dcrat | bbf2f4ce678123a7662a7f5eabb822f4c292eb8ef58c51e973d578d8f051dcaf

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bbf2f4ce678123a7662a7f5eabb822f4c292eb8ef58c51e973d578d8f051dcaf.exe
Size

1.3MB
MD5

b6fe87839652bf93976f17ef15991e4e
SHA1

689cc68a4cb3877a16ffde0493219a4e7a7905d7
SHA256

bbf2f4ce678123a7662a7f5eabb822f4c292eb8ef58c51e973d578d8f051dcaf
SHA512

8c7ad7bb7abb24551a726879aaf974304201416dafc013258896cb2dd59794f8eca7e30519df11b0c68a7d5055dd23349699e70e78f19fe87ee9f7a7d874236e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	376	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2688	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	964	2688	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016da7-12.dat	dcrat
behavioral1/memory/1708-13-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2968-44-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2660-159-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/964-219-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/1700-279-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/2184-340-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2768-400-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2900-698-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2380	powershell.exe
900	powershell.exe
2904	powershell.exe
1968	powershell.exe
1744	powershell.exe
1692	powershell.exe
1732	powershell.exe
1032	powershell.exe
908	powershell.exe
1680	powershell.exe
892	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1708	DllCommonsvc.exe
2968	System.exe
2660	System.exe
964	System.exe
1700	System.exe
2184	System.exe
2768	System.exe
1808	System.exe
2280	System.exe
2552	System.exe
1280	System.exe
2900	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2860	cmd.exe
2860	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Java\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\services.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bbf2f4ce678123a7662a7f5eabb822f4c292eb8ef58c51e973d578d8f051dcaf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2352	schtasks.exe
1624	schtasks.exe
2908	schtasks.exe
964	schtasks.exe
992	schtasks.exe
2080	schtasks.exe
1128	schtasks.exe
2724	schtasks.exe
2872	schtasks.exe
1300	schtasks.exe
1496	schtasks.exe
1780	schtasks.exe
2988	schtasks.exe
1960	schtasks.exe
1760	schtasks.exe
484	schtasks.exe
1716	schtasks.exe
2268	schtasks.exe
844	schtasks.exe
1964	schtasks.exe
860	schtasks.exe
2632	schtasks.exe
620	schtasks.exe
1408	schtasks.exe
584	schtasks.exe
2844	schtasks.exe
2736	schtasks.exe
376	schtasks.exe
2612	schtasks.exe
2572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1708	DllCommonsvc.exe
1032	powershell.exe
900	powershell.exe
908	powershell.exe
2904	powershell.exe
1680	powershell.exe
1744	powershell.exe
1968	powershell.exe
1732	powershell.exe
1692	powershell.exe
892	powershell.exe
2380	powershell.exe
2968	System.exe
2660	System.exe
964	System.exe
1700	System.exe
2184	System.exe
2768	System.exe
1808	System.exe
2280	System.exe
2552	System.exe
1280	System.exe
2900	System.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1708	DllCommonsvc.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2968	System.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2660	System.exe
Token: SeDebugPrivilege	964	System.exe
Token: SeDebugPrivilege	1700	System.exe
Token: SeDebugPrivilege	2184	System.exe
Token: SeDebugPrivilege	2768	System.exe
Token: SeDebugPrivilege	1808	System.exe
Token: SeDebugPrivilege	2280	System.exe
Token: SeDebugPrivilege	2552	System.exe
Token: SeDebugPrivilege	1280	System.exe
Token: SeDebugPrivilege	2900	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2344 wrote to memory of 2044	2344	JaffaCakes118_bbf2f4ce678123a7662a7f5eabb822f4c292eb8ef58c51e973d578d8f051dcaf.exe	31
PID 2344 wrote to memory of 2044	2344	JaffaCakes118_bbf2f4ce678123a7662a7f5eabb822f4c292eb8ef58c51e973d578d8f051dcaf.exe	31
PID 2344 wrote to memory of 2044	2344	JaffaCakes118_bbf2f4ce678123a7662a7f5eabb822f4c292eb8ef58c51e973d578d8f051dcaf.exe	31
PID 2344 wrote to memory of 2044	2344	JaffaCakes118_bbf2f4ce678123a7662a7f5eabb822f4c292eb8ef58c51e973d578d8f051dcaf.exe	31
PID 2044 wrote to memory of 2860	2044	WScript.exe	32
PID 2044 wrote to memory of 2860	2044	WScript.exe	32
PID 2044 wrote to memory of 2860	2044	WScript.exe	32
PID 2044 wrote to memory of 2860	2044	WScript.exe	32
PID 2860 wrote to memory of 1708	2860	cmd.exe	34
PID 2860 wrote to memory of 1708	2860	cmd.exe	34
PID 2860 wrote to memory of 1708	2860	cmd.exe	34
PID 2860 wrote to memory of 1708	2860	cmd.exe	34
PID 1708 wrote to memory of 1032	1708	DllCommonsvc.exe	66
PID 1708 wrote to memory of 1032	1708	DllCommonsvc.exe	66
PID 1708 wrote to memory of 1032	1708	DllCommonsvc.exe	66
PID 1708 wrote to memory of 2380	1708	DllCommonsvc.exe	67
PID 1708 wrote to memory of 2380	1708	DllCommonsvc.exe	67
PID 1708 wrote to memory of 2380	1708	DllCommonsvc.exe	67
PID 1708 wrote to memory of 892	1708	DllCommonsvc.exe	68
PID 1708 wrote to memory of 892	1708	DllCommonsvc.exe	68
PID 1708 wrote to memory of 892	1708	DllCommonsvc.exe	68
PID 1708 wrote to memory of 1680	1708	DllCommonsvc.exe	71
PID 1708 wrote to memory of 1680	1708	DllCommonsvc.exe	71
PID 1708 wrote to memory of 1680	1708	DllCommonsvc.exe	71
PID 1708 wrote to memory of 1732	1708	DllCommonsvc.exe	72
PID 1708 wrote to memory of 1732	1708	DllCommonsvc.exe	72
PID 1708 wrote to memory of 1732	1708	DllCommonsvc.exe	72
PID 1708 wrote to memory of 1692	1708	DllCommonsvc.exe	73
PID 1708 wrote to memory of 1692	1708	DllCommonsvc.exe	73
PID 1708 wrote to memory of 1692	1708	DllCommonsvc.exe	73
PID 1708 wrote to memory of 900	1708	DllCommonsvc.exe	74
PID 1708 wrote to memory of 900	1708	DllCommonsvc.exe	74
PID 1708 wrote to memory of 900	1708	DllCommonsvc.exe	74
PID 1708 wrote to memory of 908	1708	DllCommonsvc.exe	75
PID 1708 wrote to memory of 908	1708	DllCommonsvc.exe	75
PID 1708 wrote to memory of 908	1708	DllCommonsvc.exe	75
PID 1708 wrote to memory of 1744	1708	DllCommonsvc.exe	76
PID 1708 wrote to memory of 1744	1708	DllCommonsvc.exe	76
PID 1708 wrote to memory of 1744	1708	DllCommonsvc.exe	76
PID 1708 wrote to memory of 1968	1708	DllCommonsvc.exe	77
PID 1708 wrote to memory of 1968	1708	DllCommonsvc.exe	77
PID 1708 wrote to memory of 1968	1708	DllCommonsvc.exe	77
PID 1708 wrote to memory of 2904	1708	DllCommonsvc.exe	78
PID 1708 wrote to memory of 2904	1708	DllCommonsvc.exe	78
PID 1708 wrote to memory of 2904	1708	DllCommonsvc.exe	78
PID 1708 wrote to memory of 2968	1708	DllCommonsvc.exe	88
PID 1708 wrote to memory of 2968	1708	DllCommonsvc.exe	88
PID 1708 wrote to memory of 2968	1708	DllCommonsvc.exe	88
PID 2968 wrote to memory of 2400	2968	System.exe	89
PID 2968 wrote to memory of 2400	2968	System.exe	89
PID 2968 wrote to memory of 2400	2968	System.exe	89
PID 2400 wrote to memory of 1696	2400	cmd.exe	91
PID 2400 wrote to memory of 1696	2400	cmd.exe	91
PID 2400 wrote to memory of 1696	2400	cmd.exe	91
PID 2400 wrote to memory of 2660	2400	cmd.exe	92
PID 2400 wrote to memory of 2660	2400	cmd.exe	92
PID 2400 wrote to memory of 2660	2400	cmd.exe	92
PID 2660 wrote to memory of 1288	2660	System.exe	93
PID 2660 wrote to memory of 1288	2660	System.exe	93
PID 2660 wrote to memory of 1288	2660	System.exe	93
PID 1288 wrote to memory of 1872	1288	cmd.exe	95
PID 1288 wrote to memory of 1872	1288	cmd.exe	95
PID 1288 wrote to memory of 1872	1288	cmd.exe	95
PID 1288 wrote to memory of 964	1288	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbf2f4ce678123a7662a7f5eabb822f4c292eb8ef58c51e973d578d8f051dcaf.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bbf2f4ce678123a7662a7f5eabb822f4c292eb8ef58c51e973d578d8f051dcaf.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Documents\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2968
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1696
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1872
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"
        10⤵
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1556
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        12⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2664
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"
        14⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1508
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
        16⤵
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2876
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat"
        18⤵
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2832
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        20⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1696
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
        22⤵
        
        PID:2020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3040
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat"
        24⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:484
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Java\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Java\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\All Users\Documents\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Documents\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Font\PFM\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:964

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
979ed372064c17463e723d11f70c885e

SHA1
faf0db451f4e84ba2f2e5b1ff6a46988fca328dd

SHA256
8cd7bc5e83312cb571de7c9939997a7d74a9a84042d369039a962e0049ec663c

SHA512
d69a8c1657549ba50fe7acd8ee3bce3afa0ba3316008ff423555c0122235c585d1bb4729eb699a628672bde4cd7594eb2546dec3f1d62ef580a7b442f6a277cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c85bc54f927e1d383e48a823c4e1d44f

SHA1
4a253653eb5806b420bf58dbeb4b51c80ef96077

SHA256
afaa576374e690ebd3fcb8986b2d8885ecc4d554ee09b536a6437a311f40e4c4

SHA512
71e37480665071129fb16826196f02c4e6c0da5d1322732f190f4dae223040a8e4b20c60af6577e97414e707146e69aa37202471339a40ce62e4d0b51bbfc81c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a6c5e28962cde54ed77d75a7d01bbdd

SHA1
3d233e73e1c1d139318bbf87ac3258295dc038bb

SHA256
7e599f6ba14be67e6b06a82bb95c299255d4f104deebdda9406fa3010c3f462f

SHA512
407b9cabb1043cb34899a634faea93a5766e9c40fe6e201d75df944a97ee04e66f9a312fde1192d057a320a98346b051f7a3111e20eea6012f71761eccabbd79

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a9307c2a669f36191c0e94c56007aaeb

SHA1
220b84c6e307dd7616dfb7af88f594af34d317ec

SHA256
b4fa2f5f826b09ef9e6565c8d778a9d78bbcdecf4955dbdd7903eb328ed32cef

SHA512
9a0608e421e0740990929158ac67afd104d65a5f1eb4e53569b7326a1f059b4aea120b8c576bff07f4a7075de13867d88cf35acac1a292dd3dfd20a57156dec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f63efe9c27939fd25628349ad1b960e

SHA1
094423dde23f04aafb401eb7e6c70f7169fed479

SHA256
ee729bf2c138e1c112f7885c7d6b7dc303ce98d67a98dbfc1d6fc89975a18f31

SHA512
54a273aec062fb82dd3a90c71922f654adc8e1a899609d61d75cfdecf96f1f17daf40078d01228ea38f9b75c3c9503ad20d7d374a9948e86186ba1bbe6a3bd3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a358481ad46f4889173a5f318abf0c3

SHA1
e5ecd252ef99d5033c445d6c5a3288da27ba6f9d

SHA256
5d0e960b20c5bd3883d4a8aaa7f2579f4f4359fad22dbca761fd75b108f88b6a

SHA512
3163dc6f439379d5f66bcf3d7a9904dfbb35ab05ae1827c6557a563a2b4fa957a8680d22f0f7304d28db3bf5766cfff9fdc043b908c5faf2ef6fa057b28a36d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
169941fd9cf87ef5fd772a5cb157901b

SHA1
dad6676ccb3fe10da176a4c47f4246b5f4b02ead

SHA256
0ed91d255881afb69ecbdfdbb62bf2c3b647e29d5ce9426e17e78c7189620e13

SHA512
7342b10b25c8aa66e8a2d26d343368ecd19ec1dddab0556c1f1e1058262cc4b261432ff46bddcc8d4055cd02ece4ad8f016e4c9d71e3f07e5fb267de1fc9e27a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a3d37d5ea1134bdec615ed6204f6821

SHA1
02199ff09a4f6501d81892f0e8076b5600cbf0fe

SHA256
c0369ec68496f59402d3a3e4316c474c0e243c91a8f0512f7c356221d81c772f

SHA512
a7c870cd9c09e8f0789f77b4163d3de1eb3e7bacdc1575bb6bccf1ccf413d0fb79ebe7633218ce1ac74646b3fe40181dcbcafeb9338873ef4d2750f48ee3157e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8e775a01031453897d046661f4fc5a9

SHA1
7352c6867e21b57b9df3317de919e2caf5c1f029

SHA256
007afd2f1fca4f6f1ce2c265c1bb48f17c4edf538d262cd5b0527e6b03fe34f6

SHA512
157525c3bb2f4f0bbd59054a212b50ca50387907ce833651ed52371d6c3efabbab6157e7ae057f713f4edfffb8ad94b2ce9a68435a4ab5aebe9e70798aa1d512

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab61B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EUl4QLAvAv.bat

Filesize
224B

MD5
e0aa8130a347a7aab1b9cde39b97620c

SHA1
4a27f76237e5f83c1186cc1edbf5dd2690341004

SHA256
26de40d2d3eccb9534e00084fb07aa315e63af1d43711a69d1686fd9cce5417c

SHA512
7595dd096515509403da05f36034eee5317feea5cde8f88d08d89cc48f61f9bf240d12fc0b60f23e1e976aa2f310bf583785b8daa7f5bc1cd28be61660f47a3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\HD5NsnfB5C.bat

Filesize
224B

MD5
8fd0b259896eff624633398517b1efc4

SHA1
eedf13a38c60dfc8b7b9fa6b9db8a62f63d1a479

SHA256
bae8752443f7daec128d9da0a3186c1d5c491407444221d171bc02b4cb25e61d

SHA512
0d6f00cee3812f959627569f94a6d4f4eac74080ff885c8521aa3a939ee2f95a8900d449492fd93c4ef5f74e55e2971c506e476acb403b15059a16929d4bef92

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

Filesize
224B

MD5
5c8a59dc95dea51c4cc8f674a7609c2b

SHA1
02c48eb0ab6dde17b4d71844ab568f16d28e8933

SHA256
a637f920d2c1361dc110eb21e6ba95f831dc9e5002aa433a5af445123ffd4658

SHA512
2ef9fcbcacbf4c063733bcc8720973e3c6c297c27ba77cbcad14ec12b7c2b83e8d7b391288d384c9d72d110599d39db5e9bcc5dc9308191082cf225034a8def5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat

Filesize
224B

MD5
7997c2429782930dbdba61398a14682f

SHA1
496fe5c1131378053633aa2b865d373dfc0a5ab1

SHA256
b72dfff2d20f7a80151f35a089ec1d0fe5bc35f0e64fba24e2a68b152a276dcf

SHA512
744b33064a76bbe232ad9d91717aaff0399c05f9ec1e257a43430c090a1dc1ffc332a559b27ec8f320a209224456c4f8a6d765611db3f1de890d38d667f3f788

Download Submit
C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

Filesize
224B

MD5
1c1d611431c3e563e55761882f61c391

SHA1
e6ca8eee900251825cde5ad072901394b5c77645

SHA256
9c17806128b7ba93221415f2aeed0753d94e6379b8de581f1e12c25194790b08

SHA512
f620a9923a4d1785c67c01286a2e44baeb04de8c2d9e1c85e214230ec15421fc796b9cdd0ba4f21cd8f86249a22c460ef71449f0e834bcf7b7830b12ddbc3e77

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar63D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
224B

MD5
a842936f5c05909469f259f918e499b7

SHA1
eea78fe751ad463f48f10eade91be2d9b6d107e3

SHA256
52eccba29a91d7fc6b88c0d0a0e2928b969bbadc95d130fcb74da5f53950b0d9

SHA512
d185e569779f1784b12b597b9dac732003efec7acb26c45364897a542fd75499e787c5c68fc8aaf46d54b64a2a6a3525dbb45eb306b88aafe45c4fa50d983d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat

Filesize
224B

MD5
5c088913728899b6a41afb2a2eef6221

SHA1
6230bca9781186f9ee98291a2eb98581c9e797cb

SHA256
63fa36dc6c652c01df76059a499543957459176f1608a8856b34556b9b140814

SHA512
5402ba2b53ce7401f2a3a0abfd22e313f0b9cf298584bfde43bc8101356ac3f9458cba452e7910b3bc503e17e37f506f58d33e265ac135d5d5d1e5ea223df71f

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
224B

MD5
07b274be8945cea01f083627171eaa99

SHA1
e9daf15b50a9f704a4ef538597dcf27738faf64f

SHA256
6552ee83a8bb457aa6f64e2443b61bf6810b4f77a2195eb097d02de9ce4467b8

SHA512
697c6f5e72e55e9269bd31a26162b92ac835aa8fb1a530c694edefcf27639c591f65a02043a28302e8691ecc9c0080f4c9c57280ff2fa7ccd5f285f21bf9382c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yvlYFj4oEg.bat

Filesize
224B

MD5
ff4291e632a56fadeead4a5588544b93

SHA1
7cb511b9ecd520e0fb3960dc645a2a202906ba91

SHA256
a708898c5d5b0d424efcf33d6aa1aeb0e58cae6201eacf9e8286c89373acbc17

SHA512
12f57cff5d8824f3b986e5ef42f4ecac25297b62485d01f17243cd82ec49dc95a915cb60ec162171f4ec6729fa234482aa6d62b7510a36bd465d4b47075d0e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

Filesize
224B

MD5
6c0e4147fbc057a43b289edaca432a0b

SHA1
5e4b076088b61ffa4376067b56a74b913c39b3ea

SHA256
ab2bb8bf30f20512c3878337738eb75b0b4689ca776b79f672c9af08df68b1de

SHA512
d802b26587c2e6e8bddef73e3052c47a0278d202d3fae5821288b8c078bbefa1baa7a730566c810c64415c2797654b8463cff0bbea436e59fe325b4321c574ce

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
813dd2a92f968434ef150a5d3114d9bc

SHA1
795f2d176a1201f33e7c708ac3df60033f5617de

SHA256
bc1546842ad8b1c28f39d832b17fe1bdb12cedd4495ecf3d4d9794bacc4f94f8

SHA512
a3b80fc4ebbd1916726d4eb9be307feafb9c874690d581c473b73b9c298ebb7d3717fa9b5c6260ea3960b996031979a33af161c71a96f66f6b939902dc8015ba

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/964-219-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/1032-56-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/1280-638-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1700-280-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1700-279-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/1708-14-0x0000000000620000-0x0000000000632000-memory.dmp

Filesize
72KB

Download
memory/1708-17-0x0000000000650000-0x000000000065C000-memory.dmp

Filesize
48KB

Download
memory/1708-16-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/1708-15-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/1708-13-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/1808-460-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2184-340-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2660-159-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2768-400-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2900-698-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2904-55-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/2968-44-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download