dcrat | 86fdf2f1643ea676b2e88111bcb6d4f77adfbf50f6c9cabef4a0e10878a245ea

Analysis

max time kernel
145s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_86fdf2f1643ea676b2e88111bcb6d4f77adfbf50f6c9cabef4a0e10878a245ea.exe
Size

1.3MB
MD5

94c07c2eeb41401c3bfc93e31673d153
SHA1

6928eb61ac20e4c08ad7208c29de78e34021b1ac
SHA256

86fdf2f1643ea676b2e88111bcb6d4f77adfbf50f6c9cabef4a0e10878a245ea
SHA512

8006afebdac93a5bb4d8c9f6e2bf3364d80c996d0357dee351c5b9a5da5866e1b13fb25e765298fd120cd77b16297c23d935f92adab4993e25664c06f9a801ac
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	392	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1392	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2820	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015694-9.dat	dcrat
behavioral1/memory/2684-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/696-73-0x00000000011F0000-0x0000000001300000-memory.dmp	dcrat
behavioral1/memory/1708-193-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/2240-668-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/2624-728-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1140	powershell.exe
1600	powershell.exe
1336	powershell.exe
2328	powershell.exe
1316	powershell.exe
1440	powershell.exe
1276	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2684	DllCommonsvc.exe
696	Idle.exe
1740	Idle.exe
1708	Idle.exe
1828	Idle.exe
892	Idle.exe
1688	Idle.exe
1744	Idle.exe
2324	Idle.exe
2700	Idle.exe
2072	Idle.exe
2240	Idle.exe
2624	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2904	cmd.exe
2904	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
42	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\DllCommonsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\addins\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\addins\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_86fdf2f1643ea676b2e88111bcb6d4f77adfbf50f6c9cabef4a0e10878a245ea.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3004	schtasks.exe
2312	schtasks.exe
2784	schtasks.exe
392	schtasks.exe
2656	schtasks.exe
2660	schtasks.exe
1668	schtasks.exe
1760	schtasks.exe
2636	schtasks.exe
1392	schtasks.exe
308	schtasks.exe
2992	schtasks.exe
2192	schtasks.exe
2016	schtasks.exe
2320	schtasks.exe
2592	schtasks.exe
1864	schtasks.exe
624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2684	DllCommonsvc.exe
2684	DllCommonsvc.exe
2684	DllCommonsvc.exe
2684	DllCommonsvc.exe
2684	DllCommonsvc.exe
1316	powershell.exe
2328	powershell.exe
1600	powershell.exe
1140	powershell.exe
1440	powershell.exe
1336	powershell.exe
1276	powershell.exe
696	Idle.exe
1740	Idle.exe
1708	Idle.exe
1828	Idle.exe
892	Idle.exe
1688	Idle.exe
1744	Idle.exe
2324	Idle.exe
2700	Idle.exe
2072	Idle.exe
2240	Idle.exe
2624	Idle.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	DllCommonsvc.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1140	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1276	powershell.exe
Token: SeDebugPrivilege	696	Idle.exe
Token: SeDebugPrivilege	1740	Idle.exe
Token: SeDebugPrivilege	1708	Idle.exe
Token: SeDebugPrivilege	1828	Idle.exe
Token: SeDebugPrivilege	892	Idle.exe
Token: SeDebugPrivilege	1688	Idle.exe
Token: SeDebugPrivilege	1744	Idle.exe
Token: SeDebugPrivilege	2324	Idle.exe
Token: SeDebugPrivilege	2700	Idle.exe
Token: SeDebugPrivilege	2072	Idle.exe
Token: SeDebugPrivilege	2240	Idle.exe
Token: SeDebugPrivilege	2624	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3028 wrote to memory of 1192	3028	JaffaCakes118_86fdf2f1643ea676b2e88111bcb6d4f77adfbf50f6c9cabef4a0e10878a245ea.exe	30
PID 3028 wrote to memory of 1192	3028	JaffaCakes118_86fdf2f1643ea676b2e88111bcb6d4f77adfbf50f6c9cabef4a0e10878a245ea.exe	30
PID 3028 wrote to memory of 1192	3028	JaffaCakes118_86fdf2f1643ea676b2e88111bcb6d4f77adfbf50f6c9cabef4a0e10878a245ea.exe	30
PID 3028 wrote to memory of 1192	3028	JaffaCakes118_86fdf2f1643ea676b2e88111bcb6d4f77adfbf50f6c9cabef4a0e10878a245ea.exe	30
PID 1192 wrote to memory of 2904	1192	WScript.exe	31
PID 1192 wrote to memory of 2904	1192	WScript.exe	31
PID 1192 wrote to memory of 2904	1192	WScript.exe	31
PID 1192 wrote to memory of 2904	1192	WScript.exe	31
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2904 wrote to memory of 2684	2904	cmd.exe	33
PID 2684 wrote to memory of 1336	2684	DllCommonsvc.exe	53
PID 2684 wrote to memory of 1336	2684	DllCommonsvc.exe	53
PID 2684 wrote to memory of 1336	2684	DllCommonsvc.exe	53
PID 2684 wrote to memory of 2328	2684	DllCommonsvc.exe	54
PID 2684 wrote to memory of 2328	2684	DllCommonsvc.exe	54
PID 2684 wrote to memory of 2328	2684	DllCommonsvc.exe	54
PID 2684 wrote to memory of 1316	2684	DllCommonsvc.exe	55
PID 2684 wrote to memory of 1316	2684	DllCommonsvc.exe	55
PID 2684 wrote to memory of 1316	2684	DllCommonsvc.exe	55
PID 2684 wrote to memory of 1440	2684	DllCommonsvc.exe	56
PID 2684 wrote to memory of 1440	2684	DllCommonsvc.exe	56
PID 2684 wrote to memory of 1440	2684	DllCommonsvc.exe	56
PID 2684 wrote to memory of 1276	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 1276	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 1276	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 1140	2684	DllCommonsvc.exe	58
PID 2684 wrote to memory of 1140	2684	DllCommonsvc.exe	58
PID 2684 wrote to memory of 1140	2684	DllCommonsvc.exe	58
PID 2684 wrote to memory of 1600	2684	DllCommonsvc.exe	59
PID 2684 wrote to memory of 1600	2684	DllCommonsvc.exe	59
PID 2684 wrote to memory of 1600	2684	DllCommonsvc.exe	59
PID 2684 wrote to memory of 1628	2684	DllCommonsvc.exe	67
PID 2684 wrote to memory of 1628	2684	DllCommonsvc.exe	67
PID 2684 wrote to memory of 1628	2684	DllCommonsvc.exe	67
PID 1628 wrote to memory of 1284	1628	cmd.exe	69
PID 1628 wrote to memory of 1284	1628	cmd.exe	69
PID 1628 wrote to memory of 1284	1628	cmd.exe	69
PID 1628 wrote to memory of 696	1628	cmd.exe	70
PID 1628 wrote to memory of 696	1628	cmd.exe	70
PID 1628 wrote to memory of 696	1628	cmd.exe	70
PID 696 wrote to memory of 2840	696	Idle.exe	71
PID 696 wrote to memory of 2840	696	Idle.exe	71
PID 696 wrote to memory of 2840	696	Idle.exe	71
PID 2840 wrote to memory of 1756	2840	cmd.exe	73
PID 2840 wrote to memory of 1756	2840	cmd.exe	73
PID 2840 wrote to memory of 1756	2840	cmd.exe	73
PID 2840 wrote to memory of 1740	2840	cmd.exe	75
PID 2840 wrote to memory of 1740	2840	cmd.exe	75
PID 2840 wrote to memory of 1740	2840	cmd.exe	75
PID 1740 wrote to memory of 1476	1740	Idle.exe	76
PID 1740 wrote to memory of 1476	1740	Idle.exe	76
PID 1740 wrote to memory of 1476	1740	Idle.exe	76
PID 1476 wrote to memory of 1716	1476	cmd.exe	78
PID 1476 wrote to memory of 1716	1476	cmd.exe	78
PID 1476 wrote to memory of 1716	1476	cmd.exe	78
PID 1476 wrote to memory of 1708	1476	cmd.exe	79
PID 1476 wrote to memory of 1708	1476	cmd.exe	79
PID 1476 wrote to memory of 1708	1476	cmd.exe	79
PID 1708 wrote to memory of 1140	1708	Idle.exe	80
PID 1708 wrote to memory of 1140	1708	Idle.exe	80
PID 1708 wrote to memory of 1140	1708	Idle.exe	80
PID 1140 wrote to memory of 1276	1140	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86fdf2f1643ea676b2e88111bcb6d4f77adfbf50f6c9cabef4a0e10878a245ea.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86fdf2f1643ea676b2e88111bcb6d4f77adfbf50f6c9cabef4a0e10878a245ea.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3028
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1192
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jgzc8Qt4RW.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1628
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1284
      - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1756
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1716
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1276
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
        13⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:3024
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
        15⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2668
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
        17⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2540
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat"
        19⤵
        
        PID:2792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2976
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        21⤵
        
        PID:1804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2904
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
        23⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2352
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        25⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3032
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        27⤵
        
        PID:2648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2400
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
        29⤵
        
        PID:1228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files\VideoLAN\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
654182df4a30e83d9d7c9f3bbbd9bc5a

SHA1
0830aaaa64778f124ffe8098e916520149a8db5d

SHA256
3d0ffbc1b7f53954a127fe515002048c8b93a265984c59157cfab6c4c0044255

SHA512
ef2bdbb99f6f6681596d20ec52fbf27efc231c412d422561501d0b54d18419a1af587b566dec9361636367d80fc27f3fe7d525ba374616c3c7023980b38bad48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
375dcbb1078b029f6aad71df97577be0

SHA1
809d9f24027275bc36a31635cdfa417d2315b753

SHA256
dff7438e689e6dc962a5b1f7ec4c4f5a329b082841c42f9a8fba5963f33872ba

SHA512
fb92228017b7f84d74233d515a0a4e1c0cf215b65992a8a3886d00feefcec77a63312ac5b9e510f8298fcb37f9092b0604a936889ddeb2935b5cb2247ce53be2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53a305424921676c8443826ba936fe05

SHA1
e201186e33de1fc7f153153b3e666a75e884a035

SHA256
48f00f97c8774e0abd5fc74ab7c9241f72d7b08c156df89141a4474329791cc6

SHA512
f3c66921d572237a744174216be3832754f1832dcbfe90b31d5e461b7a19f9d77a52a43fec0cf61a9ca68e86229fe9d3ef08dfe20480fdd7db1dd89f42803b3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d34e0bc8d2090a1540efe862d4df33f

SHA1
bc4504d62f7dc32c6eb59e72ab2df41f27cf3bad

SHA256
244525fe7aa9e97fa967553dbd221dc593d9eb1bc724ec6ae27f6200a371ab7d

SHA512
e62ae714756752de7bcb4fe690b2c7a26c262cba3b7fa3400dc8505f3a7c29d6674282462ca2825bd3c88e51b12b66ed17ab80814b19ec998fd8d9bcaed2a4b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2065296554fcf8f4108c74f28d8aba32

SHA1
0ac0c2faf8aa9778654acbe8c480f42b8782034d

SHA256
b385beb138fc1ce4a96773fadf00ca6ab2393822d62b2c61b28691c04e8ac7ab

SHA512
767ee82f39e93f7ec86f3764b5dfb4e3e954f18bad7f3ba4e09b8a3b9863c309c114a6e83665c4625f9bdbc89beeb1b579a5aa3ade02bdc9afecab9f81fcef1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90e589718c6ed14f9241f1d8e8758b55

SHA1
d14f2615999a9f3e2a8b3dae6291cb291791deed

SHA256
b83c611d86c50fcdf11008065c248cfb7cff0a729bc057a52d4ae57fc6f15c77

SHA512
036e8081f81822327c3a263975cca9ff46d5da163029d9802f9699864fd16c0a8911af074d744a527c0160dc95a4a5523dc7ffdc0335bad2d3e341576b003f7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b69eb033e947bc43f19a59dc562f956

SHA1
dbcee8656a979e59057b013c36cceaa39c2f09b1

SHA256
96f85927f898c7b6ba561506368c09069e38c04c1beeb1ab7ec8c989eb166391

SHA512
875a84cc338b22446063cd3d088eb4c881669a15340ed2c1760aa3984d13214bb081a71b5252d69f8e8ecab23665e126ee0aeba273b048e6201a09aa9f4b5484

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7432ad00deda045df20c2ff14d0865ae

SHA1
4174872f2787682e582e03d248996ebbe41db72a

SHA256
9eaa177edbd52846448c62ecfa5fbf2b616451b900436e8d8431c28e2f4493f9

SHA512
c1da32bba044de29449baced5bb8ee11e388c4dc3d33216596cd19baaf20a0820580f60b1bc15fe9a215cdd81a311e0e20ff2278c60406be45c50cae26363f41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3388ead1172c3fed54e2ec155692b81e

SHA1
d89ae4bb85abe2097fb9ed29d9ab368160d14d27

SHA256
55a6d78039ab3f1a4f7e482017c6b08332e2a01f0b4ca54b68a8309cd20137ac

SHA512
8b14744d63fc12b6d8a45cd478165c1ef13f55928630ad5726af640f9064b9d898a2a95f166c9e97bd14eed450f2963407258098bf78e462de5be388113747f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e1ba5f6603f562454298cba45c7acc5

SHA1
6370999deb82c20e7b5677f6586408d931605763

SHA256
353f9bdb756b618748f63e5c45cb4be9ff7467dfbe13efaa4dd5924519a6552c

SHA512
742ee2d9acb1cd2a866172fbf4190ae72e68eac6125c082edd50a318de5beff967b44113e4472a0f61a3d4056dc9dc187bbd9b430ea7251e6e47510014d97908

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f627dca1db2eac4f5e7cd94315601b4

SHA1
0c7aaeedee9cc32151673126638f017da8d21724

SHA256
455c056ffb0b44b635cb12282947684abe526d438bd29f6a3d459133b746ca78

SHA512
3490296cfec801dd56173422a85e4cdcc7fe93d541634f7618497925a787ed82560aed5becfd3742f4726686f9ce309218d22d295dc17fc17386d7f6c5102708

Download Submit
C:\Users\Admin\AppData\Local\Temp\0MFyH7TMVd.bat

Filesize
236B

MD5
cedb25ec6dc7e700a1b8cca95760b6dd

SHA1
f9cdb8fa4b009e179606d6294bee0ef65ececf8d

SHA256
6de39fe92ea359ee35b7a591b403b6313c4cf81746d0c4fd8c5e4e7bc58f2adc

SHA512
ab18d1c7676cec72d3f5dd0cb92176af9c20210b8f0c78a81674db8b547f372aba28b3a39d86dbbba5b9186d1a5013a807cf1789bf5df85506b28b6750e2b958

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
236B

MD5
746a94878d66b4bce523051ee1fb50e6

SHA1
03684f84591677d0ab6296fa8067ffb6a2f3a90a

SHA256
f6d21044e89bacdf0a7a02d016e54e868218cd934d8d317899c776e3d9df4dcf

SHA512
5d88dff0f56edb78c613fbd5c0e56ee10dbc638e32132c4d8391cd8194f1614bf2a9d2689db48df55a8f97fe9cb27064670eabbc1dbba5236388a1b723c58a19

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
236B

MD5
9fc18969f3866c4fc79ff1326eb67084

SHA1
48530a3a250c35d6b4aef4e50a3fcc16c41970fb

SHA256
68beb598486fcb474f3d06d08e61521a0c6f3d0f85392e42f566d48f7a906baa

SHA512
ee5c8789babe8cb6d166b26f998cf08579231d4afeb0ec45413a59f5fc11babc031b6b871fb2aca2722b711e5c11806b4371234fff6889838179d540ad48a922

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
236B

MD5
1a0ee61f5802a584f60a5853f6bd8d7a

SHA1
a3fab8d13a662b3f3783423db116aac64fcab5ef

SHA256
d51a06e4017cf74bd4c8e1642d0aa46256c074343956f06ba02ab9b8e40a5a50

SHA512
fe9a75ee82d1387178ecf2db9e7920761c18b66279abcc8e7801504f7786b3b1bb15e7e15aedaac4c4893da2d7d3b3f461977ae5a91447ed0b075c585fd8a27d

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCF04.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
236B

MD5
cad9f6d38768c5ebb6b97a57cfeb667e

SHA1
0709b8da2bc5714cbf8ebdf4b200d639d6458c27

SHA256
d46545898c82a9417bb1ba2e8b5f55aca22bed37ea875470b260f6b26e8ccfe6

SHA512
c07deca4c29c7b6bf692dd472a7282c091fff6599121c167b71f55cac45cb8b4b880b8ba9bc30667737a888616c8d1cfb8da40df781a7b8d16a89daf03ff5f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat

Filesize
236B

MD5
b5a5f44f53c8506d8ccdb1a580f3af62

SHA1
0f4253b64a3854b6ec80425120ef96d9fbe9053f

SHA256
20718fddc003f78aaa1d4b6b0f6c034edcb85f95bacbbb57df58cadfe511bdb3

SHA512
8060d2582e01ea510fa47bbbb6867becfa6f1c4cc37ebc2e4f804c8e6ef6fcb2a6d3db0927a9ac32602887215bb5baa6e516ea85f7f1eae9e40010efb8fa9ee8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat

Filesize
236B

MD5
cee4ab716b07e7a5c18850d48456ad87

SHA1
364b84c4c768b7811490f9bffff602833da7c133

SHA256
4626d9cbc0cb085e3ea526c544f01739923d6158e8371722a4738c6f7b26ea41

SHA512
f2c3203fac05829bf2995ca6f53a5842efc63ec2a1ec4c8beb1f5c56dc8899ff62b4b6a020cab74e4dde7f70a20bf43f0785286db22727953768f3b6631f3487

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCF17.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

Filesize
236B

MD5
221043fe54e5d5596f05868c914dedc2

SHA1
f7d537dbb6d25e96ac7bd24fd2599459c3dd3224

SHA256
e58b6f819283131680cfc701d330cafab8a57bc95f0f27a63b19caea88d27ec1

SHA512
b6b572ffefeda400602b1e45307e4fb8ad841a9e655d6300650e39d30529d28acacbeb8541d5dbe2f2b305686c686dfa8212011997a6cf31b2fa2078ccf87f75

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat

Filesize
236B

MD5
5b83319877ac291c71f045f480a043f7

SHA1
c780528d0ccb4991d7a800e17f724325894f5b5c

SHA256
70ccd97f104ff16d75c2a552ba8c1d1d396ff15b24205ac3ef06591b59c13a06

SHA512
a15f2fda105f6238c2364c2a75eff6cc794a257f618d540a3cc28bbbe35e853f38358087b20241ea29bdc1c0d1a3350f24aecbdbc990bfa0f4507541519c5ac2

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgzc8Qt4RW.bat

Filesize
236B

MD5
2ea3e1021482d0b1b8762c7fc10c92de

SHA1
3e546a3260e3fd67eca8f3d950e54601799f2b03

SHA256
ad6cfdfc3431d0f034786bf30e6342d4731b06a152f4c60480f5ecca149f4d73

SHA512
f818b55d627aef67dbc8de02a5993d7ccccf2cd57f40ac8de266c886ea235c8e1624845c343a0816cab93f1a9a81e5b9d551d41b70ec12c666020f0fc5abb268

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

Filesize
236B

MD5
b1b9beb439f086ce3bb7f378acddc500

SHA1
2b94bbb5072b6dc96c7918e9cef32484f0a73d0c

SHA256
50f56c1a9ff25d3dc71fbcb3eb22e7e218b98a07be29917844925b5298c452aa

SHA512
3101e798bfaf33a8e20eed963ffe08fac05f78fbf242de2173721a90faff8c7b2aa2919cb2e46239cb90fdafbe9816532471cf88cefa428559a3a6f0cabc9ce8

Download Submit
C:\Users\Admin\AppData\Local\Temp\l4DYpxlgJN.bat

Filesize
236B

MD5
834c090e4181c0617721024154c8eae0

SHA1
98ebfadd81031a133dab3f59a1c6350e94f18de9

SHA256
4feb4a8ed7293c8dea9d54d82b67f45d6f94b479af115d78fb204d07e2aeecbf

SHA512
163bf000a566073eb472344f5183d70967e878d2aca029a678a7d86c2de899368878e3b4d9d042f81fcbfa8fbc43a3503afbce3bc9ff4463f96a375ab2977067

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

Filesize
236B

MD5
ab5427e935c4d2649eaa5019faac1bbf

SHA1
b7788c967810f422bdf1c1fa51ebdf2ac5a2a047

SHA256
0e4a6f1ca3d6356667cbd6581ade260c1b2e9daa4766122194234537ba05dd17

SHA512
b950bc58990b295b943b9364d39296959098ad73f2312ee15aa880974b51259ed787c2d2d30edcb5649fb64b11cca9e74b8ea9bf6cb8f4874770c590060d06aa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
10f593d53b0e636e31d123608f2e9085

SHA1
a2ba15244a29d3292ff60eb13c50f19a34a76430

SHA256
965bc4c37bf79bd9f7825e35d53b33ef1fb60fc52f8a5cb023ff77a3f5e7b0f2

SHA512
e2d8c11a42f33adb24722e9b9e6b13a425b993497b592aeae5b9a3cb8eaa3cf49cfb9748de0e63401227b63e6e097549b77251534b29ac121626e5ccb5df5b8e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/696-74-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/696-73-0x00000000011F0000-0x0000000001300000-memory.dmp

Filesize
1.1MB

Download
memory/1316-54-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download
memory/1708-193-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/1740-133-0x0000000000BC0000-0x0000000000BD2000-memory.dmp

Filesize
72KB

Download
memory/2240-668-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2324-489-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2328-53-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/2624-728-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2684-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2684-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2684-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2684-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2684-13-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/2700-549-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download