dcrat | 804a79af30d692c50eb4124fb6f94173303b1a7b296722857ec9077381aba7dc

Analysis

max time kernel
148s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 21:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_804a79af30d692c50eb4124fb6f94173303b1a7b296722857ec9077381aba7dc.exe
Size

1.3MB
MD5

6b25ef77f14a1c41911cc13fcd3b4654
SHA1

94cf3f2684ca0dc16e8c8c773996be7cb982e09c
SHA256

804a79af30d692c50eb4124fb6f94173303b1a7b296722857ec9077381aba7dc
SHA512

0ccf1b260d9552b48b8d0d39e71cadf1b38e0644cd6708f8ce646e4e2248cb40ae8b2874da1a4c8e675f151264dfbbb079399d466aaa82b55c3cbe57158f3417
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	3052	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	3052	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d69-12.dat	dcrat
behavioral1/memory/2532-13-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2712-82-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/288-142-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/1948-202-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2576-261-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/2556-321-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/1016-441-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/1988-501-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/2168-620-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2992	powershell.exe
1064	powershell.exe
1164	powershell.exe
1788	powershell.exe
108	powershell.exe
1980	powershell.exe
2124	powershell.exe
656	powershell.exe
396	powershell.exe
2588	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2532	DllCommonsvc.exe
2712	taskhost.exe
288	taskhost.exe
1948	taskhost.exe
2576	taskhost.exe
2556	taskhost.exe
1772	taskhost.exe
1016	taskhost.exe
1988	taskhost.exe
1660	taskhost.exe
2168	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2864	cmd.exe
2864	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\en-US\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\Application\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_804a79af30d692c50eb4124fb6f94173303b1a7b296722857ec9077381aba7dc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2776	schtasks.exe
2712	schtasks.exe
2732	schtasks.exe
692	schtasks.exe
1972	schtasks.exe
2416	schtasks.exe
2672	schtasks.exe
524	schtasks.exe
2284	schtasks.exe
3024	schtasks.exe
1664	schtasks.exe
2364	schtasks.exe
3000	schtasks.exe
2568	schtasks.exe
2780	schtasks.exe
2056	schtasks.exe
1868	schtasks.exe
1528	schtasks.exe
2748	schtasks.exe
1772	schtasks.exe
2008	schtasks.exe
3028	schtasks.exe
2960	schtasks.exe
1908	schtasks.exe
2264	schtasks.exe
2424	schtasks.exe
560	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2532	DllCommonsvc.exe
2588	powershell.exe
396	powershell.exe
2124	powershell.exe
2992	powershell.exe
1164	powershell.exe
1980	powershell.exe
1064	powershell.exe
656	powershell.exe
1788	powershell.exe
108	powershell.exe
2712	taskhost.exe
288	taskhost.exe
1948	taskhost.exe
2576	taskhost.exe
2556	taskhost.exe
1772	taskhost.exe
1016	taskhost.exe
1988	taskhost.exe
1660	taskhost.exe
2168	taskhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2532	DllCommonsvc.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	396	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2992	powershell.exe
Token: SeDebugPrivilege	1164	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	2712	taskhost.exe
Token: SeDebugPrivilege	288	taskhost.exe
Token: SeDebugPrivilege	1948	taskhost.exe
Token: SeDebugPrivilege	2576	taskhost.exe
Token: SeDebugPrivilege	2556	taskhost.exe
Token: SeDebugPrivilege	1772	taskhost.exe
Token: SeDebugPrivilege	1016	taskhost.exe
Token: SeDebugPrivilege	1988	taskhost.exe
Token: SeDebugPrivilege	1660	taskhost.exe
Token: SeDebugPrivilege	2168	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2188 wrote to memory of 1760	2188	JaffaCakes118_804a79af30d692c50eb4124fb6f94173303b1a7b296722857ec9077381aba7dc.exe	30
PID 2188 wrote to memory of 1760	2188	JaffaCakes118_804a79af30d692c50eb4124fb6f94173303b1a7b296722857ec9077381aba7dc.exe	30
PID 2188 wrote to memory of 1760	2188	JaffaCakes118_804a79af30d692c50eb4124fb6f94173303b1a7b296722857ec9077381aba7dc.exe	30
PID 2188 wrote to memory of 1760	2188	JaffaCakes118_804a79af30d692c50eb4124fb6f94173303b1a7b296722857ec9077381aba7dc.exe	30
PID 1760 wrote to memory of 2864	1760	WScript.exe	32
PID 1760 wrote to memory of 2864	1760	WScript.exe	32
PID 1760 wrote to memory of 2864	1760	WScript.exe	32
PID 1760 wrote to memory of 2864	1760	WScript.exe	32
PID 2864 wrote to memory of 2532	2864	cmd.exe	34
PID 2864 wrote to memory of 2532	2864	cmd.exe	34
PID 2864 wrote to memory of 2532	2864	cmd.exe	34
PID 2864 wrote to memory of 2532	2864	cmd.exe	34
PID 2532 wrote to memory of 108	2532	DllCommonsvc.exe	63
PID 2532 wrote to memory of 108	2532	DllCommonsvc.exe	63
PID 2532 wrote to memory of 108	2532	DllCommonsvc.exe	63
PID 2532 wrote to memory of 396	2532	DllCommonsvc.exe	64
PID 2532 wrote to memory of 396	2532	DllCommonsvc.exe	64
PID 2532 wrote to memory of 396	2532	DllCommonsvc.exe	64
PID 2532 wrote to memory of 2588	2532	DllCommonsvc.exe	65
PID 2532 wrote to memory of 2588	2532	DllCommonsvc.exe	65
PID 2532 wrote to memory of 2588	2532	DllCommonsvc.exe	65
PID 2532 wrote to memory of 1980	2532	DllCommonsvc.exe	66
PID 2532 wrote to memory of 1980	2532	DllCommonsvc.exe	66
PID 2532 wrote to memory of 1980	2532	DllCommonsvc.exe	66
PID 2532 wrote to memory of 2124	2532	DllCommonsvc.exe	67
PID 2532 wrote to memory of 2124	2532	DllCommonsvc.exe	67
PID 2532 wrote to memory of 2124	2532	DllCommonsvc.exe	67
PID 2532 wrote to memory of 2992	2532	DllCommonsvc.exe	68
PID 2532 wrote to memory of 2992	2532	DllCommonsvc.exe	68
PID 2532 wrote to memory of 2992	2532	DllCommonsvc.exe	68
PID 2532 wrote to memory of 1064	2532	DllCommonsvc.exe	69
PID 2532 wrote to memory of 1064	2532	DllCommonsvc.exe	69
PID 2532 wrote to memory of 1064	2532	DllCommonsvc.exe	69
PID 2532 wrote to memory of 1164	2532	DllCommonsvc.exe	70
PID 2532 wrote to memory of 1164	2532	DllCommonsvc.exe	70
PID 2532 wrote to memory of 1164	2532	DllCommonsvc.exe	70
PID 2532 wrote to memory of 656	2532	DllCommonsvc.exe	71
PID 2532 wrote to memory of 656	2532	DllCommonsvc.exe	71
PID 2532 wrote to memory of 656	2532	DllCommonsvc.exe	71
PID 2532 wrote to memory of 1788	2532	DllCommonsvc.exe	72
PID 2532 wrote to memory of 1788	2532	DllCommonsvc.exe	72
PID 2532 wrote to memory of 1788	2532	DllCommonsvc.exe	72
PID 2532 wrote to memory of 1648	2532	DllCommonsvc.exe	83
PID 2532 wrote to memory of 1648	2532	DllCommonsvc.exe	83
PID 2532 wrote to memory of 1648	2532	DllCommonsvc.exe	83
PID 1648 wrote to memory of 2092	1648	cmd.exe	85
PID 1648 wrote to memory of 2092	1648	cmd.exe	85
PID 1648 wrote to memory of 2092	1648	cmd.exe	85
PID 1648 wrote to memory of 2712	1648	cmd.exe	86
PID 1648 wrote to memory of 2712	1648	cmd.exe	86
PID 1648 wrote to memory of 2712	1648	cmd.exe	86
PID 2712 wrote to memory of 2068	2712	taskhost.exe	87
PID 2712 wrote to memory of 2068	2712	taskhost.exe	87
PID 2712 wrote to memory of 2068	2712	taskhost.exe	87
PID 2068 wrote to memory of 2432	2068	cmd.exe	89
PID 2068 wrote to memory of 2432	2068	cmd.exe	89
PID 2068 wrote to memory of 2432	2068	cmd.exe	89
PID 2068 wrote to memory of 288	2068	cmd.exe	90
PID 2068 wrote to memory of 288	2068	cmd.exe	90
PID 2068 wrote to memory of 288	2068	cmd.exe	90
PID 288 wrote to memory of 2008	288	taskhost.exe	91
PID 288 wrote to memory of 2008	288	taskhost.exe	91
PID 288 wrote to memory of 2008	288	taskhost.exe	91
PID 2008 wrote to memory of 3056	2008	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_804a79af30d692c50eb4124fb6f94173303b1a7b296722857ec9077381aba7dc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_804a79af30d692c50eb4124fb6f94173303b1a7b296722857ec9077381aba7dc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2188
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2864
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\en-US\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Music\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYlfhcBu5v.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2092
      - C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2432
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3056
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        11⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1284
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"
        13⤵
        
        PID:2540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2288
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        15⤵
        
        PID:1576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2876
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
        17⤵
        
        PID:2624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2880
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        19⤵
        
        PID:1128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:612
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat"
        21⤵
        
        PID:2016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1700
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
        23⤵
        
        PID:1160
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1888
        
        C:\providercommon\taskhost.exe
        
        "C:\providercommon\taskhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Templates\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Templates\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Vss\Writers\Application\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Windows\Vss\Writers\Application\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Photo Viewer\en-US\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\en-US\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Music\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Music\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Music\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4547333c758ed0075d7c77266463734c

SHA1
1fd8b1854c50fb09ff1544337acbb3d40dfd20a8

SHA256
c20cfc8455d7463d8ec91b01d5230e455b2a4cf1fde8f679dfe9ed4eb16ac26d

SHA512
360abed28d3c45f95bf55f48e375612038d41fba0487b776da95c9cf18fae5bd0477f039355268329d2fc1469622679dd8cd5495731242ad0a9d14c257020675

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc22e0b9301c24e80aca345fcff5d6b3

SHA1
23c3636c0693539373018a032aa8b18ba45cf001

SHA256
5c0730b7cfab81a808b38076c30fc5dd8b41ed8c1c5fde30df3d0893f598e0f5

SHA512
bf6efa0db556b70e8c90f3f37b75cb262b00a0afb1f33e221afdba01a2596fb62b04a754fea2fce31b543105441305a7056910198a428358012c46f9833c5b69

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba856068ab80322d75a05da1805fac77

SHA1
c7f0a4df7d2fccd7deb229b8f19fa323a2beeb73

SHA256
59321ed5c48f11d36d44530960c2d371dd4effcb1ecd9b49b31b2072e0f93680

SHA512
0cdeb42a47a6deaefb60af59ceecd282d1476392d554ad391bd31976518d876f9443803671c74d73f9ba5d508b98be69161c344e8b826da7a28e3207fdac90a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d39c14403764f3cd8f178b4e1e0a496d

SHA1
e572fddc5ae7d87ff88be19c7bb2dfb527238bb6

SHA256
37f3cf24f5e8e9da6504645086e63d1cc1a4bfcc66fe2ae6866a1ab1041cfc70

SHA512
6e6bcc2ba6cfa6f117a6d8361c305c6de9b64d12a15a47c7f0b131b38ddb790c5f7dedadd35db3cdecb879decdffd39fc9be3cb87f2dbf24d9bd62e51fd8c48c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e9a7ce2eaafed989638aba34d476836

SHA1
21102010f222da06aea518d607a120f35d3392d9

SHA256
5fb6bab26340eec821784497543acbc9c333b2e88eabdaeb00a61128d1caf367

SHA512
37948bd831e860b77bc32ac3263baa31627b978771f08a4ccf1ae7fb0c4bc88c2d61ea602ca37860af05364649cd861c18ab27a5655d71298e6de398dd8dea27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7b92224d3f9b677492413f475bdfb47

SHA1
932b2c2767c5cb2cce450c839d4bfc515a0eaca5

SHA256
7eaf0e82be4bebf8f7f4763a3aa1df4deab588ee510ee6f20d3326ddcc762221

SHA512
61869d454d1cb79ee187db90f73b6d6f95b080c6ce8f0a9a8f6ef2f555d1ba0295ab1084893c532679e7a994e65f6b37a95f5d1556d9b3b8477a2a7d919ac01c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d4da1a1ed1b79c31364775b42d51bec

SHA1
04336b072e67a75f6856ea0dbe0029fff511b173

SHA256
5dae727dc736fa017db1bc653bafb6bc43d161dfbbe86ab5805ba48f35bfeb14

SHA512
054d76a0e9c7da5900211306d7a37aaa13c2ae1c684e9304a093824ef55879b61e814bd7807661692724ba41ecfd5a67efca9f525e109bb9313fb6116ecdf23b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cd4d4c1618d2c31ffcd35939a7622b0

SHA1
f8db131ab039da00febd6434eee9a896a5910273

SHA256
741d410d14d0b94ed4588d601af0f7a86a55f701c039c9c89966200966774624

SHA512
e102e87adc969fad476b204c25d23b96f6f0efdd5f052d2e1779a2e2912723734e6c1e716f5d142d39e5ff52a12a0bde2ccbd75596e14e6731f27e5a4be51ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ldsg1wMto.bat

Filesize
195B

MD5
b3df13f485094a901dc6ec8cba20979d

SHA1
31ac6ac34b9cca0f8d499e3e180c7bcaaf6767f4

SHA256
8c9d1fa2aa63a39ed53a24faaeb6b46ee92e6e931ff4edb62f87541c698d1f42

SHA512
fd31db98c274b3ba77fb4f37863819200ac40ebaf5125940ccec7eca37d24eb7ae10db38977bbda4dea870173f28fe4d1803d5827c7c2b4351cb5a38ccc2e67b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2C31.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYlfhcBu5v.bat

Filesize
195B

MD5
a87587bd5a159b7edec94cbcebfe69e7

SHA1
e0ac7a23b46eb244c51737b516952b579de8af65

SHA256
90471114c58740dec02cc12e0f9a75770710106d813895a4515217c6f1d531c5

SHA512
dc423a075590b1f6717baf1a1650c544779d7f11e9ccd7bdfc970b71c743bd77d5a78713d95f210ecc3538edebcfdb83bf604da78bd6723528136f13077c0757

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat

Filesize
195B

MD5
99a4131b6c7a61cc5418b57cb7940246

SHA1
87f146fe77c64c36c1e428c959f6c3a303b3f90a

SHA256
b4a1b3c8a2c86232c0f8096a83f64e74801e764fa159e09e3fc84b83e1df7a17

SHA512
46359ae6157bbcb6db8909c4bf80fe96186ea8b8d02252e10f3407b8bc7e00e2e99f10bb0e8ef4a4207504fbd7c3a9dae62cb71b11f163bedc4fa7fce8a01ac5

Download Submit
C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat

Filesize
195B

MD5
94379f64912722ac827e560da4801881

SHA1
6f0e5ede12798199c33fb6d1ea43602a7eaa07a4

SHA256
4befdc20270764b35aaf35ced1785baeff1f876fedbd3bd8424e61537947daf2

SHA512
7235c19f0d00045f2e60f4dc998f3f05c8a8ce32be6339b377555c71df9ead8a55602900789564543bd234b06c5d11178817120db1fa122bd47530629a281dc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2D5C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
195B

MD5
05d1e6a8e96e0006830ff9108e394fcc

SHA1
c44700cb3177e1168e645fb56a8592ac05431a40

SHA256
a8ec7fa2dc1eba3b2bb836ff09b866c8a0b6f097eae0e8d348098a19c22741dc

SHA512
6dbd192a8fdf27638c4400a6d1fff4254824b71fd209d93ab187309b9aa63c5673992ab629e3fe0a51ecac9fc8d50a83ee177a0290bf7d098776ee3a529f9121

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

Filesize
195B

MD5
f54d24bc238a8128ac218d19028520c8

SHA1
cb5f5b83a25e052df5a65412e781576246f00f87

SHA256
69dd04703ef8834e65d84780682acbcf397bbdbc30cc5276e67adf73e8eef0c1

SHA512
185d8aea4989430e2bf9619ee5269462ec8d2a90b2015e3ab8a0e541e44c212ba124a4ef8fd02c7cb38a5bcc3dc3a29acba9b44c8dcea5170b680b17c9a67102

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

Filesize
195B

MD5
32ef9d095f13083efb76d70944e35de4

SHA1
6bd34d53770ba6a71470585bff6de5b4db7dce07

SHA256
b78d7a35df5c0f9c8fc542e0080080282a70a22abc906619525469a187eb6c89

SHA512
4a606b40c63f42d43120d2f2e11b62e7624a13334ecef1d23061c99fe2b999eb27e25b972f1ec8860027d1f4bdf12b7b6f447a45a47bfa471170bceb8ef2f3e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat

Filesize
195B

MD5
89267dac0e4d3d0c632af7bff692b856

SHA1
0627211e96aaa0b80488a49db21df86c0bbed213

SHA256
2f7058c1735050591f977314448cd5516f36ba7c8452b105b28e36ea12b38f4d

SHA512
aade00aab0b55b88a8154f75befeeb45a4ea5b4137df6dbb3e664e4d861efb759a51fed1079e25eaaf4f7c74ff7e4ea0ca483c6638ede40c47be7fee4cc0b021

Download Submit
C:\Users\Admin\AppData\Local\Temp\tbw0avzYF4.bat

Filesize
195B

MD5
b739d50f8d8aefb44d20678219e78a3e

SHA1
00a3e335db3729217db6e7ed1078c64b9d878c11

SHA256
dc5e0928de6fdf311cbf22f5de63c35f6bfecbcbd2923d7ce63bf06c08f165d4

SHA512
4476a25309e3c241d1bbcbca04a247d44bb7b916af07c47c9df9aa031185030f26f4c84454c0d8c9d26fd3dff8d57cbd704119273c319342c15449bf195a3c50

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1e04eef6ba289baa2861664cb7f8ae90

SHA1
c1e2be8b7617422ce07f76aaba499a3ad270befd

SHA256
5f5c97ac7ca787fdeda728b2ea6611802a34c81c3c672bd6b90b5b6867bb4727

SHA512
5faf59b34c972d8ee840997eb4f86010f50345d03e11b61acec3b9b6f3c55887e0cb4cbb9aefc844a622f82dc98e90406a39599ae38a7a850d148accaafc9eb9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/288-142-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/1016-441-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download
memory/1772-381-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1948-202-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/1988-501-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2168-621-0x00000000004A0000-0x00000000004B2000-memory.dmp

Filesize
72KB

Download
memory/2168-620-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/2532-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2532-17-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/2532-16-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2532-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2532-13-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2556-321-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2576-261-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/2588-59-0x00000000024A0000-0x00000000024A8000-memory.dmp

Filesize
32KB

Download
memory/2588-58-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/2712-82-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2712-83-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download