dcrat | c7414c4ed010f356d7a78fdb8ee1bcbf7d715b155765534d4371462d9b9c6b28

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c7414c4ed010f356d7a78fdb8ee1bcbf7d715b155765534d4371462d9b9c6b28.exe
Size

1.3MB
MD5

46a162aa551b9645033f129e70053936
SHA1

364ad4d06363b5eec92f67b813fa5bec36c91cbb
SHA256

c7414c4ed010f356d7a78fdb8ee1bcbf7d715b155765534d4371462d9b9c6b28
SHA512

acdab4b1452d8852ea84e8b11968ad4356bd7daf2ad10cb38ee522e199e8796a66ca010b5e141f8b0977e806e8758caf52595f9b5091398b526c33c979d10058
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2584	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d0b-9.dat	dcrat
behavioral1/memory/1488-13-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2840-84-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2408-143-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/1756-262-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat
behavioral1/memory/536-500-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2000-560-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
772	powershell.exe
2676	powershell.exe
1944	powershell.exe
1832	powershell.exe
1828	powershell.exe
712	powershell.exe
2220	powershell.exe
2456	powershell.exe
1732	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1488	DllCommonsvc.exe
2840	smss.exe
2408	smss.exe
2944	smss.exe
1756	smss.exe
2628	smss.exe
2212	smss.exe
2636	smss.exe
536	smss.exe
2000	smss.exe
964	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	cmd.exe
2668	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\SIGNUP\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c7414c4ed010f356d7a78fdb8ee1bcbf7d715b155765534d4371462d9b9c6b28.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1764	schtasks.exe
1152	schtasks.exe
2128	schtasks.exe
2876	schtasks.exe
2608	schtasks.exe
2740	schtasks.exe
2576	schtasks.exe
1020	schtasks.exe
1936	schtasks.exe
1428	schtasks.exe
1420	schtasks.exe
2616	schtasks.exe
2768	schtasks.exe
2240	schtasks.exe
2292	schtasks.exe
1700	schtasks.exe
2480	schtasks.exe
840	schtasks.exe
2116	schtasks.exe
2844	schtasks.exe
1836	schtasks.exe
1940	schtasks.exe
372	schtasks.exe
2696	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
1488	DllCommonsvc.exe
1488	DllCommonsvc.exe
1488	DllCommonsvc.exe
1488	DllCommonsvc.exe
1488	DllCommonsvc.exe
1732	powershell.exe
1828	powershell.exe
712	powershell.exe
2676	powershell.exe
2456	powershell.exe
1832	powershell.exe
1944	powershell.exe
772	powershell.exe
2220	powershell.exe
2840	smss.exe
2408	smss.exe
2944	smss.exe
1756	smss.exe
2628	smss.exe
2212	smss.exe
2636	smss.exe
536	smss.exe
2000	smss.exe
964	smss.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	DllCommonsvc.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	2456	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	1944	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2840	smss.exe
Token: SeDebugPrivilege	2408	smss.exe
Token: SeDebugPrivilege	2944	smss.exe
Token: SeDebugPrivilege	1756	smss.exe
Token: SeDebugPrivilege	2628	smss.exe
Token: SeDebugPrivilege	2212	smss.exe
Token: SeDebugPrivilege	2636	smss.exe
Token: SeDebugPrivilege	536	smss.exe
Token: SeDebugPrivilege	2000	smss.exe
Token: SeDebugPrivilege	964	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_c7414c4ed010f356d7a78fdb8ee1bcbf7d715b155765534d4371462d9b9c6b28.exe	30
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_c7414c4ed010f356d7a78fdb8ee1bcbf7d715b155765534d4371462d9b9c6b28.exe	30
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_c7414c4ed010f356d7a78fdb8ee1bcbf7d715b155765534d4371462d9b9c6b28.exe	30
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_c7414c4ed010f356d7a78fdb8ee1bcbf7d715b155765534d4371462d9b9c6b28.exe	30
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 1488 wrote to memory of 2220	1488	DllCommonsvc.exe	59
PID 1488 wrote to memory of 2220	1488	DllCommonsvc.exe	59
PID 1488 wrote to memory of 2220	1488	DllCommonsvc.exe	59
PID 1488 wrote to memory of 772	1488	DllCommonsvc.exe	60
PID 1488 wrote to memory of 772	1488	DllCommonsvc.exe	60
PID 1488 wrote to memory of 772	1488	DllCommonsvc.exe	60
PID 1488 wrote to memory of 2676	1488	DllCommonsvc.exe	62
PID 1488 wrote to memory of 2676	1488	DllCommonsvc.exe	62
PID 1488 wrote to memory of 2676	1488	DllCommonsvc.exe	62
PID 1488 wrote to memory of 2456	1488	DllCommonsvc.exe	63
PID 1488 wrote to memory of 2456	1488	DllCommonsvc.exe	63
PID 1488 wrote to memory of 2456	1488	DllCommonsvc.exe	63
PID 1488 wrote to memory of 712	1488	DllCommonsvc.exe	65
PID 1488 wrote to memory of 712	1488	DllCommonsvc.exe	65
PID 1488 wrote to memory of 712	1488	DllCommonsvc.exe	65
PID 1488 wrote to memory of 1828	1488	DllCommonsvc.exe	67
PID 1488 wrote to memory of 1828	1488	DllCommonsvc.exe	67
PID 1488 wrote to memory of 1828	1488	DllCommonsvc.exe	67
PID 1488 wrote to memory of 1832	1488	DllCommonsvc.exe	68
PID 1488 wrote to memory of 1832	1488	DllCommonsvc.exe	68
PID 1488 wrote to memory of 1832	1488	DllCommonsvc.exe	68
PID 1488 wrote to memory of 1944	1488	DllCommonsvc.exe	69
PID 1488 wrote to memory of 1944	1488	DllCommonsvc.exe	69
PID 1488 wrote to memory of 1944	1488	DllCommonsvc.exe	69
PID 1488 wrote to memory of 1732	1488	DllCommonsvc.exe	70
PID 1488 wrote to memory of 1732	1488	DllCommonsvc.exe	70
PID 1488 wrote to memory of 1732	1488	DllCommonsvc.exe	70
PID 1488 wrote to memory of 1204	1488	DllCommonsvc.exe	77
PID 1488 wrote to memory of 1204	1488	DllCommonsvc.exe	77
PID 1488 wrote to memory of 1204	1488	DllCommonsvc.exe	77
PID 1204 wrote to memory of 1604	1204	cmd.exe	79
PID 1204 wrote to memory of 1604	1204	cmd.exe	79
PID 1204 wrote to memory of 1604	1204	cmd.exe	79
PID 1204 wrote to memory of 2840	1204	cmd.exe	80
PID 1204 wrote to memory of 2840	1204	cmd.exe	80
PID 1204 wrote to memory of 2840	1204	cmd.exe	80
PID 2840 wrote to memory of 1852	2840	smss.exe	82
PID 2840 wrote to memory of 1852	2840	smss.exe	82
PID 2840 wrote to memory of 1852	2840	smss.exe	82
PID 1852 wrote to memory of 1536	1852	cmd.exe	84
PID 1852 wrote to memory of 1536	1852	cmd.exe	84
PID 1852 wrote to memory of 1536	1852	cmd.exe	84
PID 1852 wrote to memory of 2408	1852	cmd.exe	85
PID 1852 wrote to memory of 2408	1852	cmd.exe	85
PID 1852 wrote to memory of 2408	1852	cmd.exe	85
PID 2408 wrote to memory of 1976	2408	smss.exe	86
PID 2408 wrote to memory of 1976	2408	smss.exe	86
PID 2408 wrote to memory of 1976	2408	smss.exe	86
PID 1976 wrote to memory of 2672	1976	cmd.exe	88
PID 1976 wrote to memory of 2672	1976	cmd.exe	88
PID 1976 wrote to memory of 2672	1976	cmd.exe	88
PID 1976 wrote to memory of 2944	1976	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7414c4ed010f356d7a78fdb8ee1bcbf7d715b155765534d4371462d9b9c6b28.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7414c4ed010f356d7a78fdb8ee1bcbf7d715b155765534d4371462d9b9c6b28.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VSjxgpKhh7.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1204
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1604
      - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1536
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2672
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat"
        11⤵
        
        PID:2920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1944
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
        13⤵
        
        PID:1172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2652
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat"
        15⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1680
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat"
        17⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2240
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat"
        19⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:316
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        21⤵
        
        PID:860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2976
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
        23⤵
        
        PID:408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:988
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat"
        25⤵
        
        PID:1844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Pictures\Sample Pictures\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
052100068ce96ef285bad4d966e57738

SHA1
abe582a4cc884fd83267874e6a16956e5f8917c1

SHA256
9a652d1555a7771f285434be9df9dc469735475a0150b247db77cfa480b5c111

SHA512
bf8f33c6cde91575ac984e2433930b35058bb056b9ae2c2b1ebf021b4588ef1537ed9a40f8ec2618f1805fcd2317ff4e345bcb8e280f98085079a23c9ca05ad2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2081cad75eca3a89b8f1f39fe8251770

SHA1
d279524737c8565b9c488b996260a2f4f6bd6e84

SHA256
24fdc5a78d5a2a4d33f0fa92cacf37087573f16e3549c87597c9fa7860e66edf

SHA512
3203a6abd61f5cbb2e0095bc9cbc9bde2b4eccb55e5e82e7cb9d4b1c5ef3da2a6689d9a380a9db941c6268d0460c61ead0030658c26b1eb509d896633a06851b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5538998a284046ac2569d4a1e9bea085

SHA1
baddd79e91dfa8ee36ed12164493457e4e05cb2b

SHA256
59036ffa8f47db57ef6b423d939891833d4c1259714974241b79e3b94f8c9574

SHA512
6005e502beb21062eb882dec3bc3b5eb57d1b04aac87ffe897bbe72735df5a80a1c8e51a74d360a79a3330e635c669257f41c534dbeca631e7f618a73886f34a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4132205fcb3907854c6c5021a2f37281

SHA1
45eb15c5f35ab0b973cbf001df7b829109f1bfad

SHA256
d283ce4e8bc89f04e3bdf3d0b0b556d8e71a129817b2fa73ace9a0c525d1240b

SHA512
c32270f7b9818eea3c3fd078a79c72df81ccdd2d8ef0b01857bf300569bb441158c6476e745a9d984bb5cc69ed46fcbc6b38d506e0a2083f72b52a5695ce42d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7ac909c9acf317b20e348460589ce8d

SHA1
43c396cc85ccd368c5f82a602af4561315be3613

SHA256
65095e04350703c1d16ca4a80f111f97acda0f6ee46ab245427fd37e44908747

SHA512
40f0d363d8f693c08d549b4ef9772099000019341e941f358dcdcf9804ac22f50569436ee44e4501ca54caac36d92b58212ffd7cb8fb43c3d57e118e30e2a051

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a356da88d71a0a7e2d209189c3b8bc50

SHA1
05d6069678e2a30683b1e75f3ef369c182056312

SHA256
2cbd6905ae5aa25f9695b013f84bfcd2628fe195a78b018ea465118af88677bd

SHA512
323b53c892088410990a4a595e87ae8ec78ef72ac99bbd502fa5029c4186f6017c59691fda1771498d9c5c1df045aee43d0f518c79643418c7fb5db9dfb696c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d2d3ecb9ee276c10d1650adcec5a79ce

SHA1
cc8aae056655e635f122f1674500e59046ee484c

SHA256
d2c592dddbbb51ba5253f6ac1d34cac66cb4d5237e7291647e98acff74788b34

SHA512
07b4470772c939a023286b7f59dfbfe0df727608a61b824ce7ff811af50b94c1b5078221c04a734184889e4cc4e583e5c7fba882b8d5fe4dedd7c39064531545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6c9a73c25a0916a012aaee6911aa7c5

SHA1
d36142e6e0c28c9fa74b90ad877ea075529c6fc9

SHA256
6ad2a035b546ac79c332c85bb76ddc96e04cefc7cb1e2bd870a1d2f14554aa20

SHA512
78c28b4f9855019a627d5a2d2ecadba30ff179cf2d09f0bddcd8123bd976e5ef02439fd9668924a2480124a915d2360050f46664ce9c0d33ebc1d0a3f13805fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff638cf9b876e16112609119ecdf6349

SHA1
fab7fc9440b74246851f1e75aa10fd4f67eeef1b

SHA256
ac2693b5b020abc799508e5c8706efc6f442645c2e30cdf31fdd44d542d325ec

SHA512
7f0c71dc1c8db260abc54ba1fa5d3170541d38bae2384919c31ac673762a9ea544d38cea4bb68b72385c8450225a538d72626eada3a1afdc835a47887d1d40cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

Filesize
236B

MD5
6486cb4f6d6b7f4a2b275251501a9e19

SHA1
f085bcf3009264fae81945bb8fbde265954a201d

SHA256
f6e60f877b9f30977db44168f279a8a4b6ebfabceaf0ab7672d76d234072f92a

SHA512
1a042c471ecb9e3de971b0a3864a9c340e83ebc97cfe4c5f3b60635a421104104e32d18357886ecb7e0427cd0156dc1f09c7d091b3db80d254b22cd6c3733dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCFA0.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\E3sOpJujjE.bat

Filesize
236B

MD5
3b82801563513e0a549bf429921f3f5b

SHA1
fa09636696f46711c2f9fef81e4c3ff1aba3f630

SHA256
9371c2af07e6bafd5a4f87855bd34f0cd7c29b7096b7101a53eb72d8d1d8f154

SHA512
c988ea370a77dbeb67122f7be2ae3fe2127030bf8c0b316bea0cb5d0d84f21e18c64ddaa2d2c604504918c80441b4658e6503c0c1cb18300315713d7583a4fa7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
236B

MD5
5631ad1b538b3b2d951f661a85e1c8a7

SHA1
4bdd9fe1e3f4c5cac3568a32cdb600e46b898623

SHA256
0bcaee7acef80690dabcb0163550e3c6605d6c4a90e325008f3606eec327359f

SHA512
e773b7b78110b922bda26f123112fe8b1bf08ee659a69b0e1b481b9e6da9579a54a70c6420dc802990a3d466a18b5212a851d645e2249a8b0e19e5e410a78bd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\R8cJcUuQgj.bat

Filesize
236B

MD5
75b696a9862acf9f2517fd5250e3a7c0

SHA1
b5b09d98f1de617ff11b76df31256f4c14e71e91

SHA256
6f4f5c2e9e05fb83bca18b893c20e19155e133c8cb214da6fec2c01186ab2485

SHA512
31fefc3718af128e0925973505f43684c4e3e347041ed66dcce355395f11e151f38ea752b829cdc639635e9ce583005e89e57444ea96a5710e221b3c6b5ec94a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCFC2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
236B

MD5
8e0ae636ace0816a1038b3f25773a7f6

SHA1
2135728e3d9dcc5ed1018332485e102caac97c7b

SHA256
05929fb1b99bfaf34f69cbf5f1f5231258a92903135f09b22ebaaac96a7c69fd

SHA512
c4420877acd53446d084e8beecc75e945b5abebb965557420fcc48f860d0c932190848b1fdafe82dc66b54aff32527b6d28156713bef37774964a13bf47ea77e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VSjxgpKhh7.bat

Filesize
236B

MD5
bd63e1762cd099f52b9f7208433069b8

SHA1
2852cc9c9e328318b3a5e770f5623f3a2404be0d

SHA256
d5c0406bf37b147d3641659a29f9f740affbcef3026704d3ccadd1ae37cb21d6

SHA512
e4324b14b4535b1dd0ab67b3ed3bd578e5f0404443c1a29e92c3520f937f0fd707b05ff5da615ea595c75023b350f4b6f18ae3452d063ee350958b9080435e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
236B

MD5
ebd92c2b33a1ae69d35682df8f56def9

SHA1
f9e9aa3725b3224d2c406475adf7bdc0a19cf984

SHA256
0d1f1ec4d4f1e95004422b86755ea1bcce1e8d6ba4e9b3e9d6c02343196eadd8

SHA512
afc9c88f4abcc50142027343eb4524e48a7196726e18cccc61ac1f745cc1d27adbd60ad61cfcf7076fd599ae5bd3c8233d01ab714ccd6b40732689b4594bf182

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

Filesize
236B

MD5
1792f8be43726dbd006802b96cdcfa6f

SHA1
9a140d8eeb905fff8067c431c5974b32f28a16a2

SHA256
fe387f4478a88d35741024abbd5340aaead161cff5f6b2147d200f48b3ad6f62

SHA512
61241fcdc8f2415093efa24d7182e049d7a96daa1406b408f055a890f1f68f4ae6b8acb545eb0249f4890f98d477c5e7519a4e17bd140d0c241b9f58ee08ece5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bkUsYtfOrG.bat

Filesize
236B

MD5
91e140f2bc960f8aae85fef2bcd196e0

SHA1
caf42c2dbd257aede8979ba7cb157918217212a3

SHA256
20fca4012a7b6e8da72404a8829dfd2bffbe88d37423b2dc3ad2e2658b1aff59

SHA512
27607dd4263d35ba3f87c5fdf641ad8b90f945f86cfd2c42850e3e2dbf1ccf5b81c528f6dcfacc79a13c6fd8d4d8f308dda44beef2a0d818f63282fad81f1dde

Download Submit
C:\Users\Admin\AppData\Local\Temp\cxnNEsMM51.bat

Filesize
236B

MD5
c7934cb028b01531c75246e9614e6955

SHA1
e4c10de7debe6ed0a37a13314046912858f9f712

SHA256
c64d7cb18ef4cf8c8db8567f4ee3f375b89e224d1350960e68bb70d1f07628f7

SHA512
d488b899c9b1e08b3fae287a1647269c9a5cf6b4eb11afb150090b23580db787370d2dd2a1acd8ac5bd611844c54c6a06a4d33a4b159f85c05f0bb6ce03da822

Download Submit
C:\Users\Admin\AppData\Local\Temp\kyAhxuXJBD.bat

Filesize
236B

MD5
9cff29f1ac0fb0a599d897c7ae4abee7

SHA1
932c24c2d5b4f1e1b83d023ab7fd6051e10663c0

SHA256
c8884a0bb9b8eb96cb23207ab000a2667bcb315391ca8fad292e86ddebdd3213

SHA512
8a91a6717f62245dd7b91393b40b9720cacbf418f1fe7b414a368bbc4711e925b65b175636d93fbabaf203e9f2b41f189ff7ffca3482dd9dcbc8f07421a7f11d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3eeef9ee4a2f24c32e0fa0b998c0cde0

SHA1
efa013c070e1d5bd0b08aac9f64de09ba17d6aa1

SHA256
378ebc4261b7f9b564a2a283df0d2cfebfe85a1077eedfa2e2bfd402eadf0c29

SHA512
0020b9112659d5b484bfe67a8ad2dee471a773d16d73421d0b9c1e404d92e080cdd5844fb7a30eeb5fabc9ccc91f6d66d4d3756fb3e0ec58f88a36665eadf35a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/536-500-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/712-54-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/1488-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1488-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/1488-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/1488-15-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/1488-13-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/1732-60-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1756-263-0x00000000006A0000-0x00000000006B2000-memory.dmp

Filesize
72KB

Download
memory/1756-262-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/2000-560-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/2408-143-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/2840-84-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download