dcrat | dfac856c910808a93facacac6f329fae5a41a12aba744436c1a725e5833b29a5

Analysis

max time kernel
143s
max time network
139s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dfac856c910808a93facacac6f329fae5a41a12aba744436c1a725e5833b29a5.exe
Size

1.3MB
MD5

a35ac4f4567491fe07eb9a3803fe1239
SHA1

ec8fee9aec8c99c5a09739a5f3f6a5ac534292b3
SHA256

dfac856c910808a93facacac6f329fae5a41a12aba744436c1a725e5833b29a5
SHA512

7836c9d46378eb8a4db5fca212b695067d4125a8ac1ba46f765686d45b783069f3d666ba5863788f44b3fe8b92f3f6eee39d672f424196db98de61ac71abcbe2
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2748	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2748	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000017355-12.dat	dcrat
behavioral1/memory/1912-13-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/memory/2548-84-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/1528-279-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/1796-339-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2444-399-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/2124-459-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/1532-519-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/2460-638-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1308	powershell.exe
1768	powershell.exe
1216	powershell.exe
812	powershell.exe
1848	powershell.exe
1600	powershell.exe
1572	powershell.exe
264	powershell.exe
1356	powershell.exe
1972	powershell.exe
1704	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1912	DllCommonsvc.exe
2548	Idle.exe
2308	Idle.exe
1768	Idle.exe
1528	Idle.exe
1796	Idle.exe
2444	Idle.exe
2124	Idle.exe
1532	Idle.exe
2332	Idle.exe
2460	Idle.exe
2232	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2440	cmd.exe
2440	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dfac856c910808a93facacac6f329fae5a41a12aba744436c1a725e5833b29a5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1596	schtasks.exe
2888	schtasks.exe
2640	schtasks.exe
1988	schtasks.exe
2428	schtasks.exe
556	schtasks.exe
1128	schtasks.exe
2984	schtasks.exe
1140	schtasks.exe
2028	schtasks.exe
1788	schtasks.exe
2468	schtasks.exe
2684	schtasks.exe
2584	schtasks.exe
2988	schtasks.exe
1460	schtasks.exe
2776	schtasks.exe
2292	schtasks.exe
2224	schtasks.exe
1560	schtasks.exe
1792	schtasks.exe
792	schtasks.exe
2624	schtasks.exe
2136	schtasks.exe
1840	schtasks.exe
2956	schtasks.exe
2792	schtasks.exe
1020	schtasks.exe
2832	schtasks.exe
1528	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1912	DllCommonsvc.exe
1848	powershell.exe
264	powershell.exe
1216	powershell.exe
1572	powershell.exe
812	powershell.exe
1768	powershell.exe
1600	powershell.exe
1356	powershell.exe
1308	powershell.exe
1972	powershell.exe
1704	powershell.exe
2548	Idle.exe
2308	Idle.exe
1768	Idle.exe
1528	Idle.exe
1796	Idle.exe
2444	Idle.exe
2124	Idle.exe
1532	Idle.exe
2332	Idle.exe
2460	Idle.exe
2232	Idle.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1912	DllCommonsvc.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	1216	powershell.exe
Token: SeDebugPrivilege	1572	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2548	Idle.exe
Token: SeDebugPrivilege	2308	Idle.exe
Token: SeDebugPrivilege	1768	Idle.exe
Token: SeDebugPrivilege	1528	Idle.exe
Token: SeDebugPrivilege	1796	Idle.exe
Token: SeDebugPrivilege	2444	Idle.exe
Token: SeDebugPrivilege	2124	Idle.exe
Token: SeDebugPrivilege	1532	Idle.exe
Token: SeDebugPrivilege	2332	Idle.exe
Token: SeDebugPrivilege	2460	Idle.exe
Token: SeDebugPrivilege	2232	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2064 wrote to memory of 3068	2064	JaffaCakes118_dfac856c910808a93facacac6f329fae5a41a12aba744436c1a725e5833b29a5.exe	30
PID 2064 wrote to memory of 3068	2064	JaffaCakes118_dfac856c910808a93facacac6f329fae5a41a12aba744436c1a725e5833b29a5.exe	30
PID 2064 wrote to memory of 3068	2064	JaffaCakes118_dfac856c910808a93facacac6f329fae5a41a12aba744436c1a725e5833b29a5.exe	30
PID 2064 wrote to memory of 3068	2064	JaffaCakes118_dfac856c910808a93facacac6f329fae5a41a12aba744436c1a725e5833b29a5.exe	30
PID 3068 wrote to memory of 2440	3068	WScript.exe	32
PID 3068 wrote to memory of 2440	3068	WScript.exe	32
PID 3068 wrote to memory of 2440	3068	WScript.exe	32
PID 3068 wrote to memory of 2440	3068	WScript.exe	32
PID 2440 wrote to memory of 1912	2440	cmd.exe	34
PID 2440 wrote to memory of 1912	2440	cmd.exe	34
PID 2440 wrote to memory of 1912	2440	cmd.exe	34
PID 2440 wrote to memory of 1912	2440	cmd.exe	34
PID 1912 wrote to memory of 1972	1912	DllCommonsvc.exe	66
PID 1912 wrote to memory of 1972	1912	DllCommonsvc.exe	66
PID 1912 wrote to memory of 1972	1912	DllCommonsvc.exe	66
PID 1912 wrote to memory of 1356	1912	DllCommonsvc.exe	67
PID 1912 wrote to memory of 1356	1912	DllCommonsvc.exe	67
PID 1912 wrote to memory of 1356	1912	DllCommonsvc.exe	67
PID 1912 wrote to memory of 1600	1912	DllCommonsvc.exe	68
PID 1912 wrote to memory of 1600	1912	DllCommonsvc.exe	68
PID 1912 wrote to memory of 1600	1912	DllCommonsvc.exe	68
PID 1912 wrote to memory of 1848	1912	DllCommonsvc.exe	69
PID 1912 wrote to memory of 1848	1912	DllCommonsvc.exe	69
PID 1912 wrote to memory of 1848	1912	DllCommonsvc.exe	69
PID 1912 wrote to memory of 812	1912	DllCommonsvc.exe	71
PID 1912 wrote to memory of 812	1912	DllCommonsvc.exe	71
PID 1912 wrote to memory of 812	1912	DllCommonsvc.exe	71
PID 1912 wrote to memory of 1216	1912	DllCommonsvc.exe	72
PID 1912 wrote to memory of 1216	1912	DllCommonsvc.exe	72
PID 1912 wrote to memory of 1216	1912	DllCommonsvc.exe	72
PID 1912 wrote to memory of 1704	1912	DllCommonsvc.exe	74
PID 1912 wrote to memory of 1704	1912	DllCommonsvc.exe	74
PID 1912 wrote to memory of 1704	1912	DllCommonsvc.exe	74
PID 1912 wrote to memory of 1768	1912	DllCommonsvc.exe	75
PID 1912 wrote to memory of 1768	1912	DllCommonsvc.exe	75
PID 1912 wrote to memory of 1768	1912	DllCommonsvc.exe	75
PID 1912 wrote to memory of 1308	1912	DllCommonsvc.exe	77
PID 1912 wrote to memory of 1308	1912	DllCommonsvc.exe	77
PID 1912 wrote to memory of 1308	1912	DllCommonsvc.exe	77
PID 1912 wrote to memory of 264	1912	DllCommonsvc.exe	78
PID 1912 wrote to memory of 264	1912	DllCommonsvc.exe	78
PID 1912 wrote to memory of 264	1912	DllCommonsvc.exe	78
PID 1912 wrote to memory of 1572	1912	DllCommonsvc.exe	79
PID 1912 wrote to memory of 1572	1912	DllCommonsvc.exe	79
PID 1912 wrote to memory of 1572	1912	DllCommonsvc.exe	79
PID 1912 wrote to memory of 2548	1912	DllCommonsvc.exe	88
PID 1912 wrote to memory of 2548	1912	DllCommonsvc.exe	88
PID 1912 wrote to memory of 2548	1912	DllCommonsvc.exe	88
PID 2548 wrote to memory of 2292	2548	Idle.exe	89
PID 2548 wrote to memory of 2292	2548	Idle.exe	89
PID 2548 wrote to memory of 2292	2548	Idle.exe	89
PID 2292 wrote to memory of 3068	2292	cmd.exe	91
PID 2292 wrote to memory of 3068	2292	cmd.exe	91
PID 2292 wrote to memory of 3068	2292	cmd.exe	91
PID 2292 wrote to memory of 2308	2292	cmd.exe	92
PID 2292 wrote to memory of 2308	2292	cmd.exe	92
PID 2292 wrote to memory of 2308	2292	cmd.exe	92
PID 2308 wrote to memory of 492	2308	Idle.exe	93
PID 2308 wrote to memory of 492	2308	Idle.exe	93
PID 2308 wrote to memory of 492	2308	Idle.exe	93
PID 492 wrote to memory of 2772	492	cmd.exe	95
PID 492 wrote to memory of 2772	492	cmd.exe	95
PID 492 wrote to memory of 2772	492	cmd.exe	95
PID 492 wrote to memory of 1768	492	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfac856c910808a93facacac6f329fae5a41a12aba744436c1a725e5833b29a5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dfac856c910808a93facacac6f329fae5a41a12aba744436c1a725e5833b29a5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2064
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2440
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
    - - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3068
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2772
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
        10⤵
        
        PID:3036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1972
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat"
        12⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1540
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        14⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1624
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat"
        16⤵
        
        PID:1956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1180
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat"
        18⤵
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2816
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
        20⤵
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2080
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"
        22⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1308
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        24⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3040
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Templates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\L2Schemas\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aca03f08d5d5ab2fdda85adb0964d3ed

SHA1
364117ce3374b9f448d8c9a9f8ef95f86abc982f

SHA256
a7bc1e9c11d09ee454c25fd01c04701dfb3af40cefb7aa5d458a47caf8755c08

SHA512
9f6ce1d85af05734195a0a2d045ff30320b37edd43a0ae7701ee79f4d310c67c8383286a199ac0450685b4d720c6639bffde712676f82ca40faa978e42dbea17

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92e4b5d54d33e1994eba820d702cfffc

SHA1
82d61e7c27d290150c0b3cb018f11c47a2dcfb2e

SHA256
c4592f2cc293e807796d97dbdfa9f326105875ffcc6a731c87f15a0737e91111

SHA512
0f4830d43514e6f29b5715eeaa984f2fd06697645d6dde07f14063d11042ec28fd6a48109342ce5cf5cead1eb0722c3e8f070aed22b3737300eff73e7c3bcc87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b624e9a8f7c9f30d11acc74766da86b

SHA1
e5579a7285cd5d3e6589d6012a2c02140f2b2812

SHA256
827ece0356e7f67c6c9bddb8a7024a82932d7af529feeaa88cf403776bb9ca20

SHA512
c48be047084f7c917cdc7b2876be42024343e9719f2de6e1dddba891d867ad7bc0013eb7fc49d9140c528d3365fd0a1337b9cdfed17825f21d5a0f14fec7b806

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7849a818aa506285c0701dd9d93e5c92

SHA1
ca8182e06e43b2dd2975f8ba07817360926bd1a6

SHA256
7bf5e9e7424b0dafd8612868c0af29ae3fd33144e8e9a7690d2b28a3ded65379

SHA512
40d1cf07e6c0cd4e0f5402451a26423f6e83bb06f35e3a361ba3918b19706d13dbd0ae9f9aa178669eab3ec77beb1a83b98143efe390694ccfe98697c5dffd9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b42c53c3832cb7e6bdd313dd19d02efc

SHA1
6fc0087d605215ef51b2bc49f7190741c91976c6

SHA256
c15d2c2e17f9977b9e88fd5b26efa25eacb83ed3171f16de1fd9f4063f8228b5

SHA512
d055b035c3ff56376049a43cebfb306de66a98489eb7f3c8a71a6db952d2833f17e9f4853414c2d1b236d9134e905c3db9efa5c2604b7b5185c0ab56edf739ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e908498c63f52360defd849c43d50a22

SHA1
62df26214f84c69370ecae0d54db34081af00200

SHA256
eecc80e3b90b9b4e7640d212b6a286ab44ce06257d91fa06903f7374757f4570

SHA512
3ad1a9217938a1a358a2bcaad5f0611ad8c4e465ad1f05fd33fb7d4808ebf96fe09f79f88d69760cf8d8b6f5715426da969a480abe299f9e1e4f06b88a2e5675

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5b9f2f7688b2957dbc48010d090003a

SHA1
dd8f7d23ec3fae82d4b7fd3704876f3063a1dfaa

SHA256
c6b2b1693f0c36e8277639c38d0f04ba1d801e8b734537c4808d3ef2ffbc1589

SHA512
cbcc7fdad04a309b7723e6d2ee0258b322d23f0bc9661759da39ee4cbe0a4001a5e545b879af42b22eeaced542c7f14a7d27ad87be05b6f1d20acb01b97ef5a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b50a275d2ac3bc6401c47c3c4b96b87

SHA1
d176aac7d4375e85a4319fb88a718b43770d5a6b

SHA256
ff4e9ff3793869d4cbb2813216953926b696e3623d76ff84f144e9be554b57bf

SHA512
6f37997c0a545e3486b1ba3e521b053ddaff60dd37da52f834b21dbaac9896369c5180c0c6bfe3b38e49069694ed84816599a141adb22f7f665655871f5dd490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26f3b8f8fb7a22c10a35a55c855bd78b

SHA1
01ed3672bf1dd2e4ce97b8f6427d62ede4ee162a

SHA256
0e94381887cb2b95fedc50ac9a3207a87b658421f8edccf989fea6213b85810d

SHA512
32f1dcc77022db3b5e047bbf35e831e82c4fd3706587053018964f708aef4916576f55df269527be58acc81a107be1b46bb5578e3426a5ca8b7a488e67ea6806

Download Submit
C:\Users\Admin\AppData\Local\Temp\0WHmS6dpJ0.bat

Filesize
191B

MD5
6ae92c12adfadd944dca55fbbc820208

SHA1
c67c56d1ac55ac1beeb18a75b9976340d4d772c2

SHA256
50d883df7d542a4c6636d62187f46ebbdd6acef2b7f5166ebd1618e574f098eb

SHA512
6eca361e6683375618c8c9630e41248160f25190ef1a89dc91837585dcf8c3fa007f0fc9288b10b3877e97a5ab76335ddf6e1dc9b34ab06b1d5fa605b3cdf700

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
191B

MD5
39abc75bc8db575615a5338d0b92f498

SHA1
6c7fab235384bac2f5b516368aa6c7e89eba417c

SHA256
1e10644c72e12461de5abf8fd7d4e2e234fcf33eff38470bfc2afab33c923dcf

SHA512
d432cc70d688956018e9f03a9ff74cef70af2deee882b14eee9c53c57da94fadec175263f2b3bfc804f3886d46240d6d62679ec14ec5d3cd595acb1fa31c3ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat

Filesize
191B

MD5
7876e1865c89e394b9f694e06f29dba6

SHA1
21264997bc4e0ca65f3750e969f29ffc301f8b9b

SHA256
7668c699f977cbe12de583266882eddb54a756bb49e2bccab160f173c3682f52

SHA512
63fc53cc9d0145fc71b7963b27870ff6ebef408572489c2a0634eb84d18c84f054a30753ab2e382ff15e473ebe877ec59124e2111e3cf0b9f38d6300ad9af12c

Download Submit
C:\Users\Admin\AppData\Local\Temp\5mXdMdden9.bat

Filesize
191B

MD5
5cb68f59833128274e9e53dd6561b43a

SHA1
c3f4777858965eb0fca8737095518619e31ce7aa

SHA256
ba658fde7588c936765f9c6b40628bee5728d1cb647e85430595cd92f0846b0c

SHA512
c4ba22e3a7324cb204618749d961f2b47e7843eb522805f441beac13df44d95aaaaaaf70b8da74bd8f06ff5720e981aefd4c1d94951451dc51718247e262d17c

Download Submit
C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat

Filesize
191B

MD5
2584a299ad2416966e0306dbad734ec3

SHA1
21176691d965a179b82dc0f47244e74bc5b72dfa

SHA256
0babba3cf28a2e72685b0a33dcc942134405fa1c76aae28dd3adc84a01c61979

SHA512
70a156f41b5292bee5f3b8a384259fad8f157f9a1acea6b62c7e511a5e65ad767ec281834aae355b368ada7bb3e272591f6be47c8dbf34a53b6cb07745878281

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFAF4.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

Filesize
191B

MD5
4768d3c41f09c9b621b5584135be8112

SHA1
98b9b841054e85d19473d56a95aa388564b5b093

SHA256
15fe2ec19973f7fd840b88450b12ffac82ecbb6fc9e3a844f81b60e9b32bca51

SHA512
06d8c28077a9f6c2bf22b1422a53e4fc1e0a25f66919c427558ec9864f5d44d9df7a733a73218c4f37c0508df732573c804d7b21fb018a76050598935ec61fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
191B

MD5
d135244516334f06782c5f4b24f0c916

SHA1
1cf3d3188b68ec002b45a2742b1668d9e03178b8

SHA256
1ffee827fc823aa5f0fcf26aee093dfe1f7e9f0e3e2279a2bb52344c25eb4144

SHA512
30bbe656095e583527149cb747b2125132f2123f4ae5d6389a9c20921319c96dd07844d014ccb0d5f8800ec1fbe2d14b75fa466ac0d3fb39deb4d788fb16ede4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB16.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat

Filesize
191B

MD5
407a925f230ecfa73c361b056d0288af

SHA1
98461c7416242626ff26ff6514030dcda717f8c9

SHA256
22a1d0c68e24e049c7a534c14e217a2d4c85bc7dd2fe840444d7517db570ae68

SHA512
5bd966bbf08562cfcb0a7e87c8d1c43809b0d070564fb1360e6678c6fc77efff0d271f8142a522d7e44f7549c7170ba7bc9162a3a6f744ed24534541f753fb26

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
191B

MD5
36dfd3201caa22a438575015bfd3a2b1

SHA1
830524635137d7762f556006ed6c0ab736e0cd4a

SHA256
5b396a462c0b33f5744fb69ef8cee8cce14d27900cbc8add1e4a423fb426746b

SHA512
80e8a7c02f2999cf445b827718a0c2aada49c4edba2e059ab0ad490aaaa4be311a52fc425798a89ae13c934e156bb4a1ab95479173985c49e2d1a07f2119ceda

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat

Filesize
191B

MD5
5868037ae6e92b048d5044452642c2a4

SHA1
7439c68d469296f2ab53dd1ed8ab1cbf71d93974

SHA256
7ca19666fa6f52daa5f3208116349a80e043a1760a67cc01b973446f611d7c43

SHA512
83665f3b3b76ade52fc5e4692ab2666de4bf2a447e3111bb4ba66a0335158222090fd5368750bddc9a99e3273e724c78aa51b76a2749f34930746eec35068ace

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b6328c5e6609cc53b61fe303c7d79dc6

SHA1
9878d15ecffc09f37e27f31e19814deb737b71d4

SHA256
67ce12d12986575d1dd02c3c0aae67b575b2925d219e680a56201b173aae7d2b

SHA512
13a2213643cbf15550e73856b7a0c834a4eb12e888935a7319a56457f5ce1a133e4974c5ebacc7b51c2da7567b37774054733933cf4badc936171685351045af

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/264-54-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

Filesize
2.9MB

Download
memory/1528-279-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/1532-519-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/1768-219-0x00000000006C0000-0x00000000006D2000-memory.dmp

Filesize
72KB

Download
memory/1796-339-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/1848-55-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/1912-17-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/1912-16-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/1912-15-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1912-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1912-13-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/2124-459-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2444-399-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/2460-638-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2548-101-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2548-84-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download