dcrat | 82ef90d1bdaf196afcb7a26a37cbe4ba8a78b6e2d664527cf4f6fada1aa2ce3f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 04:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_82ef90d1bdaf196afcb7a26a37cbe4ba8a78b6e2d664527cf4f6fada1aa2ce3f.exe
Size

1.3MB
MD5

4be442401e2560619ab884ffa5a90db4
SHA1

c7c89548967587c04d87d84be6f51fe12832ccc9
SHA256

82ef90d1bdaf196afcb7a26a37cbe4ba8a78b6e2d664527cf4f6fada1aa2ce3f
SHA512

20ecdc7d3836a2b8f3f93cc8e570de4a3f8fa1509eec3fbb8f21e2c7697e816d5b244365191f5018fe7b98c8b3cf0c3145dfd3da14161148017d8451b21c3cf4
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2256	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2256	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015e25-9.dat	dcrat
behavioral1/memory/2752-13-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/552-101-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/1712-160-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/1440-281-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/2188-342-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/2360-639-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
960	powershell.exe
2552	powershell.exe
2392	powershell.exe
2400	powershell.exe
1148	powershell.exe
1900	powershell.exe
1748	powershell.exe
1328	powershell.exe
1568	powershell.exe
1532	powershell.exe
1284	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2752	DllCommonsvc.exe
552	Idle.exe
1712	Idle.exe
584	Idle.exe
1440	Idle.exe
2188	Idle.exe
2636	Idle.exe
1812	Idle.exe
1784	Idle.exe
316	Idle.exe
2360	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2488	cmd.exe
2488	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\System\ado\ja-JP\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\System\ado\ja-JP\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\6ccacd8608530f	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\addins\smss.exe	DllCommonsvc.exe
File created	C:\Windows\addins\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_82ef90d1bdaf196afcb7a26a37cbe4ba8a78b6e2d664527cf4f6fada1aa2ce3f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2540	schtasks.exe
3060	schtasks.exe
1064	schtasks.exe
1580	schtasks.exe
1508	schtasks.exe
2944	schtasks.exe
2264	schtasks.exe
2976	schtasks.exe
1132	schtasks.exe
1156	schtasks.exe
2004	schtasks.exe
1884	schtasks.exe
2056	schtasks.exe
476	schtasks.exe
2108	schtasks.exe
1076	schtasks.exe
1160	schtasks.exe
1608	schtasks.exe
2864	schtasks.exe
2276	schtasks.exe
2244	schtasks.exe
2140	schtasks.exe
2996	schtasks.exe
2876	schtasks.exe
1048	schtasks.exe
3032	schtasks.exe
3008	schtasks.exe
2936	schtasks.exe
1480	schtasks.exe
556	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
2752	DllCommonsvc.exe
1900	powershell.exe
1148	powershell.exe
1284	powershell.exe
1568	powershell.exe
2392	powershell.exe
1328	powershell.exe
1748	powershell.exe
2552	powershell.exe
960	powershell.exe
2400	powershell.exe
1532	powershell.exe
552	Idle.exe
1712	Idle.exe
584	Idle.exe
1440	Idle.exe
2188	Idle.exe
2636	Idle.exe
1812	Idle.exe
1784	Idle.exe
316	Idle.exe
2360	Idle.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	1328	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	2552	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	552	Idle.exe
Token: SeDebugPrivilege	1712	Idle.exe
Token: SeDebugPrivilege	584	Idle.exe
Token: SeDebugPrivilege	1440	Idle.exe
Token: SeDebugPrivilege	2188	Idle.exe
Token: SeDebugPrivilege	2636	Idle.exe
Token: SeDebugPrivilege	1812	Idle.exe
Token: SeDebugPrivilege	1784	Idle.exe
Token: SeDebugPrivilege	316	Idle.exe
Token: SeDebugPrivilege	2360	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2808	2840	JaffaCakes118_82ef90d1bdaf196afcb7a26a37cbe4ba8a78b6e2d664527cf4f6fada1aa2ce3f.exe	30
PID 2840 wrote to memory of 2808	2840	JaffaCakes118_82ef90d1bdaf196afcb7a26a37cbe4ba8a78b6e2d664527cf4f6fada1aa2ce3f.exe	30
PID 2840 wrote to memory of 2808	2840	JaffaCakes118_82ef90d1bdaf196afcb7a26a37cbe4ba8a78b6e2d664527cf4f6fada1aa2ce3f.exe	30
PID 2840 wrote to memory of 2808	2840	JaffaCakes118_82ef90d1bdaf196afcb7a26a37cbe4ba8a78b6e2d664527cf4f6fada1aa2ce3f.exe	30
PID 2808 wrote to memory of 2488	2808	WScript.exe	31
PID 2808 wrote to memory of 2488	2808	WScript.exe	31
PID 2808 wrote to memory of 2488	2808	WScript.exe	31
PID 2808 wrote to memory of 2488	2808	WScript.exe	31
PID 2488 wrote to memory of 2752	2488	cmd.exe	33
PID 2488 wrote to memory of 2752	2488	cmd.exe	33
PID 2488 wrote to memory of 2752	2488	cmd.exe	33
PID 2488 wrote to memory of 2752	2488	cmd.exe	33
PID 2752 wrote to memory of 1148	2752	DllCommonsvc.exe	65
PID 2752 wrote to memory of 1148	2752	DllCommonsvc.exe	65
PID 2752 wrote to memory of 1148	2752	DllCommonsvc.exe	65
PID 2752 wrote to memory of 1900	2752	DllCommonsvc.exe	66
PID 2752 wrote to memory of 1900	2752	DllCommonsvc.exe	66
PID 2752 wrote to memory of 1900	2752	DllCommonsvc.exe	66
PID 2752 wrote to memory of 2400	2752	DllCommonsvc.exe	67
PID 2752 wrote to memory of 2400	2752	DllCommonsvc.exe	67
PID 2752 wrote to memory of 2400	2752	DllCommonsvc.exe	67
PID 2752 wrote to memory of 1284	2752	DllCommonsvc.exe	69
PID 2752 wrote to memory of 1284	2752	DllCommonsvc.exe	69
PID 2752 wrote to memory of 1284	2752	DllCommonsvc.exe	69
PID 2752 wrote to memory of 2392	2752	DllCommonsvc.exe	70
PID 2752 wrote to memory of 2392	2752	DllCommonsvc.exe	70
PID 2752 wrote to memory of 2392	2752	DllCommonsvc.exe	70
PID 2752 wrote to memory of 1532	2752	DllCommonsvc.exe	71
PID 2752 wrote to memory of 1532	2752	DllCommonsvc.exe	71
PID 2752 wrote to memory of 1532	2752	DllCommonsvc.exe	71
PID 2752 wrote to memory of 2552	2752	DllCommonsvc.exe	73
PID 2752 wrote to memory of 2552	2752	DllCommonsvc.exe	73
PID 2752 wrote to memory of 2552	2752	DllCommonsvc.exe	73
PID 2752 wrote to memory of 1568	2752	DllCommonsvc.exe	74
PID 2752 wrote to memory of 1568	2752	DllCommonsvc.exe	74
PID 2752 wrote to memory of 1568	2752	DllCommonsvc.exe	74
PID 2752 wrote to memory of 960	2752	DllCommonsvc.exe	75
PID 2752 wrote to memory of 960	2752	DllCommonsvc.exe	75
PID 2752 wrote to memory of 960	2752	DllCommonsvc.exe	75
PID 2752 wrote to memory of 1328	2752	DllCommonsvc.exe	76
PID 2752 wrote to memory of 1328	2752	DllCommonsvc.exe	76
PID 2752 wrote to memory of 1328	2752	DllCommonsvc.exe	76
PID 2752 wrote to memory of 1748	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 1748	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 1748	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 2428	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 2428	2752	DllCommonsvc.exe	84
PID 2752 wrote to memory of 2428	2752	DllCommonsvc.exe	84
PID 2428 wrote to memory of 2320	2428	cmd.exe	89
PID 2428 wrote to memory of 2320	2428	cmd.exe	89
PID 2428 wrote to memory of 2320	2428	cmd.exe	89
PID 2428 wrote to memory of 552	2428	cmd.exe	90
PID 2428 wrote to memory of 552	2428	cmd.exe	90
PID 2428 wrote to memory of 552	2428	cmd.exe	90
PID 552 wrote to memory of 1248	552	Idle.exe	91
PID 552 wrote to memory of 1248	552	Idle.exe	91
PID 552 wrote to memory of 1248	552	Idle.exe	91
PID 1248 wrote to memory of 1132	1248	cmd.exe	93
PID 1248 wrote to memory of 1132	1248	cmd.exe	93
PID 1248 wrote to memory of 1132	1248	cmd.exe	93
PID 1248 wrote to memory of 1712	1248	cmd.exe	94
PID 1248 wrote to memory of 1712	1248	cmd.exe	94
PID 1248 wrote to memory of 1712	1248	cmd.exe	94
PID 1712 wrote to memory of 2464	1712	Idle.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82ef90d1bdaf196afcb7a26a37cbe4ba8a78b6e2d664527cf4f6fada1aa2ce3f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_82ef90d1bdaf196afcb7a26a37cbe4ba8a78b6e2d664527cf4f6fada1aa2ce3f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\System\ado\ja-JP\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7FqYE3ffF.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2320
      - C:\Program Files\MSBuild\Idle.exe
        
        "C:\Program Files\MSBuild\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1132
        
        C:\Program Files\MSBuild\Idle.exe
        
        "C:\Program Files\MSBuild\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat"
        9⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2072
        
        C:\Program Files\MSBuild\Idle.exe
        
        "C:\Program Files\MSBuild\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
        11⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2752
        
        C:\Program Files\MSBuild\Idle.exe
        
        "C:\Program Files\MSBuild\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat"
        13⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2116
        
        C:\Program Files\MSBuild\Idle.exe
        
        "C:\Program Files\MSBuild\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat"
        15⤵
        
        PID:704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1796
        
        C:\Program Files\MSBuild\Idle.exe
        
        "C:\Program Files\MSBuild\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
        17⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3064
        
        C:\Program Files\MSBuild\Idle.exe
        
        "C:\Program Files\MSBuild\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        19⤵
        
        PID:1872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2320
        
        C:\Program Files\MSBuild\Idle.exe
        
        "C:\Program Files\MSBuild\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        21⤵
        
        PID:2088
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2272
        
        C:\Program Files\MSBuild\Idle.exe
        
        "C:\Program Files\MSBuild\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        23⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1748
        
        C:\Program Files\MSBuild\Idle.exe
        
        "C:\Program Files\MSBuild\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\System\ado\ja-JP\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\System\ado\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\System\ado\ja-JP\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\addins\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\addins\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\MSBuild\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1835a3f33150483b6a26ea55872351ba

SHA1
d1d550d52b087df2cf834f55af16f1cb29186d21

SHA256
0b698c4db3f5df33be9aaea1d078f7cff63fa88349f372acebb55c298126ee5e

SHA512
1e33f286754b33b58358b26ca04feb5ab69c7264a482b199ef562924409c9139fc36ebc9d8e066ec0d24c196d741965f1c1bdb04fe377f266383ebd419c24cb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec2d41a28fa3989592248db620eabae7

SHA1
7e733564724c407f9538a0a6d80c2a29ab7e8f7b

SHA256
f8c1badcaf945677faa2b1965b76e38f024aba5006031df9371d8a16a95c19a8

SHA512
526ec3923088451483fbb019847b3ee5b5407b9ccc8be8e7f3673e6bb7e0ae9ac918482935f5990ce2f6b0a23b95dbd623037592a009605eeef4d880b7827784

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8d83a18627d59a1f0e06336ac39bb05

SHA1
c09c8a00470f1ff4ebffe621940d8ce53ea3d4ed

SHA256
852e2dfd194fea9c32bfc822602106fd0b6dc367e0ba4eb850b8f043e2cd85e5

SHA512
e2de57de26ca71265a757e7355437b8866dab0e9df18fa2018f30920c8ca1ce15163409918d493f458e623e62f6c6ba46d2dc599277e3326807eefab03ebf50f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19b8a7e2cffec501c3cdf505141d7cca

SHA1
926db0e0bfcda55814dc72d27c4be3b7396a79a0

SHA256
7eddbfffbc588b47a5e49d23e6fe9a54941802e5bc310137944823af3c76162d

SHA512
fbdcd69222afbd52bae2dc3619cc67d4bd7bf98f457a389c09d97251d96d055bcd115d5dff461fe68a9869b0852cae730fcc4487d4c9c40f04c356f05525d46a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13b16c0b94de294336e50b16254f9640

SHA1
11527646336a3587a65b47ce475a4f11738ce168

SHA256
249d282349336025945ec6f2c50a77faaec8c07f91bbbe5dc7bc489a367de3db

SHA512
70ad31fe1938d44270c6c4d65f976bd399f4e6432cae5c5e02d65319c44e8e887a9422a271d6d0550ef7f1161a9ca2ba5fef645316f9afd93ea9fcbddab4cf59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bf9f440e1fbc85867fe039a416099e3

SHA1
5e7185346350042b5ccbc2f38012f4a01e8767b4

SHA256
7231289406f3ab2198e96fed7cb14b14dff1d38b3c175ccb8d3c862170dfe624

SHA512
eef9c82ee3d562d3a5574a29a4e17f60966694b1ff7434d2356e7b9e8cee04f3db292467ed532ac49cc92d2c93bf67058751f7eb1fc64ef40486879b267ca7a4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eccc101eb16d0ff8dfa48afacdc62311

SHA1
313ad97c4575ad8b2df43e26bb6c91d02580477d

SHA256
d3ea6b3cbf58c0ceff72ab8dffac7de9ce1882116375839f749c8825f250b04c

SHA512
7cc3d81f1c7d0b0ae9f3e8816e7bc3c1ebe238cbc958f4380a4113ef003fd99e2ff7936accc69b7ecfa83eb39017efcf3c3a8336de58772f675c0de86b840843

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec7ac6138436bf340a665018b329dd82

SHA1
7b93d50b766211b15871980ccc251d1aa8998696

SHA256
0131b233be41ae37dcc06c8018d5f6e8e7c6928e8ff13055ef5917b0e7310d28

SHA512
d90e103641b251156d49254634998837410dedab9f7f1d849a51ca1fcd6b128bed64a01a99f2a2e65085ca31611ab78f18466fbaebe042fedc867f50088039d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat

Filesize
198B

MD5
291f23a7f09657e1507b500d1e4999fd

SHA1
90475af9bd7d481938b003b45b9112623744dcce

SHA256
949cf2028066cb53bd1aa4cfd81985a4a55816468f72fb1b7aa39195cda2f098

SHA512
925fbaa33d6883135830d0c9ceb3b5a26ccb19dcac9e538104360b37f21852de31254f1827a6806ec480cf944ef0e592ec4aa75ce76e50c8d7aa9ffb6b9e35a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Bw8qtkvcA.bat

Filesize
198B

MD5
e438d739e71d68c07e59519918ecdd9b

SHA1
aa658e79a7cfbbe76dba75f2bcaf5491a1d553e0

SHA256
54687d4263929d082f96266a45c8b0c495a47b7d4a45dca5622186eba310eccf

SHA512
3fa8e1fa0ff311e9cc78d67ec7098d826112d7cf8d1994029d01183f089bbd59369d9ee50a12b3c1aff506be246f76f575649597ac28da3097c72866eeacd29a

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
198B

MD5
5242c41cda72d576e9b97a7597a4acb2

SHA1
1b590ec2b092aad1502c006402e5f4c5d033d050

SHA256
b4a53c3201ed55ee49a1cff9b011bed873bf785705e0ebd600d6a15de6e0b351

SHA512
1050e4bfdedeceea3cb217821ea8bd7c80d05ec6b1c33a989351d1c39a6eb83c41f0fe1f46583bf6fa80e6a26461532907020062125157dde127f288e9c66d62

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7FqYE3ffF.bat

Filesize
198B

MD5
6dd5bccfa1009731e7813718b41c0fef

SHA1
4994704a4cf17e372338927e948d4bdda1798f65

SHA256
fd4d13c84d30864f588d4206f8c928b0fd354fd8818c52c2336bbadf9c1c0991

SHA512
f39fc039c4f7d38ab856906ddd4bbc5c71e8f425eb1d1f9f763303607d25bcbd1440456f51d3b713c47eb3480890643da55188ebbea0d6f3af31be2ddb58657a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB186.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB1A8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UJpHfzfs2i.bat

Filesize
198B

MD5
b480b87ba4974879d6fea48db1344639

SHA1
dbe290660149bf7507399c3c216e3c74831a5358

SHA256
687a3e180dc43513bd1d626c6d35657aeb13b015e7df11b27cb1ffc89fdbdbe2

SHA512
47e3ac3742cf13c55214e426fe9e6eeac3f09da1f875a4a49ab3a21a0823e974560cf1a799f3f0a117800556f67edcae1040c9d4335424d2941e952723fd8189

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
198B

MD5
2be12b27e30b0a734fc3282598589491

SHA1
8ead3ff0b1ef699a455812b3b448d9d06c347348

SHA256
39989d79b2010523cb814da14b1da25cc4b0d8b4c5d89dfdd67e5538026ba791

SHA512
f4ce75c78c920093985dd6da3ce90124405888698393bbcc0e5c4c9dac73cd261809c08f7719b5bae3c30a77135c25173fa4c61694ba2063d28d13acbaea871e

Download Submit
C:\Users\Admin\AppData\Local\Temp\rmFq19iy8Y.bat

Filesize
198B

MD5
e015967c789baf5d50b268ef7df39bac

SHA1
d4e62425499e443521ea734c1e2cc61c1fcc5703

SHA256
5d5b1e6dbd907ae480895abb79c74325ba29ad7225246dfc4494b8a5c00e1685

SHA512
1f317dd8c764d227785b2a984a273f87dc9cf4147f4fbcb0aa3f687dbeac8eaff52ba6024c65a96f9ab39f341125494e3027c00d4704099cbe83f9e6a4d67b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
198B

MD5
4ff27a99ae4f2e06715f8285b0043ee3

SHA1
ef2724257e6a9f72d3579d541a3948d8fc206544

SHA256
8477e11343d7118e735825ef4f7e9456bfb556569ce0c6c951bf8be7622ed836

SHA512
2bf1376be43df311259146042f3869d01fadf0ff6c45e1096d0e4c502b443279c9efa77f2e9900ecdd203a0cc12e30497875d7fe6527c763d5dc7317299c507b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
198B

MD5
1cea13f08e9d52af8b41d35d53434e64

SHA1
f07f0423d3e7d60bc25a2fec778b0979f2817275

SHA256
5dad4fb8211fe234af9884a42918a69b9a63e011226feb1d519dc972e8a62bdf

SHA512
cb2293da5d3666410d66e926e87f2b4c70304879f73031001a5a9cd2648db8b73b9e1cd7eb3d10e21498574e877ca1108bc486722e0a9ca095b39f0024cdb3ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat

Filesize
198B

MD5
5ce56fd7fabe988101cf09c795e34c3f

SHA1
6141c597cad359324659f3411b3677a73172490b

SHA256
0b37bdbd4aefcf5f15ba14e8233eeb78261520ac38517233809385247cd0861d

SHA512
faf8724ea3ea6dccf0a054e1e1c8446a86d9dffce452008bb7bd33489ce993ae76cf4c28edc278990a645156b7470bda4b17ad01c504f98c8268cfaa95f53be9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
84533a588d24fc5a5961835b12708a19

SHA1
b7b003fbdad2f2da3e480061102c8f3712b70ff7

SHA256
8941ffb5756b8f2c007204fba2e9aba3f6ba882a47b9089448f8b67cf4122266

SHA512
28802c03277fd68f7a7d75209ec17db89827f87c36d7c0ba74fec5cc675c24d02a583a178389dd5d7a77f7480474e6a80d44e14e72432a591036be95b3821038

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/316-579-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/552-101-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/584-221-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1148-55-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/1440-282-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1440-281-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/1712-161-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1712-160-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/1900-57-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2188-342-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2360-639-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2752-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2752-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2752-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2752-13-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download