dcrat | dd58b0854cd97df160204752551466c9cda5729e16607059280ea9a9023c5661

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dd58b0854cd97df160204752551466c9cda5729e16607059280ea9a9023c5661.exe
Size

1.3MB
MD5

fcb3d95259c3338277ca05bc1f96b0f7
SHA1

6df55893b8ee75625c51a927e994326bf3854b2c
SHA256

dd58b0854cd97df160204752551466c9cda5729e16607059280ea9a9023c5661
SHA512

e06a0274e587ed7d7ea1b651896cfad8ad5a235db1566db0338778e788b3b72addaf6b21ccc92c1aa13123273dcab1f34b2313e5be68e383139f12d52d332f5f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	616	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	3004	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	3004	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186c6-9.dat	dcrat
behavioral1/memory/2908-13-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat
behavioral1/memory/712-42-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/1884-152-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/1756-389-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2968-449-0x0000000000BB0000-0x0000000000CC0000-memory.dmp	dcrat
behavioral1/memory/2196-509-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/2852-570-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/1980-631-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/2380-691-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe
1820	powershell.exe
1084	powershell.exe
1968	powershell.exe
1120	powershell.exe
936	powershell.exe
1240	powershell.exe
1588	powershell.exe
292	powershell.exe
980	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2908	DllCommonsvc.exe
712	services.exe
1884	services.exe
2388	services.exe
1696	services.exe
2440	services.exe
1756	services.exe
2968	services.exe
2196	services.exe
2852	services.exe
1980	services.exe
2380	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2564	cmd.exe
2564	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\ebf1f9fa8afd6d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dd58b0854cd97df160204752551466c9cda5729e16607059280ea9a9023c5661.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
468	schtasks.exe
2348	schtasks.exe
1904	schtasks.exe
1528	schtasks.exe
616	schtasks.exe
2148	schtasks.exe
1052	schtasks.exe
2744	schtasks.exe
2568	schtasks.exe
2092	schtasks.exe
1696	schtasks.exe
264	schtasks.exe
2444	schtasks.exe
1604	schtasks.exe
752	schtasks.exe
3068	schtasks.exe
1068	schtasks.exe
1556	schtasks.exe
1948	schtasks.exe
2512	schtasks.exe
2896	schtasks.exe
1620	schtasks.exe
2164	schtasks.exe
972	schtasks.exe
2104	schtasks.exe
2904	schtasks.exe
2812	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2908	DllCommonsvc.exe
1820	powershell.exe
1968	powershell.exe
1120	powershell.exe
936	powershell.exe
2140	powershell.exe
1588	powershell.exe
292	powershell.exe
1084	powershell.exe
980	powershell.exe
1240	powershell.exe
712	services.exe
1884	services.exe
2388	services.exe
1696	services.exe
2440	services.exe
1756	services.exe
2968	services.exe
2196	services.exe
2852	services.exe
1980	services.exe
2380	services.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2908	DllCommonsvc.exe
Token: SeDebugPrivilege	712	services.exe
Token: SeDebugPrivilege	1820	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	292	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	1240	powershell.exe
Token: SeDebugPrivilege	1884	services.exe
Token: SeDebugPrivilege	2388	services.exe
Token: SeDebugPrivilege	1696	services.exe
Token: SeDebugPrivilege	2440	services.exe
Token: SeDebugPrivilege	1756	services.exe
Token: SeDebugPrivilege	2968	services.exe
Token: SeDebugPrivilege	2196	services.exe
Token: SeDebugPrivilege	2852	services.exe
Token: SeDebugPrivilege	1980	services.exe
Token: SeDebugPrivilege	2380	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2636 wrote to memory of 2756	2636	JaffaCakes118_dd58b0854cd97df160204752551466c9cda5729e16607059280ea9a9023c5661.exe	30
PID 2636 wrote to memory of 2756	2636	JaffaCakes118_dd58b0854cd97df160204752551466c9cda5729e16607059280ea9a9023c5661.exe	30
PID 2636 wrote to memory of 2756	2636	JaffaCakes118_dd58b0854cd97df160204752551466c9cda5729e16607059280ea9a9023c5661.exe	30
PID 2636 wrote to memory of 2756	2636	JaffaCakes118_dd58b0854cd97df160204752551466c9cda5729e16607059280ea9a9023c5661.exe	30
PID 2756 wrote to memory of 2564	2756	WScript.exe	31
PID 2756 wrote to memory of 2564	2756	WScript.exe	31
PID 2756 wrote to memory of 2564	2756	WScript.exe	31
PID 2756 wrote to memory of 2564	2756	WScript.exe	31
PID 2564 wrote to memory of 2908	2564	cmd.exe	33
PID 2564 wrote to memory of 2908	2564	cmd.exe	33
PID 2564 wrote to memory of 2908	2564	cmd.exe	33
PID 2564 wrote to memory of 2908	2564	cmd.exe	33
PID 2908 wrote to memory of 1120	2908	DllCommonsvc.exe	62
PID 2908 wrote to memory of 1120	2908	DllCommonsvc.exe	62
PID 2908 wrote to memory of 1120	2908	DllCommonsvc.exe	62
PID 2908 wrote to memory of 936	2908	DllCommonsvc.exe	63
PID 2908 wrote to memory of 936	2908	DllCommonsvc.exe	63
PID 2908 wrote to memory of 936	2908	DllCommonsvc.exe	63
PID 2908 wrote to memory of 1240	2908	DllCommonsvc.exe	64
PID 2908 wrote to memory of 1240	2908	DllCommonsvc.exe	64
PID 2908 wrote to memory of 1240	2908	DllCommonsvc.exe	64
PID 2908 wrote to memory of 1588	2908	DllCommonsvc.exe	65
PID 2908 wrote to memory of 1588	2908	DllCommonsvc.exe	65
PID 2908 wrote to memory of 1588	2908	DllCommonsvc.exe	65
PID 2908 wrote to memory of 2140	2908	DllCommonsvc.exe	66
PID 2908 wrote to memory of 2140	2908	DllCommonsvc.exe	66
PID 2908 wrote to memory of 2140	2908	DllCommonsvc.exe	66
PID 2908 wrote to memory of 1820	2908	DllCommonsvc.exe	67
PID 2908 wrote to memory of 1820	2908	DllCommonsvc.exe	67
PID 2908 wrote to memory of 1820	2908	DllCommonsvc.exe	67
PID 2908 wrote to memory of 292	2908	DllCommonsvc.exe	68
PID 2908 wrote to memory of 292	2908	DllCommonsvc.exe	68
PID 2908 wrote to memory of 292	2908	DllCommonsvc.exe	68
PID 2908 wrote to memory of 980	2908	DllCommonsvc.exe	69
PID 2908 wrote to memory of 980	2908	DllCommonsvc.exe	69
PID 2908 wrote to memory of 980	2908	DllCommonsvc.exe	69
PID 2908 wrote to memory of 1968	2908	DllCommonsvc.exe	70
PID 2908 wrote to memory of 1968	2908	DllCommonsvc.exe	70
PID 2908 wrote to memory of 1968	2908	DllCommonsvc.exe	70
PID 2908 wrote to memory of 1084	2908	DllCommonsvc.exe	72
PID 2908 wrote to memory of 1084	2908	DllCommonsvc.exe	72
PID 2908 wrote to memory of 1084	2908	DllCommonsvc.exe	72
PID 2908 wrote to memory of 712	2908	DllCommonsvc.exe	82
PID 2908 wrote to memory of 712	2908	DllCommonsvc.exe	82
PID 2908 wrote to memory of 712	2908	DllCommonsvc.exe	82
PID 712 wrote to memory of 1652	712	services.exe	83
PID 712 wrote to memory of 1652	712	services.exe	83
PID 712 wrote to memory of 1652	712	services.exe	83
PID 1652 wrote to memory of 2480	1652	cmd.exe	85
PID 1652 wrote to memory of 2480	1652	cmd.exe	85
PID 1652 wrote to memory of 2480	1652	cmd.exe	85
PID 1652 wrote to memory of 1884	1652	cmd.exe	86
PID 1652 wrote to memory of 1884	1652	cmd.exe	86
PID 1652 wrote to memory of 1884	1652	cmd.exe	86
PID 1884 wrote to memory of 2508	1884	services.exe	87
PID 1884 wrote to memory of 2508	1884	services.exe	87
PID 1884 wrote to memory of 2508	1884	services.exe	87
PID 2508 wrote to memory of 1192	2508	cmd.exe	89
PID 2508 wrote to memory of 1192	2508	cmd.exe	89
PID 2508 wrote to memory of 1192	2508	cmd.exe	89
PID 2508 wrote to memory of 2388	2508	cmd.exe	90
PID 2508 wrote to memory of 2388	2508	cmd.exe	90
PID 2508 wrote to memory of 2388	2508	cmd.exe	90
PID 2388 wrote to memory of 580	2388	services.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd58b0854cd97df160204752551466c9cda5729e16607059280ea9a9023c5661.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dd58b0854cd97df160204752551466c9cda5729e16607059280ea9a9023c5661.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2636
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
    - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:712
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2480
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1192
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat"
        10⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1644
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        12⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2076
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        14⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1012
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat"
        16⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1124
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat"
        18⤵
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1744
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat"
        20⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:916
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
        22⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3020
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        24⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2364
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        26⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Tasks\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2a6dce0cd626acaef4dcc506bb90079

SHA1
89952cc82578e2ea25f0a34af4a4b210791cf1cc

SHA256
25ff326f3a1ddefd312d27aa7c157cd61f660e8c88b57cf6de16e484b7cfedb7

SHA512
31f00c44c85ecdec814af8b46bea07e48334144462d0fc93bd58ff835b7b721987effe367117254553cac62378c2c68bde4614600cf6de7c6bdc1df92637484d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
591d57d9ae4c8c67e752eb677e4ac2cd

SHA1
fffdb992afcc61a816824ca61d65920cbdff6229

SHA256
94a1dc311324054bc645991baade953bbd4b07f28901ed346b00e104812c74ee

SHA512
909c7378e70fa8c9bf0bebce10d06a7be143f6f83e28db135313ee2db503fa5399dc05cebabbec733125fcb0124e9558732700345dcc04e128805241d51ae9d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72c481e1566127e056c425f9da980a7e

SHA1
17e98212db85f09bab9cf0265e2dce913f941fbb

SHA256
89e2c5f98e0d56388c8ab4d40022fcfda64fd22d7ca1cd91d9798926c19d1517

SHA512
ffc9452efc8329bc09033e2475586528f37090058e7ccb2798f493aba3b007cceef5fd3ea4ab7e51a269ffb6299a2fb3a6c7038814c45c7915b7da352a43e283

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b1ba656f9dce80d706b784e7167f139

SHA1
cde25a45a9976e9d0e097be924c54740d95ade02

SHA256
e02c34e6a9681a5c044c7ce7a83cd13153a2ac937ac51c49419791c9ae54bb05

SHA512
bb11723a63e1866624f2bdc9c1423134e8e06b68a1768ac6a32aa58b74294dcb4301bfa1f511e83ed9cacbd755cacbd0554276644373faca25bde77d17b37afd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d42d6d0e38858beb31786f2f47ba5c5d

SHA1
dbf0fe749a7b1f151d42517bb465f9ff4b5d4f86

SHA256
f4deb2b7cf61beb1901a9e30c580d629677e74270ef35e28c0959b4b3881b174

SHA512
92d4a2ceeeb046adfbbf5026b8e829066c10e92e43ca58fd770e03d6ebfc3121d69010513a4d2ddade06c03a95f280d75da361458eb833e6a7eb600afb0c4cb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ade25963cbb060473e07487b2e6db619

SHA1
bf56645f4730d0904c89d97526ae5c23edc4e4c8

SHA256
8f006133e8f8d9cbb7593e067294cd5ec0fddf44e07ced3d6040e6c2c4de63b0

SHA512
6475532d05d0a29238441fabb6a8af2bcc1d342701bb33336448ce71dfd68293b149a2b0b334caef0fc0ebbcaa043fdd248977ad71eaeffd887838db8bee0df4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dcba9e6d4900bfdd55453d91593f6d1

SHA1
c9b93edd73c8513c13dd4f958491c6536ff3d3f1

SHA256
85f82af9d6857f20d9f09c8757b0132a514137f21a49f49a7de8d402381ae5cf

SHA512
51ef93388603b7eabe712b428886808dd681f1b7d9ea781bd998dd577633125b3845d0a5ab596f6faf4af0d2920f8b2ca42f67f5980563048c091f4e03c7b1ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57e3dfb2447a47810e8f9cd9c3af12c4

SHA1
142f4237d1cff9b29a30603e5a1a0fb55072736e

SHA256
1796ff3c4d29e9d670f7a1214403c4427af369eaec897802ced62cfd5c41f3b8

SHA512
090b55af620baeb1a27ed2a026a6b85ffe6298ebe3adc132480495b2a7141022ddefe8d7a7e2deab1a34788ff64adb06b86127717ef39fdf11b6bb26a2a7c79d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6fad4f0929de3b21033634bb614a3c4

SHA1
bc0ab59e155e6c0968a614e19ef057665eaf0f8b

SHA256
f509e352954df6329a33977a9e70cd4a4d897bc89bdce852867059f2dca27321

SHA512
2690d3d526e4210ba981bf6ca85214c102114952eab906fa32f8b938fa1793808abcd970d6e785e453109ecd1db3cdf31e2f2fad9879acdd3ce5899b75db8bb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
730096a73d0a285e93dae5573e229218

SHA1
a153f0d9ad5dc2d03fb6dec7c2406173fed50dea

SHA256
808a47c5cf4f9eda51509a6afda124a89ff4ca6bf4ee0474008122e7ff65ab3e

SHA512
f44424f18b7fb2a83cd3b57b21ddf0fd9dd2392c31ce571bfe8b93e1a6966ce3a3a64a908ec70d1a6e08805f45b7484ee75f831faf69b96ab4e18d37b81de8bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

Filesize
240B

MD5
6578666b0b5a51e18a3581d3b7ff3c39

SHA1
1f074b305d21006ca73896cb2ffde0a08d6f60e9

SHA256
8835607690b9a9ff7dedbae68c6953061dbc50ec7f2688b3844fb70aa89cf2f0

SHA512
ef9861035d9374c67312b2c40515dcba03746bf2277f7abddb1e42803ab0f7866fbe7971bf9daca05aded3951fbb5a20cba5ba9e435e2b507a40aa5f3aa44898

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB2ED.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
240B

MD5
ce51b0efc447b5871296f20381044350

SHA1
4d3b5dc4f2eeb6b6ca02f637a8938343a5ec1246

SHA256
458eae250056fb8462074170c8a40ebee4cb2e092d996469558fb633acd062be

SHA512
184551a84a6446ff075eada62d675a3b317478eb02003ca8375b6067373d9630ff2215b39439b6c6b1f5ccca5d92e073c045d7f5aa6cdcfa13131af551ba3c32

Download Submit
C:\Users\Admin\AppData\Local\Temp\DegeIw2hse.bat

Filesize
240B

MD5
2751537b0adc3f36329a886dc75cea08

SHA1
58cd0b6f5b845e7144a9f5942199ce101bda263d

SHA256
75287142d712de05153d496ab2a0d7a9cdcb737988d770bf391629de0071dd1f

SHA512
affba4c1162648038f05d3af178111131b4f0e643c41855f52b00d8abf14add86f3ff7d7130cb4e5312994b52c9cb09b4c7e74cb0acfc4463ea405668171ed16

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nc51i3GWIc.bat

Filesize
240B

MD5
6a8bd87a8efa413b410ef4b7d2996980

SHA1
1f0a23d4b074149cbc777b27ee42decbf1136da3

SHA256
7343ff049a945c0721b3c95a92e720d43fd546c6510573188436fca0a1f3204b

SHA512
9c3c66fb6b782b18eb5ab04d03d52a888c2965cd36792aca4f252b2e12acde4a71b24d90c8ecd56624ed7ceed56169aedc23e2f9478787d176ae15e2c840a6ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat

Filesize
240B

MD5
a20436bee2fa04d45d4c1538db939a82

SHA1
fce4451ed90744f2233595f7169174a95409cdb1

SHA256
65717f3b69496d748a17b04e72dbfc388079a27787dd7664ff28ea6e1ccae453

SHA512
02e0e203e974e12954d1a3c09520a5ed45bc1467e760d59cc383d848e1755dfb7905679bd9ed30f76fc33095510bed9cf83cfa859ae21f3027dc2db3d9da58d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB2FF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
240B

MD5
ed96fe5113b6ba10d2830e45b070628d

SHA1
7a4a3ad2dc3bc113939138502a652458b6eae39e

SHA256
9f831d740367402b26542644784f568438a2282346abd83594c89504f79ca488

SHA512
4438ac0aaea6b190725d7d617792dc5f756c4e675716a8d02ca4a9372f33646b09d9231e94ac462eb5f169bff73a39f25f3a416e7f86670524a30ba70e2c3141

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
240B

MD5
db1e4abf30c317566dedd0baa802ada3

SHA1
88891b9433440624894e213d9d03158a3c58cb0f

SHA256
142feb7b25fe5735cade7df8a2d568f2a629ad523aa3df5b781db4ca8a6bd491

SHA512
9052dea48f0a5a42847d1d290e38e26c24723e96eb57007ca82ed6b9ddcedd2a8797f2c645d78ae0bb008ac1d0f7e3d437493148341f4a8b231726a10b065557

Download Submit
C:\Users\Admin\AppData\Local\Temp\nGcIoKmMem.bat

Filesize
240B

MD5
4607721670241935dd7b049a809545d8

SHA1
da4f1424bc6d85a58809db67ca816924ae2863db

SHA256
2b33e6647fb41437801b0682b859ee05da5baa72ab12d91e72a140a264fbdb6d

SHA512
d07a43e1feb835ecc367fd9304a72a5f8f5924115f5f969fd539163ad4f606a23b9461ef98bfcf2d4164a2289f3e8ea494e150361a2108993fd46d69814cba34

Download Submit
C:\Users\Admin\AppData\Local\Temp\oLfAgN0jmw.bat

Filesize
240B

MD5
d142f1ebaabcc20adf67ffc26fe18eac

SHA1
af2bcdf09b804b874c510f346db00c53859fc1b0

SHA256
845044b08203d3753af4dec339a2f5011528277a9942bfb1bc63600c272b4846

SHA512
9847c99ec7e0a4e6d1f5e55b208230dd3c8342d1af700dc865442554b16e525902ab04417e70f3c7a4e17b6c65d0863d40e46ef2f5c79b31267fc678ac4df12a

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCY6B1XXru.bat

Filesize
240B

MD5
bac4bc066e8989fe8686e8fb93552cd3

SHA1
d540c65c4bc5f80264a62f859616a6b2fe10bff6

SHA256
1d3dfe816d104cfcbfe03f832489d767377658ed0cf9097fb6f7af61312fd88e

SHA512
d107e6f81d02766725c941ed963dc2a5eecf7216694d8ab76559682a030b6b012fae71b47128d5ed1016d9dd5be16f1d76ee8a3fdbea4c2db3cee514aeaa89d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
240B

MD5
0a5dfcbfc0df8883448b37e5edea17d8

SHA1
1fc703992bda7212568d1ca3f7bc653d73408488

SHA256
e04a4672456f4a64bc2c25e34d1336b2311ecbbc1182335e5b4d89b0bd3ca553

SHA512
e585faefba57bf8a367c3de101b783c47d7b8e8ef72e18ff5fb97b0a8fb0dea04dda8e63fd028e433c9c495fcb0cc40d58e693c447b32d71295cf02e3b1662a1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
948ee061d692865652ef98ee896970f1

SHA1
d146f340ac402880019b7af3f510ca570ce9047a

SHA256
5d5ea3331000ea6b2e00ce18d528ad454f985652035fdc9d5e1457dd04f4e63f

SHA512
38d9ee20a7b86cf40ee187ecf6a33aaa646fde5fd5bfd0fcdccbe3161079623236551a4fc6e210313d62551bd8f8089a7cb1ff94cf125bdc300f2fc2bdb43064

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/712-42-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/1084-67-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/1756-389-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/1820-68-0x0000000001D30000-0x0000000001D38000-memory.dmp

Filesize
32KB

Download
memory/1884-152-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1980-631-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/2196-509-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/2196-510-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2380-691-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2852-570-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2852-571-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2908-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2908-13-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download
memory/2908-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2908-15-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2908-17-0x0000000000780000-0x000000000078C000-memory.dmp

Filesize
48KB

Download
memory/2968-449-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download