cc678ec3b1bf6001dcf9209d0d176725cc332fd0b6978e37502154e6671cea1f89298fd54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0bdd1bc7d6186b55b0b978051bbc52f4

SHA1
bbad6137b50fc37e4485aa7ad596d8b7a31fcc2f

SHA256
efaf0193542b1d43a4840d6a42b615932ccd4ee1d310c09cb93c6b29bbb21bde

SHA512
d5ab204fa9491439f14573a26bc8cb353edbe75ddbe142587660502229b739d97b568b41731e507eee6641e2915b37b97cb9a51f0286138e37da3db08be929ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
715eb77bcd99828cb608b406f8ab54e2

SHA1
c62ee2b2ef1b1353a69440964a100b43e148713b

SHA256
bb1d93cacfc17e63f279e2b8864e63da61b6ecedaedaf543fee29cff12454872

SHA512
401089a6c6452be9679606b3d47e57717914cd5b047ac65ad6c882a2c12bf69effacd50ac470369b0a29603e755c5cc1f621b8603f7435d0b5a7e573ecc289c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\34gW2xHJWZ.bat

Filesize
192B

MD5
7dbfd284b9316cad683c7fffdd38e5fb

SHA1
613d851c56fe911d0b71c4b868265498fba4a3f7

SHA256
d4c3b594b9bb0764e1ec930ee075639ea9335c67e58cc7542af94be45e9feb69

SHA512
997444edade82ab39ef0af6d736cfffa437c733ec2945c78ec961db99d182b8c9811f188407052103cf425aeea430ef919f75cd3deaa32b466fe7d89a95fd2ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFBDE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

Filesize
192B

MD5
b302a2710587adf2d4b50bcf121d4354

SHA1
758216d7ed3509f1349221260217ddd1024186f4

SHA256
29c8f3b053a57f308130053778e1c70ee72f97c4ca3461105e3dcd8496e593bb

SHA512
00c6a1f90c40d166a34f25878fbe5a2e51fcb50079b67c2d7d99fc0ba0b9b0939fb6f86281a2198bbc706d3c811810fcce1e522b8ce4de2545bf0070e24727f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFC00.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UQ4uSu8U9J.bat

Filesize
192B

MD5
a3902e0f84a0be2bd9c954acc2a00cfd

SHA1
1512d89bdf631f9d5f2ad2a9c99ba64b93d5b26d

SHA256
8d837a031c296874416b44903646fbee09b06ffa68df82826bc1280c8868ad90

SHA512
a20f5c84f0ade29ed615121de84dcbfe6d3e64ac217feb0a75eb4993dd9739d1a699a385e82272bce7bd263d119dba1c63cafe526eca60cdf8daadacddc32670

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat

Filesize
192B

MD5
24876a9e84cab6cbcd802ec6bf4cbc54

SHA1
7564840ef581c09ca6d753eb02a9f6ee96102175

SHA256
1a7446bdaac2c53a9e2d1afef5b8d85d786617bb69dc4287c4c02bcab5611bc3

SHA512
98c23240ecc301175f1ecd8adce0282eb5d8ee53642cba0de61995097dc281f7b9ab9d2d4d53c84743a8ed7d2484dc6142e0a1ac24c8e8fda81ccc9308d9a52c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
192B

MD5
972909194dfd1c806716a918add71014

SHA1
7fecb7022e79d72586c7618804b77af681d243d1

SHA256
41bedf2ee1a823a17598d6e91fbdbfe5bb68a0b8f99641bff919c25c6f18085b

SHA512
322397654fc1106425fed346fc84866bb9fe80df9034631cfc8e36c64e067704652cf0ae7ce9206c13e8bcd81ac12d4b3a070c3067baa258536bf75f6bc796fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\crRU6Ya2tl.bat

Filesize
192B

MD5
5b575b1b77aa632615015b7440334ef6

SHA1
0e14a3a1a284446d0d2da27a015980473ae84ff1

SHA256
a2d699b569050ce8115899ad03b972425c089e6c4af14b7de2e5dc732a604115

SHA512
eeffb69391ebbd859e373b48177b69e32b3d188027e20175af04c4126f0955a7f531d04c9311e3a0427606d61f1078815d96c5f57841316222fc25dd6459ff3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\hfpeQ4JfvC.bat

Filesize
192B

MD5
d856da3138066944dd884edf390da4e3

SHA1
0e3a5498c4b402348a5732203c553a15be6fecde

SHA256
60eea4844f5d9b9490882cdbdfc1140e363870a97a8b8a66942f209e27b816a7

SHA512
0ea051a5df2000540421496bb4be2a61132e9cf01ee07151600dfebc7d97acfd3651914a8ca563fa32711dcfdb8a9bb2300f736975abc7cc7db533b2913c13bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

Filesize
192B

MD5
3b1966401da0cdac4226f0de8b6f21c7

SHA1
8351b26936f82f39322ff26c20163d18b915d4fc

SHA256
f9c18081c51c57d7f22c8a2d0b18313246555ee9f09638aa0f95232b06008c5b

SHA512
d64845a0823b8e75b4194df96e62db1fc0bad7d1b2b67e9efdf35999324a37cb784d5d8eeb8049fd5f05954da169354b511345be89156f60f42a474cb37ecd30

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

Filesize
192B

MD5
123eb7e0f8285a847ae83721a2d0117a

SHA1
07f145c7fe4d54fe0fd32d3e8f595a68b33c6826

SHA256
fa3be089de49bb40b0cd3a82316e738feadccc9b85ce867fdc02cc9ce1da995d

SHA512
65397e17cccf9f3d351d15b9ffd82ea1a770a889e318c45b92068bc54a36f8782cd58e4f5f2adf871c75ed0c2b5dc7204fd10cf10395714882ad31059d2c2779

Download Submit
C:\Users\Admin\AppData\Local\Temp\tebxeZNirC.bat

Filesize
192B

MD5
ccf61dc648df978a0bdc5cfbb18896de

SHA1
ecb802373585ed5b8099b858e205b962b152295f

SHA256
d7bce7c9d21b156647ee7576da65d18c7b0de1256805e9834132be5a0a03f748

SHA512
dc83653a78c6c5fbfa3486cbde840e3c470518f281a35f044c3a45065e5f5447376e6bbde04fd9ee1fb82329876d0252a0a2f122ce700f7ab5e7f200d701c9a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\ttz16TmcLB.bat

Filesize
192B

MD5
a7213dcd781acc53838e3b569fed8074

SHA1
983969505c1ed5da19fb386e7d025213ed3f71ff

SHA256
9dae7f62a35d0f96ece1291e58b09b8710823e900607afaeb6f41c57fc19f5da

SHA512
71d10734cd8d68dded0c7c5d12c82eb0eb8c57c8b6865928220df7fb3004d3e6ef8d4596014f2d0e0514d2cf791c4eef71959969cdeb1509adf475c63a45424c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
9a0cf6727a8b36ca58dbde487310e566

SHA1
851361b88118ab11590e3abbcfd4b6146430c929

SHA256
612b0199bab05d37c1aeeabbbb0c8e6788103af36807fbc95c6a4b2aaedca7c4

SHA512
ef89536e470bd31b633d7397d40805e771584556e59205dccafa747a6ce1c045c53603686b177a011a813b5b98451a19d1f8640c496bdbd57db4c65c723a42f6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/876-273-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/1288-394-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1612-454-0x0000000000E40000-0x0000000000F50000-memory.dmp

Filesize
1.1MB

Download
memory/1728-94-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

Filesize
1.1MB

Download
memory/1920-153-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2016-14-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2016-17-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2016-16-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2016-15-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2016-13-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/2540-213-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2892-334-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2892-333-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2936-573-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/2936-574-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2936-51-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/3024-49-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/3028-634-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download