dcrat | 1cb96ed97e2ce5ea2451125970f4a8d21af3d50e962834b416bb38b3d7116bb5

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1cb96ed97e2ce5ea2451125970f4a8d21af3d50e962834b416bb38b3d7116bb5.exe
Size

1.3MB
MD5

d8929ee9a4385717e6ab45ccbef21bbf
SHA1

9a6306b98a289a05c490c44145ac97bdaccc48c5
SHA256

1cb96ed97e2ce5ea2451125970f4a8d21af3d50e962834b416bb38b3d7116bb5
SHA512

2fe89363e5bd8931e12efda52e3a401e0384ded2ece3fe6365ad08b53f4ae9f0c8b29baa6623558ba24a3481af4c97c096a937f18da7bcdfd87c07143f292172
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2648	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2648	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c3a-11.dat	dcrat
behavioral1/memory/2760-13-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2848-101-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/324-160-0x0000000000B10000-0x0000000000C20000-memory.dmp	dcrat
behavioral1/memory/2520-220-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/1732-280-0x0000000000B80000-0x0000000000C90000-memory.dmp	dcrat
behavioral1/memory/3008-340-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/1240-400-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/1784-519-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
668	powershell.exe
2504	powershell.exe
2140	powershell.exe
1912	powershell.exe
280	powershell.exe
1284	powershell.exe
944	powershell.exe
1540	powershell.exe
1016	powershell.exe
2508	powershell.exe
2288	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2760	DllCommonsvc.exe
2848	Idle.exe
324	Idle.exe
2520	Idle.exe
1732	Idle.exe
3008	Idle.exe
1240	Idle.exe
2288	Idle.exe
1784	Idle.exe
1988	Idle.exe
1248	Idle.exe
552	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2720	cmd.exe
2720	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
39	raw.githubusercontent.com
9	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\DESIGNER\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Solitaire\it-IT\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\es-ES\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\temp\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\temp\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\assembly\temp\OSPPSVC.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1cb96ed97e2ce5ea2451125970f4a8d21af3d50e962834b416bb38b3d7116bb5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2092	schtasks.exe
2404	schtasks.exe
904	schtasks.exe
2056	schtasks.exe
2828	schtasks.exe
2892	schtasks.exe
780	schtasks.exe
2924	schtasks.exe
868	schtasks.exe
2920	schtasks.exe
992	schtasks.exe
1708	schtasks.exe
1928	schtasks.exe
568	schtasks.exe
1900	schtasks.exe
1936	schtasks.exe
1036	schtasks.exe
1316	schtasks.exe
2392	schtasks.exe
3004	schtasks.exe
2384	schtasks.exe
444	schtasks.exe
2036	schtasks.exe
2664	schtasks.exe
2956	schtasks.exe
1420	schtasks.exe
3052	schtasks.exe
2232	schtasks.exe
3000	schtasks.exe
2916	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2508	powershell.exe
944	powershell.exe
2288	powershell.exe
1016	powershell.exe
280	powershell.exe
2504	powershell.exe
1284	powershell.exe
2140	powershell.exe
668	powershell.exe
1540	powershell.exe
1912	powershell.exe
2848	Idle.exe
324	Idle.exe
2520	Idle.exe
1732	Idle.exe
3008	Idle.exe
1240	Idle.exe
2288	Idle.exe
1784	Idle.exe
1988	Idle.exe
1248	Idle.exe
552	Idle.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	DllCommonsvc.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	2288	powershell.exe
Token: SeDebugPrivilege	1016	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2848	Idle.exe
Token: SeDebugPrivilege	324	Idle.exe
Token: SeDebugPrivilege	2520	Idle.exe
Token: SeDebugPrivilege	1732	Idle.exe
Token: SeDebugPrivilege	3008	Idle.exe
Token: SeDebugPrivilege	1240	Idle.exe
Token: SeDebugPrivilege	2288	Idle.exe
Token: SeDebugPrivilege	1784	Idle.exe
Token: SeDebugPrivilege	1988	Idle.exe
Token: SeDebugPrivilege	1248	Idle.exe
Token: SeDebugPrivilege	552	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 1716	2880	1cb96ed97e2ce5ea2451125970f4a8d21af3d50e962834b416bb38b3d7116bb5.exe	30
PID 2880 wrote to memory of 1716	2880	1cb96ed97e2ce5ea2451125970f4a8d21af3d50e962834b416bb38b3d7116bb5.exe	30
PID 2880 wrote to memory of 1716	2880	1cb96ed97e2ce5ea2451125970f4a8d21af3d50e962834b416bb38b3d7116bb5.exe	30
PID 2880 wrote to memory of 1716	2880	1cb96ed97e2ce5ea2451125970f4a8d21af3d50e962834b416bb38b3d7116bb5.exe	30
PID 1716 wrote to memory of 2720	1716	WScript.exe	31
PID 1716 wrote to memory of 2720	1716	WScript.exe	31
PID 1716 wrote to memory of 2720	1716	WScript.exe	31
PID 1716 wrote to memory of 2720	1716	WScript.exe	31
PID 2720 wrote to memory of 2760	2720	cmd.exe	33
PID 2720 wrote to memory of 2760	2720	cmd.exe	33
PID 2720 wrote to memory of 2760	2720	cmd.exe	33
PID 2720 wrote to memory of 2760	2720	cmd.exe	33
PID 2760 wrote to memory of 2288	2760	DllCommonsvc.exe	65
PID 2760 wrote to memory of 2288	2760	DllCommonsvc.exe	65
PID 2760 wrote to memory of 2288	2760	DllCommonsvc.exe	65
PID 2760 wrote to memory of 2140	2760	DllCommonsvc.exe	66
PID 2760 wrote to memory of 2140	2760	DllCommonsvc.exe	66
PID 2760 wrote to memory of 2140	2760	DllCommonsvc.exe	66
PID 2760 wrote to memory of 2508	2760	DllCommonsvc.exe	67
PID 2760 wrote to memory of 2508	2760	DllCommonsvc.exe	67
PID 2760 wrote to memory of 2508	2760	DllCommonsvc.exe	67
PID 2760 wrote to memory of 2504	2760	DllCommonsvc.exe	68
PID 2760 wrote to memory of 2504	2760	DllCommonsvc.exe	68
PID 2760 wrote to memory of 2504	2760	DllCommonsvc.exe	68
PID 2760 wrote to memory of 1016	2760	DllCommonsvc.exe	69
PID 2760 wrote to memory of 1016	2760	DllCommonsvc.exe	69
PID 2760 wrote to memory of 1016	2760	DllCommonsvc.exe	69
PID 2760 wrote to memory of 668	2760	DllCommonsvc.exe	70
PID 2760 wrote to memory of 668	2760	DllCommonsvc.exe	70
PID 2760 wrote to memory of 668	2760	DllCommonsvc.exe	70
PID 2760 wrote to memory of 944	2760	DllCommonsvc.exe	71
PID 2760 wrote to memory of 944	2760	DllCommonsvc.exe	71
PID 2760 wrote to memory of 944	2760	DllCommonsvc.exe	71
PID 2760 wrote to memory of 1284	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 1284	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 1284	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 1540	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 1540	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 1540	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 280	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 280	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 280	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 1912	2760	DllCommonsvc.exe	75
PID 2760 wrote to memory of 1912	2760	DllCommonsvc.exe	75
PID 2760 wrote to memory of 1912	2760	DllCommonsvc.exe	75
PID 2760 wrote to memory of 388	2760	DllCommonsvc.exe	86
PID 2760 wrote to memory of 388	2760	DllCommonsvc.exe	86
PID 2760 wrote to memory of 388	2760	DllCommonsvc.exe	86
PID 388 wrote to memory of 1224	388	cmd.exe	89
PID 388 wrote to memory of 1224	388	cmd.exe	89
PID 388 wrote to memory of 1224	388	cmd.exe	89
PID 388 wrote to memory of 2848	388	cmd.exe	90
PID 388 wrote to memory of 2848	388	cmd.exe	90
PID 388 wrote to memory of 2848	388	cmd.exe	90
PID 2848 wrote to memory of 2192	2848	Idle.exe	92
PID 2848 wrote to memory of 2192	2848	Idle.exe	92
PID 2848 wrote to memory of 2192	2848	Idle.exe	92
PID 2192 wrote to memory of 2716	2192	cmd.exe	94
PID 2192 wrote to memory of 2716	2192	cmd.exe	94
PID 2192 wrote to memory of 2716	2192	cmd.exe	94
PID 2192 wrote to memory of 324	2192	cmd.exe	95
PID 2192 wrote to memory of 324	2192	cmd.exe	95
PID 2192 wrote to memory of 324	2192	cmd.exe	95
PID 324 wrote to memory of 2272	324	Idle.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\1cb96ed97e2ce5ea2451125970f4a8d21af3d50e962834b416bb38b3d7116bb5.exe
"C:\Users\Admin\AppData\Local\Temp\1cb96ed97e2ce5ea2451125970f4a8d21af3d50e962834b416bb38b3d7116bb5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2720
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\temp\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\PrintHood\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Solitaire\it-IT\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3qTQyq7Qku.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:388
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1224
      - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2716
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        9⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1740
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat"
        11⤵
        
        PID:524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1776
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat"
        13⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2936
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
        15⤵
        
        PID:1396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2176
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
        17⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2128
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
        19⤵
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2868
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
        21⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1688
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
        23⤵
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:476
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        25⤵
        
        PID:984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:112
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat"
        27⤵
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\temp\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\assembly\temp\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\assembly\temp\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Users\Default\PrintHood\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\PrintHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\PrintHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\Solitaire\it-IT\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Solitaire\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Games\Solitaire\it-IT\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\es-ES\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f479c329a2990b08f555598643527ccd

SHA1
0c9f3ac4ed8d6652b9664de4535e130d58c47451

SHA256
569ee022bff9d34152d58c711fbe5d2e7d26a3b09073a5475aa6056835de467f

SHA512
325863b9e2bfb2e0c0671ce5e895d5b934cd54478e4035626fffaf1f40d859db8fa941c5d31a269dc8043496c800037c4b18f5d73429257cdffa6d62449eac19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e88e5098d2df72d08ae53e614007d2b0

SHA1
c8074d1c9a5a9b7c49434704c4a298a82e8e4ca6

SHA256
3b4c361bed8e71f66050515ccb089a35670ae48786b2db59fda05d571748f15b

SHA512
e4ec78b5a55788d495db6f9a86872d4d40fa28071542991156c0145ae4006754b6ffd2a421745c4df5a198882e2c6ca5ded7d22988cd405e1b803e9b6c9e9028

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a0dc782ffe20aef98ae30a18dbbf4dff

SHA1
5416f9e01cdb5a6987e2beff7aa83620a487f18b

SHA256
d557f3644c4f4d3973dfd3547afe5963ddba2761364558e7cc4bffc05b5a53de

SHA512
62d6f134df26f00505a5bc67936a9dc95d4cadd33d1777bcc525c80e6def33f9d8690decd9daf7b4c0d190e2d1349ddd6670990fe780b66acb7ad6ead1e41be6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ec77f3f04a0b2a9f5053d7f4b2bb1ab

SHA1
123b21467b3243d78ea41ff143bfafad2d487805

SHA256
4cc88b8dd6cda212b71a773bfd7d6062afed9cc31baf9895a3a30e5610195982

SHA512
e36d4c4d083799dfffb7c538a8146a8650301214b1732bfa204d949b1094dc8240fd5f7e9bb9c48adc9b9336b76a42396f72ab823f72af1c5543e7ae7a28f711

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d8715707e0459b8654f18e8aa527a27

SHA1
301568ab2f54923c59283e9529f07b0d813ea0e5

SHA256
c22949f276f49dba20aa3abccaa24848cebf1f8c1327c63cf59c5817dfc9e3d4

SHA512
a6240f7805683b0d551391428cffae676c50e30c92a8d52d048bc787715aa2b8de0109daf15e75231dc5dd1c7db9a635193fea99073a49b08abb07b43b1f1ed3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b21a8112c31f2833e33b916725592f1

SHA1
e274a653485b349c576f0d16c892a9f06f63d793

SHA256
8a4b4e41cf11883c485e6cb39cd1991648048d624e1236090a94319e78a966b9

SHA512
6f42d833e875b0bd891c1feb5007443a8a892d6f3bafe93ac4d905d20383af0f59e75f10a75c5f304048a3bf1c34ad8ae3a27f0d7810a480106c783a8342c649

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59ecefe1c65801dc3925d63f192666e5

SHA1
27db843ce7c5dec82d69da1c6cdc64778da2efeb

SHA256
1c49366644abd627dedffcb6d50398427f4ea94df7063aa7e2cef9a267760ea2

SHA512
e2f57296f6857ca3f4bc8fb96141b0a00d6e2d8910a784d868867829a71cec50944873cfcd0e5ce560d105246efe3a9cedb333e3ed5bf76570bda002048c1926

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8de8ecd86ed605936bed6732ab8065a

SHA1
11a57c91caf0d1ef7d142a2b8edb25eaa5f40baa

SHA256
bc658ff998529967a4b9a7a1bce304c7b8577c71e584cc19c44b607da6ce2fef

SHA512
636d1f0323544e79e1232a8bf292925cf5af4a7d4a228204e35da634b469a1965f4f0a9bc57ec6a2721b13207f2ed22ed4c5a6ecec77eb22a8bc275fb5aa0824

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b69ba38e4ea2fad991c8a6cac90a29c

SHA1
9c38688d5fa695f45e893751c292eb0043f58aa9

SHA256
ecbd99676e9fc850b3314388eaa5d4c5650e6dc855cb50a146537174f3e7f1b9

SHA512
03484aeb88690cb87c74c559de5a3e31bfa63b9f22302a4c6c76badf1669fd7ef5b7b6e210973e3e9c4aa3832a1181f3132d9c0b7ca5536a320497b666007ab0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a683d146206c69c8e6972ccc3fd46cb

SHA1
bf029957dc9f9ed5ae1fd47b951b935a4de8d89c

SHA256
36e2f776c398cb98bd171ee7ac697ac2ac2692f02be5963b73cf2abfb81cddad

SHA512
e71df015b78f634c3ddd199743632612fab7eb37c5cf9057b5e7feaac67d9157f5e99ddb097cb70df11aa776b09dda021d5ccedff543a0a07e8dc05e74bfe1cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat

Filesize
191B

MD5
096009fcc2ebf40b18d2f7a019565e91

SHA1
d0331025855ec7fd4ea4688230a486a7ae0998bd

SHA256
005a5e673fe19e7df85d7b6eb2168f9333b63e3557d42b269e66167aa026acc4

SHA512
07fd8ea2230e95e911116fec19a86923774832e5f1e685209d2766fa2bb0bd7ad9a7c94c08bddc42376def157da009b1dba7f4a2c8e0dfa8be6715cb821cca62

Download Submit
C:\Users\Admin\AppData\Local\Temp\3qTQyq7Qku.bat

Filesize
191B

MD5
86b2550333fd593c26b3fda64dcd49c2

SHA1
36c442ad1dbb91538ce1e0b0114c4424b0e575a2

SHA256
1f30a54fd0fbdcae14cfbc7902b900344aa9b4747a404adf959d018bc91a53b5

SHA512
a56ccbca6c8400ab55e8d0c239fd0a05da0281df4d9f79906ffa14b16b8d59dad22827dbf2bf16217808fe5067522c24805fb2576f26a6b361286fbf04782443

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

Filesize
191B

MD5
af6ef4390110f3a265a970401d4e2727

SHA1
b12d9061a32b985bdef0631c2a315278973c2f58

SHA256
ec555f616d5e918f078aefcceef5fac9d0e01d41dd4bd8062ce84a4c8e876ca0

SHA512
be11cc314cc08875eb64fc5a2d39a52c2fa6bc63741b3520368e2f8bb80c902f8b8d1f7def48fbd1bb7d1bb466d294c0e6d1934dd1132489809193c82f8bc461

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD99F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

Filesize
191B

MD5
4768d3c41f09c9b621b5584135be8112

SHA1
98b9b841054e85d19473d56a95aa388564b5b093

SHA256
15fe2ec19973f7fd840b88450b12ffac82ecbb6fc9e3a844f81b60e9b32bca51

SHA512
06d8c28077a9f6c2bf22b1422a53e4fc1e0a25f66919c427558ec9864f5d44d9df7a733a73218c4f37c0508df732573c804d7b21fb018a76050598935ec61fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD9B1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZES4mQr7Bk.bat

Filesize
191B

MD5
906dfdd87247b3cbfabfbc733e051263

SHA1
c66c9183e55acea3d0f54aefd922ab166725f19d

SHA256
f51b84ea53c634b700e8b8d34a6e5a39d1e83b8ac05aa86f5aab82a44288339c

SHA512
d7abd1ac3e290c4f0f34f8666e65f7c6639972605cce3f3e54a65c5adcaccb2d699636fdb4e2552cf06b4fee9abdf99645c0475057e0b67d79e51f7897bcf3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
191B

MD5
9e31305e125601b53adf52b9c903c7e3

SHA1
0aa24fd2241531c27d13d719869ccf7de8a747fb

SHA256
683a0c53b679304af70a5931b9afa24857c14c7c7be603bae9f0675c44573aad

SHA512
4f869778f5a7e3f6bc536c896b46dd6564adb60bfd0e2320ddf51040d627b4c2003c1e6fc2aaeac8beeea45ebecb501dd90f467bf7e3950d8a863bcc5e6f337c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

Filesize
191B

MD5
428b7e1dd2b477a6bb9fea2f02beddc8

SHA1
f41325e4a25a13e7440df53cb69d1e020ae97355

SHA256
f68bea5811f9e990ab5bc4d3454e6266794e83dc13aca72502e0efd995502083

SHA512
f7ef467ca4d80fdae34d174046f753c09596ba9aa1345703639241bc9a75ad091dfd3125cee185d831e82f38be30da55552c37f3b8ec61f471df6c862cfb4cf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbbIz777a.bat

Filesize
191B

MD5
cbbf58340153830f3f89011d14bafa29

SHA1
e6f9f931859490be083cd907c758252d53a393b1

SHA256
1affa8a6704292d222d3be5fb31edeeea4a9b5c8c72455c0f1c0a6f28a5eb608

SHA512
a2edeca78fd22be8157868e551020597dc52c63999eccac800715cad01c61940bd1118a5d09cc6f3ee103477b55889de27d1e51a4d41be1d6f19b90b2b0b03a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

Filesize
191B

MD5
a48e3da31ef0eacbe91d4a742caa909a

SHA1
e9643f142ca3eecbb4a839254405dc786ad06e88

SHA256
09a17170ec337364578038383ea95b79f272be6c73ffdb8164e7c87c3320e487

SHA512
2f4b01797c92cd797725d17865b915a50f2bdb02f347f0661b5de75a2a11b3bc1f1c7cc564c1d5475946b0487c87ea456528959a9053653c07f06a82e3111e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat

Filesize
191B

MD5
cba141bdc690db152a20fcc2f99eb987

SHA1
4b506a9b35fb0d76a390a0a5388681e514b3fa48

SHA256
d4de269ea81a5104c894674252d375c4d7178d3b235488c8a73f8f1a1cb50d53

SHA512
4bb640e84445cfe67fa4d0603a66d3f4a3f3bd0f4563946628293918509cff48cf853ab78d820bd940b1eb3cd90ac40e36b3f3d61bd4a17509e0143e8fc6288c

Download Submit
C:\Users\Admin\AppData\Local\Temp\syYKg8QxNI.bat

Filesize
191B

MD5
82e224e688d4347f94227fcb483f1af3

SHA1
e1a180ad2921a45b21c264cc62271b7618938298

SHA256
88153f226b30bb7dbe4b60edf3546c1abd4a2e6784c76c2c214ce76ba0346d57

SHA512
41b6b420d60aef487c538316ae6054b1cb5439a53a70f70476b750cd8d9144e4cbed3f6416d756881f55b75e3c07322f87b031f2035982fb6075bd5b8f21694f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

Filesize
191B

MD5
f2578a4bea7fa42321081ab95d60b875

SHA1
a2e6a766bbe193aeebcc60d5dc38d122cfa200ee

SHA256
fe2e2715077b63a0f1976f3fea5521a75dddc73a0d28f3d0c2da599035059cb6

SHA512
6bbe06a618f27b91fb41ba248c43041f2ed48a144e19bc784b5d823778e3aa7b67e612156ba6de2fd6cf805bb1d17234dc6711bbe41057bdac019de87fbcbb1b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d443bf12a76e7b8f089f2a07bdbe4944

SHA1
2891caa2d135a2a9176f1ff8f05f1af3c9333ac8

SHA256
517b0b3985f6d40f4a0e74a13979146aeea70122ce1889ad9b42e6b9a8d288d6

SHA512
3d34af9687266b0f41dbcbdd8a1cb5d54f13e6d60995cf7f1aa490e97f46cb6324ab25f67d20d65391e145836877f1df63a2142ac0deebb4ddaae0f580628767

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/324-160-0x0000000000B10000-0x0000000000C20000-memory.dmp

Filesize
1.1MB

Download
memory/1240-400-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/1732-280-0x0000000000B80000-0x0000000000C90000-memory.dmp

Filesize
1.1MB

Download
memory/1784-519-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2508-48-0x0000000002000000-0x0000000002008000-memory.dmp

Filesize
32KB

Download
memory/2508-46-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2520-220-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2760-15-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2760-14-0x0000000000670000-0x0000000000682000-memory.dmp

Filesize
72KB

Download
memory/2760-16-0x0000000000690000-0x000000000069C000-memory.dmp

Filesize
48KB

Download
memory/2760-13-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2760-17-0x00000000006A0000-0x00000000006AC000-memory.dmp

Filesize
48KB

Download
memory/2848-101-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/3008-340-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download