dcrat | ff184108bfb04dc1035981617c78783cbf69ece2019921a8937b1dc5dacba086

Analysis

max time kernel
149s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ff184108bfb04dc1035981617c78783cbf69ece2019921a8937b1dc5dacba086.exe
Size

1.3MB
MD5

48152ebb75ca491215e167543c0f3f4d
SHA1

1052db0bbde734c7544d1b8b60031a102bb269d1
SHA256

ff184108bfb04dc1035981617c78783cbf69ece2019921a8937b1dc5dacba086
SHA512

c17b766d9bc0285b810001fa77f5be66db4957334cc990724f2dd8a9a50ea34db088e5c4ad24d32d16823adcd614b9b607ef929dba1d33981e5a7479e59ce1fd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	1700	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	1700	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001932a-9.dat	dcrat
behavioral1/memory/2756-13-0x0000000000D80000-0x0000000000E90000-memory.dmp	dcrat
behavioral1/memory/2080-99-0x0000000000C80000-0x0000000000D90000-memory.dmp	dcrat
behavioral1/memory/1704-217-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/880-277-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/2244-455-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/1584-515-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2096	powershell.exe
1872	powershell.exe
1264	powershell.exe
1088	powershell.exe
2648	powershell.exe
1540	powershell.exe
1156	powershell.exe
1492	powershell.exe
960	powershell.exe
856	powershell.exe
904	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2756	DllCommonsvc.exe
2080	dwm.exe
1984	dwm.exe
1704	dwm.exe
880	dwm.exe
2908	dwm.exe
2776	dwm.exe
2244	dwm.exe
1584	dwm.exe
1032	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
3036	cmd.exe
3036	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
27	raw.githubusercontent.com
9	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows NT\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QHEADLES\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ff184108bfb04dc1035981617c78783cbf69ece2019921a8937b1dc5dacba086.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2448	schtasks.exe
1056	schtasks.exe
396	schtasks.exe
2972	schtasks.exe
2372	schtasks.exe
748	schtasks.exe
2504	schtasks.exe
1800	schtasks.exe
2300	schtasks.exe
1760	schtasks.exe
600	schtasks.exe
264	schtasks.exe
2384	schtasks.exe
2348	schtasks.exe
1784	schtasks.exe
1992	schtasks.exe
2280	schtasks.exe
2428	schtasks.exe
3056	schtasks.exe
3048	schtasks.exe
2016	schtasks.exe
2320	schtasks.exe
2516	schtasks.exe
1104	schtasks.exe
1376	schtasks.exe
2368	schtasks.exe
2400	schtasks.exe
568	schtasks.exe
2116	schtasks.exe
2284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2648	powershell.exe
904	powershell.exe
1264	powershell.exe
2096	powershell.exe
1492	powershell.exe
856	powershell.exe
1088	powershell.exe
1540	powershell.exe
960	powershell.exe
1156	powershell.exe
1872	powershell.exe
2080	dwm.exe
1984	dwm.exe
1704	dwm.exe
880	dwm.exe
2908	dwm.exe
2776	dwm.exe
2244	dwm.exe
1584	dwm.exe
1032	dwm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	DllCommonsvc.exe
Token: SeDebugPrivilege	2648	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2080	dwm.exe
Token: SeDebugPrivilege	1984	dwm.exe
Token: SeDebugPrivilege	1704	dwm.exe
Token: SeDebugPrivilege	880	dwm.exe
Token: SeDebugPrivilege	2908	dwm.exe
Token: SeDebugPrivilege	2776	dwm.exe
Token: SeDebugPrivilege	2244	dwm.exe
Token: SeDebugPrivilege	1584	dwm.exe
Token: SeDebugPrivilege	1032	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2880 wrote to memory of 2224	2880	JaffaCakes118_ff184108bfb04dc1035981617c78783cbf69ece2019921a8937b1dc5dacba086.exe	30
PID 2880 wrote to memory of 2224	2880	JaffaCakes118_ff184108bfb04dc1035981617c78783cbf69ece2019921a8937b1dc5dacba086.exe	30
PID 2880 wrote to memory of 2224	2880	JaffaCakes118_ff184108bfb04dc1035981617c78783cbf69ece2019921a8937b1dc5dacba086.exe	30
PID 2880 wrote to memory of 2224	2880	JaffaCakes118_ff184108bfb04dc1035981617c78783cbf69ece2019921a8937b1dc5dacba086.exe	30
PID 2224 wrote to memory of 3036	2224	WScript.exe	31
PID 2224 wrote to memory of 3036	2224	WScript.exe	31
PID 2224 wrote to memory of 3036	2224	WScript.exe	31
PID 2224 wrote to memory of 3036	2224	WScript.exe	31
PID 3036 wrote to memory of 2756	3036	cmd.exe	33
PID 3036 wrote to memory of 2756	3036	cmd.exe	33
PID 3036 wrote to memory of 2756	3036	cmd.exe	33
PID 3036 wrote to memory of 2756	3036	cmd.exe	33
PID 2756 wrote to memory of 2096	2756	DllCommonsvc.exe	65
PID 2756 wrote to memory of 2096	2756	DllCommonsvc.exe	65
PID 2756 wrote to memory of 2096	2756	DllCommonsvc.exe	65
PID 2756 wrote to memory of 904	2756	DllCommonsvc.exe	66
PID 2756 wrote to memory of 904	2756	DllCommonsvc.exe	66
PID 2756 wrote to memory of 904	2756	DllCommonsvc.exe	66
PID 2756 wrote to memory of 856	2756	DllCommonsvc.exe	67
PID 2756 wrote to memory of 856	2756	DllCommonsvc.exe	67
PID 2756 wrote to memory of 856	2756	DllCommonsvc.exe	67
PID 2756 wrote to memory of 960	2756	DllCommonsvc.exe	68
PID 2756 wrote to memory of 960	2756	DllCommonsvc.exe	68
PID 2756 wrote to memory of 960	2756	DllCommonsvc.exe	68
PID 2756 wrote to memory of 1540	2756	DllCommonsvc.exe	69
PID 2756 wrote to memory of 1540	2756	DllCommonsvc.exe	69
PID 2756 wrote to memory of 1540	2756	DllCommonsvc.exe	69
PID 2756 wrote to memory of 2648	2756	DllCommonsvc.exe	70
PID 2756 wrote to memory of 2648	2756	DllCommonsvc.exe	70
PID 2756 wrote to memory of 2648	2756	DllCommonsvc.exe	70
PID 2756 wrote to memory of 1088	2756	DllCommonsvc.exe	71
PID 2756 wrote to memory of 1088	2756	DllCommonsvc.exe	71
PID 2756 wrote to memory of 1088	2756	DllCommonsvc.exe	71
PID 2756 wrote to memory of 1492	2756	DllCommonsvc.exe	74
PID 2756 wrote to memory of 1492	2756	DllCommonsvc.exe	74
PID 2756 wrote to memory of 1492	2756	DllCommonsvc.exe	74
PID 2756 wrote to memory of 1872	2756	DllCommonsvc.exe	75
PID 2756 wrote to memory of 1872	2756	DllCommonsvc.exe	75
PID 2756 wrote to memory of 1872	2756	DllCommonsvc.exe	75
PID 2756 wrote to memory of 1264	2756	DllCommonsvc.exe	79
PID 2756 wrote to memory of 1264	2756	DllCommonsvc.exe	79
PID 2756 wrote to memory of 1264	2756	DllCommonsvc.exe	79
PID 2756 wrote to memory of 1156	2756	DllCommonsvc.exe	80
PID 2756 wrote to memory of 1156	2756	DllCommonsvc.exe	80
PID 2756 wrote to memory of 1156	2756	DllCommonsvc.exe	80
PID 2756 wrote to memory of 1636	2756	DllCommonsvc.exe	87
PID 2756 wrote to memory of 1636	2756	DllCommonsvc.exe	87
PID 2756 wrote to memory of 1636	2756	DllCommonsvc.exe	87
PID 1636 wrote to memory of 288	1636	cmd.exe	89
PID 1636 wrote to memory of 288	1636	cmd.exe	89
PID 1636 wrote to memory of 288	1636	cmd.exe	89
PID 1636 wrote to memory of 2080	1636	cmd.exe	90
PID 1636 wrote to memory of 2080	1636	cmd.exe	90
PID 1636 wrote to memory of 2080	1636	cmd.exe	90
PID 2080 wrote to memory of 1956	2080	dwm.exe	91
PID 2080 wrote to memory of 1956	2080	dwm.exe	91
PID 2080 wrote to memory of 1956	2080	dwm.exe	91
PID 1956 wrote to memory of 2908	1956	cmd.exe	93
PID 1956 wrote to memory of 2908	1956	cmd.exe	93
PID 1956 wrote to memory of 2908	1956	cmd.exe	93
PID 1956 wrote to memory of 1984	1956	cmd.exe	94
PID 1956 wrote to memory of 1984	1956	cmd.exe	94
PID 1956 wrote to memory of 1984	1956	cmd.exe	94
PID 1984 wrote to memory of 2536	1984	dwm.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff184108bfb04dc1035981617c78783cbf69ece2019921a8937b1dc5dacba086.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ff184108bfb04dc1035981617c78783cbf69ece2019921a8937b1dc5dacba086.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2880
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3036
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i5fErgF3Yy.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:288
      - C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2908
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
        9⤵
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2152
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        11⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1712
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
        13⤵
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2080
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat"
        15⤵
        
        PID:1316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2840
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        17⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1656
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat"
        19⤵
        
        PID:2320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2548
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
        21⤵
        
        PID:1328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1256
        
        C:\providercommon\dwm.exe
        
        "C:\providercommon\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
        23⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows NT\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows NT\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QHEADLES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db4f68f9d834679b7b8d0e2b62e49da0

SHA1
c21dc62b3e169b5dd69ef3c25717791fc325b2e0

SHA256
424d9fda502587625c92666a77be7b995cbcf861f7bcf0c01e569236bc022734

SHA512
7bc4a0f33778941372c9769825bc0e776e2e69d3d38cc2f0ee5e66512d9b7185921a0cdec510b7eb348073d5db10cb65121d1174b97bfd97cde939490b86ba28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a135af80ce50a7713636a31c9b3a55e9

SHA1
cdeabb6c516ed8ce620fbc67244e0f4d29c058d6

SHA256
74740de9bdfd31681837d57e0c1fa2547e2ae2263ce531c0e480aa15c5975f14

SHA512
6cf9868368da044ec0bad6d8e95bfbcb0906c47ad538819da3ea58190e70f498593988ff7880ab46f638162da1492b913ac5bfd45596dfd185c417e300962deb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75763c9a4406a0651821466e8bcd6ec3

SHA1
f39070a5ff6e496a732f19bc38cd37c6772321cc

SHA256
6c457fec29ffa9432b32dea4148110a752113fc4946ad8b7e1e9109b4529fb07

SHA512
0d61d57d9edf94ed2e3288f29cbf2ce807deabef6ab00e59ec28ed6e4e58f8e90bfc840822e9c1703c5fe23f9971b5f5aecbe78d5cf9a2c4418ca6304a8ce95b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35b0d9bb069ac96fa38ff7fd9121756d

SHA1
8c635d7d14e380f1e4b2ae2bfe04b6d373012b07

SHA256
974053e3cf0aeec0064d9b3b23fa5086e97352ddc8f6e766b27faad6f3bf6639

SHA512
f397a80d40d1676b7d4977c38e6505c78662116a71147401761d617f57cdec491e43b90d6bf3efd25db7281eae52266eac82b0b6223417fda16e92e23ad5374b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
427038f94847dabebb992a91a991ab6a

SHA1
694864b832810ea303459762eb073c218491123b

SHA256
ad93308571db4738ac52513457d3e67c5e94b5259bf0f0956161bb33f5ba7c73

SHA512
715eed84cc790ed67042659ea8945dfa21c4bb7455105629595df6a4fc7090728a224b3225dc918719c41e38350e2b79d9a43f834d8e1dedca76a04ebee0f63e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9129a6c59d09d2437fdc30de96d4ad76

SHA1
6e3cc9f63a649a03d648d094a86678a125136de8

SHA256
0879d81c1953c3f68489514427b5bcb122c40684d32d3c9d84e616770a27fdc5

SHA512
201d9319684efb8f5a6c2a44b6ce12eecfcd1106c1f2abc264a7e39d9fee389e21f6f56efe902c444c0182d11eb8eb1e136a775abe84bc4d14aeca435c058212

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7661474e05c341ffa9a0f3c8efffe94

SHA1
888409fc35bd3e70b40dc868ed05085c8de0e165

SHA256
4673be755b1622570eaf36ad87aea5d5181fdd0b12638e4c53287c89a161e3ad

SHA512
407c46bd8af1ea79f602a92162cbfc50606c1eb95777061aaa1c459b9af468787918a1c64c2b19b649d60fe79e835f609e6182aa56968df538d4b735b02373e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fc299141583ce1fc92af79de86c4514

SHA1
002ad0fc1c6cdf05c485121473ee454735952647

SHA256
1b2a3911a311bff01c93c00200cef529316bbd0aa5eef73917f1280d3a4ec682

SHA512
2d59b667670fb4abc97abcea6a3c1be1c5c9b54a8fa45181812c348e6570a419017fce92fa8da8d9d9295f0204d0345069b6aa42c3487d724f85e96fd673740e

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat

Filesize
190B

MD5
400378c1ff3def84b658d08b765f6d58

SHA1
4867e8a3a411fb2c6d1ea0cfb5aee628f2aae2f0

SHA256
5258dc7ea1960e3ffc8d3a18fab1b94a1dc350bdf6594a864e4110cd7fcf2739

SHA512
93bd20f3e7c5b0f61e49f30a231da89e5eaca77e414a660cae48a5cf26a90896d6eada1a1ac3a0a62245419d23ff58a56219aa7b07e20855a7d7b708b87f9b67

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
190B

MD5
f1fc8fa6bbedef579c4c42173f95e087

SHA1
28fdfc749372de16fb058edb6c02ca9820b4bbe5

SHA256
38f1034f8162735339f456f010210bb284c4a1768f2d69854d94bee45bc7ef82

SHA512
ad14617bc14f7c497eb36206702f744c67caab39526bc8cd6b3c34ded8c7c8cba81cdd23175eee7b7ba6f3d15543465589c7d71a90f5e73171d037cac58bd7cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
190B

MD5
17abc7df13d23e7142a77648299c0052

SHA1
2dbda6196c544ea0aa71943a23a5b5dce19adfcc

SHA256
12bf2c31f7d0ddfedb3a1517953a90f9dc4ebbe99e27f946f8baea531dfaea7b

SHA512
03ef5fc408c29916f024d2cc2095d6610572a5b683d130b7a395ebcc3782eb494c2415f6aca17dece316676a1d916576e657781df6fd574dbe47f9789fe02792

Download Submit
C:\Users\Admin\AppData\Local\Temp\B4BP5ZSgoJ.bat

Filesize
190B

MD5
0198e73a447d0764656f838aa2fc27e5

SHA1
52af4cfa5988cb8b7c86c19003702cbb5b359b24

SHA256
3634685452f81e671fa7013ec83ae0baed7788447d74a69e57eb5fb736b4daed

SHA512
f02a9b7e1e6c1aecfd856d36b737d7d0c0d2fc967e54edfe70e426a66dee1053f7d8b31008d76f9178335b073d9e79bc8574bfecdfad214f4fbb609c7273991a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC1AC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

Filesize
190B

MD5
1b82b5be27a6c65a6a1e14a0bfb97167

SHA1
3ca027f5954858994f83e966dd9357a01230d688

SHA256
4c9e1d99ccc735d8ce55ad8cbd30ba43e9b9165d5c3bd42e708dd3e535f4c824

SHA512
dd4959a2809cf1db9e6bf43e556bab306bb1b5af88957377c76c2433182282b2235d68a572f82cbbfccc3bf57ec5b3867ceca70aff33f82c2793005e9d001e5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC27A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIQ15LoDrx.bat

Filesize
190B

MD5
68ee52837532a88d13d864876c9e81d4

SHA1
30f1c82bdd86a2446079d17b114257c24010716b

SHA256
757367edca5103efbd0f84f4469578a1f1acc686432bf49df1ac4431a7f64415

SHA512
7a327eecbb20ab4eb31253c524b14151b36f7ed52b85b19e881253f3ec7ee3d30e93447e26c70da146cde3353955c2140a246d87b19be58fabc6ec6817a67eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat

Filesize
190B

MD5
e6677a6fc3917c403f4921c6471743e8

SHA1
0de79e64b3a02618845f9abdad8af5b77697f896

SHA256
a7aeb0b5783c63e749f4a258244d190f76f7af8e120650c9b1d868540f0ff27c

SHA512
fc634b279ddb232c6ab533486aa8c5ecd86323669cfe87909a8f3c8f069bddf974dcd626c5e1f348a5588eeaefb255e70af29ad745e98ac2db043df43fb7bbd1

Download Submit
C:\Users\Admin\AppData\Local\Temp\i5fErgF3Yy.bat

Filesize
190B

MD5
c073898f1c49160564822dda0041ab7c

SHA1
b1a7a5e8416302d425d43e01bfa353d2d5e9d6df

SHA256
876c8e43fe9f89136b8d5dfda507a21bad90787153d88c9ddc9742e209d6fa06

SHA512
671dfdda10ebb0358eca7d6026576075f26b6ec8eceb55dbe3d450f3320109b382a40148bc1d1a12d2b2fc75a0d3ba9981c6596f52634a9954afa52d8c34e18d

Download Submit
C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat

Filesize
190B

MD5
9553bb2632bd6eb4516c903d7a49caa8

SHA1
ebdd75f7021828b9a4644cca5ff1a44867008317

SHA256
b0981f8ac0f0e237dc09b1c5addda9c4e6c2ac8eb6e6e603f96685eb2d17c239

SHA512
23ec4141f952f5bc9dcf05aabd21b61d35dbdd06bbae6ebcba41234dbc95b6a01a0f6d08ae82628c57481f4bd4b3ad4b167058c6f94d4fbbe13839af03cf1674

Download Submit
C:\Users\Admin\AppData\Local\Temp\s1KW4B7p45.bat

Filesize
190B

MD5
3e3304b92af8efb6a3474480f4564d6b

SHA1
760a740599b78405e187454ff7036cfc9e272c51

SHA256
76ee94ec531bf6323e01f243e86dac01860e5af5409037537a1f44b352955d98

SHA512
ca651c504d4f71c8dcb2c8224a44062a2b3c0d8ad770bdaa41ec2a87c98e30f999c90da4ef3b941d9a34f18145ccfbad3ad5c14c4c0aa10cf04145aa29f77f5e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
724434b314c6e6d15a5839e6c31aa06b

SHA1
5ae06449d0c0fed1c86451dba8696e8a281d3cab

SHA256
0f1bfa974eb7f71790366fa3a43992ac5b015bd9e810342cc4dbc5728365f0e1

SHA512
058da3225656a421d6211d57c1cadc9d436760edf23075051afa67db188310f68fe81cb4cfe631779ee9df520c709d524ac815af398fbc8c16385473a4d8c1b3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/880-277-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/1032-575-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/1584-515-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/1704-217-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2080-99-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/2244-455-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2648-81-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2648-60-0x000000001B1F0000-0x000000001B4D2000-memory.dmp

Filesize
2.9MB

Download
memory/2756-17-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2756-13-0x0000000000D80000-0x0000000000E90000-memory.dmp

Filesize
1.1MB

Download
memory/2756-14-0x0000000000380000-0x0000000000392000-memory.dmp

Filesize
72KB

Download
memory/2756-15-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/2756-16-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download