dcrat | ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe
Size

1.3MB
MD5

e2c50503a3a3e38102f75f04197b73ef
SHA1

7b5fa694c801890f078ca509a7fb948c03f5bdf1
SHA256

ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4
SHA512

4ae8c38ca0a983e4be6ddba989c900ed9ec4197c5736bb5481dbd20e83a4396a64457318020e07bd0a5728d8f4e7a062be313aca4f71c29b98d6c3240a7c364d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2600	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2600	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016edc-9.dat	dcrat
behavioral1/memory/2668-13-0x00000000008A0000-0x00000000009B0000-memory.dmp	dcrat
behavioral1/memory/3012-58-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/1676-154-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/2936-215-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/1096-275-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/2464-453-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/864-514-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat
behavioral1/memory/580-574-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2132-634-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
900	powershell.exe
828	powershell.exe
1772	powershell.exe
1856	powershell.exe
2120	powershell.exe
2188	powershell.exe
1628	powershell.exe
1368	powershell.exe
1616	powershell.exe
2252	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2668	DllCommonsvc.exe
3012	WmiPrvSE.exe
1676	WmiPrvSE.exe
2936	WmiPrvSE.exe
1096	WmiPrvSE.exe
1244	WmiPrvSE.exe
1236	WmiPrvSE.exe
2464	WmiPrvSE.exe
864	WmiPrvSE.exe
580	WmiPrvSE.exe
2132	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2556	cmd.exe
2556	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
20	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
12	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\1033\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\de-DE\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\es-ES\ebf1f9fa8afd6d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2244	schtasks.exe
2184	schtasks.exe
1968	schtasks.exe
664	schtasks.exe
3020	schtasks.exe
320	schtasks.exe
1676	schtasks.exe
2488	schtasks.exe
2924	schtasks.exe
2920	schtasks.exe
1396	schtasks.exe
2220	schtasks.exe
2884	schtasks.exe
1756	schtasks.exe
2348	schtasks.exe
336	schtasks.exe
2276	schtasks.exe
1080	schtasks.exe
676	schtasks.exe
2800	schtasks.exe
2788	schtasks.exe
2020	schtasks.exe
1440	schtasks.exe
1376	schtasks.exe
1964	schtasks.exe
1724	schtasks.exe
1156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
2668	DllCommonsvc.exe
900	powershell.exe
1772	powershell.exe
828	powershell.exe
1616	powershell.exe
1628	powershell.exe
2120	powershell.exe
2252	powershell.exe
1368	powershell.exe
2188	powershell.exe
1856	powershell.exe
3012	WmiPrvSE.exe
1676	WmiPrvSE.exe
2936	WmiPrvSE.exe
1096	WmiPrvSE.exe
1244	WmiPrvSE.exe
1236	WmiPrvSE.exe
2464	WmiPrvSE.exe
864	WmiPrvSE.exe
580	WmiPrvSE.exe
2132	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2668	DllCommonsvc.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	1616	powershell.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	3012	WmiPrvSE.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1676	WmiPrvSE.exe
Token: SeDebugPrivilege	2936	WmiPrvSE.exe
Token: SeDebugPrivilege	1096	WmiPrvSE.exe
Token: SeDebugPrivilege	1244	WmiPrvSE.exe
Token: SeDebugPrivilege	1236	WmiPrvSE.exe
Token: SeDebugPrivilege	2464	WmiPrvSE.exe
Token: SeDebugPrivilege	864	WmiPrvSE.exe
Token: SeDebugPrivilege	580	WmiPrvSE.exe
Token: SeDebugPrivilege	2132	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2168 wrote to memory of 2768	2168	JaffaCakes118_ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe	30
PID 2168 wrote to memory of 2768	2168	JaffaCakes118_ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe	30
PID 2168 wrote to memory of 2768	2168	JaffaCakes118_ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe	30
PID 2168 wrote to memory of 2768	2168	JaffaCakes118_ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe	30
PID 2768 wrote to memory of 2556	2768	WScript.exe	31
PID 2768 wrote to memory of 2556	2768	WScript.exe	31
PID 2768 wrote to memory of 2556	2768	WScript.exe	31
PID 2768 wrote to memory of 2556	2768	WScript.exe	31
PID 2556 wrote to memory of 2668	2556	cmd.exe	33
PID 2556 wrote to memory of 2668	2556	cmd.exe	33
PID 2556 wrote to memory of 2668	2556	cmd.exe	33
PID 2556 wrote to memory of 2668	2556	cmd.exe	33
PID 2668 wrote to memory of 2120	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 2120	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 2120	2668	DllCommonsvc.exe	62
PID 2668 wrote to memory of 900	2668	DllCommonsvc.exe	63
PID 2668 wrote to memory of 900	2668	DllCommonsvc.exe	63
PID 2668 wrote to memory of 900	2668	DllCommonsvc.exe	63
PID 2668 wrote to memory of 2188	2668	DllCommonsvc.exe	64
PID 2668 wrote to memory of 2188	2668	DllCommonsvc.exe	64
PID 2668 wrote to memory of 2188	2668	DllCommonsvc.exe	64
PID 2668 wrote to memory of 1628	2668	DllCommonsvc.exe	65
PID 2668 wrote to memory of 1628	2668	DllCommonsvc.exe	65
PID 2668 wrote to memory of 1628	2668	DllCommonsvc.exe	65
PID 2668 wrote to memory of 828	2668	DllCommonsvc.exe	66
PID 2668 wrote to memory of 828	2668	DllCommonsvc.exe	66
PID 2668 wrote to memory of 828	2668	DllCommonsvc.exe	66
PID 2668 wrote to memory of 1772	2668	DllCommonsvc.exe	67
PID 2668 wrote to memory of 1772	2668	DllCommonsvc.exe	67
PID 2668 wrote to memory of 1772	2668	DllCommonsvc.exe	67
PID 2668 wrote to memory of 1368	2668	DllCommonsvc.exe	68
PID 2668 wrote to memory of 1368	2668	DllCommonsvc.exe	68
PID 2668 wrote to memory of 1368	2668	DllCommonsvc.exe	68
PID 2668 wrote to memory of 1616	2668	DllCommonsvc.exe	69
PID 2668 wrote to memory of 1616	2668	DllCommonsvc.exe	69
PID 2668 wrote to memory of 1616	2668	DllCommonsvc.exe	69
PID 2668 wrote to memory of 1856	2668	DllCommonsvc.exe	70
PID 2668 wrote to memory of 1856	2668	DllCommonsvc.exe	70
PID 2668 wrote to memory of 1856	2668	DllCommonsvc.exe	70
PID 2668 wrote to memory of 2252	2668	DllCommonsvc.exe	71
PID 2668 wrote to memory of 2252	2668	DllCommonsvc.exe	71
PID 2668 wrote to memory of 2252	2668	DllCommonsvc.exe	71
PID 2668 wrote to memory of 3012	2668	DllCommonsvc.exe	82
PID 2668 wrote to memory of 3012	2668	DllCommonsvc.exe	82
PID 2668 wrote to memory of 3012	2668	DllCommonsvc.exe	82
PID 3012 wrote to memory of 852	3012	WmiPrvSE.exe	83
PID 3012 wrote to memory of 852	3012	WmiPrvSE.exe	83
PID 3012 wrote to memory of 852	3012	WmiPrvSE.exe	83
PID 852 wrote to memory of 2940	852	cmd.exe	85
PID 852 wrote to memory of 2940	852	cmd.exe	85
PID 852 wrote to memory of 2940	852	cmd.exe	85
PID 852 wrote to memory of 1676	852	cmd.exe	86
PID 852 wrote to memory of 1676	852	cmd.exe	86
PID 852 wrote to memory of 1676	852	cmd.exe	86
PID 1676 wrote to memory of 2140	1676	WmiPrvSE.exe	87
PID 1676 wrote to memory of 2140	1676	WmiPrvSE.exe	87
PID 1676 wrote to memory of 2140	1676	WmiPrvSE.exe	87
PID 2140 wrote to memory of 1236	2140	cmd.exe	89
PID 2140 wrote to memory of 1236	2140	cmd.exe	89
PID 2140 wrote to memory of 1236	2140	cmd.exe	89
PID 2140 wrote to memory of 2936	2140	cmd.exe	90
PID 2140 wrote to memory of 2936	2140	cmd.exe	90
PID 2140 wrote to memory of 2936	2140	cmd.exe	90
PID 2936 wrote to memory of 268	2936	WmiPrvSE.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ae7f38d1046b35971075b9f63352a21faee2f6ee0e77bebf83a5f4bac45779a4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2168
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\es-ES\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\de-DE\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3012
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2940
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1236
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
        10⤵
        
        PID:268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1532
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat"
        12⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2956
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        14⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1676
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat"
        16⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:828
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
        18⤵
        
        PID:556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1376
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
        20⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2148
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat"
        22⤵
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1932
        
        C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
        24⤵
        
        PID:352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Media Player\es-ES\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\Office14\1033\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\de-DE\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Favorites\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Favorites\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Google\Temp\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f724400ed0fc5665fdbcce2480d8c4d2

SHA1
dae7964fd14d20fd8d3da8f64d8dc6a70a52e8c5

SHA256
95d6febb9aadac80746b53710048684abcec005a1ca3926a6b9ee4e1c4f47ad7

SHA512
91ec4b10b808c91a90319eb5e96aed95333d97343721fa2f54f35bd634f036fd8e0b4e89ab7bd0924a03cc02d80d0740e66dffea063481c1fa421cd68192720a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
91bb1f560074be564e17eef085c8f85c

SHA1
d8747ffd47e38a5ae04ead0c6ad52c491812fd40

SHA256
36c2d3aa2a7ea74a6518f352212e4a6a32db1f9b44de0e713ea95236bcb81df0

SHA512
0b416d2730502de6c2d0ee4cb39a31770f3f12682e390424498de0a4705366bfac9eff858f2c0f15c3d97dd0eb4844ecc88ac0b3888e280a64f05aba9825c8e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab6fd1b1bde22ce01b4e292230edac1d

SHA1
6efb87d3098017e3947045f064dd8edfaed98a4c

SHA256
74d37a5c4469fe3458354a3f05da171e6f961b8c112fbc36c8f04e03a27d18de

SHA512
472e00b95066a4fda0ede3529625d8e996fbb4200d3198c936f068a856e5c93a0de6121352066dc42b64b4f71a7e50298081e1a9a2439a660ab35ad74909f287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8cfbeb667e34c05c740ba9b0ff3b9732

SHA1
eacd76c59ddd35cb195997132478cc8bb03d80cc

SHA256
246a9044a238f6f1e950b7b41c139d98dcd3626af7fe5abe89eb7ef6f558676c

SHA512
c491b67bb922e2d7f9dab3980c103af390ca9914bbbc507da7eef99df62b8bb3622409e1faa6ecf8ee6cc1cef0cdb979490e605cd6c7565454c88d2917c35ee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c57bfd8571b171b986e41dee11caba5

SHA1
74098280e4b361e6254b867b720a204f5af15d67

SHA256
fd7d91291b9c1550e744f07a2b8bdfc64af2bc39f5223fa18db4cfd9d436b992

SHA512
e0729663575d8a8fd7f319dce42a4e6d9f3a73403bb92944710d5110c6eaf44a1309292b2cbc1d546ecbc1a1bf0e6f706a16068ad4742e7ba8d7c3cf8f9725af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
307ddfc3717a1c67b1b224d4f6fd0b43

SHA1
0974b83c5f6b999fc1c65976bcd81efe87fe2e7a

SHA256
ef9afb40907722e90e80c634e7fc26b2e23be5e3a5d93c8f40d7f5c228d86796

SHA512
e363664e6abfb24302f441164a6b0253ce7fb9f7fbedebd7fc354b36ab3d8a2050ac6a2bd5d4413f7ba961d4b45a5f451dc71e09916fb440dbcc2dfec16fcf0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8bae6712bd91390aaf8415c4d86013b

SHA1
b32858d7707cc62d07fe38ad81d723116ad2b4c0

SHA256
a03053b87c12101ca1c1caa4f12b1294e2b4d823a1685992d1657b113db55291

SHA512
80f22fe2c3bc79f68796d43596847c3759777b2eeec4b220f157d02f2bc3d7805610d07525ff28144494c3e0cf6f02e0666b6ecba3c286496ef2974c299cea5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6dfc165d303ce6b95eb7fd2da49e4403

SHA1
695f2274e63dc6058637f62d001b8b281c885ebc

SHA256
a18e4750341a0d824aa5a81569b415833dd3f42cfa7c9ee9f8e39e7565866dde

SHA512
ea1063f1a9bc6281ced4718eec83df6eff2e3661805397d1a87df2a9192fcf7249258555da201ba4e1b9f273accedbc0f248ae9bbb940cebf4ed665b773d0d63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59c79cefc76893cabf38b3d7f613a24f

SHA1
74ff3b8fc869addd734e7b51cb2a6ee0e2f86678

SHA256
044b7db718d96b90305561db6f2116722939576bd23dd6131eacd06077d86107

SHA512
5f6c1b96846ee47ff9408e161c5f8b8e7311811dfc5e0c77ac76c945891f8a48ff61cd44fa5c6fc9b195752fc642a81413ca774ce96384630311847580d7482e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat

Filesize
212B

MD5
4d39ce162dfffe39a2ee12f10c4f1aca

SHA1
fc1f865089fde8911c34d5f0f10e1819c7cafcfd

SHA256
7263588f4adb1d47083cc266c00820381b3f60dc58d3ba8b1bfebac5e8cab6ab

SHA512
3a43e0ec1a55c7b371734c100ec43fb519f10ccd3417397361759033bf6062557e77d70c429eac8aec5d81b5b7fc5f5e9dd37bb0186db7a38989c38ed620dbe7

Download Submit
C:\Users\Admin\AppData\Local\Temp\AsgPmp9HNF.bat

Filesize
212B

MD5
995b0906db93e8b073619604430cf34d

SHA1
66ad98af5e10c8b48489898e1b4f09b32fa3d5a9

SHA256
4863f32ad41cfed4e27dbc6e1560a2dfdb23eaf78de958132f56b97eebfebd13

SHA512
7c173781b82ef5d8726c77f5cd6763c3c4360333dffe258a30024d7793ed77d724178eeea0b1548f681ee297fabaa507c9755cf8bea13df8e9b9ad25b4ff91bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

Filesize
212B

MD5
5d640c8523b435129602045e7489ecfb

SHA1
42572695b0e13e2414a6cc11c3854e56ca4acaeb

SHA256
3a19f033ee94fd031ede3dc1e270d8ab994cb1f6ae29fa3d3ed01100a3ab8ec8

SHA512
f58571bd25fa8a99af462975e454f2b71613940da4b3fb3e1c027c66d34b1af4b8908849d20e3ffe799571ce56cb31e74b41adaec25df47367b0d377ee28098b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat

Filesize
212B

MD5
b626b0ccfd95a7e7c4e6b4b9bc803d78

SHA1
1122e15e7b5d63b7f239e4983f3487a536f1998a

SHA256
25ffb5058f480bd95bb51bf1ab9c7fe96b59cc06249d1e920b0fc78e66b5a952

SHA512
da1b7b7b85cf64acef766b0cc1ee27adcb200b8a9486291a3f6f718e0801a5857e3f5862e42aaa6f37a6a93a3af801b1fa714a28bcf6e5d5b59ec0aa89c87850

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3A54.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

Filesize
212B

MD5
4ad4af7bbe59cd96cfc96b95981c2464

SHA1
17bb17623a3133968fdb1e05f89992a46e48abda

SHA256
c31709631d191be5235942526bfeba1744987a57852aa716533ce962c7d1fbae

SHA512
51e3e5553918e1a854931546a5c71e1337a7ce7bff05e5bf0997a9c4897e676c0cd113209b2ba430f04f6688f8331558c76fe6b3e0d7359402d83cea7e366d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\JeZnuB4iL9.bat

Filesize
212B

MD5
79a6c48611ab21d570ea884d791c75e3

SHA1
bbf6f27301f4d6081318cd9ec91e64b6c47b6cfc

SHA256
f01f2f8bf58812324a752b2489460aab04df4db90d5e7c9f023afb02286fab94

SHA512
f17b6a1b98bd11c269776b157c6a452d22ef68421e5784ddc49912ddbc25da7ac3d0649e65b78b551907eb5397a10119b6cdc4577893c5d151aafd8365c16e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\RjWoOVK6wo.bat

Filesize
212B

MD5
ff5f91f7baa8acec57db8bf4b68e5b30

SHA1
d86c31cdf70e1b154aae65f85fb8964fede3633f

SHA256
b461be490f04a114db62850b7fc135f40ca52d8e10c8ab69b6f3bd5d274e8272

SHA512
c4041ef5d66049b039f966c653cd42ab61ed14f5711994400eb9942cd9a411b0d1deabb7f4ad0515df2a77f4881bbae4b99a1fdb4d8cb2d508f789c9b964e283

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3A57.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

Filesize
212B

MD5
d6db3209c031a1ecf56e8aa4b864d687

SHA1
0c0151ced59c9b3c927eaf77c6c13901a8c3cb6f

SHA256
c20b481ade64bc5bdfeeb894fddd9e0c36a1a6562b37a09f99fc92ea511195bf

SHA512
253886cd5488c3e79e4bbd56c2f31c46ecf5ed76e1ca1f75645ae4022236b61999a0fe3ff910ceb8be2f1365d52af7b236babb96001150b72089292cc18ea10f

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat

Filesize
212B

MD5
88efe783281d9ab7e9a730582295a67b

SHA1
c65678d67d3cf0534f997410f6757431f2e55a62

SHA256
29523be2ce074d62f539f752b203a2dea112b85e373e7162834d53777d235426

SHA512
3314a67a9b6283d8fa823ba4e4da980713b5775a6faad935afffca6e3de7e8a88b1eb127f7f458fcb72f3babd1c5d70f3beac4841b2b05ce2ff8802e9b394964

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
212B

MD5
a88bb5f16a322c173cae5a17187928c3

SHA1
68a7ea905d829512bc016ee78e4c5d5ea7e1e8d8

SHA256
fa5a8b56824bacf10e083a840db0325768b837ba51d92ebae6155875f6e54366

SHA512
2fffe9e1fb5f6ff855895a4796aef2814543d79a2e003bd69822b57c205188c1fee2b21a31b1e19a13eb995be5c0afe1f51bde7d293e3df91ca7776ad19775ad

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f85c9aa82589acace0b3f566bb7e7133

SHA1
1dadf435b6de4d055f9e67bb7954d10a59e9da13

SHA256
fb272a994637b311e4220511904b4dae52dddc911e5a4c02a353f82e8b5a4795

SHA512
676d48d8b019fef4b310d665dcdf2c1d421a403c890f96b21b47e0973fce217188b39e3fe523ff3433e3b8368b364a6e11f9104a11118a03c10365ea914ed879

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/580-574-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/864-514-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download
memory/900-43-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/900-41-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/1096-275-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download
memory/1676-155-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/1676-154-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/2132-634-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2464-453-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2464-454-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2668-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2668-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2668-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2668-13-0x00000000008A0000-0x00000000009B0000-memory.dmp

Filesize
1.1MB

Download
memory/2668-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2936-215-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/3012-95-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/3012-58-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download