dcrat | 0e977271c6aff2bc690cc8ad1eaa8250471fe24948ab291a0f8077662718010a

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0e977271c6aff2bc690cc8ad1eaa8250471fe24948ab291a0f8077662718010a.exe
Size

1.3MB
MD5

a4048a502f9de5c7d7cd02716b2af1ec
SHA1

2037276489cf18ce7a38b2c2db7c79435d46a872
SHA256

0e977271c6aff2bc690cc8ad1eaa8250471fe24948ab291a0f8077662718010a
SHA512

4e2303012f313761176214f956bb198a0291f827aa7c8b6d2678b1540be7c611fb8fbdcfccba5fa5f8321c1ae88cfdb8346cdc0b8e40adc5970aa55b76d09027
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1368	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2612	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2612	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000017079-11.dat	dcrat
behavioral1/memory/2052-13-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/664-44-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2808-159-0x0000000000820000-0x0000000000930000-memory.dmp	dcrat
behavioral1/memory/380-219-0x0000000001120000-0x0000000001230000-memory.dmp	dcrat
behavioral1/memory/2092-399-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2152-459-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/2572-579-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/2696-639-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/2952-700-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1228	powershell.exe
2432	powershell.exe
1640	powershell.exe
2448	powershell.exe
760	powershell.exe
2496	powershell.exe
640	powershell.exe
2200	powershell.exe
1740	powershell.exe
1864	powershell.exe
1716	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2052	DllCommonsvc.exe
664	WmiPrvSE.exe
2808	WmiPrvSE.exe
380	WmiPrvSE.exe
2460	WmiPrvSE.exe
1588	WmiPrvSE.exe
2092	WmiPrvSE.exe
2152	WmiPrvSE.exe
2432	WmiPrvSE.exe
2572	WmiPrvSE.exe
2696	WmiPrvSE.exe
2952	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2384	cmd.exe
2384	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\scheduled\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e977271c6aff2bc690cc8ad1eaa8250471fe24948ab291a0f8077662718010a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1996	schtasks.exe
2148	schtasks.exe
1580	schtasks.exe
1700	schtasks.exe
1792	schtasks.exe
3004	schtasks.exe
1096	schtasks.exe
2276	schtasks.exe
1760	schtasks.exe
1444	schtasks.exe
1480	schtasks.exe
1112	schtasks.exe
2316	schtasks.exe
1368	schtasks.exe
1424	schtasks.exe
2760	schtasks.exe
1720	schtasks.exe
1960	schtasks.exe
2020	schtasks.exe
2608	schtasks.exe
2404	schtasks.exe
2732	schtasks.exe
308	schtasks.exe
2044	schtasks.exe
2028	schtasks.exe
1712	schtasks.exe
1708	schtasks.exe
1936	schtasks.exe
2320	schtasks.exe
1604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2052	DllCommonsvc.exe
2052	DllCommonsvc.exe
2052	DllCommonsvc.exe
1640	powershell.exe
2448	powershell.exe
1740	powershell.exe
1864	powershell.exe
640	powershell.exe
2496	powershell.exe
760	powershell.exe
2200	powershell.exe
664	WmiPrvSE.exe
1716	powershell.exe
1228	powershell.exe
2432	powershell.exe
2808	WmiPrvSE.exe
380	WmiPrvSE.exe
2460	WmiPrvSE.exe
1588	WmiPrvSE.exe
2092	WmiPrvSE.exe
2152	WmiPrvSE.exe
2432	WmiPrvSE.exe
2572	WmiPrvSE.exe
2696	WmiPrvSE.exe
2952	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2052	DllCommonsvc.exe
Token: SeDebugPrivilege	664	WmiPrvSE.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2808	WmiPrvSE.exe
Token: SeDebugPrivilege	380	WmiPrvSE.exe
Token: SeDebugPrivilege	2460	WmiPrvSE.exe
Token: SeDebugPrivilege	1588	WmiPrvSE.exe
Token: SeDebugPrivilege	2092	WmiPrvSE.exe
Token: SeDebugPrivilege	2152	WmiPrvSE.exe
Token: SeDebugPrivilege	2432	WmiPrvSE.exe
Token: SeDebugPrivilege	2572	WmiPrvSE.exe
Token: SeDebugPrivilege	2696	WmiPrvSE.exe
Token: SeDebugPrivilege	2952	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 2820	2232	JaffaCakes118_0e977271c6aff2bc690cc8ad1eaa8250471fe24948ab291a0f8077662718010a.exe	30
PID 2232 wrote to memory of 2820	2232	JaffaCakes118_0e977271c6aff2bc690cc8ad1eaa8250471fe24948ab291a0f8077662718010a.exe	30
PID 2232 wrote to memory of 2820	2232	JaffaCakes118_0e977271c6aff2bc690cc8ad1eaa8250471fe24948ab291a0f8077662718010a.exe	30
PID 2232 wrote to memory of 2820	2232	JaffaCakes118_0e977271c6aff2bc690cc8ad1eaa8250471fe24948ab291a0f8077662718010a.exe	30
PID 2820 wrote to memory of 2384	2820	WScript.exe	31
PID 2820 wrote to memory of 2384	2820	WScript.exe	31
PID 2820 wrote to memory of 2384	2820	WScript.exe	31
PID 2820 wrote to memory of 2384	2820	WScript.exe	31
PID 2384 wrote to memory of 2052	2384	cmd.exe	33
PID 2384 wrote to memory of 2052	2384	cmd.exe	33
PID 2384 wrote to memory of 2052	2384	cmd.exe	33
PID 2384 wrote to memory of 2052	2384	cmd.exe	33
PID 2052 wrote to memory of 2448	2052	DllCommonsvc.exe	65
PID 2052 wrote to memory of 2448	2052	DllCommonsvc.exe	65
PID 2052 wrote to memory of 2448	2052	DllCommonsvc.exe	65
PID 2052 wrote to memory of 1716	2052	DllCommonsvc.exe	66
PID 2052 wrote to memory of 1716	2052	DllCommonsvc.exe	66
PID 2052 wrote to memory of 1716	2052	DllCommonsvc.exe	66
PID 2052 wrote to memory of 1864	2052	DllCommonsvc.exe	67
PID 2052 wrote to memory of 1864	2052	DllCommonsvc.exe	67
PID 2052 wrote to memory of 1864	2052	DllCommonsvc.exe	67
PID 2052 wrote to memory of 2432	2052	DllCommonsvc.exe	68
PID 2052 wrote to memory of 2432	2052	DllCommonsvc.exe	68
PID 2052 wrote to memory of 2432	2052	DllCommonsvc.exe	68
PID 2052 wrote to memory of 1640	2052	DllCommonsvc.exe	69
PID 2052 wrote to memory of 1640	2052	DllCommonsvc.exe	69
PID 2052 wrote to memory of 1640	2052	DllCommonsvc.exe	69
PID 2052 wrote to memory of 760	2052	DllCommonsvc.exe	70
PID 2052 wrote to memory of 760	2052	DllCommonsvc.exe	70
PID 2052 wrote to memory of 760	2052	DllCommonsvc.exe	70
PID 2052 wrote to memory of 2496	2052	DllCommonsvc.exe	71
PID 2052 wrote to memory of 2496	2052	DllCommonsvc.exe	71
PID 2052 wrote to memory of 2496	2052	DllCommonsvc.exe	71
PID 2052 wrote to memory of 640	2052	DllCommonsvc.exe	72
PID 2052 wrote to memory of 640	2052	DllCommonsvc.exe	72
PID 2052 wrote to memory of 640	2052	DllCommonsvc.exe	72
PID 2052 wrote to memory of 2200	2052	DllCommonsvc.exe	73
PID 2052 wrote to memory of 2200	2052	DllCommonsvc.exe	73
PID 2052 wrote to memory of 2200	2052	DllCommonsvc.exe	73
PID 2052 wrote to memory of 1228	2052	DllCommonsvc.exe	74
PID 2052 wrote to memory of 1228	2052	DllCommonsvc.exe	74
PID 2052 wrote to memory of 1228	2052	DllCommonsvc.exe	74
PID 2052 wrote to memory of 1740	2052	DllCommonsvc.exe	75
PID 2052 wrote to memory of 1740	2052	DllCommonsvc.exe	75
PID 2052 wrote to memory of 1740	2052	DllCommonsvc.exe	75
PID 2052 wrote to memory of 664	2052	DllCommonsvc.exe	87
PID 2052 wrote to memory of 664	2052	DllCommonsvc.exe	87
PID 2052 wrote to memory of 664	2052	DllCommonsvc.exe	87
PID 664 wrote to memory of 1924	664	WmiPrvSE.exe	88
PID 664 wrote to memory of 1924	664	WmiPrvSE.exe	88
PID 664 wrote to memory of 1924	664	WmiPrvSE.exe	88
PID 1924 wrote to memory of 2872	1924	cmd.exe	90
PID 1924 wrote to memory of 2872	1924	cmd.exe	90
PID 1924 wrote to memory of 2872	1924	cmd.exe	90
PID 1924 wrote to memory of 2808	1924	cmd.exe	91
PID 1924 wrote to memory of 2808	1924	cmd.exe	91
PID 1924 wrote to memory of 2808	1924	cmd.exe	91
PID 2808 wrote to memory of 1724	2808	WmiPrvSE.exe	92
PID 2808 wrote to memory of 1724	2808	WmiPrvSE.exe	92
PID 2808 wrote to memory of 1724	2808	WmiPrvSE.exe	92
PID 1724 wrote to memory of 2868	1724	cmd.exe	94
PID 1724 wrote to memory of 2868	1724	cmd.exe	94
PID 1724 wrote to memory of 2868	1724	cmd.exe	94
PID 1724 wrote to memory of 380	1724	cmd.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e977271c6aff2bc690cc8ad1eaa8250471fe24948ab291a0f8077662718010a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e977271c6aff2bc690cc8ad1eaa8250471fe24948ab291a0f8077662718010a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2384
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:664
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2872
        
        C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2868
        
        C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
        10⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:848
        
        C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat"
        12⤵
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2144
        
        C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        14⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1240
        
        C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
        16⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3064
        
        C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
        18⤵
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1688
        
        C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
        20⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2836
        
        C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat"
        22⤵
        
        PID:1280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2368
        
        C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
        24⤵
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1732
        
        C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22bf41e16e1f488acaa8e3c5b2d17c9e

SHA1
8035db1b3ab2f3dc796ae04c273c7169d9ec36ad

SHA256
f6b5cfdc047b9b93b98dd95c5958df63bd6b6aedf271a40c9c35b99c8de12c76

SHA512
1439aae404a5e51d3abf176223f254db41d7c328e6235a2219c23c789e4ac934a29508de4abc437c4c39fa8579319bd455e3008acc6ba814064c7cf5593e7fb0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
52767d191cdc181e7f3a150ca5bdef94

SHA1
8f05f4c8366129e1541043d954b6c53871209377

SHA256
b977a10dee8760280a7c3423314efda7629e58c35ea9892c6c9ef904e3030dc7

SHA512
362e173f952f52f00189061daf7f6c062f6870132912b30c21b253263056c3da2086b30d12710fb5f600ad3ed055f30838d7ae39e31b130bf72a609dc53ab5cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e25f2c2b367905d3a0400a1fe0f150c

SHA1
6458139a5c034f453a1228db7da9f16598ddbc56

SHA256
c513b779c300d16cd3e4641a915fb214936b6c08da6a3f63b1b989d48e1a1347

SHA512
cb4a57b564324fa55f34a1f2fa00b7d0743a3d213237e4dfcf2a1ac061d3bbeb71e601ed83c123b3d0f1f3341e02ba1f2a84d1d44ca52d412ba550d4a2241e82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a7788dfd7da1b064931e70352a7b2e1e

SHA1
6c622bf9c065d6f2e9cc411f68b2b8b77b93269e

SHA256
54aa5f324a9aca011f27b29f01743f3c5032b97f9477989dcf134e468b25b2d0

SHA512
776bc557efc4b2553c48105bde0f59d0bacb9c4edac160588a724823a9bdad1fc1db2c6b055c1d9d9848e54baf8be2a3a06d75d30ebf7a8acd511f456e0f329c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a9ae6271718c366026bee0c864cdd31

SHA1
d469d5d5b86c5c6044db98abbcb55a160055bc85

SHA256
962fae1d4a6cb3f3c13afec3bb4cf4ea31c76be998b82e8f3e1e3caa3aa67e93

SHA512
6c22f530fe6c6bb880bcb0e7e1859a23bccc2d08411586e1081a5860b6a5b0f2e74b30749a08949ffe2c2191c5e6770cad14b768c8335b87c6f96c91d21be616

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
11bdc32633d721de92d70aa98c0af6b1

SHA1
74452db4f2905a8a7c0ed16b2ef08cb6826f2ef8

SHA256
d66e634ed612dd148c1214ce696a99212fb231a2b258f2871dcfd38d54a908c5

SHA512
4b16960a968afef64b9bf4a60c16047eb1ece3f91840bea70367af20b060843261e979a9c8ab415365ca76252b59cb808de5688ee9d098fcea25b191de7ff57c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bb1bc6b84cc55d5e9229eeb7cdd3e08

SHA1
a9c4857efaa7a46f1528d3dae2d91865a70fb37d

SHA256
91c6e625734b1d6ba839ef9334209fa53f0b6919b8082751300062a7c65b2341

SHA512
b9ee84b93c6ad222332c9842e128706508d85b9a8bedac9808e0a111fcbb2e68b5a1901aadb6fcb969937899d307f097f2ee07a287b0aa1a3ce9697eca40ca15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4951eb2d4f0b84c3b67b2e2386fc85ed

SHA1
f05ec8f1b3c3b198e64d16de91e553127b469ad5

SHA256
08cb48699a753b842ce40a899111baa465aba63e4c9553764c514395c1fa8cfd

SHA512
cb5973693ae3f72a2dbbc0fce7f8a223fdf085ede977aa8cbb3949c95a7b30863aeff39c28eedc553a2b7170c1b12a8127b1bda4759243faf5ef385f51f58320

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48a5385ba865060e6749af4d5f8234d5

SHA1
19e73f20f4e5d92df85fd7726bce6777f5d31067

SHA256
c91c6ede5fd80812d2086118925c0e95a226165e6b367127791963ca4b2db246

SHA512
7e851cc08b106027b6ee6f5a87721ad9af9205bbfa1645995013aa585ace18692b1c5e82a5d1e79ac2e06d81b537d5cda3a058682d7948c42370db69e2da027a

Download Submit
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

Filesize
211B

MD5
194c30b9a7511c678eb9a275cd002762

SHA1
eaa49887076fc2c7fa1df3cc1acf65d72d7aa77c

SHA256
3c4441bc31e7664013c502bb26f6254157a4b3c77c72b18cecfe44d67fc2f8e6

SHA512
8eb3a982aab76341186afd09f8c94ae2da698853274860c1eb3b7c1bd221d9a5413ada17ec9114bf4cbf6284b7b6b4bffeb44edc30624ff5d65e05ee671228c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
211B

MD5
1922cf53ef8ab114d9f6c8c128ec3e48

SHA1
a35533c27ae61074c31e4cf1c66a2a4e3e038cfc

SHA256
cf665d5597e2315c2163054a912002a99e9642b9bdabc00963118ce336eec8b7

SHA512
35ecc4520060fabf94939b335355091fa772f94b17f8fac3eab649e5f15f06080106a681d43fdd986def7098b4b4ed5c1f45c9cac19b84e396f7f54dff939f0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2D98.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J6RTVEKunr.bat

Filesize
211B

MD5
c68bb2d12f733dac576c6ad555609720

SHA1
b89921e6775f893bdb93fb83036f1a65019a5f69

SHA256
e9cb30e0a0f835f657b06fe8b3879d770670440736ce7543d8008cd65c586654

SHA512
317396b8109dcf08cf7a09067e3c197f4ba2bdf9f83e9fae6634e6e32825d1921cf7b484baab4fd9b2756f326893efa37961a46788d600825935f780f7967024

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2DBA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Filesize
211B

MD5
460de82915357bcc30dba64fadd42c5d

SHA1
bc500da2deb00c8b8e2febd693bf8e18e1db8105

SHA256
79eedc28b7004e2f30020e7219b4f605600fe941524d45252606e6bdbdbac3ea

SHA512
292a4e88b6efd0af91895d6bbf6db7caf5aedcb31a64fce8b2707cc51f54039023c32dc7e4c2fd5d423652dce99fcf7eb5b54360427c1a39178de943ee3273e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eG7Plib0M1.bat

Filesize
211B

MD5
fab69b2b7f38233f759c7f29af918302

SHA1
55ac3a9d037a7f4074c0d74fb9182451759e2664

SHA256
3c564ebccf3b42f83193f934ddecd65150ee22d6694c6a954c9bdfc6a199aadb

SHA512
09380f313b3ac28f4c88e1bf6b43606be358cec1ae54ccac3696d2e7ee04d352ecc1071da58b4e491ee5c8ba699fb1f2027cf9443d42bc6f12851142d8ff646d

Download Submit
C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat

Filesize
211B

MD5
afb0f1df0ebe839d95833d90719a8cbd

SHA1
8c9596029f8e4790bde6c78b24ec20f6fc54c638

SHA256
ffbd9ffb727ea74cc948d55f39d03721de3d330c79b5e13978de7068d61adf68

SHA512
e12d4b473c227b8cfa1964c723eb30e310ffca0d4ea28dc38bb38c7aa96ff609235dbae56099fa4c5a1ae8fe7af75045ed457872a48890ec8e39b4124240f540

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat

Filesize
211B

MD5
3fcb82bcd0441cbaa72e707c0bb9c64d

SHA1
c282c8f18c24ded178aaddcdb1d73cf6241d9d01

SHA256
12403edc18d34a95739e91c2a2d2963b8c3d0ff052a336ec042c2e461bb78bee

SHA512
5ac56bbde5fc4d31bddb1cc5ab1babe9779f6ceda232a298c9fc7455d251d40a71877a22b9b2c58e30fdab81cc28f203428aca259bd7d6d36825da3865deced9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat

Filesize
211B

MD5
baba36b08d8ba0d353b0f0db0d80debb

SHA1
7a83615f00d9b42cd1634f9e463fb22faa3dd232

SHA256
51de1cb375f4bf8d97dae553e3b093fd7283a0f7bc6f80d172157c4f9d112ce0

SHA512
6f1eadcf1b3e8d6c8dd9e2a797e23b1ed43abca7a929afa4f8a52fdda265c26f2b70181ff61c3119271e11b9f49d66b478b024c8cf2f8f12a7f4fd9fd9658272

Download Submit
C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

Filesize
211B

MD5
c5fded9785ce8934ee95f8667f626d0b

SHA1
cd3167260c1c6bc2f7caf7e866d598cca6d0de26

SHA256
7e99e38ebb0e747c53dcf256ac4ecf64872a41b631ac4f0c643bbc97648e31c0

SHA512
6d9968c61e14fd8ee0cc492eb0b0e30c5cd59f7424ab5927ffc5ffc5ac73717aeabc1798f33cec530fcf4c459d8da2eacb51dfd3cb660642988e05add0e353e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDWALPrpmL.bat

Filesize
211B

MD5
b09d44eb154662316897f59373604b60

SHA1
90b046ed34ae214ab7880c088c85c3c9f341df56

SHA256
fea742ead6090fbaa101cba9a8c7b969831b3a40be04464047bb53aee60a49a8

SHA512
f2591ab7f86f00acfa77b6f38ceac1abf3178020fa00a7d94572fc831a92542a3a0a1d93162afbfccc77d5b49c9932e4ea7dbdaee94a8956b4a6f7ccc66c6718

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3b3dd8a5527d01a603a86cae9dfc8817

SHA1
4e5b52427cce4aea84679dd1d3e262a430f6f57f

SHA256
bb561ac4a9ce9bf14764f157284cf193244adda7eae172d3b84b3ac8b8483c1b

SHA512
2f923ab3a067cfe4388cf2884b455da261d43eac7a3e4d866c0732c185c5880d362f6c6297d1494eb1f96e2efaabc7d8c086ffb6a355127e6801559ff75a668a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/380-219-0x0000000001120000-0x0000000001230000-memory.dmp

Filesize
1.1MB

Download
memory/380-220-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/664-44-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/1640-63-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1740-62-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/2052-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2052-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2052-15-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2052-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2052-13-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2092-399-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2152-459-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2432-519-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2460-280-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2572-579-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2696-639-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/2696-640-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2808-159-0x0000000000820000-0x0000000000930000-memory.dmp

Filesize
1.1MB

Download
memory/2952-700-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download