dcrat | a08897c6a63f252daf9bdbe41dabd061c022a5d577876a75408901702c2d1bb1

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a08897c6a63f252daf9bdbe41dabd061c022a5d577876a75408901702c2d1bb1.exe
Size

1.3MB
MD5

905ebd503d243e92f5ebbc75522f137d
SHA1

60bdfeaf28e6fa6d452425159338ddb06b729384
SHA256

a08897c6a63f252daf9bdbe41dabd061c022a5d577876a75408901702c2d1bb1
SHA512

f828d4beb74a4df9d35dca529b6c37b0d1fc03eddb2d9e14f0880837d2a86dca1a84202fd5f437a939e4f606604b0e759feffeeb0257cb4e0fa1688664af10cc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	3044	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	3044	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000193d0-9.dat	dcrat
behavioral1/memory/3036-13-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/1424-87-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/2492-206-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/1520-266-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/2296-326-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/1448-386-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/1668-447-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/2532-625-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/1976-685-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2352	powershell.exe
2088	powershell.exe
1004	powershell.exe
2000	powershell.exe
2112	powershell.exe
2312	powershell.exe
2200	powershell.exe
1412	powershell.exe
1472	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
3036	DllCommonsvc.exe
1424	WmiPrvSE.exe
2500	WmiPrvSE.exe
2492	WmiPrvSE.exe
1520	WmiPrvSE.exe
2296	WmiPrvSE.exe
1448	WmiPrvSE.exe
1668	WmiPrvSE.exe
1756	WmiPrvSE.exe
1052	WmiPrvSE.exe
2532	WmiPrvSE.exe
1976	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2868	cmd.exe
2868	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
5	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a08897c6a63f252daf9bdbe41dabd061c022a5d577876a75408901702c2d1bb1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2468	schtasks.exe
2460	schtasks.exe
2064	schtasks.exe
1696	schtasks.exe
2408	schtasks.exe
2248	schtasks.exe
1572	schtasks.exe
1736	schtasks.exe
2616	schtasks.exe
264	schtasks.exe
2216	schtasks.exe
2012	schtasks.exe
1244	schtasks.exe
2992	schtasks.exe
592	schtasks.exe
1716	schtasks.exe
2644	schtasks.exe
1036	schtasks.exe
2756	schtasks.exe
2228	schtasks.exe
2464	schtasks.exe
1732	schtasks.exe
1612	schtasks.exe
1044	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3036	DllCommonsvc.exe
2088	powershell.exe
2352	powershell.exe
1472	powershell.exe
2112	powershell.exe
2000	powershell.exe
2200	powershell.exe
1004	powershell.exe
1412	powershell.exe
2312	powershell.exe
1424	WmiPrvSE.exe
2500	WmiPrvSE.exe
2492	WmiPrvSE.exe
1520	WmiPrvSE.exe
2296	WmiPrvSE.exe
1448	WmiPrvSE.exe
1668	WmiPrvSE.exe
1756	WmiPrvSE.exe
1052	WmiPrvSE.exe
2532	WmiPrvSE.exe
1976	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3036	DllCommonsvc.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1424	WmiPrvSE.exe
Token: SeDebugPrivilege	2500	WmiPrvSE.exe
Token: SeDebugPrivilege	2492	WmiPrvSE.exe
Token: SeDebugPrivilege	1520	WmiPrvSE.exe
Token: SeDebugPrivilege	2296	WmiPrvSE.exe
Token: SeDebugPrivilege	1448	WmiPrvSE.exe
Token: SeDebugPrivilege	1668	WmiPrvSE.exe
Token: SeDebugPrivilege	1756	WmiPrvSE.exe
Token: SeDebugPrivilege	1052	WmiPrvSE.exe
Token: SeDebugPrivilege	2532	WmiPrvSE.exe
Token: SeDebugPrivilege	1976	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2400 wrote to memory of 2848	2400	JaffaCakes118_a08897c6a63f252daf9bdbe41dabd061c022a5d577876a75408901702c2d1bb1.exe	30
PID 2400 wrote to memory of 2848	2400	JaffaCakes118_a08897c6a63f252daf9bdbe41dabd061c022a5d577876a75408901702c2d1bb1.exe	30
PID 2400 wrote to memory of 2848	2400	JaffaCakes118_a08897c6a63f252daf9bdbe41dabd061c022a5d577876a75408901702c2d1bb1.exe	30
PID 2400 wrote to memory of 2848	2400	JaffaCakes118_a08897c6a63f252daf9bdbe41dabd061c022a5d577876a75408901702c2d1bb1.exe	30
PID 2848 wrote to memory of 2868	2848	WScript.exe	31
PID 2848 wrote to memory of 2868	2848	WScript.exe	31
PID 2848 wrote to memory of 2868	2848	WScript.exe	31
PID 2848 wrote to memory of 2868	2848	WScript.exe	31
PID 2868 wrote to memory of 3036	2868	cmd.exe	33
PID 2868 wrote to memory of 3036	2868	cmd.exe	33
PID 2868 wrote to memory of 3036	2868	cmd.exe	33
PID 2868 wrote to memory of 3036	2868	cmd.exe	33
PID 3036 wrote to memory of 2352	3036	DllCommonsvc.exe	59
PID 3036 wrote to memory of 2352	3036	DllCommonsvc.exe	59
PID 3036 wrote to memory of 2352	3036	DllCommonsvc.exe	59
PID 3036 wrote to memory of 2088	3036	DllCommonsvc.exe	60
PID 3036 wrote to memory of 2088	3036	DllCommonsvc.exe	60
PID 3036 wrote to memory of 2088	3036	DllCommonsvc.exe	60
PID 3036 wrote to memory of 2112	3036	DllCommonsvc.exe	61
PID 3036 wrote to memory of 2112	3036	DllCommonsvc.exe	61
PID 3036 wrote to memory of 2112	3036	DllCommonsvc.exe	61
PID 3036 wrote to memory of 2312	3036	DllCommonsvc.exe	63
PID 3036 wrote to memory of 2312	3036	DllCommonsvc.exe	63
PID 3036 wrote to memory of 2312	3036	DllCommonsvc.exe	63
PID 3036 wrote to memory of 2200	3036	DllCommonsvc.exe	64
PID 3036 wrote to memory of 2200	3036	DllCommonsvc.exe	64
PID 3036 wrote to memory of 2200	3036	DllCommonsvc.exe	64
PID 3036 wrote to memory of 1004	3036	DllCommonsvc.exe	65
PID 3036 wrote to memory of 1004	3036	DllCommonsvc.exe	65
PID 3036 wrote to memory of 1004	3036	DllCommonsvc.exe	65
PID 3036 wrote to memory of 2000	3036	DllCommonsvc.exe	67
PID 3036 wrote to memory of 2000	3036	DllCommonsvc.exe	67
PID 3036 wrote to memory of 2000	3036	DllCommonsvc.exe	67
PID 3036 wrote to memory of 1412	3036	DllCommonsvc.exe	69
PID 3036 wrote to memory of 1412	3036	DllCommonsvc.exe	69
PID 3036 wrote to memory of 1412	3036	DllCommonsvc.exe	69
PID 3036 wrote to memory of 1472	3036	DllCommonsvc.exe	70
PID 3036 wrote to memory of 1472	3036	DllCommonsvc.exe	70
PID 3036 wrote to memory of 1472	3036	DllCommonsvc.exe	70
PID 3036 wrote to memory of 828	3036	DllCommonsvc.exe	77
PID 3036 wrote to memory of 828	3036	DllCommonsvc.exe	77
PID 3036 wrote to memory of 828	3036	DllCommonsvc.exe	77
PID 828 wrote to memory of 1632	828	cmd.exe	79
PID 828 wrote to memory of 1632	828	cmd.exe	79
PID 828 wrote to memory of 1632	828	cmd.exe	79
PID 828 wrote to memory of 1424	828	cmd.exe	80
PID 828 wrote to memory of 1424	828	cmd.exe	80
PID 828 wrote to memory of 1424	828	cmd.exe	80
PID 1424 wrote to memory of 1508	1424	WmiPrvSE.exe	81
PID 1424 wrote to memory of 1508	1424	WmiPrvSE.exe	81
PID 1424 wrote to memory of 1508	1424	WmiPrvSE.exe	81
PID 1508 wrote to memory of 2644	1508	cmd.exe	83
PID 1508 wrote to memory of 2644	1508	cmd.exe	83
PID 1508 wrote to memory of 2644	1508	cmd.exe	83
PID 1508 wrote to memory of 2500	1508	cmd.exe	84
PID 1508 wrote to memory of 2500	1508	cmd.exe	84
PID 1508 wrote to memory of 2500	1508	cmd.exe	84
PID 2500 wrote to memory of 688	2500	WmiPrvSE.exe	86
PID 2500 wrote to memory of 688	2500	WmiPrvSE.exe	86
PID 2500 wrote to memory of 688	2500	WmiPrvSE.exe	86
PID 688 wrote to memory of 2828	688	cmd.exe	88
PID 688 wrote to memory of 2828	688	cmd.exe	88
PID 688 wrote to memory of 2828	688	cmd.exe	88
PID 688 wrote to memory of 2492	688	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a08897c6a63f252daf9bdbe41dabd061c022a5d577876a75408901702c2d1bb1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a08897c6a63f252daf9bdbe41dabd061c022a5d577876a75408901702c2d1bb1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2400
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2868
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VSjxgpKhh7.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:828
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1632
      - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2644
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2828
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat"
        11⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:376
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat"
        13⤵
        
        PID:2964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:568
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
        15⤵
        
        PID:1364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1652
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
        17⤵
        
        PID:2112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1592
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
        19⤵
        
        PID:1000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:828
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
        21⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1220
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"
        23⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:960
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        25⤵
        
        PID:1108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1720
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a994a36dda68817db4a2b5b51f8ffe5

SHA1
f6170d6ceca96ff0a27867432bf601ef5e81d393

SHA256
c421e7c4ff813c50795ea86274580e5c7d672bd470b38fe9e4b35527c985a346

SHA512
8b57131d5a998140cbc0408ed9ae43391d041219771c774682998bed801fa13355081ba384ffa1678218f174718325532c861e1410c926673080893f63262703

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c53974fb65b7f64483ddb0754550b7a8

SHA1
6c9e2d7bb5b451d25eb8251ce640f3e95600e080

SHA256
f78027c4e32b21cf0131f4fc20855a6dd9096b7318d9a998fd527591e4733e07

SHA512
e96e70217098cdf16f11610e919a5dbb4223ed2d9bc5acfee6f1179988bca1dd65691be23f6b94f7b78715eceeef477e9f74751f32412f6785f720c2d21f521d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94260d21c59cfbb67fb02ac464c54d96

SHA1
3493f2804ad95886f04280d6e022bacb5a322906

SHA256
f0e5f8caf50588a728cfc623a78983e7fe50a350bf95697a8ef1198f65cc7dd8

SHA512
f52aedbf10afa52959b1fc9aa953c0a88204e95a759b35fd44657ad2c1de4adee9725f56e9b0681d284172d90b7ebce182c33b2cee300220315b4c5949970eb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
224f7d61557c20aa0b98265b6566e4bb

SHA1
a701d4785079b0b9190a45e50eb136e488f5c13c

SHA256
de9135d9c6321feebb30eff119b64b8abd76fd86d50ec253884eda4cbf576aea

SHA512
277998de4dc36324a0402ac6b535bffc7bb7421e02e847dd946ae8ff99d146bf7c179fab3c45ad279034fa2a769da76915737cdbc6922a07ae29863088e69773

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06c362718b6b21f014a8c8217fcc76e0

SHA1
31b3279187e6e8b4662c063abecafacca4a3adde

SHA256
c0b33527d044d35efa33d3d6df27fab75b348c54d57b6ee891dc95ab0dab3d5a

SHA512
81f4881f56bfc5f111a18337a392a9ceca0ee7ff9ca0d2e3df65e4ebece5ee956d8c501e78658c6d7c0ff125d4556cec337992b7452a8648a4d69bac8c832031

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0931e5ecfd0bfbecef55a4b382ba96a3

SHA1
4f4af8de242c031b0378194e0fe3a682a22f3ac0

SHA256
0d9683269de236574edd9cb9b064b671e1b2b7c6401f411969487bd7c1e49510

SHA512
0fce34ea529742c934e2eb1871e90cc6531552de1daafa5bea874614feade7b01f42d9ee74150b506c4577c736d398339bf21d513b066509a9879a1ff8dcdaed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35451a1e851e41e40f60c77afa328259

SHA1
0161d61707c4ade95ccdb33f0d15b73c4e48f557

SHA256
285b30a0aa9f5cfc2ad1b1cbb5fd619842293e6d94429fb94a621536aec73285

SHA512
e173b7b379ee0937a068a569c43670254849bbe6f6f8b3b624d0cf3a5d1aeb40ce8de356b27f3bfb5d048843ce4f06cc7bf2ef43ceaa189ca3fef2408f7079c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a65f507116bd3d09bb983214897c5bdb

SHA1
23e0b791c743a260c0200a1525cd7d37a582ca6f

SHA256
046591a6c15445cc11b8262de182e19474d52a613e5969f8630913b22d9f6087

SHA512
4495ed7b8f7ced4fd8f60c0f041c2ccddc09a3014455d9fe4e7b292f8824b463510a0ad8fc121f642b3f896ebda42acf41478d6f3b92d4bccf160acca9a7a733

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be58babfa4e95177195cf6c89c8b6848

SHA1
c7a86282bcd6d651778838461abc490def620c9f

SHA256
2eaf235d08293d87889c8f3a4cfbb4bb079b449dbeab680908eabdb68b9ac377

SHA512
aa67eb074d9b829566a1c5a86880ef8d8ec098203e16d1f16f4cbd96a64d04802d015cda42239d6e0199c4243b1673b5fc8252401e02ca41e559a4e8c3f386ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat

Filesize
240B

MD5
913515187fb9d0a890d5ad8b365a28a8

SHA1
2e9b762597335d0ee488f8c8e2661cadf011a8c4

SHA256
e02430ca6096982ff0de0a9ff5a4ea4cb2b8fa93de1aadeb004a3d87ed8eba1b

SHA512
e300f36e6ab350e4dcdf1a5ea6a16e33759aca08e025e0a29024026ccb5fd25b0bbeb5c903116490713720a39de0afb1309acf88066d00f208a37c1dafbbcbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat

Filesize
240B

MD5
5e9d5d5c78cebb79decf55de7a830266

SHA1
874d1f3f3c02c347f4d0be7c00d9fd3bbeb77a52

SHA256
0f27348d785a9481a6f6e108793b156a5114f2830623d40a66c6eed86c862b3c

SHA512
8f10cec509f8824388da7cae230db73fb84fab374db098d4669adb36c21acd3ccd334be4d4fb6de2411877172d99da0ba86771b5920d351358f79e39260bccf2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBE90.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CrTeqwt2Oo.bat

Filesize
240B

MD5
0f073d72204cbca08c92557bafb4ec65

SHA1
fa1322ff07cd98e66fc2d2babd9176ba73f7bd39

SHA256
0bc4337826c588223f53a1d34cbd4a5a13137b51d5ccaf6c7f4a527221dd0b35

SHA512
ff9b4b0054bd3c4707eab5d5c59166ada9812df18101434f5b7f4d5060897905afa332504345ab5dbd1aedc841950758e28d41c7a89da0921b7059a7265834e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

Filesize
240B

MD5
0226dda37b76231f2cc197b741178859

SHA1
ec161fa13ba3a3903b9c4a777ba09409ca231627

SHA256
91114236fc83ca4487caa332253ae64dfd60a6173fc12ab2c507a587471da460

SHA512
445c9d602be58f4a6f375ce38fe2d9371b6e8f80ffdd82a21d93ba0ab5616e0548e98aa7731ac611012efebee390926f7640d94db3dd5ff9e7774fb11d18f9b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat

Filesize
240B

MD5
288f1bb79594ec910d638ec52ffe3eb0

SHA1
80ad80b7bc3708cc9d7fc2db883dcd744ce8a713

SHA256
75bc3f7980ee6a3948865f6838670e8db10e8614c2e71f5faa4011ef05e1aea6

SHA512
b09a98937d41f2a1b8cd3f65229043b54f921b9f148e6acad5af9f34a70cf5185f7e9e79ab46f02379fe3feffe4c8a9306113bc7b3c80048c732d2732c8006a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat

Filesize
240B

MD5
5f50bc0f7b95c552468f2723cd6d808b

SHA1
a1f828341d082a2c65f1de1f957e7b44649429c8

SHA256
77872799dd555e73308c64bd958a56b99011fe244e1a255e03f805b3712a4848

SHA512
b0b25f872c8ee0db4ebbb6ba32ab064ee7712ae402b30d77ab0f483eb0a40d0388d8ad62c04673d2734ae314accb5eef427ba531c22bc4f7ab68c432d5bfd687

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBEA3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSjxgpKhh7.bat

Filesize
240B

MD5
46bb1bb700702b814ecaea3102932642

SHA1
4469c4fd95c4b383c75d92bd410cc7c7139cd72b

SHA256
57aeb50df33b5fc5549cdba0e0b13797d6eeb67a956268598f96ea217328308a

SHA512
8a14016849ff7519d89c25cf9c8b76e5f3754823a8d285c4dafefb2d58647c34d95e5ee8fd729864721cf21972d67898b0a2aa0675516e71cfed76de0af26c47

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat

Filesize
240B

MD5
9130df80fad671c210d2a3d1eb5453ad

SHA1
438bf13e1af849a891034dd5f682c07325cfc71c

SHA256
516402d409ad0c7a0a20e5a749577865eba9daf109325b0d84aefbf6e9fabc81

SHA512
90f50791cd8b2c7620ae8b0fa1c9f1579e94ae058e3975c26971cad56399e4467e3f17fe2a4a26d9069ce848ea662da5b360e4c784e12d8e2e57bd02209dce07

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

Filesize
240B

MD5
ffcf16f28c47d0429a5765dbba523a34

SHA1
d7532d297e1bf6452c623c9f46da01dc21a7fcb7

SHA256
68efa1db265831f8fdaae10221df1e4682a49534708eadd9fb6eb9f242ed2369

SHA512
7a3286ae9031f44b5bdd9c8b35b04355b54e1047f16f969e3d25e7164678b557c094353326151154ed9ce6ef8f7c02594fdd9efa0ca2773f1a777c9fa2078f53

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

Filesize
240B

MD5
88afc80a0fd25495e71d62aec8496bdc

SHA1
ee1d29cb871419a41b03515b720f77ac94e97de4

SHA256
43011ef998759fc13a83b1281e85ba5864cd5364f6d57c8d97cd2e6972707230

SHA512
38cc6fc9cc359056c6f837a3c2cafcb958dbb5b4ded702ae2f5d37c439a76815ee76eb4d24c9ca004431b018a80f90b00847902e135997179173f8615f4aab4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\zfOrxS71E3.bat

Filesize
240B

MD5
af71b040c4345525fe6bd80802f66b07

SHA1
6354959bd4a2d8095cfa6e8bc73a22e54201fefc

SHA256
9cfb9c764649cc74f21681475fefa5602958f33febe65c495c526f523dd1efa8

SHA512
396452da92890ac1b6498fbdfe649b68c07a09eac3b3c77cac79acec7ebeda192c4d078a03cae72b28b85bdaa788d9bec7789f6504e847aef4545d45951c716b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
aecdbe62358250771dad8806c8605d89

SHA1
f42de1d9ef02a1a16f712c042c877c72370244cd

SHA256
e8db003303e215b56c8efab8e086baf23a119d203b456be87b8e6ba42fd5ff04

SHA512
eb7f39183350442d3b9a02850b0e0c4e92e5eeedffed927dec50b171ea234548ac58166807a453540f00485f4e7acb2f2ec5c28b53dc03f0d8026f55d020bb36

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1424-87-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/1424-88-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1448-386-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/1448-387-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1520-266-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/1668-447-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/1976-685-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/2088-49-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/2088-48-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/2296-326-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2492-206-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2532-625-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/3036-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/3036-13-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/3036-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/3036-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/3036-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download