dcrat | 11bc031ef02112d7f31e235603d71ee50da8013b5eaa71b27668b03f59a3be09

Analysis

max time kernel
142s
max time network
137s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_11bc031ef02112d7f31e235603d71ee50da8013b5eaa71b27668b03f59a3be09.exe
Size

1.3MB
MD5

739b0048f0e02f3331763bbbdb4c74ce
SHA1

8c895d15ad4649db52d346d1f62e3537250a6e24
SHA256

11bc031ef02112d7f31e235603d71ee50da8013b5eaa71b27668b03f59a3be09
SHA512

2c2075cb9dec82f2d0d0549ea199ee0a530abcfde81fe7749b6a91b206cfd7ab99afd30145f284be0cd8424227dd5330d4e8717f3d613b99e77dcda2dfa54353
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2408	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2408	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d1f-9.dat	dcrat
behavioral1/memory/2696-13-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2516-101-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/692-160-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/536-220-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/3024-280-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/1824-340-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2912-400-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/2760-520-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/1892-581-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/2792-641-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1452	powershell.exe
1292	powershell.exe
704	powershell.exe
2412	powershell.exe
376	powershell.exe
2260	powershell.exe
2772	powershell.exe
1564	powershell.exe
1232	powershell.exe
1252	powershell.exe
1096	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2696	DllCommonsvc.exe
2516	conhost.exe
692	conhost.exe
536	conhost.exe
3024	conhost.exe
1824	conhost.exe
2912	conhost.exe
1680	conhost.exe
2760	conhost.exe
1892	conhost.exe
2792	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2964	cmd.exe
2964	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
31	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_11bc031ef02112d7f31e235603d71ee50da8013b5eaa71b27668b03f59a3be09.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2868	schtasks.exe
2280	schtasks.exe
1124	schtasks.exe
796	schtasks.exe
1924	schtasks.exe
1384	schtasks.exe
2296	schtasks.exe
580	schtasks.exe
2976	schtasks.exe
2264	schtasks.exe
2848	schtasks.exe
1624	schtasks.exe
2480	schtasks.exe
536	schtasks.exe
1660	schtasks.exe
564	schtasks.exe
2428	schtasks.exe
2952	schtasks.exe
2920	schtasks.exe
2164	schtasks.exe
2520	schtasks.exe
1820	schtasks.exe
2140	schtasks.exe
2676	schtasks.exe
2896	schtasks.exe
3060	schtasks.exe
2384	schtasks.exe
2132	schtasks.exe
1532	schtasks.exe
608	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2696	DllCommonsvc.exe
2696	DllCommonsvc.exe
2696	DllCommonsvc.exe
2696	DllCommonsvc.exe
2696	DllCommonsvc.exe
376	powershell.exe
704	powershell.exe
1096	powershell.exe
2412	powershell.exe
2772	powershell.exe
1564	powershell.exe
1232	powershell.exe
1292	powershell.exe
1252	powershell.exe
2260	powershell.exe
1452	powershell.exe
2516	conhost.exe
692	conhost.exe
536	conhost.exe
3024	conhost.exe
1824	conhost.exe
2912	conhost.exe
1680	conhost.exe
2760	conhost.exe
1892	conhost.exe
2792	conhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2696	DllCommonsvc.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	704	powershell.exe
Token: SeDebugPrivilege	1096	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	1252	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	2516	conhost.exe
Token: SeDebugPrivilege	692	conhost.exe
Token: SeDebugPrivilege	536	conhost.exe
Token: SeDebugPrivilege	3024	conhost.exe
Token: SeDebugPrivilege	1824	conhost.exe
Token: SeDebugPrivilege	2912	conhost.exe
Token: SeDebugPrivilege	1680	conhost.exe
Token: SeDebugPrivilege	2760	conhost.exe
Token: SeDebugPrivilege	1892	conhost.exe
Token: SeDebugPrivilege	2792	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2732	2764	JaffaCakes118_11bc031ef02112d7f31e235603d71ee50da8013b5eaa71b27668b03f59a3be09.exe	30
PID 2764 wrote to memory of 2732	2764	JaffaCakes118_11bc031ef02112d7f31e235603d71ee50da8013b5eaa71b27668b03f59a3be09.exe	30
PID 2764 wrote to memory of 2732	2764	JaffaCakes118_11bc031ef02112d7f31e235603d71ee50da8013b5eaa71b27668b03f59a3be09.exe	30
PID 2764 wrote to memory of 2732	2764	JaffaCakes118_11bc031ef02112d7f31e235603d71ee50da8013b5eaa71b27668b03f59a3be09.exe	30
PID 2732 wrote to memory of 2964	2732	WScript.exe	31
PID 2732 wrote to memory of 2964	2732	WScript.exe	31
PID 2732 wrote to memory of 2964	2732	WScript.exe	31
PID 2732 wrote to memory of 2964	2732	WScript.exe	31
PID 2964 wrote to memory of 2696	2964	cmd.exe	33
PID 2964 wrote to memory of 2696	2964	cmd.exe	33
PID 2964 wrote to memory of 2696	2964	cmd.exe	33
PID 2964 wrote to memory of 2696	2964	cmd.exe	33
PID 2696 wrote to memory of 1096	2696	DllCommonsvc.exe	65
PID 2696 wrote to memory of 1096	2696	DllCommonsvc.exe	65
PID 2696 wrote to memory of 1096	2696	DllCommonsvc.exe	65
PID 2696 wrote to memory of 376	2696	DllCommonsvc.exe	66
PID 2696 wrote to memory of 376	2696	DllCommonsvc.exe	66
PID 2696 wrote to memory of 376	2696	DllCommonsvc.exe	66
PID 2696 wrote to memory of 2412	2696	DllCommonsvc.exe	67
PID 2696 wrote to memory of 2412	2696	DllCommonsvc.exe	67
PID 2696 wrote to memory of 2412	2696	DllCommonsvc.exe	67
PID 2696 wrote to memory of 2260	2696	DllCommonsvc.exe	69
PID 2696 wrote to memory of 2260	2696	DllCommonsvc.exe	69
PID 2696 wrote to memory of 2260	2696	DllCommonsvc.exe	69
PID 2696 wrote to memory of 1252	2696	DllCommonsvc.exe	71
PID 2696 wrote to memory of 1252	2696	DllCommonsvc.exe	71
PID 2696 wrote to memory of 1252	2696	DllCommonsvc.exe	71
PID 2696 wrote to memory of 704	2696	DllCommonsvc.exe	72
PID 2696 wrote to memory of 704	2696	DllCommonsvc.exe	72
PID 2696 wrote to memory of 704	2696	DllCommonsvc.exe	72
PID 2696 wrote to memory of 1232	2696	DllCommonsvc.exe	73
PID 2696 wrote to memory of 1232	2696	DllCommonsvc.exe	73
PID 2696 wrote to memory of 1232	2696	DllCommonsvc.exe	73
PID 2696 wrote to memory of 1292	2696	DllCommonsvc.exe	74
PID 2696 wrote to memory of 1292	2696	DllCommonsvc.exe	74
PID 2696 wrote to memory of 1292	2696	DllCommonsvc.exe	74
PID 2696 wrote to memory of 1564	2696	DllCommonsvc.exe	75
PID 2696 wrote to memory of 1564	2696	DllCommonsvc.exe	75
PID 2696 wrote to memory of 1564	2696	DllCommonsvc.exe	75
PID 2696 wrote to memory of 1452	2696	DllCommonsvc.exe	76
PID 2696 wrote to memory of 1452	2696	DllCommonsvc.exe	76
PID 2696 wrote to memory of 1452	2696	DllCommonsvc.exe	76
PID 2696 wrote to memory of 2772	2696	DllCommonsvc.exe	77
PID 2696 wrote to memory of 2772	2696	DllCommonsvc.exe	77
PID 2696 wrote to memory of 2772	2696	DllCommonsvc.exe	77
PID 2696 wrote to memory of 2024	2696	DllCommonsvc.exe	87
PID 2696 wrote to memory of 2024	2696	DllCommonsvc.exe	87
PID 2696 wrote to memory of 2024	2696	DllCommonsvc.exe	87
PID 2024 wrote to memory of 2040	2024	cmd.exe	89
PID 2024 wrote to memory of 2040	2024	cmd.exe	89
PID 2024 wrote to memory of 2040	2024	cmd.exe	89
PID 2024 wrote to memory of 2516	2024	cmd.exe	90
PID 2024 wrote to memory of 2516	2024	cmd.exe	90
PID 2024 wrote to memory of 2516	2024	cmd.exe	90
PID 2516 wrote to memory of 2840	2516	conhost.exe	92
PID 2516 wrote to memory of 2840	2516	conhost.exe	92
PID 2516 wrote to memory of 2840	2516	conhost.exe	92
PID 2840 wrote to memory of 2628	2840	cmd.exe	94
PID 2840 wrote to memory of 2628	2840	cmd.exe	94
PID 2840 wrote to memory of 2628	2840	cmd.exe	94
PID 2840 wrote to memory of 692	2840	cmd.exe	95
PID 2840 wrote to memory of 692	2840	cmd.exe	95
PID 2840 wrote to memory of 692	2840	cmd.exe	95
PID 692 wrote to memory of 856	692	conhost.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11bc031ef02112d7f31e235603d71ee50da8013b5eaa71b27668b03f59a3be09.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11bc031ef02112d7f31e235603d71ee50da8013b5eaa71b27668b03f59a3be09.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2964
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hV9XkVmZkx.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2024
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2040
      - C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2628
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"
        9⤵
        
        PID:856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2704
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        11⤵
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1700
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        13⤵
        
        PID:968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2572
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
        15⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1548
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        17⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2260
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
        19⤵
        
        PID:2448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1540
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
        21⤵
        
        PID:2872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2460
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat"
        23⤵
        
        PID:624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2372
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Templates\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Pictures\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f882de2a4e846d92674f20e4efb3c0b

SHA1
1bae60225ff5eed04e01e72f2af3c1847ae662e9

SHA256
8dc2ee54ef8fe2e7055019d8a75a4b4c560929caa967adb5df0272e92cfbed5c

SHA512
997ceecc68dbe434574d36a2d7723837cc2278fe2a02aad1f28df3a9f662ef9b843bc63fc9cd13557f011ea603568607ff72723ddbad790aab028dbd7a47eb48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b1af4958427493bc5c293afec913b86

SHA1
a116d8440f10600fadebd3bf4c328d3a289ed646

SHA256
7edc87e6dd5035902a093023c7b4edd447bc01311f5b28c374365e3fbe14051e

SHA512
4167d9945e90b36ef43297ea46501e5746908b9f87a149b4e43c021f126791961385f4bd9f56d1c27ad745ee56488ead897b84a77efcc776dbf1514b71f273cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfc9f93d6c668c313f47463059bc21fb

SHA1
11fc8f5180468f857737efd61977e40a4b0d2449

SHA256
88b6a3686d225d111817e0efb4488a3a1669509e1914c57dfea73a4f4e1968b9

SHA512
c0aef7dae88067c49c6098434f2b64440b5cde792959123c9553919f123bd29a4bf6f90df4a1b5dca838eb5441fb5018608867ad3c5a22f3bdbd2556d07960a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60ab71d8713c0c752a35a7a00156c841

SHA1
e612f73dad83f83f4312fac7290cffcd703a2230

SHA256
02581d1420066f0a8a84ed7d5b80bd7bff1b1a7bf629518cf0531066e58db94d

SHA512
03658d3db1f458aabaf064304dd5827832673186d89e255803e45cf6e60686af5a2e025491b85aba22b98ecc600a7563bbbe6a4c222f9292237ce42e8aa9480c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f88ce7560c5b799b00576c16fbe6bbfc

SHA1
3602c3cfe7fba9a28cfa6b10e320079ba4324f8f

SHA256
3e960210c72aa6e82a87e8df7a94e80816a7a04f8efc6550cd010ffe812377e8

SHA512
5a1f981cf3a7ed4fea50fe6901e89f5ff0cdf9a69a23ae636296bfa33ab0899b728609ef61009c45c56bcaa5b43598c2dfcbf09ab720fffb6bf8cde140188e3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bed8f850a5d6e03579fed63f1c3e5a8e

SHA1
b1c5cf6c594d6cfa364fa5da1e3de0dbc0748a4c

SHA256
fd68afcd8d7da5d5f7d9b4ffc4994ae000d91b994065ecd216c541c2230b3e8e

SHA512
2d57ce7714f926fae7bd89bf411c929ae529ac460931e1ccfb43e94f739a998fee5a9fda52e1ce379fbc300a7dadc3f10d642bf88c8f1cd55998d6f0d0a4cc6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09787c6c0ff14703f26ce6e685fb4c14

SHA1
78778bf6bc808901753b2533e738ead5a15489f4

SHA256
60164363067c245a8f505a414586e59646db4784ef31f65c272c6052aa6a968a

SHA512
bdec9f49c69bebc09e4ab13b6fd2729e4c575933306a44b7246cc77e77db952b60a97832be9b6fbdd5806c9dff61ecdfad439cdb8fbcfd39c9eaffbb7bb46453

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
773ab0dad4efa6916dbbbbbb50ff6010

SHA1
931d15ffa792f2c4d4ea0e8a1a422072eb5a6785

SHA256
8129fd43c103bd78ea2a487807ca0e4c66fc54ef9923c1a811bf336f2352aaaa

SHA512
80b4387defc57e65774f3b8f40f877c498ede763073504db16ff469ab4e06581cce3866d1ef9a45bd4609501e782606a7eab9d1d2d99dd417aa652de52bd20b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat

Filesize
194B

MD5
357f5922b532d6754a5e22631f7747de

SHA1
6631ed2c855457d274aaf023b9f516f89ead51f6

SHA256
988f87640e4776b9cc093a13102e20073a46224a2a0713a4eb1914dccdb2be56

SHA512
136c3d8d8989ad2ac5ad387df5fdfcf1637f6f1e0eb6ba020bc530c2a0c2e2ff1b44eb3ea7a1e017d9c26962ffb83f4060e2758aa154ddaad2b938f889daf8f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF7B9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
194B

MD5
63a7f7a59616bc18ed39baf65ff79b01

SHA1
e33033433558946e010f0c9d975f781565bf5357

SHA256
c2f274191084501fdacebeb269818a1e26ae6e1efe102a9bd29caf4560b49d3a

SHA512
93e65504254737d9e9f9a97be04623de4533e5eae04ef83cf721d6f3cad5bbc2d6ea415445746a1327795bb1935c9f34edccccced96d43f50fe7eda572042c0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

Filesize
194B

MD5
11d63f2e4c8f346232833363049b61a4

SHA1
23d27ece53b9ad2e7ae5a66a96c338d8dee354da

SHA256
019aacfb007a294204f234b1f917b083b023c5127f3b11507153452fb41b2f82

SHA512
21bcda3b4998e7ac90baac7042016bde3cbd55c6b274d3f682ca7d5841df11a7ff79afc52ed920970020c23818bb4108121168966cb815a964d5c70c8df52a68

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF7BC.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat

Filesize
194B

MD5
52a33fde7c5c299854924bba884a5bdb

SHA1
e72fbbf8f24da804a15eb51e85ef1e4ef5366858

SHA256
4478970b6cac875047b512e3cd40dd97f14049e275836670488ec96bcd5c033e

SHA512
8e4cd9012b67d7e9d5b0c7e2701ec36efd8cbfbf147429ea1f6e6b164ba68bcbe628e8541e4d5adbda7c4850597080dff59201e6f8c43a32114389bbdc65967b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat

Filesize
194B

MD5
f56151209de6275654040794a80078f7

SHA1
50c1a34171d2debb366ad3cbdf20c6314f5dbf3f

SHA256
741db11c78636a7f0d73e20bdb9056624cb589abe57794bb22679d8ed973f3e4

SHA512
7f011da08aba073b230b9813dd9fd69c734b7eff361992353b3fa7ef1a1d22437386ac02a4ae0f1b8b77ae8d199298c186f8bf64982281aef2bdf9fafb392a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
194B

MD5
c17f627695d80746e3fb5e75fa305f41

SHA1
2c2f661c09111f500b7acd1907643ec597b460ed

SHA256
b74efc34a61fe7eee12c8df00f3f7d261a2f254d847e437101ffeb427e24ff60

SHA512
819066b261daedbb64803ba02507e35daf6d095be3b75247983fa6dc36569284fe2591ca4e45646d5569dd96fdfe5975701d57bf3a65785f55e497acd071cadb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat

Filesize
194B

MD5
2b8b009439c6349da1978026a6775c18

SHA1
23d20c6cc5391ef25674b8b1d01755913b647bae

SHA256
bf45f141aecb58cac72de3575050fe221eedd8ae99fc1debf493dd0fd750d307

SHA512
f55b6e792c8eacef2e78f183503753a91fa5c8deaeb17988ae8dd0f630e7a94b1f609df5251aa183c985683a68e89f817a932cba28cf3244d87dfa86100f89aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hV9XkVmZkx.bat

Filesize
194B

MD5
ff782dec7d548b2a47108de33e83ec68

SHA1
82066fe07dda2c54e5e711ff8dc642be6edc979c

SHA256
68fbcb58df9e70e985ac7eae4519314aa60069be0d4f8143d83cd25b655d2ac3

SHA512
058ef3130bab7748b7e66e6d72efa43e42380b2016750a7a69a9741317d9b7e41712c52b97f00bd58de8d7df412394cb69aa0d1ef0c3ad6f55a37d6a1b962c61

Download Submit
C:\Users\Admin\AppData\Local\Temp\oqEnL4f5pl.bat

Filesize
194B

MD5
b72182e0ba4a401d5cd8d8181fff4e28

SHA1
8c2dad185c47cba02210aab3aa79defe6f3d93ae

SHA256
87223eddb6dc94c4121e016fa1288ef5df25a19ba7d0ffb263f8cda415d4697c

SHA512
1d970aa3c92711759dd9e2c3555a48fc1579912e2e3b59746e89481b73825542043c1e841d9217b10383a3a42f2a6921c0d927f9322d624a844cd367a51c9b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
194B

MD5
e9c2cb85401c4d60f6b9467d22537478

SHA1
a61eb4dd2ada8bd843d4900d2a21d4fc83f1d2f1

SHA256
7ee43e0b1474f5fab2c2f4ada102cc7ecc777486f4dd6ee7843eb275bcab6a7d

SHA512
02b8f6a202980047ef4c12f42d7c63e39f0dcd98cd935927c15f9e3ece04a438d67c868295b6891d7f5f457ed054a713f85f45a0f582790b0b74011a57cafc72

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UNWVGPSJ5GVR4J5ENUDT.temp

Filesize
7KB

MD5
1b3991aa7486bb720940695cf21b45d7

SHA1
cf242bbda8dfbf6cb24602adeb65fb9f1b11f597

SHA256
5e9dde0151117de81134dc0b1b3ecaea5266277d4d525d46b585f027c57f67d3

SHA512
363cda1558e63aa584fc2032f408ddf8d2c03d1c6391cee91b66307b744aecfdb14d6ae987cf62e0027c846ce80a29e882bd4dfd0b396a80226ea0f50b8413cb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/376-56-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/536-220-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download
memory/692-160-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/1096-52-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1680-460-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/1824-340-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/1892-581-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2516-101-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2696-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2696-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/2696-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2696-13-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/2696-16-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2760-520-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/2760-521-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2792-641-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/2792-642-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2912-400-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/3024-280-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download