dcrat | e58ed36e149e1df87f324f4781637a45c05f2d5dfd0f5245d5cf45b4f2caf84a

Analysis

max time kernel
146s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 19:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e58ed36e149e1df87f324f4781637a45c05f2d5dfd0f5245d5cf45b4f2caf84a.exe
Size

1.3MB
MD5

f66688833e33a10db46fc0a81040fbaf
SHA1

22130c76816f54915323e7a12367c81fa97cc008
SHA256

e58ed36e149e1df87f324f4781637a45c05f2d5dfd0f5245d5cf45b4f2caf84a
SHA512

13458110e5e752a62be6bc989cd0d97d2f80c5c0ce23f6473d60266e59c18fb36991c83dd67313b9c7078bcbc727cd1da30278ef6fb921418cdedb26d768c019
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1888	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	776	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2512	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000a000000016d64-10.dat	dcrat
behavioral1/memory/2228-13-0x00000000009A0000-0x0000000000AB0000-memory.dmp	dcrat
behavioral1/memory/2392-56-0x0000000000DA0000-0x0000000000EB0000-memory.dmp	dcrat
behavioral1/memory/2248-164-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/2524-283-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2360-344-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/2432-405-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/2988-465-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/3016-525-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1884	powershell.exe
1732	powershell.exe
1968	powershell.exe
864	powershell.exe
1716	powershell.exe
1932	powershell.exe
1088	powershell.exe
1556	powershell.exe
1432	powershell.exe
2860	powershell.exe
1184	powershell.exe
296	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
2228	DllCommonsvc.exe
2392	cmd.exe
2248	cmd.exe
2752	cmd.exe
2524	cmd.exe
2360	cmd.exe
2432	cmd.exe
2988	cmd.exe
3016	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2956	cmd.exe
2956	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
27	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
31	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\0a1fd5f707cd16	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\system\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\system\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\Fonts\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e58ed36e149e1df87f324f4781637a45c05f2d5dfd0f5245d5cf45b4f2caf84a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2748	schtasks.exe
1068	schtasks.exe
2712	schtasks.exe
1832	schtasks.exe
2132	schtasks.exe
1492	schtasks.exe
1888	schtasks.exe
2988	schtasks.exe
1652	schtasks.exe
2020	schtasks.exe
2776	schtasks.exe
3032	schtasks.exe
992	schtasks.exe
2816	schtasks.exe
2792	schtasks.exe
2576	schtasks.exe
1828	schtasks.exe
3000	schtasks.exe
2996	schtasks.exe
2984	schtasks.exe
2688	schtasks.exe
2568	schtasks.exe
2940	schtasks.exe
656	schtasks.exe
1496	schtasks.exe
1664	schtasks.exe
2464	schtasks.exe
2280	schtasks.exe
2268	schtasks.exe
776	schtasks.exe
2192	schtasks.exe
1964	schtasks.exe
1152	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2228	DllCommonsvc.exe
2228	DllCommonsvc.exe
2228	DllCommonsvc.exe
2228	DllCommonsvc.exe
2228	DllCommonsvc.exe
1968	powershell.exe
2860	powershell.exe
1716	powershell.exe
1556	powershell.exe
1932	powershell.exe
1884	powershell.exe
1088	powershell.exe
1732	powershell.exe
296	powershell.exe
1432	powershell.exe
864	powershell.exe
1184	powershell.exe
2392	cmd.exe
2248	cmd.exe
2752	cmd.exe
2524	cmd.exe
2360	cmd.exe
2432	cmd.exe
2988	cmd.exe
3016	cmd.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2228	DllCommonsvc.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1884	powershell.exe
Token: SeDebugPrivilege	2392	cmd.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1184	powershell.exe
Token: SeDebugPrivilege	2248	cmd.exe
Token: SeDebugPrivilege	2752	cmd.exe
Token: SeDebugPrivilege	2524	cmd.exe
Token: SeDebugPrivilege	2360	cmd.exe
Token: SeDebugPrivilege	2432	cmd.exe
Token: SeDebugPrivilege	2988	cmd.exe
Token: SeDebugPrivilege	3016	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2616	2376	JaffaCakes118_e58ed36e149e1df87f324f4781637a45c05f2d5dfd0f5245d5cf45b4f2caf84a.exe	30
PID 2376 wrote to memory of 2616	2376	JaffaCakes118_e58ed36e149e1df87f324f4781637a45c05f2d5dfd0f5245d5cf45b4f2caf84a.exe	30
PID 2376 wrote to memory of 2616	2376	JaffaCakes118_e58ed36e149e1df87f324f4781637a45c05f2d5dfd0f5245d5cf45b4f2caf84a.exe	30
PID 2376 wrote to memory of 2616	2376	JaffaCakes118_e58ed36e149e1df87f324f4781637a45c05f2d5dfd0f5245d5cf45b4f2caf84a.exe	30
PID 2616 wrote to memory of 2956	2616	WScript.exe	32
PID 2616 wrote to memory of 2956	2616	WScript.exe	32
PID 2616 wrote to memory of 2956	2616	WScript.exe	32
PID 2616 wrote to memory of 2956	2616	WScript.exe	32
PID 2956 wrote to memory of 2228	2956	cmd.exe	34
PID 2956 wrote to memory of 2228	2956	cmd.exe	34
PID 2956 wrote to memory of 2228	2956	cmd.exe	34
PID 2956 wrote to memory of 2228	2956	cmd.exe	34
PID 2228 wrote to memory of 1732	2228	DllCommonsvc.exe	69
PID 2228 wrote to memory of 1732	2228	DllCommonsvc.exe	69
PID 2228 wrote to memory of 1732	2228	DllCommonsvc.exe	69
PID 2228 wrote to memory of 2860	2228	DllCommonsvc.exe	70
PID 2228 wrote to memory of 2860	2228	DllCommonsvc.exe	70
PID 2228 wrote to memory of 2860	2228	DllCommonsvc.exe	70
PID 2228 wrote to memory of 1184	2228	DllCommonsvc.exe	71
PID 2228 wrote to memory of 1184	2228	DllCommonsvc.exe	71
PID 2228 wrote to memory of 1184	2228	DllCommonsvc.exe	71
PID 2228 wrote to memory of 1968	2228	DllCommonsvc.exe	72
PID 2228 wrote to memory of 1968	2228	DllCommonsvc.exe	72
PID 2228 wrote to memory of 1968	2228	DllCommonsvc.exe	72
PID 2228 wrote to memory of 864	2228	DllCommonsvc.exe	73
PID 2228 wrote to memory of 864	2228	DllCommonsvc.exe	73
PID 2228 wrote to memory of 864	2228	DllCommonsvc.exe	73
PID 2228 wrote to memory of 1716	2228	DllCommonsvc.exe	74
PID 2228 wrote to memory of 1716	2228	DllCommonsvc.exe	74
PID 2228 wrote to memory of 1716	2228	DllCommonsvc.exe	74
PID 2228 wrote to memory of 1932	2228	DllCommonsvc.exe	75
PID 2228 wrote to memory of 1932	2228	DllCommonsvc.exe	75
PID 2228 wrote to memory of 1932	2228	DllCommonsvc.exe	75
PID 2228 wrote to memory of 1884	2228	DllCommonsvc.exe	76
PID 2228 wrote to memory of 1884	2228	DllCommonsvc.exe	76
PID 2228 wrote to memory of 1884	2228	DllCommonsvc.exe	76
PID 2228 wrote to memory of 296	2228	DllCommonsvc.exe	77
PID 2228 wrote to memory of 296	2228	DllCommonsvc.exe	77
PID 2228 wrote to memory of 296	2228	DllCommonsvc.exe	77
PID 2228 wrote to memory of 1432	2228	DllCommonsvc.exe	78
PID 2228 wrote to memory of 1432	2228	DllCommonsvc.exe	78
PID 2228 wrote to memory of 1432	2228	DllCommonsvc.exe	78
PID 2228 wrote to memory of 1556	2228	DllCommonsvc.exe	79
PID 2228 wrote to memory of 1556	2228	DllCommonsvc.exe	79
PID 2228 wrote to memory of 1556	2228	DllCommonsvc.exe	79
PID 2228 wrote to memory of 1088	2228	DllCommonsvc.exe	80
PID 2228 wrote to memory of 1088	2228	DllCommonsvc.exe	80
PID 2228 wrote to memory of 1088	2228	DllCommonsvc.exe	80
PID 2228 wrote to memory of 2392	2228	DllCommonsvc.exe	93
PID 2228 wrote to memory of 2392	2228	DllCommonsvc.exe	93
PID 2228 wrote to memory of 2392	2228	DllCommonsvc.exe	93
PID 2392 wrote to memory of 2864	2392	cmd.exe	94
PID 2392 wrote to memory of 2864	2392	cmd.exe	94
PID 2392 wrote to memory of 2864	2392	cmd.exe	94
PID 2864 wrote to memory of 2008	2864	cmd.exe	96
PID 2864 wrote to memory of 2008	2864	cmd.exe	96
PID 2864 wrote to memory of 2008	2864	cmd.exe	96
PID 2864 wrote to memory of 2248	2864	cmd.exe	97
PID 2864 wrote to memory of 2248	2864	cmd.exe	97
PID 2864 wrote to memory of 2248	2864	cmd.exe	97
PID 2248 wrote to memory of 1500	2248	cmd.exe	98
PID 2248 wrote to memory of 1500	2248	cmd.exe	98
PID 2248 wrote to memory of 1500	2248	cmd.exe	98
PID 1500 wrote to memory of 2080	1500	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e58ed36e149e1df87f324f4781637a45c05f2d5dfd0f5245d5cf45b4f2caf84a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e58ed36e149e1df87f324f4781637a45c05f2d5dfd0f5245d5cf45b4f2caf84a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2616
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\system\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2392
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2008
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2080
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        10⤵
        
        PID:1324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2532
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        12⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3020
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        14⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1696
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
        16⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2532
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        18⤵
        
        PID:2540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2820
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows NT\Accessories\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\system\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\system\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\system\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\Fonts\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b564fcf26607d8c9bc11a32793699b81

SHA1
23a2f06df593d04a1c2fd0cb448ca95c1fca62a8

SHA256
1ddb60f87da90cca2a36e4f62488bdfa4c0d331675cafb729081184416ece4f4

SHA512
03a024d95fbcab612221783858f665c7cc64eb9f016d5b34cb541ff1e08494244d1dea273f904f40a201cb456ca297333f0b7ccc6b6594e512976a7903ecb77e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b17360fe1261d0b6ffcf5edc52396b75

SHA1
1380b62000a20d6ab13c940fd02de487fb7e9f78

SHA256
f3eee16cbd71bd80d0cf2f6e20dfc687f55b5ce651e0ccf304f2727750959cef

SHA512
363b4195df27719d137ff5a92731e2a456da65352615cb5600d2702771f35a10ad8e91e6890e544bc0ab31021bd9c5c511e33d599695ed63cf032417501ae0aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0503a87929419faaeeb62e5c326e3f0

SHA1
84c9b0100d49b7ed029553eb0d0779eb2500b6ed

SHA256
e5156ea0f9dc3a64eae712974f1862403f413a2a3f1396d07216c924fd1faeb0

SHA512
afdf981cfebfcdbdec3769fc2bb29e2a8c964d668c43f4fac5effc5460182c8d1e4588a37f94502ca1ee0c717d9bd187edc4458aad94e270a9fe5cb96a9777eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb5bb87cacbeef9356a680a937e15ecf

SHA1
ff495c5896ed5235a0d8b426207fda1ab825ee06

SHA256
56adbc87a77a4c23897b8170b38109ee2675d2a51972fbb9c49903acbbcca4a0

SHA512
0e6b6c52b5e0b62b35c408b142697fe1b449d3bcb570d47c93efb1eae50f965bcca3a5c94587b4cfe8faf999defe46a828c23368e7db95d866e91f5d3244e073

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c50fa0e6d778d3f745c86cb6420b5770

SHA1
9ee11ad67190ac207cea935a1817a7a66c5f124c

SHA256
170b8423c3748a882b107a326684a48e00cfb4b2aaae06593f93aba234d36a16

SHA512
008bebee9543c2a8462981dfe96d3de03f2468e200f503564cf1430764bc74945f3086d5bc35e2d4c2d606cc944adbd6da385bdf8c29fec18c55bc575dbe8d41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf371c0467549ba48cc5315deb2a1278

SHA1
af857bfbfe4db3b1bb10560eb6eba8a864aca62a

SHA256
6d110ef273dc2354f229227f69fe4709ab202af08bf3c498f3e86316826346e8

SHA512
35d27719a0f66f12ff91ca37a4f84a9ca3d172982b21f8c239d4af0811402696da26bd7135bf0806130143ce6a0e6ab321f39c1ee27f2b75477b0aade62165f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c6b20b67a4be7322e418bb0e99cb4fe

SHA1
5020dfa10a992df8c92d3d55bbb8a97cfa7f2da9

SHA256
cb2546c80ceba677841df877d3eae2afc7cf7f59717643b9b06858b89dfa2cae

SHA512
e81f55eeed72dabbdb36a49483eee800fadddeedc5b2dd62a44939155dce27dbf73e90e99e5dcefb109bc946ded6add075aa7f6ffeeb58fb13ed49f0e8f32d1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3323.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
221B

MD5
7a5d44d11c47e55059126787be1d82d4

SHA1
7dd3f73b87dfb95fffd0e591a11404256e02db5c

SHA256
2c1e00b4fb11e9a8da8788880203b956d4b616f095aa7a6502af650c2beba966

SHA512
e595a84c505a4a83b9232f633227229cf5e2f28611b4d2b3ce8ac40a18139b3f78ef10a29f10868fe6f8b7b316f1939743606df91d26db7a2e30964f4657c536

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat

Filesize
221B

MD5
8bf04db089a5fc90a2b3f0f5c617ac71

SHA1
50802551667084fcf831ce1bf49a5cb2240bb520

SHA256
90c729bcaba530c21e3389f48a4522119cc6f402b2683e3fb25854bdd5382cc4

SHA512
87c08f725c92310dfa376bda337e67762bf93ec2a9f9ce8b4cce45544378db6809bf0fa9f8e72705150db15e6cc4c9be76ee9ce82bf652b1eecf21a234402e44

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
221B

MD5
c4c9a7d29634b36df827a484be2ea5a5

SHA1
8c112fc6ff1750e65b34f96e64d1cc6f107a6e96

SHA256
f4138f4628ff90f7d3f941f882ae9d0a3baedcb2987ab0366edd935a2a7addd6

SHA512
c8d1b3cb878c00192ec7ea4e40e5630dd3104dd3cb43df2107e23152290699f76cee35609cdf529edf1945b33d8b9720c83969ee3d5ebf1f8ce31243fd100926

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
221B

MD5
bf4c2b5bfcd9c32ae31b5ac98775610f

SHA1
ac73a1cedea990152614875c857436f7c59955f7

SHA256
11956c899f3c74b42630318499144c64bee5abd232bea32283bc682976deaf86

SHA512
f3e154d6a3c7b1dfab46a8d50683ed48a7c730ce46885106bcd939f09edc54320052dfe894e7aa7382d795b300e95366378da361a90b809dda98bd28eb09fb9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar345E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
221B

MD5
3cc92cbd1f521acc6886406788740098

SHA1
24583261396d6e82694ecae4906fe10dfeeb0eed

SHA256
bb7695772d325b5e50e72de2a77020aefea02a9d10963be29da1e843203956fb

SHA512
ce0b11beb33407d90a72d3fb3bc4aa03ffe57bd31901b056f12fa9da48b53235f3e230886e3cba906169d820a27f9ede3dc885c00378813f81257d9a905c432f

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
221B

MD5
0f99f3b91d9a1da815ae8c89f21ec9c8

SHA1
8c3ea0e6d1cf115622800a1430c70c7e99b6f5f0

SHA256
d40e1d66ca8b888b9d7f0fb9d026af773bd03cd9dc1a3c4c474a3b8d5bee0492

SHA512
b7ee4b73a944f835e9747c742385a31942d695f0e71f6708abd6cf4adc66c94f0ff1858d7d5087101b27f5f6699989a81c4b771375831206d031a945f507b5d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat

Filesize
221B

MD5
3fc3b87ed949f3ab2eb4cbd0bd16e09d

SHA1
a68ea1dc949b9f9d974073949195e0a7b36f4e13

SHA256
9ce360a0dc4923999274979896c80dba95a869b61b273102d9575ebceff47b27

SHA512
bf406e97a8e4b93a959c4ecf590dab1686114593a273b9b9960f867c94150ae6bd3d409695acf3e03de30e202ca7ea06f3a3e137ed9699f515d4283457446876

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\N8IF9LIPU6DRYAS7502E.temp

Filesize
7KB

MD5
339856ca958dc7fe58921ddff37922d9

SHA1
8045646233ffdb6fcd59a1db58946289d758d20a

SHA256
cc307522dd0946c8c4b7b6045c4b0a6af455d655a3bcd13c033d58b897e3bbf3

SHA512
b7153460237d015b538c0e8a3a574ade9b9edd72ec4e5c6db2491a81bedd95b234c9b7dca958472e47cefec28c6f745d551bda77cb253bccbc13b4d89b9edf62

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1968-57-0x000000001B210000-0x000000001B4F2000-memory.dmp

Filesize
2.9MB

Download
memory/2228-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2228-13-0x00000000009A0000-0x0000000000AB0000-memory.dmp

Filesize
1.1MB

Download
memory/2228-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2228-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2228-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2248-164-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/2360-344-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/2360-345-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2392-56-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

Filesize
1.1MB

Download
memory/2392-105-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2432-405-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2524-284-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2524-283-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2860-58-0x0000000001DE0000-0x0000000001DE8000-memory.dmp

Filesize
32KB

Download
memory/2988-465-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/3016-525-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/3016-526-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download