dcrat | 025e0acdd869b61eccfa256a357afbd668fa741b8622131a536b5178dfaa33b5

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_025e0acdd869b61eccfa256a357afbd668fa741b8622131a536b5178dfaa33b5.exe
Size

1.3MB
MD5

e8cce8961fe1f188d0b404fd9e0bfd20
SHA1

7e4b248cca7d0640373196a320d670befd818dc7
SHA256

025e0acdd869b61eccfa256a357afbd668fa741b8622131a536b5178dfaa33b5
SHA512

60c559d4b90f05b7e774d3c26a83bba7c3773531692e85494b25f9ec0b2a9bf285fc36c048ee1cc048aecc507d9e6a82da0163c9345a4886478a6b9fd65971df
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1588	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2820	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2820	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001939c-9.dat	dcrat
behavioral1/memory/1696-13-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2784-87-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/2080-265-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/2656-325-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2532	powershell.exe
2596	powershell.exe
536	powershell.exe
1960	powershell.exe
1916	powershell.exe
1976	powershell.exe
1840	powershell.exe
2328	powershell.exe
2348	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1696	DllCommonsvc.exe
2784	conhost.exe
1716	conhost.exe
2252	conhost.exe
2080	conhost.exe
2656	conhost.exe
2328	conhost.exe
628	conhost.exe
2488	conhost.exe
1308	conhost.exe
3012	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2364	cmd.exe
2364	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
18	raw.githubusercontent.com
21	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\sv-SE\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\sv-SE\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_025e0acdd869b61eccfa256a357afbd668fa741b8622131a536b5178dfaa33b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2892	schtasks.exe
1800	schtasks.exe
3020	schtasks.exe
2876	schtasks.exe
1944	schtasks.exe
1584	schtasks.exe
2468	schtasks.exe
2768	schtasks.exe
2872	schtasks.exe
2680	schtasks.exe
3064	schtasks.exe
860	schtasks.exe
2156	schtasks.exe
2112	schtasks.exe
1588	schtasks.exe
2020	schtasks.exe
2924	schtasks.exe
2928	schtasks.exe
1492	schtasks.exe
2080	schtasks.exe
2748	schtasks.exe
2888	schtasks.exe
2640	schtasks.exe
568	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
1696	DllCommonsvc.exe
1696	DllCommonsvc.exe
1696	DllCommonsvc.exe
2348	powershell.exe
2596	powershell.exe
536	powershell.exe
2328	powershell.exe
1840	powershell.exe
1960	powershell.exe
1976	powershell.exe
2532	powershell.exe
1916	powershell.exe
2784	conhost.exe
1716	conhost.exe
2252	conhost.exe
2080	conhost.exe
2656	conhost.exe
2328	conhost.exe
628	conhost.exe
2488	conhost.exe
1308	conhost.exe
3012	conhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1696	DllCommonsvc.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	2784	conhost.exe
Token: SeDebugPrivilege	1716	conhost.exe
Token: SeDebugPrivilege	2252	conhost.exe
Token: SeDebugPrivilege	2080	conhost.exe
Token: SeDebugPrivilege	2656	conhost.exe
Token: SeDebugPrivilege	2328	conhost.exe
Token: SeDebugPrivilege	628	conhost.exe
Token: SeDebugPrivilege	2488	conhost.exe
Token: SeDebugPrivilege	1308	conhost.exe
Token: SeDebugPrivilege	3012	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2564	2556	JaffaCakes118_025e0acdd869b61eccfa256a357afbd668fa741b8622131a536b5178dfaa33b5.exe	30
PID 2556 wrote to memory of 2564	2556	JaffaCakes118_025e0acdd869b61eccfa256a357afbd668fa741b8622131a536b5178dfaa33b5.exe	30
PID 2556 wrote to memory of 2564	2556	JaffaCakes118_025e0acdd869b61eccfa256a357afbd668fa741b8622131a536b5178dfaa33b5.exe	30
PID 2556 wrote to memory of 2564	2556	JaffaCakes118_025e0acdd869b61eccfa256a357afbd668fa741b8622131a536b5178dfaa33b5.exe	30
PID 2564 wrote to memory of 2364	2564	WScript.exe	31
PID 2564 wrote to memory of 2364	2564	WScript.exe	31
PID 2564 wrote to memory of 2364	2564	WScript.exe	31
PID 2564 wrote to memory of 2364	2564	WScript.exe	31
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 2364 wrote to memory of 1696	2364	cmd.exe	33
PID 1696 wrote to memory of 2532	1696	DllCommonsvc.exe	59
PID 1696 wrote to memory of 2532	1696	DllCommonsvc.exe	59
PID 1696 wrote to memory of 2532	1696	DllCommonsvc.exe	59
PID 1696 wrote to memory of 1976	1696	DllCommonsvc.exe	60
PID 1696 wrote to memory of 1976	1696	DllCommonsvc.exe	60
PID 1696 wrote to memory of 1976	1696	DllCommonsvc.exe	60
PID 1696 wrote to memory of 1916	1696	DllCommonsvc.exe	61
PID 1696 wrote to memory of 1916	1696	DllCommonsvc.exe	61
PID 1696 wrote to memory of 1916	1696	DllCommonsvc.exe	61
PID 1696 wrote to memory of 1960	1696	DllCommonsvc.exe	63
PID 1696 wrote to memory of 1960	1696	DllCommonsvc.exe	63
PID 1696 wrote to memory of 1960	1696	DllCommonsvc.exe	63
PID 1696 wrote to memory of 536	1696	DllCommonsvc.exe	65
PID 1696 wrote to memory of 536	1696	DllCommonsvc.exe	65
PID 1696 wrote to memory of 536	1696	DllCommonsvc.exe	65
PID 1696 wrote to memory of 2348	1696	DllCommonsvc.exe	66
PID 1696 wrote to memory of 2348	1696	DllCommonsvc.exe	66
PID 1696 wrote to memory of 2348	1696	DllCommonsvc.exe	66
PID 1696 wrote to memory of 2328	1696	DllCommonsvc.exe	67
PID 1696 wrote to memory of 2328	1696	DllCommonsvc.exe	67
PID 1696 wrote to memory of 2328	1696	DllCommonsvc.exe	67
PID 1696 wrote to memory of 2596	1696	DllCommonsvc.exe	68
PID 1696 wrote to memory of 2596	1696	DllCommonsvc.exe	68
PID 1696 wrote to memory of 2596	1696	DllCommonsvc.exe	68
PID 1696 wrote to memory of 1840	1696	DllCommonsvc.exe	69
PID 1696 wrote to memory of 1840	1696	DllCommonsvc.exe	69
PID 1696 wrote to memory of 1840	1696	DllCommonsvc.exe	69
PID 1696 wrote to memory of 984	1696	DllCommonsvc.exe	77
PID 1696 wrote to memory of 984	1696	DllCommonsvc.exe	77
PID 1696 wrote to memory of 984	1696	DllCommonsvc.exe	77
PID 984 wrote to memory of 2332	984	cmd.exe	79
PID 984 wrote to memory of 2332	984	cmd.exe	79
PID 984 wrote to memory of 2332	984	cmd.exe	79
PID 984 wrote to memory of 2784	984	cmd.exe	80
PID 984 wrote to memory of 2784	984	cmd.exe	80
PID 984 wrote to memory of 2784	984	cmd.exe	80
PID 2784 wrote to memory of 1652	2784	conhost.exe	82
PID 2784 wrote to memory of 1652	2784	conhost.exe	82
PID 2784 wrote to memory of 1652	2784	conhost.exe	82
PID 1652 wrote to memory of 1360	1652	cmd.exe	84
PID 1652 wrote to memory of 1360	1652	cmd.exe	84
PID 1652 wrote to memory of 1360	1652	cmd.exe	84
PID 1652 wrote to memory of 1716	1652	cmd.exe	85
PID 1652 wrote to memory of 1716	1652	cmd.exe	85
PID 1652 wrote to memory of 1716	1652	cmd.exe	85
PID 1716 wrote to memory of 2612	1716	conhost.exe	86
PID 1716 wrote to memory of 2612	1716	conhost.exe	86
PID 1716 wrote to memory of 2612	1716	conhost.exe	86
PID 2612 wrote to memory of 2920	2612	cmd.exe	88
PID 2612 wrote to memory of 2920	2612	cmd.exe	88
PID 2612 wrote to memory of 2920	2612	cmd.exe	88
PID 2612 wrote to memory of 2252	2612	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_025e0acdd869b61eccfa256a357afbd668fa741b8622131a536b5178dfaa33b5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_025e0acdd869b61eccfa256a357afbd668fa741b8622131a536b5178dfaa33b5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\sv-SE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aYtV9q9Fmt.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:984
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2332
      - C:\Program Files (x86)\Windows NT\Accessories\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1360
        
        C:\Program Files (x86)\Windows NT\Accessories\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2920
        
        C:\Program Files (x86)\Windows NT\Accessories\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        11⤵
        
        PID:344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1916
        
        C:\Program Files (x86)\Windows NT\Accessories\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        13⤵
        
        PID:772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2280
        
        C:\Program Files (x86)\Windows NT\Accessories\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat"
        15⤵
        
        PID:1520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2716
        
        C:\Program Files (x86)\Windows NT\Accessories\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
        17⤵
        
        PID:832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1548
        
        C:\Program Files (x86)\Windows NT\Accessories\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        19⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2728
        
        C:\Program Files (x86)\Windows NT\Accessories\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat"
        21⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2556
        
        C:\Program Files (x86)\Windows NT\Accessories\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"
        23⤵
        
        PID:1200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:928
        
        C:\Program Files (x86)\Windows NT\Accessories\conhost.exe
        
        "C:\Program Files (x86)\Windows NT\Accessories\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
        25⤵
        
        PID:2980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\sv-SE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\SysWOW64\sv-SE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\SysWOW64\sv-SE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Recorded TV\Sample Media\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows NT\Accessories\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f39f145d961e5cbb6512f2987deb2efc

SHA1
e723e4ff84419d413c11eb7783f2016af6dc82c7

SHA256
cbf8f416481bea88627aec31eb5e99f543065b400317f97dae8f30645c774364

SHA512
801baf47949bb0bf21123faffc0d413ea845bbd8b6b99c27cccad149b3a8b97839e9d22d2b2e5763c38786427e7e53c8a3227b9ffa2784f400b27bbc1c7e01eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d221819a74ae8fc61c4a47e0c321752a

SHA1
d621c05e84f6c610f487e0b3a61f15adc824b651

SHA256
233c757b17c854b07ed3c97942b57482e744f576778a307b00d7f54157087f23

SHA512
4021d0d989a4be2000f2f0e2f992ac259a3e0fab7f855d2d892f443b7335846edc768cbf3d9b12baf61bc7d88b0d329d8419f3f0d87892b1b8c2f67ededd9eb9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c051109c565249a9a8b0a210ab45cae

SHA1
ca41d7f14a39c524c669f59e8d20874b093c8a9e

SHA256
8fbd7226be43933767979d9b72ebb22f403be347df54477df9768b4ea7672d18

SHA512
8d0c37fabc5990d24105477dc5abad8b628d799030237f3a85023debddd199d9b7eb66e57eb8c83b7e6005c594d65bfe98d55a01ffd2834726bf890c2f94ec34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b516e47d8cb5b7fb645d7e4f43618eb1

SHA1
fa088ecb65ffc47c0708040c09a61d23128e59d0

SHA256
60a126e7e76eab672962671f6d146ed0322e06bde1f773b2e941be14809615c4

SHA512
588ea8ff7103d1d749924c3aab4b850beb828d7e9354961037777dd6a6a03d68747bd585deee506ce54e3d0afeb46c987fdd245e392742fb627902fc2aa8d5b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
848af99f99c5fc4cd3de29068c2cd300

SHA1
21590dcac57af1a7905ceb814bd6c0e3e9555dcc

SHA256
6bc22a43998102b0c9ab76d763cd19e0cb7c1a306c6aace504bf2539ab4c395b

SHA512
d6b7ec78e2967e3dc669d415111411c07e136852690fc93fafbe6d875582e339ee6471444ab4e236774b21c1c6ed56110d65ecbabc32450367dd9f1636d5693c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
715230a696a9bba6f2f2492e97a6ea09

SHA1
f0c2f51b87bc5fb8bf1fc28e76de460821769eeb

SHA256
46e82fd54b430561ea84afb2aa242f049bf83e2ff4218f2fb3521cac1e211ffc

SHA512
9646e81cece1ec69cbca940e4b340ee5c24d27fdb18a08ed0363c61940a1029111a22f91f22794a4e56611c0918d9dd5671975d19fc1974859a8413cbbc19b77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6eb7fc2aa45beeef66c9b072cb60269a

SHA1
8328f7d32dfcf1abc51a79aefce61f6bde1e04c2

SHA256
73864a40056060bb6c89ca8282db94ce224f5aa50ac6959ecff8dd79c3ea2593

SHA512
2b0a48b35a5ff090fc7c0cf3f2bdc8c4f3a7513fca84cd2fc23b90d5ea36262538ea2cb65524d9c899ec300a8c176d48b47af3ca055921c3b43900518123a227

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85056ffbdc253ef4b05539ff9cd3c9f1

SHA1
b2f46c2b9ecf13b5a721d7f2fdab8fb162843ddc

SHA256
c803e8bbd4282c7e77afd4347fef24a8c6557bc8ea113cf4d1b97f675dd91326

SHA512
4e3f92a562b3e18c86eee30c402f76137fca034c59ff8b27be36e3be01e6d342c8f9df34f852f552eed88945adcdc821f129a980e3dfc476691a9355e412f023

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
419b2911ae16933c61b9bb74aebad62e

SHA1
1b6d4590fd34fa220263ad2ab8d84128de492073

SHA256
861aef79dd51487e929809f197b277ac5a801a2e1a632129dc8d2a3389842fb6

SHA512
7fe0432c43d44d3bc27907b826bbb361390ee58bc49c924c7d34c374f097c41edbbf9899478208cf371a6b62b14bc20d8bd42582f859cae42585ce311e0e082b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat

Filesize
222B

MD5
2de1c2331318eaba79d90e0e6cab1c53

SHA1
95a101ff558cea0da5b49a0e443d422298d43373

SHA256
761f937b7c5c87e31e281aec675bece52c96a4b82cbe28947849203a88a74a24

SHA512
e28d35964dca8f940738eccfd9ed12620164338a547b4cadecc3e6718d1a16d7efe0c49f18dd0427134708b2fb8d8b37a07d1eb073fe7f260c4f40e2001c6767

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
222B

MD5
a405ce67651f3c2f97aa4cb412859b95

SHA1
ea6f9c3d5c50e043babd1ce72fa1b920e871db70

SHA256
a82fd9b15a97738f35173dd841a26b39e0adb8781c6c6e31000915c1fadf3fe9

SHA512
0f3bea22210eb8f98df7566544e66e38c731b0a018e108baa39e801ba8114c45f00a8921c32aa306f295844dc64b47f769fb340254748bc8806554fad9d7d19c

Download Submit
C:\Users\Admin\AppData\Local\Temp\79RMekxjZd.bat

Filesize
222B

MD5
1546f7007865bfef06649a78422c6701

SHA1
0bb6db264dbca437eb815572698392da2736d4be

SHA256
1e8b4a19d51a3c5481ccf88479566a88471ee86cebb1ae3651adcc73bdccf289

SHA512
0243e8eecd6ea37fc91f1b183f6d443e48ae94a88e4cb940aebea5f47c098e24e6aef2443732a5e59ff31dc744542f0e2b9b7bd764f6c1f9134e556dfaabd884

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat

Filesize
222B

MD5
53445b99843b8798e9e8d50fda3c646d

SHA1
dc69f566bba556dbd67e2854d025b1da5a602418

SHA256
a2ed1ebf18aea628b0d03a184e15d6a5d98ab04541bc8fd51ae00d01cc13b523

SHA512
e293b396e7da70d4b0e07ba7a9b668f8502edb7a6f2b5ac68e4140d33aab408576a82485b87facb70a8e89e20995ea3d82def542fc5aa9a32a027ef3f16d4cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE217.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

Filesize
222B

MD5
4b3870da9cef73687962dcd63e6ab364

SHA1
00f95506762663c217466e867515ebd863309975

SHA256
b47ae21761e24e1c08a09494c501019f3205036283bb2caa19047047ecc835ee

SHA512
d6e69029955df36b393ad6c821330fc095b573720671cbe01f30e7afdfa07af40370ae19d022dd47347366e413d3e2431815432c1b0e1a72d528eb84242ae86f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jlvf1Vq2YP.bat

Filesize
222B

MD5
b775ef1370041a0a247bd409f38909d0

SHA1
4d50c5570e07c32ee5f44d193bc0fdbc55e10f5a

SHA256
232cdb7b55366412f4ef096b93099ef3ef30b551c28c5f8407aea298baf92e62

SHA512
8928e0796e74cc04a83fc2cb0e3aa9f7e57122355891dde54055eefd9098998a4551d70db715151d075aea8beab58e51cca4c28317e479d31d070868f40170fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE239.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYtV9q9Fmt.bat

Filesize
222B

MD5
83105c72afab7fd7bfe3023446e019ed

SHA1
e39cde0526602a4a862697ddfb94757e88394685

SHA256
8a244649ebcd6d69f8fa72f7e4e1dba02c585524d964fc43c841b69ddb1fa519

SHA512
96fe35d008ef912f1c6aecb2ccc7a1f60a9de62e57e7d1c51c75412c37f33d58c2cd06504ca1ecd1404066627d3181f6ff4727d9a41a81f91f93ebf90e101718

Download Submit
C:\Users\Admin\AppData\Local\Temp\eQ9EwglUAP.bat

Filesize
222B

MD5
d1a4acc5b43859a7fbc1554fab5576f0

SHA1
accb434b6601eb5eafd0b07378475eba37bdf480

SHA256
f600d77ffda150acfd158da180e12de5bd602b7d836e534c8c1b269cfadccf8c

SHA512
6939079b14fcff27c6e231829944769a0940d3e5490797868d74b86daac5dd72e666eacde7b4a5eb73b17d8156bfc6e094d5566dc2c4facaa773ac5917b4b6b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

Filesize
222B

MD5
89e58a1adaa8f48f962c7f3f7b1f027b

SHA1
53c21f3415816533dbf7cbf4f578623ef5958a1a

SHA256
a39f6da8571e9dfcbddda25118937b5064d96de00e401f16b8a72297ad20a3e0

SHA512
1cd89140cc788a6414639142bfbb9fbc762b475daf730b086bbd9c4a8f0f66e99edfad5ad703cd844d2b7c9ceb1a4e5ac6c0abd5588b5fc91453f783c6822030

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
222B

MD5
2edbe6d5698707f88ae83db3a5a49f3b

SHA1
4d54cef6556a9ab220601491d97657e324f0c8d7

SHA256
3659336aa78c424732917c134c661d18396fada721b2c4114d4ce2d3b301dc37

SHA512
cd1ea8cca1c443934171208a95cf042d6d9efc93ac4e43de2e3c9f84f2be67a109593bb8b8d1025b3257daad70be7ce68fd8c23fb14de1f4082907b27298db8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
222B

MD5
26b5f5dc547f9546326064c47ef5ce22

SHA1
4013309a8c7769a4fb1d7f141ff2a25992553125

SHA256
2283433abf46e1c11a93dca2f0318c4b348a79748fe32f615ba8fe7f4fa44451

SHA512
9defc791965d3295a1d6f340ee1623e7392cbb0645d2ec5b54c24dcfb3ae4a41608057bf91ebedf1ad53929030e083be39236ca04e634da11566e06ff944480a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2A6K6XQ08UO8A1ECZ1QK.temp

Filesize
7KB

MD5
2e4e7c4c475bc342fe8f0dde89351f5f

SHA1
97724275a65ecbbfe66dc50186dbd66267621e74

SHA256
ef096df3e05edbfcdc38b89480cfe22783d92c8bca007a066d447af7278e2723

SHA512
81a3a8ca9785795a86fdcb33bef2c0e282d58ae95228fe181f0226cd96591ebbfc76ee808bff09d84aff3eaf511819944f5c8ce3c930461b1b9fd283eb3d1715

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1696-17-0x0000000000820000-0x000000000082C000-memory.dmp

Filesize
48KB

Download
memory/1696-16-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/1696-15-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1696-14-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download
memory/1696-13-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1716-146-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2080-265-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2348-47-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/2348-49-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/2656-325-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/2784-87-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download