dcrat | 8e3f658c239af9dda58be70c5cbb52fc82a6ad67dfe784be80cc281efa3f22fd

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8e3f658c239af9dda58be70c5cbb52fc82a6ad67dfe784be80cc281efa3f22fd.exe
Size

1.3MB
MD5

f2b6dc8c924fd879ea84e4f44b800b0f
SHA1

2440d4f7aacecee48e3c9dc8c6b11feede92ed3a
SHA256

8e3f658c239af9dda58be70c5cbb52fc82a6ad67dfe784be80cc281efa3f22fd
SHA512

e85599a11c6434a0499f1b916413d40ed155046890a79fd60bfdc21b87fb909885d782bdbf144df1ab75abcd3522d36aad785e49515ebe3c69e60c18ef69525a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	472	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2696	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d0e-9.dat	dcrat
behavioral1/memory/2504-13-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/764-85-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/1324-159-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2104-220-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/1976-577-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/2032-696-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
956	powershell.exe
1268	powershell.exe
908	powershell.exe
2084	powershell.exe
2352	powershell.exe
2872	powershell.exe
1364	powershell.exe
1748	powershell.exe
2136	powershell.exe
2364	powershell.exe
1300	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2504	DllCommonsvc.exe
764	OSPPSVC.exe
1324	OSPPSVC.exe
2104	OSPPSVC.exe
2400	OSPPSVC.exe
3000	OSPPSVC.exe
2996	OSPPSVC.exe
2248	OSPPSVC.exe
2812	OSPPSVC.exe
1976	OSPPSVC.exe
2300	OSPPSVC.exe
2032	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2876	cmd.exe
2876	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\scheduled\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8e3f658c239af9dda58be70c5cbb52fc82a6ad67dfe784be80cc281efa3f22fd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2684	schtasks.exe
768	schtasks.exe
1148	schtasks.exe
2180	schtasks.exe
1824	schtasks.exe
2848	schtasks.exe
2520	schtasks.exe
472	schtasks.exe
2712	schtasks.exe
1164	schtasks.exe
1128	schtasks.exe
2908	schtasks.exe
2868	schtasks.exe
2644	schtasks.exe
2656	schtasks.exe
2004	schtasks.exe
2000	schtasks.exe
2784	schtasks.exe
2760	schtasks.exe
676	schtasks.exe
544	schtasks.exe
2564	schtasks.exe
1136	schtasks.exe
1992	schtasks.exe
1072	schtasks.exe
2996	schtasks.exe
2888	schtasks.exe
2788	schtasks.exe
264	schtasks.exe
340	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2504	DllCommonsvc.exe
2504	DllCommonsvc.exe
2504	DllCommonsvc.exe
1268	powershell.exe
2872	powershell.exe
2136	powershell.exe
2084	powershell.exe
2364	powershell.exe
1300	powershell.exe
2352	powershell.exe
956	powershell.exe
1364	powershell.exe
1748	powershell.exe
908	powershell.exe
764	OSPPSVC.exe
1324	OSPPSVC.exe
2104	OSPPSVC.exe
2400	OSPPSVC.exe
3000	OSPPSVC.exe
2996	OSPPSVC.exe
2248	OSPPSVC.exe
2812	OSPPSVC.exe
1976	OSPPSVC.exe
2300	OSPPSVC.exe
2032	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	DllCommonsvc.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	764	OSPPSVC.exe
Token: SeDebugPrivilege	1324	OSPPSVC.exe
Token: SeDebugPrivilege	2104	OSPPSVC.exe
Token: SeDebugPrivilege	2400	OSPPSVC.exe
Token: SeDebugPrivilege	3000	OSPPSVC.exe
Token: SeDebugPrivilege	2996	OSPPSVC.exe
Token: SeDebugPrivilege	2248	OSPPSVC.exe
Token: SeDebugPrivilege	2812	OSPPSVC.exe
Token: SeDebugPrivilege	1976	OSPPSVC.exe
Token: SeDebugPrivilege	2300	OSPPSVC.exe
Token: SeDebugPrivilege	2032	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 1324	2116	JaffaCakes118_8e3f658c239af9dda58be70c5cbb52fc82a6ad67dfe784be80cc281efa3f22fd.exe	30
PID 2116 wrote to memory of 1324	2116	JaffaCakes118_8e3f658c239af9dda58be70c5cbb52fc82a6ad67dfe784be80cc281efa3f22fd.exe	30
PID 2116 wrote to memory of 1324	2116	JaffaCakes118_8e3f658c239af9dda58be70c5cbb52fc82a6ad67dfe784be80cc281efa3f22fd.exe	30
PID 2116 wrote to memory of 1324	2116	JaffaCakes118_8e3f658c239af9dda58be70c5cbb52fc82a6ad67dfe784be80cc281efa3f22fd.exe	30
PID 1324 wrote to memory of 2876	1324	WScript.exe	31
PID 1324 wrote to memory of 2876	1324	WScript.exe	31
PID 1324 wrote to memory of 2876	1324	WScript.exe	31
PID 1324 wrote to memory of 2876	1324	WScript.exe	31
PID 2876 wrote to memory of 2504	2876	cmd.exe	33
PID 2876 wrote to memory of 2504	2876	cmd.exe	33
PID 2876 wrote to memory of 2504	2876	cmd.exe	33
PID 2876 wrote to memory of 2504	2876	cmd.exe	33
PID 2504 wrote to memory of 2136	2504	DllCommonsvc.exe	65
PID 2504 wrote to memory of 2136	2504	DllCommonsvc.exe	65
PID 2504 wrote to memory of 2136	2504	DllCommonsvc.exe	65
PID 2504 wrote to memory of 2084	2504	DllCommonsvc.exe	66
PID 2504 wrote to memory of 2084	2504	DllCommonsvc.exe	66
PID 2504 wrote to memory of 2084	2504	DllCommonsvc.exe	66
PID 2504 wrote to memory of 2352	2504	DllCommonsvc.exe	67
PID 2504 wrote to memory of 2352	2504	DllCommonsvc.exe	67
PID 2504 wrote to memory of 2352	2504	DllCommonsvc.exe	67
PID 2504 wrote to memory of 2872	2504	DllCommonsvc.exe	68
PID 2504 wrote to memory of 2872	2504	DllCommonsvc.exe	68
PID 2504 wrote to memory of 2872	2504	DllCommonsvc.exe	68
PID 2504 wrote to memory of 2364	2504	DllCommonsvc.exe	69
PID 2504 wrote to memory of 2364	2504	DllCommonsvc.exe	69
PID 2504 wrote to memory of 2364	2504	DllCommonsvc.exe	69
PID 2504 wrote to memory of 1268	2504	DllCommonsvc.exe	70
PID 2504 wrote to memory of 1268	2504	DllCommonsvc.exe	70
PID 2504 wrote to memory of 1268	2504	DllCommonsvc.exe	70
PID 2504 wrote to memory of 956	2504	DllCommonsvc.exe	71
PID 2504 wrote to memory of 956	2504	DllCommonsvc.exe	71
PID 2504 wrote to memory of 956	2504	DllCommonsvc.exe	71
PID 2504 wrote to memory of 1364	2504	DllCommonsvc.exe	72
PID 2504 wrote to memory of 1364	2504	DllCommonsvc.exe	72
PID 2504 wrote to memory of 1364	2504	DllCommonsvc.exe	72
PID 2504 wrote to memory of 1300	2504	DllCommonsvc.exe	74
PID 2504 wrote to memory of 1300	2504	DllCommonsvc.exe	74
PID 2504 wrote to memory of 1300	2504	DllCommonsvc.exe	74
PID 2504 wrote to memory of 908	2504	DllCommonsvc.exe	81
PID 2504 wrote to memory of 908	2504	DllCommonsvc.exe	81
PID 2504 wrote to memory of 908	2504	DllCommonsvc.exe	81
PID 2504 wrote to memory of 1748	2504	DllCommonsvc.exe	84
PID 2504 wrote to memory of 1748	2504	DllCommonsvc.exe	84
PID 2504 wrote to memory of 1748	2504	DllCommonsvc.exe	84
PID 2504 wrote to memory of 764	2504	DllCommonsvc.exe	86
PID 2504 wrote to memory of 764	2504	DllCommonsvc.exe	86
PID 2504 wrote to memory of 764	2504	DllCommonsvc.exe	86
PID 764 wrote to memory of 2788	764	OSPPSVC.exe	89
PID 764 wrote to memory of 2788	764	OSPPSVC.exe	89
PID 764 wrote to memory of 2788	764	OSPPSVC.exe	89
PID 2788 wrote to memory of 2316	2788	cmd.exe	91
PID 2788 wrote to memory of 2316	2788	cmd.exe	91
PID 2788 wrote to memory of 2316	2788	cmd.exe	91
PID 2788 wrote to memory of 1324	2788	cmd.exe	92
PID 2788 wrote to memory of 1324	2788	cmd.exe	92
PID 2788 wrote to memory of 1324	2788	cmd.exe	92
PID 1324 wrote to memory of 2064	1324	OSPPSVC.exe	93
PID 1324 wrote to memory of 2064	1324	OSPPSVC.exe	93
PID 1324 wrote to memory of 2064	1324	OSPPSVC.exe	93
PID 2064 wrote to memory of 2572	2064	cmd.exe	95
PID 2064 wrote to memory of 2572	2064	cmd.exe	95
PID 2064 wrote to memory of 2572	2064	cmd.exe	95
PID 2064 wrote to memory of 2104	2064	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e3f658c239af9dda58be70c5cbb52fc82a6ad67dfe784be80cc281efa3f22fd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e3f658c239af9dda58be70c5cbb52fc82a6ad67dfe784be80cc281efa3f22fd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1324
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2876
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:764
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2316
        
        C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2572
        
        C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
        10⤵
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1736
        
        C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
        12⤵
        
        PID:2676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2744
        
        C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
        14⤵
        
        PID:488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2264
        
        C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
        16⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2336
        
        C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
        18⤵
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1524
        
        C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat"
        20⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2076
        
        C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
        22⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3004
        
        C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
        24⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1044
        
        C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe
        
        "C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Videos\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\AppData\Local\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Local\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\AppData\Local\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e30c7c1c8652219f9b406e8daf3257b

SHA1
417daf7dae220583669ae5b6c5fd378c40dfae40

SHA256
499809522549379c37aa508bdf058f9893a3ff2b0ef80e0da6d3c0791584c123

SHA512
1bab020198226f86d23b07278683a28f4bdb9de8ca565cd664eba10c21910aa46bf02cb36caa4eb9449658f58c9e4a60818ac4b9657e0ede2e4e02035e35f1fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88e7b5a90208bd54b2cb7bc17c360515

SHA1
b455de500686c815c6c4a2f81dd516b7d9d7708f

SHA256
df06a9b796ee96dd7de37e9499389bcd01df8a1bee53dd28f1bf07a556febb86

SHA512
49608f9b0e919fb110a0e4fe8a6042b8fa09d12f2936939c9501bd65db25e9349962256018368b08aa1b18db00f13ded82df05551c8916ce053b4facba7539d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed13050d167a9a5253a566b1074a1958

SHA1
0943b6d35d4aec7f51327cebcb2d9b75644fd4fb

SHA256
ed43a7d1e1baabbb89e59cb211a542f21ce4a60b380b2a593b023860b6aadaf1

SHA512
51143ac325315c6f6bd6418fb7cbf2cf764a924c9c996d93f1c6ed182c4638c148f010d627e30a0b03e6126516827728bd69a3ead848ee2b84688fcbb79ede01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e27bcf8a61064fd65a283f68d9b8e4ce

SHA1
4d4ba73c3a6be659b1b2cad76852f3cf8b506f3f

SHA256
e6bd0a385eab77883a7dc351699b6d9da08d3686df5e33e677e5300379daa92e

SHA512
5e218bdd79e1e6f4b12145393e63e1b0588e8a8cf850d7c743e4fd788c8b9b8ed8590cc1f7cb56459210628b05603a00da3b53c1ca94faffbecd97a81f3f6fa2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
53dbc291847ff35f4e862dba47db3e17

SHA1
55cbb7ae69b4dae0166a70fa9cdf8eabd0d1ed91

SHA256
6aaa5a0fb1eb8df038b4e840c70f4ca32b325da568000a82235bb5ff9ed9c53b

SHA512
52db667a5f5b2473908e366150db7d16e42d40aa35b264c9f9db58c449d227ed3068538e74c9bf790d1f5ecf009f661fb4330f4931f65229fdc7db530902c9d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfad4396da48a72c5213d4de524ee5ed

SHA1
f324275670da68464bdc193a516e861e43892c42

SHA256
47ce3cc9931ee862e2d87f2b0695c86cd6f608a2158d30045515cc2996a9d3da

SHA512
7e37f68271e1ede40ffc005a878f83c7a3c13a62c8839491229c16384886cfb799b91955f267b9e524829cae1e5501b4a869410618e937ee04d0b74b3285fdb3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77e9bfd896806b4b7a1c919d2251dc10

SHA1
d6eb8c49f74417b2e2dad6750604d57f7e514392

SHA256
d09b41bc3ab246cfb40779096250bf54d9c411b29e1ee35b03ed5ab77aca4a7e

SHA512
ed2f0175ef4156f3adea950751885b76c0b55d9b8ed25cd33d3c1614a615f9636e3965c0d98b6924f3764ee4d3401444a2f09859c7425f60857edf4a8a53baae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c65fa6170b27cbb719273057132f9bf8

SHA1
1b459915c749d8749f848ad18f99bd4a4880f2c9

SHA256
336204e407c0018bd894ddf3081ab6350bc89e33b8e0f96d7a09c59a0746f50b

SHA512
14f88e96407a6c2b42f84d4925aee053308b4621b33008b5f88e81573e9aaf1497b376acafaddb9ec8eab29c3dd68dbfcbf438386cb9474e0037fce22333ba3a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78c630a18cdd7bd5980a67dcbb773207

SHA1
04c3d714dd0097623a77ab9ab2d7cafe2abe938c

SHA256
1a1565e3eb8b4bb71b67a4687c6a4126499b56e03faa37350d0f1447464d7039

SHA512
337f872bbae553fe7786f56de636235c1724dd18318310fc0e377437c19b9ec37cf73032bea7bd99e1b0e611b740425a1082ba7e9066eb5df271ebb89df7bdf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat

Filesize
210B

MD5
06b85754a657c87e4f533d6839db3bd8

SHA1
a1f09ec43f72b86e1bfe814e2e1506f61ded3acb

SHA256
4bde0d34d17693a57939b97bb01f3e234e23d61c414beb9403f0cebb4021e05f

SHA512
6e64da71337c12a76074adf675c9b94e40400e5a6236775cd9d2a0f1184b3faf02efed429cf1daf782bdf19407cfcfd9d8e4ce55456429e5e6d57587f4aa4b33

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

Filesize
210B

MD5
86d3b9a3bf87cb199971f731689df4ab

SHA1
42a16c8ad3856073b2af195c17c0a1c98f610f0f

SHA256
0f7f804c9486341b9d6e7482dcb3790d1300cf90fd06aa678ba7732cbb1a7959

SHA512
91930e10da583eb9d84823aa8d9ce41cb00611ba6949d5585daadd1e0c2ab63a7247b0415dcd871c4986a0050eda4e7b7bed862ca90c8020568fe2d623dc81ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEA51.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhLzHEla3w.bat

Filesize
210B

MD5
5714b1c13c697f8819c6fd068d8901f3

SHA1
863c10c0a78695ef6d9f6ce8ae4afac18fd06db7

SHA256
6eae2895f4bd7bfa05727d4c25084e278602ead9f7fc682a08635fbaab8bac5b

SHA512
f1e43f56c1b156b5cd8100341be8b24f567dd2cd8d74a4b37872d27cd5034eaa8a7474f1f0027b11bdefa46cca99983d5e5f89e167730ca3de24d12ec5f52222

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

Filesize
210B

MD5
a5e73148c74dc560081c66949bd6eb52

SHA1
6c84a5d46ca6fbcec524f32a00cab3e49ece0e5b

SHA256
56deb73b6e5f995f5effc00ce6048493aa6f916fc31b31eaca86298197b53181

SHA512
fc6245377de9717748d941b6931ade50fc55414d0526ba321aab34058eceae43e4553f74d304dd89fc7fb1cdd2f2a5be100ffef3cb4910facd51797a61c99514

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

Filesize
210B

MD5
298cec502691a441925d21d6f2ae9f2d

SHA1
1c18e512c593dfc20b1b1eeab8066a8b6e58427a

SHA256
f22bd9683ad44e425b14026cda4d03ced316fdc7aed0e0ee072968a5f54611a4

SHA512
49e30b8244d52695a64ccf03d6ab05cd31d987d30cf204889008e243921646f78192ad15fcfc581a707977ad84cc834f3f378b6cc6bdebf659c0229c84916af7

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEA73.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

Filesize
210B

MD5
a97980f8ab75173d4749530dace46378

SHA1
6edc460a12990580f5837779f8e8caad1e92edc6

SHA256
4c147add69843764cd55a77d007e3757f57eae8203cdeabf6dfa1837be6e6b6a

SHA512
80f5009c5889160e9da490ec514eda70b0c3e4dcec331a7a9055ba588c6ed3258bdad706da88fead3d15d0269912c6e4600a1f84762a914f069df2ccb442082f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

Filesize
210B

MD5
0cc717c239a2b4ea864cb8d3ea2325f5

SHA1
0a5eb0aa1217e24f86bf6f5fb785aae6d8106651

SHA256
633af9e07c4fcdce407adaf445d00fb571d2409af79585bf184ddb04243241b4

SHA512
6dc3d51b202af1b34390b5096cdb1b65ffab24f9bffefc56c67dd1c0ac6fef19f74e5e559e0b118b6e72083af483538ce874f4223c5839ee45e953ca2c39f9d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat

Filesize
210B

MD5
73fd3286487e897266b9d62bbe9eb63a

SHA1
9c60812f87c169a61e4930f3080c5f3d9dc8c63c

SHA256
a80894c5075e1b1062fee755a99b14c35c6314273ada5d846d340f0997c347a5

SHA512
e255e0d9dda0386592f188bab5892a300c1d48497bb725b948db0858fab11aea38d340b7151843f84f53cf3fc5b048643487e5e83c263ad7d048e9d9913e581d

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
210B

MD5
52bd1d79c495085529549bc0799e9a29

SHA1
f9537bf5738cb490354d5a2d673d9ca3268508fc

SHA256
76b8dfc60fb813a605eafd46f488d2fef9cab88e0dbd74afedf86709f0b255db

SHA512
af23e963ec32963775ffe3607d7bfc24e2fb0e588a10c90d4e320845d24b35c6a7faf17a4f8783164718064da725a36fbcade25cb4ab60f82a286b06f34d4851

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat

Filesize
210B

MD5
d8fba875b159475677e1f12b5943576a

SHA1
13c445e5ffed7b9a3050de5abf95ba55f5f85b32

SHA256
781e09863f46733954c3b3719fc0d8477306b15334a300a2f1a434634b752760

SHA512
d9d16d14d9e26023d2e4c33302886b73bae6497084bc47b6207da258b438650c2d5bba9eb22a65677c3f1893632f8fcf0b523bcd714e9c5e29205d1a227b285d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
72a1ceebd525925e4c5b988786bac159

SHA1
396218b7a6734c3c51e2ed4f97993a7861038670

SHA256
0d0708f77434ea1532e82222e3fbf8ce49678352fad886e14330100ed1f1898f

SHA512
a6101bda241bdef537d2ecb691fa4fff024a0b75a7efbc3dfc8d7c271ab434cb2bafa151ad33cfd817973585f3f1e9c773bca28b7e66e240d51253231efb782f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/764-85-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/1268-52-0x000000001B4A0000-0x000000001B782000-memory.dmp

Filesize
2.9MB

Download
memory/1324-160-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1324-159-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/1976-577-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2032-697-0x0000000000780000-0x0000000000792000-memory.dmp

Filesize
72KB

Download
memory/2032-696-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2104-220-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/2104-221-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2504-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2504-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2504-15-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2504-14-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2504-13-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2812-517-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2872-62-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download