dcrat | eb242dbb64c456f3b514243d502af2f7e489bf118d32b38eec122e50acb389d3

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_eb242dbb64c456f3b514243d502af2f7e489bf118d32b38eec122e50acb389d3.exe
Size

1.3MB
MD5

332689eecebb6efb192ba3e971ab1e3b
SHA1

1c53f5a608d2d55a110d2b1aad9faeb68f799fb6
SHA256

eb242dbb64c456f3b514243d502af2f7e489bf118d32b38eec122e50acb389d3
SHA512

bc4521fa1a5e1f369c6480552f8bf7b0f6b61bd0a05181bbb40239c55e38881d6eac8813b9a7c045ea6c0009ad79253e38debec7c80bcbff6a9146e4f2676137
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2444	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2444	schtasks.exe	33

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016be9-12.dat	dcrat
behavioral1/memory/2764-13-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/1340-94-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat
behavioral1/memory/2656-213-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/1388-332-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2092-392-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/1896-453-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2072-690-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/580-750-0x0000000000C00000-0x0000000000D10000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1604	powershell.exe
536	powershell.exe
2064	powershell.exe
2240	powershell.exe
1084	powershell.exe
280	powershell.exe
2492	powershell.exe
1424	powershell.exe
2076	powershell.exe
2164	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2764	DllCommonsvc.exe
1340	conhost.exe
652	conhost.exe
2656	conhost.exe
2216	conhost.exe
1388	conhost.exe
2092	conhost.exe
1896	conhost.exe
2760	conhost.exe
2984	conhost.exe
2712	conhost.exe
2072	conhost.exe
580	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	cmd.exe
2924	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
17	raw.githubusercontent.com
26	raw.githubusercontent.com
40	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_eb242dbb64c456f3b514243d502af2f7e489bf118d32b38eec122e50acb389d3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2900	schtasks.exe
2244	schtasks.exe
2452	schtasks.exe
3060	schtasks.exe
1988	schtasks.exe
1196	schtasks.exe
1712	schtasks.exe
2840	schtasks.exe
2600	schtasks.exe
1876	schtasks.exe
1612	schtasks.exe
2012	schtasks.exe
2620	schtasks.exe
3000	schtasks.exe
2732	schtasks.exe
2252	schtasks.exe
2660	schtasks.exe
900	schtasks.exe
1476	schtasks.exe
2068	schtasks.exe
2680	schtasks.exe
2928	schtasks.exe
2460	schtasks.exe
2520	schtasks.exe
1260	schtasks.exe
608	schtasks.exe
756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2764	DllCommonsvc.exe
280	powershell.exe
1084	powershell.exe
2240	powershell.exe
1424	powershell.exe
2064	powershell.exe
1604	powershell.exe
2492	powershell.exe
536	powershell.exe
2076	powershell.exe
2164	powershell.exe
1340	conhost.exe
652	conhost.exe
2656	conhost.exe
2216	conhost.exe
1388	conhost.exe
2092	conhost.exe
1896	conhost.exe
2760	conhost.exe
2984	conhost.exe
2712	conhost.exe
2072	conhost.exe
580	conhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2764	DllCommonsvc.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1084	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1604	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1340	conhost.exe
Token: SeDebugPrivilege	652	conhost.exe
Token: SeDebugPrivilege	2656	conhost.exe
Token: SeDebugPrivilege	2216	conhost.exe
Token: SeDebugPrivilege	1388	conhost.exe
Token: SeDebugPrivilege	2092	conhost.exe
Token: SeDebugPrivilege	1896	conhost.exe
Token: SeDebugPrivilege	2760	conhost.exe
Token: SeDebugPrivilege	2984	conhost.exe
Token: SeDebugPrivilege	2712	conhost.exe
Token: SeDebugPrivilege	2072	conhost.exe
Token: SeDebugPrivilege	580	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2604 wrote to memory of 2204	2604	JaffaCakes118_eb242dbb64c456f3b514243d502af2f7e489bf118d32b38eec122e50acb389d3.exe	29
PID 2604 wrote to memory of 2204	2604	JaffaCakes118_eb242dbb64c456f3b514243d502af2f7e489bf118d32b38eec122e50acb389d3.exe	29
PID 2604 wrote to memory of 2204	2604	JaffaCakes118_eb242dbb64c456f3b514243d502af2f7e489bf118d32b38eec122e50acb389d3.exe	29
PID 2604 wrote to memory of 2204	2604	JaffaCakes118_eb242dbb64c456f3b514243d502af2f7e489bf118d32b38eec122e50acb389d3.exe	29
PID 2204 wrote to memory of 2924	2204	WScript.exe	30
PID 2204 wrote to memory of 2924	2204	WScript.exe	30
PID 2204 wrote to memory of 2924	2204	WScript.exe	30
PID 2204 wrote to memory of 2924	2204	WScript.exe	30
PID 2924 wrote to memory of 2764	2924	cmd.exe	32
PID 2924 wrote to memory of 2764	2924	cmd.exe	32
PID 2924 wrote to memory of 2764	2924	cmd.exe	32
PID 2924 wrote to memory of 2764	2924	cmd.exe	32
PID 2764 wrote to memory of 2492	2764	DllCommonsvc.exe	61
PID 2764 wrote to memory of 2492	2764	DllCommonsvc.exe	61
PID 2764 wrote to memory of 2492	2764	DllCommonsvc.exe	61
PID 2764 wrote to memory of 2164	2764	DllCommonsvc.exe	62
PID 2764 wrote to memory of 2164	2764	DllCommonsvc.exe	62
PID 2764 wrote to memory of 2164	2764	DllCommonsvc.exe	62
PID 2764 wrote to memory of 1604	2764	DllCommonsvc.exe	63
PID 2764 wrote to memory of 1604	2764	DllCommonsvc.exe	63
PID 2764 wrote to memory of 1604	2764	DllCommonsvc.exe	63
PID 2764 wrote to memory of 1424	2764	DllCommonsvc.exe	64
PID 2764 wrote to memory of 1424	2764	DllCommonsvc.exe	64
PID 2764 wrote to memory of 1424	2764	DllCommonsvc.exe	64
PID 2764 wrote to memory of 2076	2764	DllCommonsvc.exe	65
PID 2764 wrote to memory of 2076	2764	DllCommonsvc.exe	65
PID 2764 wrote to memory of 2076	2764	DllCommonsvc.exe	65
PID 2764 wrote to memory of 536	2764	DllCommonsvc.exe	66
PID 2764 wrote to memory of 536	2764	DllCommonsvc.exe	66
PID 2764 wrote to memory of 536	2764	DllCommonsvc.exe	66
PID 2764 wrote to memory of 2064	2764	DllCommonsvc.exe	67
PID 2764 wrote to memory of 2064	2764	DllCommonsvc.exe	67
PID 2764 wrote to memory of 2064	2764	DllCommonsvc.exe	67
PID 2764 wrote to memory of 2240	2764	DllCommonsvc.exe	68
PID 2764 wrote to memory of 2240	2764	DllCommonsvc.exe	68
PID 2764 wrote to memory of 2240	2764	DllCommonsvc.exe	68
PID 2764 wrote to memory of 1084	2764	DllCommonsvc.exe	69
PID 2764 wrote to memory of 1084	2764	DllCommonsvc.exe	69
PID 2764 wrote to memory of 1084	2764	DllCommonsvc.exe	69
PID 2764 wrote to memory of 280	2764	DllCommonsvc.exe	70
PID 2764 wrote to memory of 280	2764	DllCommonsvc.exe	70
PID 2764 wrote to memory of 280	2764	DllCommonsvc.exe	70
PID 2764 wrote to memory of 2260	2764	DllCommonsvc.exe	81
PID 2764 wrote to memory of 2260	2764	DllCommonsvc.exe	81
PID 2764 wrote to memory of 2260	2764	DllCommonsvc.exe	81
PID 2260 wrote to memory of 2880	2260	cmd.exe	83
PID 2260 wrote to memory of 2880	2260	cmd.exe	83
PID 2260 wrote to memory of 2880	2260	cmd.exe	83
PID 2260 wrote to memory of 1340	2260	cmd.exe	84
PID 2260 wrote to memory of 1340	2260	cmd.exe	84
PID 2260 wrote to memory of 1340	2260	cmd.exe	84
PID 1340 wrote to memory of 1528	1340	conhost.exe	85
PID 1340 wrote to memory of 1528	1340	conhost.exe	85
PID 1340 wrote to memory of 1528	1340	conhost.exe	85
PID 1528 wrote to memory of 1484	1528	cmd.exe	87
PID 1528 wrote to memory of 1484	1528	cmd.exe	87
PID 1528 wrote to memory of 1484	1528	cmd.exe	87
PID 1528 wrote to memory of 652	1528	cmd.exe	88
PID 1528 wrote to memory of 652	1528	cmd.exe	88
PID 1528 wrote to memory of 652	1528	cmd.exe	88
PID 652 wrote to memory of 2156	652	conhost.exe	89
PID 652 wrote to memory of 2156	652	conhost.exe	89
PID 652 wrote to memory of 2156	652	conhost.exe	89
PID 2156 wrote to memory of 2516	2156	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb242dbb64c456f3b514243d502af2f7e489bf118d32b38eec122e50acb389d3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eb242dbb64c456f3b514243d502af2f7e489bf118d32b38eec122e50acb389d3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Microsoft\Search\Data\Applications\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K0bbLiBhSW.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2260
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2880
      - C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1484
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2516
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        11⤵
        
        PID:1580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2784
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat"
        13⤵
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:768
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat"
        15⤵
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1180
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
        17⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2052
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"
        19⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2920
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        21⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2272
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        23⤵
        
        PID:1316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2464
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat"
        25⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2468
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat"
        27⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:264
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Recent\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Recent\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Microsoft\Search\Data\Applications\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\All Users\Microsoft\Search\Data\Applications\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Microsoft\Search\Data\Applications\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\SchCache\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Windows\SchCache\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f33f6333980c78a6bef899d1c4a26897

SHA1
319c03d9b139519812520ebd0b88d79a940f4cab

SHA256
ceb040c84f037c9ff4ccf866180f4c8cb8fa0279d466738140893b6db8d0973a

SHA512
d27548ab4c0c281fc8440f082f2af5cdd58bd5fb711929143bbdadff0b912ca03427499419f2a2c450a8f9a8720fd1981a67de27aafdbc14a0eb65ba572e057f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b711ee9e23469946660f2e74e177c083

SHA1
e00b3d126e635c4a0f164912fef2aeb9db518296

SHA256
4005e0c584ea7410f55a48b1d78809c3b03b142c4ed030b1ff2d96f7ce58b2ae

SHA512
5e40fec3315460384f160db9538a90fce1a2eb52d3603d444b05eb3a7655d04ac548c87f531bf64c1a6fbd4906cb619686fe2f3b3e06edc7b819300003ee1ac5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
763ebd91f34d2806a5aa232711fd389a

SHA1
8794aa32dd80db2c95ea847fc96c347f2e2c2d60

SHA256
56ba89f7f5aa25a50d538f50f1a8b0ebe4d6e6db213739d62386109167791279

SHA512
d4276a0460ee51376cb330f60a1c11a73540e8fa8e0b4873f5d452ac57dcfc02cb03690ee14f860817aab5d6f9cc45b84132e4dca54e44ecbf835b884d67dd81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60ca305d2ac96c95fdfcd0a5b568b339

SHA1
9269dd834875d62a9f237fe11a31283998d97643

SHA256
00ee14109b97830c20618113bb0b8ff21c52d0404eb8cae5abe58322245d35da

SHA512
b68cbdac4378f4f7163a2f79bdbdfb95e0abdc6a4529b3e90f5b74f823d353baba4d623691956f75b776b6a98e7e4feb1e0150b92a014908b8175c23aef88b25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f33a41bd91ae72a31acc2e5aeec92527

SHA1
f249dff36308d859ebff4a46a3779503fb696c32

SHA256
de4ccfe082a68e804812e273efd412c9d836675b11b5e4cbabcff62c786414a0

SHA512
c971cd80662acfd1b8d816d89844710af72f4ab1dfe519f5718f95c8098938a6bf2e15a0464b654ea8d3a5d784221409b002abee847e528818713793b4284a3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27f9148e08b2a12477196ed5332032ea

SHA1
e8021acbdfca17b8a0279b4badc377363777fb4d

SHA256
59d6d4f0370a3839e76d62d54a7656e4f33fc7ee9c201ccf9bcf6ddc3d9a93b9

SHA512
d92269774b0020c247d0e3e64dff55c5ecea92adc5acb975cda5430190854beab5574321621c0d1fe06e610ba58fafb23b7fafd9d7ad0e48bf4fd9a0fc437bbc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f682e0d9e5a905ae72835f4bdc7fa901

SHA1
0caa94d54e70a95571f9bfa334b25f1c81119e9d

SHA256
203c740682e7070bd412f74c4866cfb0998bb6a422430be61cd168d60d513052

SHA512
907f887d7c5746d13af22b4f109f4938ffd40d870cbfc4b814f30e71e676b55ed28c142d3eea411cb009f392e1947f3ad373d6edbc531629bee40de2aef29536

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47cdccf17bb262fd04c315505100f01a

SHA1
f7ea8fb674d71034e56d17e2be9eb39b8b3689d4

SHA256
fd2b76364fe7c26d9ead9dce84c01e7185e9701852a16d4adfdc9de64ca27fc3

SHA512
72bef425b2c30d9279ac1ff7d00d3e3e66f38c2b89394e144324a71d40b16291e88c05fe44b04b88f40b6528e39690a363ddd5d78694119c7817489e54ca04aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ca283c659a52d9d4e3cdb4b31dda843

SHA1
dc9d9f61e1cd1d78cc90d38f9fca2114b9af7684

SHA256
06b1578f61ee866c6ed7754caedba39565fdf9fd476264dd1a9afd9438742c7c

SHA512
fad6cb485fe8ce5a92ef91e295dee1b9deee9a0f0e33885832e7a880a85af024169ca12591b557e5529eb3529f355e90507eab2cb46e0020b2a71c725caa5a5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fe138ea45cc63163ebd073b85c7ab1a

SHA1
4303f7c667ddfcb6d0fb507987d49487e1f9e696

SHA256
781c743c82a377d4ccf48c59e1d62dead380f74756dc3e95a8fb138842724deb

SHA512
437d30c1ce90580f6254e817c0ef4c983e3b77d605601c71f84b6525e3526bb8d03b182d76eab18464620ece84d0ed65737e0e833fbc1603e9668e17fe1e43b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat

Filesize
194B

MD5
a87883e32846d97e2532dfae44d9d389

SHA1
34fae67999cb36736ff1626c36af7ffb54d72209

SHA256
f43004d2aa0dec732d7cf97f1c34b9e1e1351103dbc21a8c32d7cc95f2662667

SHA512
e8939d5892294e87bf534dd1893b79ff370143ddf544c43abc2beac2009448e3c65d5a7f16a33ed0ad9df5b7036d103f411760ac8d9c64fee9bec7466212242a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab47EB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat

Filesize
194B

MD5
9d2d410f69ee6ecce44b80f5b2dba36a

SHA1
e9a8996cb0f0abb3c8e07e45baaf0f23ebdee5cf

SHA256
fa1ad68319aea146fdef0302d2a3b8ed3473e34a1ef8657b5cb42580dfb55dd3

SHA512
029ac26139dcbc01403067ae681f2883f4713ffb3544fd25c19c8c26efdb8b1047c90f9de3bbbc01325d6a786d289c18adf239ab4b42499e7c69538110e280c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
194B

MD5
45a11057109841489e0fb7c7758f7760

SHA1
78600f518a3c732159140160a62f595c052ab321

SHA256
3a74d419a3ee7819e77da723036db69ca8502f9e41fbd14e121fba988cca206a

SHA512
d917ad37eef5866b4249c4748eef90091db2026a3b626b03243ff87d162a78784cba6a9f89c32c7572a479df173612f45b9732fee67bf111641531e805db8ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat

Filesize
194B

MD5
ff89404c88883ae448cd491270ee648d

SHA1
f11ef186f44919150533c291e08a3716c46292cb

SHA256
3aa3c55c12481e83f7f5e61f8b6d819c13063da698d4f5940766410f16372dfb

SHA512
e387dbb7de73a234be054415a25db01c564fab4ff5931c94437353bf69e0bc6dd58174d3c14f76477724087d5c4a6bdda671416f4d7b5728916eb6f437a57c6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\K0bbLiBhSW.bat

Filesize
194B

MD5
cb01ecab4093269260e44e1f1f552e71

SHA1
1e37586bbfc6a3d35ee7ba14bc49cb7700b9ee0c

SHA256
4786e5b02a0db0ef9cf343db70f6ac763db17b63c68d488e4f5f464c009f849f

SHA512
b448519521b70f4e7d713394f85fa16f38bbe94ff24a7754138aedd1f29e3686de7cf0dabecbe3430e9e61da1e64a32439a7d16d08e5f78f3e93e866d9ea5dbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat

Filesize
194B

MD5
b33faae05768638987ca5d266c4bd83b

SHA1
88b6026d4c54ca538ecf20835e3252288a36daa0

SHA256
4eaca343a78611cf5bcd83851779ca3be70b30105b3ca3eb247f50a4104fecf7

SHA512
2d9e6d9ee3526af45c9f2839a85cde2a16851983f204cca1db309c61dc6a5b14de525a61449d1b26080ad45e8ea05b5c1537ea55c91fd40f993992bc2063c836

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar47EE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\c38FLB8gIG.bat

Filesize
194B

MD5
31d9df1b0af475fd8e141bfe6c74aad3

SHA1
87affefbbb03ab659618fda0e61c60db83eae29b

SHA256
e6d97e53b74c80e405e17f6bb7c6c61f38ee7dc15df491aa5f2ec61009217c3e

SHA512
be2b8807b5e5c46342ce08e67d378fbed958a54d5000787e14e13553861c28170c8c1bef6541e4cf02f67a7c12501b92f966b1e9d3bf9058a94e2b8ec94d68ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
194B

MD5
c8353e38366dcd91d2c5dd23a6741031

SHA1
a679d686969bbf06bc9cf66feb96f13ef29a0206

SHA256
6b96ea862c4b4093cb8d0c8bba2622c62f8d6a5364c430ae300a41e071c06de8

SHA512
c451d7acc9cac17d0887e1f6000c727cc88601c278019e91271549b44d6a63e965a1c81e250b30f54f40adf9845b69f5504a15b7993005df0ff28d2450c037a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

Filesize
194B

MD5
1c7f63617c6835382176b7cf06061fe2

SHA1
8f3e95defc089e5cc5bbc0caa937c51e047e73ca

SHA256
e5083562341a7284d1e9d3dee7be8e1f0d8bb358c5358d463394cd2ef49421cd

SHA512
c2737708a21aa683e52aeef59719c33c8e5167b52c2b4717e83eec67d21ead08e4597c747bcff93277d33adb2df27897c391945c3576ee25182ca711ff6d404e

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
194B

MD5
bfa81c112dfacb93afb5ed566ea5b47b

SHA1
9dc391039f5e7f1ae58f4395a475a89f55f8ad28

SHA256
6c29bc94290b8edf6f9ee99a66cc09cfd5f7f954cdd4d842aa0e74aa20fa1741

SHA512
b100134d1d5e4f53acd71a1748de198d4b21b3ce0d38cafac877fb1f37cd1cba4c88928a4a996aaf25e64fc822ac7273ca99bf447d0d8a2d71225a9b470f10ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\qsbi9TUILn.bat

Filesize
194B

MD5
fa31f96fe529ac2bb9b9ae055defda5e

SHA1
351ee31cf4e0848ffa6fd0d6754b57771b8b42d7

SHA256
7f3bda394d8cfef7c4962b98faf2514ea6f17f04a05b1b0ce1639af6129e2332

SHA512
9b8ccff831db21b2614fddf65122b03f714aceb01ac3b02f8ccf81cec587efcd0a9dc6f0c4316b3e5efd09dbf98839c19a15048ee9bdda4eda3d893760395221

Download Submit
C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

Filesize
194B

MD5
43a48270c66fa7a715c0fc6d9c03d0a6

SHA1
2031606064659fe8164c44011fa5d66b97bd2b76

SHA256
c49656bf21009a2fb51fad7e3f6e47d84baa1d4c4e6f6c541840d46526217ac2

SHA512
4a1af9a8d4960cfbd78e25e7814238d1de87c1f7a562567329ca8d6c4d5c6484e28f6bada32c4e8ab7a00f91476fe9cf490c09b2f6610af41597c761ab9131be

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
00792e343a0e4f55ef3ab454db4a647f

SHA1
d571a1168f25523289b898dd38cb3434ef2af8e4

SHA256
3e01f625a58aa4f5abe053e013eb385c31a00caebcc2d30d40182c726e903293

SHA512
9c60ea12209c736822b7ac1854e5ea630c53d8a940a8d789833b64b918ff7079c52640e60778c29f7f4f0cb89b629767f7b79c4f767c81a1b80d8602213466c3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/280-64-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/280-71-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/580-750-0x0000000000C00000-0x0000000000D10000-memory.dmp

Filesize
1.1MB

Download
memory/652-153-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1340-94-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/1388-332-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/1896-453-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2072-690-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2092-392-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2092-393-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2656-213-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/2764-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2764-13-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2764-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2764-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2764-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download