dcrat | d758480111dd94213a2ca377f11e3ef6d22fd2c9f9d540667ab01c629b79110d

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d758480111dd94213a2ca377f11e3ef6d22fd2c9f9d540667ab01c629b79110d.exe
Size

1.3MB
MD5

33fa04554eb8ae83bc970d9c24544e04
SHA1

3928ede08ff1a34f59418e863a226f3bb27721af
SHA256

d758480111dd94213a2ca377f11e3ef6d22fd2c9f9d540667ab01c629b79110d
SHA512

50d46f7474eebe59ad34598e3d66f33fdcc8711c139455a94b1295a97b232db0072516c0cbb16cefd5e28d26cfd8fdee588f5a6f72a193820ec7d38599efdbcd
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2372	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016de4-12.dat	dcrat
behavioral1/memory/2676-13-0x0000000000BB0000-0x0000000000CC0000-memory.dmp	dcrat
behavioral1/memory/1952-42-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/1096-152-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/2600-212-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2808-272-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2044-332-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/2420-392-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/3020-570-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2520	powershell.exe
1632	powershell.exe
3008	powershell.exe
2920	powershell.exe
1944	powershell.exe
3016	powershell.exe
112	powershell.exe
408	powershell.exe
316	powershell.exe
2904	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2676	DllCommonsvc.exe
1952	spoolsv.exe
1096	spoolsv.exe
2600	spoolsv.exe
2808	spoolsv.exe
2044	spoolsv.exe
2420	spoolsv.exe
760	spoolsv.exe
2716	spoolsv.exe
3020	spoolsv.exe
2536	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	cmd.exe
2140	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
23	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
12	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\WCN\en-US\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\System32\WCN\en-US\886983d96e3d3e	DllCommonsvc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\locale\cs\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\locale\cs\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d758480111dd94213a2ca377f11e3ef6d22fd2c9f9d540667ab01c629b79110d.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1444	schtasks.exe
2672	schtasks.exe
1404	schtasks.exe
2972	schtasks.exe
2120	schtasks.exe
468	schtasks.exe
2552	schtasks.exe
1612	schtasks.exe
2576	schtasks.exe
2148	schtasks.exe
2560	schtasks.exe
1316	schtasks.exe
3000	schtasks.exe
1488	schtasks.exe
2624	schtasks.exe
1164	schtasks.exe
2636	schtasks.exe
2980	schtasks.exe
1784	schtasks.exe
1924	schtasks.exe
2588	schtasks.exe
2288	schtasks.exe
2852	schtasks.exe
1588	schtasks.exe
2608	schtasks.exe
2124	schtasks.exe
1940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2676	DllCommonsvc.exe
2904	powershell.exe
408	powershell.exe
1952	spoolsv.exe
1632	powershell.exe
3008	powershell.exe
2920	powershell.exe
112	powershell.exe
316	powershell.exe
3016	powershell.exe
2520	powershell.exe
1944	powershell.exe
1096	spoolsv.exe
2600	spoolsv.exe
2808	spoolsv.exe
2044	spoolsv.exe
2420	spoolsv.exe
760	spoolsv.exe
2716	spoolsv.exe
3020	spoolsv.exe
2536	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	DllCommonsvc.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	1952	spoolsv.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	2920	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	316	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2520	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	1096	spoolsv.exe
Token: SeDebugPrivilege	2600	spoolsv.exe
Token: SeDebugPrivilege	2808	spoolsv.exe
Token: SeDebugPrivilege	2044	spoolsv.exe
Token: SeDebugPrivilege	2420	spoolsv.exe
Token: SeDebugPrivilege	760	spoolsv.exe
Token: SeDebugPrivilege	2716	spoolsv.exe
Token: SeDebugPrivilege	3020	spoolsv.exe
Token: SeDebugPrivilege	2536	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2512 wrote to memory of 1544	2512	JaffaCakes118_d758480111dd94213a2ca377f11e3ef6d22fd2c9f9d540667ab01c629b79110d.exe	31
PID 2512 wrote to memory of 1544	2512	JaffaCakes118_d758480111dd94213a2ca377f11e3ef6d22fd2c9f9d540667ab01c629b79110d.exe	31
PID 2512 wrote to memory of 1544	2512	JaffaCakes118_d758480111dd94213a2ca377f11e3ef6d22fd2c9f9d540667ab01c629b79110d.exe	31
PID 2512 wrote to memory of 1544	2512	JaffaCakes118_d758480111dd94213a2ca377f11e3ef6d22fd2c9f9d540667ab01c629b79110d.exe	31
PID 1544 wrote to memory of 2140	1544	WScript.exe	32
PID 1544 wrote to memory of 2140	1544	WScript.exe	32
PID 1544 wrote to memory of 2140	1544	WScript.exe	32
PID 1544 wrote to memory of 2140	1544	WScript.exe	32
PID 2140 wrote to memory of 2676	2140	cmd.exe	34
PID 2140 wrote to memory of 2676	2140	cmd.exe	34
PID 2140 wrote to memory of 2676	2140	cmd.exe	34
PID 2140 wrote to memory of 2676	2140	cmd.exe	34
PID 2676 wrote to memory of 2520	2676	DllCommonsvc.exe	63
PID 2676 wrote to memory of 2520	2676	DllCommonsvc.exe	63
PID 2676 wrote to memory of 2520	2676	DllCommonsvc.exe	63
PID 2676 wrote to memory of 112	2676	DllCommonsvc.exe	64
PID 2676 wrote to memory of 112	2676	DllCommonsvc.exe	64
PID 2676 wrote to memory of 112	2676	DllCommonsvc.exe	64
PID 2676 wrote to memory of 408	2676	DllCommonsvc.exe	65
PID 2676 wrote to memory of 408	2676	DllCommonsvc.exe	65
PID 2676 wrote to memory of 408	2676	DllCommonsvc.exe	65
PID 2676 wrote to memory of 1632	2676	DllCommonsvc.exe	66
PID 2676 wrote to memory of 1632	2676	DllCommonsvc.exe	66
PID 2676 wrote to memory of 1632	2676	DllCommonsvc.exe	66
PID 2676 wrote to memory of 316	2676	DllCommonsvc.exe	67
PID 2676 wrote to memory of 316	2676	DllCommonsvc.exe	67
PID 2676 wrote to memory of 316	2676	DllCommonsvc.exe	67
PID 2676 wrote to memory of 2904	2676	DllCommonsvc.exe	68
PID 2676 wrote to memory of 2904	2676	DllCommonsvc.exe	68
PID 2676 wrote to memory of 2904	2676	DllCommonsvc.exe	68
PID 2676 wrote to memory of 2920	2676	DllCommonsvc.exe	69
PID 2676 wrote to memory of 2920	2676	DllCommonsvc.exe	69
PID 2676 wrote to memory of 2920	2676	DllCommonsvc.exe	69
PID 2676 wrote to memory of 1944	2676	DllCommonsvc.exe	70
PID 2676 wrote to memory of 1944	2676	DllCommonsvc.exe	70
PID 2676 wrote to memory of 1944	2676	DllCommonsvc.exe	70
PID 2676 wrote to memory of 3016	2676	DllCommonsvc.exe	71
PID 2676 wrote to memory of 3016	2676	DllCommonsvc.exe	71
PID 2676 wrote to memory of 3016	2676	DllCommonsvc.exe	71
PID 2676 wrote to memory of 3008	2676	DllCommonsvc.exe	72
PID 2676 wrote to memory of 3008	2676	DllCommonsvc.exe	72
PID 2676 wrote to memory of 3008	2676	DllCommonsvc.exe	72
PID 2676 wrote to memory of 1952	2676	DllCommonsvc.exe	79
PID 2676 wrote to memory of 1952	2676	DllCommonsvc.exe	79
PID 2676 wrote to memory of 1952	2676	DllCommonsvc.exe	79
PID 1952 wrote to memory of 1068	1952	spoolsv.exe	84
PID 1952 wrote to memory of 1068	1952	spoolsv.exe	84
PID 1952 wrote to memory of 1068	1952	spoolsv.exe	84
PID 1068 wrote to memory of 1156	1068	cmd.exe	86
PID 1068 wrote to memory of 1156	1068	cmd.exe	86
PID 1068 wrote to memory of 1156	1068	cmd.exe	86
PID 1068 wrote to memory of 1096	1068	cmd.exe	87
PID 1068 wrote to memory of 1096	1068	cmd.exe	87
PID 1068 wrote to memory of 1096	1068	cmd.exe	87
PID 1096 wrote to memory of 2544	1096	spoolsv.exe	88
PID 1096 wrote to memory of 2544	1096	spoolsv.exe	88
PID 1096 wrote to memory of 2544	1096	spoolsv.exe	88
PID 2544 wrote to memory of 2796	2544	cmd.exe	90
PID 2544 wrote to memory of 2796	2544	cmd.exe	90
PID 2544 wrote to memory of 2796	2544	cmd.exe	90
PID 2544 wrote to memory of 2600	2544	cmd.exe	91
PID 2544 wrote to memory of 2600	2544	cmd.exe	91
PID 2544 wrote to memory of 2600	2544	cmd.exe	91
PID 2600 wrote to memory of 1008	2600	spoolsv.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d758480111dd94213a2ca377f11e3ef6d22fd2c9f9d540667ab01c629b79110d.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d758480111dd94213a2ca377f11e3ef6d22fd2c9f9d540667ab01c629b79110d.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2512
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\WCN\en-US\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\locale\cs\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1952
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1156
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2796
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        10⤵
        
        PID:1008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:568
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        12⤵
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2012
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        14⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2072
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
        16⤵
        
        PID:1052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2996
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat"
        18⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2108
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
        20⤵
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2960
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        22⤵
        
        PID:848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2144
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Pictures\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Users\Default\Pictures\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Pictures\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\Tasks\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\WCN\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\System32\WCN\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\WCN\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\VideoLAN\VLC\locale\cs\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f61634c1aa72e3350cf0852cf9db1d7

SHA1
d8fb9f405760ece9522fab74d6ad190b14aae7d9

SHA256
72b91d983fd411acc85a8d00e5b9722d2305bf27cf48e0544c6fa198e0cca6b4

SHA512
72a9cc65b1e905fbf00247d70817a0acb03a0080c0052c54a7f4a076e343fcc022218666d19d233ad55335e59b8fb0920c5e3028c3808e51e8d32c518040db2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25e09bd4672d0a136976dc7a57534974

SHA1
6958995d55a40cf096c5fd90c723b9bc484a4515

SHA256
c90e023f0b6b4929d1025e499a8e2c8b1941b297ff251da530a970b9ebd719a7

SHA512
331bff331c3a469154a786bd24221baedaace33191a7658ff1041fe209e5723397848484a2e6f6b0d04b2acafc733a7c7974b205713d243de7b392ac2a0f3834

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f6ca6be56f85a98b0017e6f7afba301c

SHA1
2d7644fe8d8efe5dac09f68ad385a264c10fac14

SHA256
bc8335787580ec8b2810ce9eb38a2346f03dd32a91bc26e28a7f3d5688e9196b

SHA512
81ce9e3d7d9f945fe9022ac6be90cd6e2de6356adf76e8b26edf67ec1b500de09f9817c32babb476d4c7d642dc681b75ff57afa3bb8d5c63d7c6a18f6925f8b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5081bfa337ad9b38b085b2931767f4b7

SHA1
cb8ea3986f8d0688639d0b4de83d096eb6b92667

SHA256
85905f064313011d9c62fdec5e9ba7e0c7d887cd1b0efc57a192ca48aaf0e2df

SHA512
b60543574f7eeb7c37abf064f88079fa054edfd4affeea7c971a77ee8f51f4234f0e78baddc7f655aa70f5191fbeb5aaab7de9edb37310552b889bf0a529d4bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bed5c8227d17cb4da24697afb750cd79

SHA1
c2dd1a073e6c9f180ee8f3d008fd9567ca665412

SHA256
58e10e267a5d6e6c573f5c72886f241df4786d583b0dde399d8640a8eeac3e07

SHA512
8b05c217ce851d7c4ecc5ab52d28924db879a3447a82a8b906e3aef9f5cb477dbbce70d883c2987710d97e81f2145c1e60988a031808d5411e93693678716545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f74f74ec91239a46287912426cec265f

SHA1
b2ba1fae6917434b975b9a9815faef58b94a46e3

SHA256
2194e30e0667f29bf9bf7a14cac9f5e8fa89af95493a78c7a95184e1e065f936

SHA512
c7731c1f6889cbd9a763eca315fe3719f97907b2043324780d4a4e861856ba5ee413784f2cfe2dd86e8c6e91e9b34342412ac25e5b3a649cc59baf7c640dee0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
433590fb1384024555cdbec634d08703

SHA1
a2676e8922d16af55954032c6ecadba7bdf8e693

SHA256
0efce78c7df7d43aa961046d912f3623fc3933ce7ef464936ecb6b5a4d175dc9

SHA512
6ea9ada66f270af730a9b5cb1814e765181666db085da27e6f9ffbe447046dfd3ee2bc4f6fa8e2720324add8ae039308d61b9e5e8a03b41b8c3a23eb5d17091d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ce93b896c49c24d6558e8ce3bbdbe3c

SHA1
3cc1a6e6f58e2594981fd43633942e989e577415

SHA256
eaac7fd6efb0582b9d64a4f1838c46cde90273b413dbd5490eb810b59168cf03

SHA512
89209c89c7f651f82d6268c331249463d24ab0d14b0a11337539b3c4f0f8d57ab7e0a8c953fcc58a55999d70586dd502dd294a4bd42ed44a3086de1a12a715b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
225B

MD5
c781702a28d8c110866e7519194b3820

SHA1
c5fd87de87b7a075d9c1513ac4dc4fb44ce787c7

SHA256
127972a02465d96985d10b0b97376ea38369cb515516ddd57e93540ec63c94f2

SHA512
0dfc5414c0242ee19f78581e2638479c125595ebefd07a5b3848ac6101dd66a35c22f027227b80b59f72ff995d193ee363014e5641015ce9f830aa65f293cac0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1132.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat

Filesize
225B

MD5
6037b7302c1ac7844353bae11827a0da

SHA1
175667f537b9c8ec25555607e357fe59df06c83d

SHA256
892c1fb72e1ce6988e1e4e14905d4087c01ab5aff0e8f913cae6bfb1e3c48e35

SHA512
3db8706f6e4a6062fadf036e13ffc915cbe4e2c870c7dc8a8af81e3a42d7873272599c0c0dd59294ab2811b06564ffe5958881e7b60baabb5ec2be629af2ae89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
225B

MD5
72b554316677f271e00b0a33a7eea42c

SHA1
9d03a661b27565ad2ebe11aea65454622f28e3cd

SHA256
d9be2514a5cd26d473d06ee0f6992c0c60766f27269f07225deb28885097c913

SHA512
fa886af6b31aa64d573359193dcdefbcc88c9085547e05c292a7936d5269f20600f12c244988ac26e8f07804d6cd2f9356336b230e97224b5b5de9e2c6bad975

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pkopelt31u.bat

Filesize
225B

MD5
e80d4e4cc2f072f73b4ea50289d43790

SHA1
7142ad09dcc60800d2e0ab96a4c932770610d499

SHA256
7403d6d1d459de70af7c22644a4fee287d790a3d8202273babf178bacdd5f212

SHA512
59f6b1bc46fc4320cc63dbe6f1ad1c525efc0b40d664df9a2fb277cf4f6951b1c976b803ca2e38eb99407a3d61a230ecca7f2e2d782d142a42dc32fc6ab02670

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
225B

MD5
1300f2bc265cb00b84c4a78e2fa0cd0d

SHA1
06c4c68df3c5ac3a6e263a5ded7ef01ffcb1f45c

SHA256
e39adeb1889e28e1f98d9fd26f9821a40edb7a827cf59a1bb50e2de8e058e8f8

SHA512
f7dfc6c1be25810b0701d16bc79bd8124ad4ea788664936bec43e3fef64ca2ccaf00f1a011e92a7db12dfc9324b2dddbe12f25abef0dc0722cefd3a630664363

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1154.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

Filesize
225B

MD5
62405ff3ea5705b62642fe3b944c4eb5

SHA1
cf261da6b3578244bd4c90bdffe3a6c20d5d8ec6

SHA256
3efa07ad19e4fc352484cab36e2bc7f390204bd9fae3be2bfb69d47943a65042

SHA512
7d5ade6b4aa50d41269b067260196c0cea415d32b80dc1ce7e9d2475eaf322e36eddf476cc02dfaf515d9acc1144cd3ba360b178f3c300bc7c282ef1ac968571

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

Filesize
225B

MD5
2fe1d0021ab740bdca12d589dd5df2bc

SHA1
b6c4ddcb9e8d9a336e272d99af9ed8990821b016

SHA256
759b3dd73cd4218e993fd897d66021717dba4f048ebd485b16f1696c0ef2e44d

SHA512
01626f24623853b14e509a30b47bde7f816734e0b4bbf74df7a453dc6efc52fa8af415124ca770313e95464eeb61f34c67f1f5e02c24d1249e6c8371f2cae58d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
225B

MD5
c040c47dd45d01d813acd3696dbf8dc5

SHA1
f3e0993873a9590db0ebe71adc70c596d823eeda

SHA256
d866ace5e52d4f5f560b9815616dfd9ca7ff9431299281c731d2943ff72268f4

SHA512
14fa3dd4d389f75bf76457b408bf9787c4825e69a482163a64b73e9ee5b3189281d0a3b062b72daeada45b23b9d873d1b92374864ebd4582cd9a3293a9691f48

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWs9jrlB8v.bat

Filesize
225B

MD5
c52285d9758586a46ce2f71f5d9cfe65

SHA1
6bbf7ab6c3b2bf5ebe3f8638913a290578fddc26

SHA256
88754f420f05813055bec25ec9b6ec18d0d8cc5f960bbdf1f572bd59cfa5c537

SHA512
7d9571210a39403ed3bb3a44cda2c71a17ca857613a03d6c262fb2d08e5e12398705351e11b2c54a199e6a860d7a3a3d7964e142c539c8c10165ff0afb021071

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FBSZE3X38P3Q54XCC1X5.temp

Filesize
7KB

MD5
046874081dd02df72c48602bc6c2e4bb

SHA1
603a77143429ff416081c5ec4d67d7d344b6c038

SHA256
74c82c8ee3ec1a9892b4f0941b716eaa4215bdac1faf5503fa571bbecad1199f

SHA512
7d0e105b6b6362b88802abb3dfc436146a271520b3c5996bfc1e243ff02f3b2e8b6df65179ff3a9a1b25bfb02acd16a4dc9f231c99a37e3b25a1c21238462720

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/408-52-0x000000001B810000-0x000000001BAF2000-memory.dmp

Filesize
2.9MB

Download
memory/1096-152-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/1952-42-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/2044-332-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2420-392-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/2536-630-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2600-212-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2676-17-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2676-16-0x0000000000340000-0x000000000034C000-memory.dmp

Filesize
48KB

Download
memory/2676-15-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2676-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2676-13-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-272-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2904-53-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/3020-570-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download