dcrat | 4753a28d6bae05cf846e3b4c8ddc20337e34fa1a16cd0290ebd287dad899150e

Analysis

max time kernel
149s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4753a28d6bae05cf846e3b4c8ddc20337e34fa1a16cd0290ebd287dad899150e.exe
Size

1.3MB
MD5

5d60d2fe8317c1431bdb77ae9df3d65c
SHA1

74cc37589b351f0edbbafc2b4d0235a9ad7af98d
SHA256

4753a28d6bae05cf846e3b4c8ddc20337e34fa1a16cd0290ebd287dad899150e
SHA512

99a081146092aec83f04b1a026b4d33ad44358e2f1925dc318be9db8d236d3a864e6dcd8df5e16ce27fda25eb1b2b0c919a384fbad806c93ca1fb656dbc15d88
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2980	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2980	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016cf0-9.dat	dcrat
behavioral1/memory/2160-13-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/2984-104-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/2704-163-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/588-282-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/1308-342-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/2292-402-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/624-462-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/2992-523-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/2872-583-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3036	powershell.exe
608	powershell.exe
1324	powershell.exe
1688	powershell.exe
2128	powershell.exe
980	powershell.exe
840	powershell.exe
2088	powershell.exe
2224	powershell.exe
1940	powershell.exe
2956	powershell.exe
2936	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2160	DllCommonsvc.exe
588	DllCommonsvc.exe
2984	csrss.exe
2704	csrss.exe
696	csrss.exe
588	csrss.exe
1308	csrss.exe
2292	csrss.exe
624	csrss.exe
2992	csrss.exe
2872	csrss.exe
3028	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2036	cmd.exe
2036	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\it-IT\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\en-US\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\en-US\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\it-IT\dllhost.exe	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\inf\TermService\0409\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\inf\TermService\0409\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\inf\TermService\0409\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\IME\IMESC5\HELP\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\IME\IMESC5\HELP\e978f868350d50	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\powershell.exe	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\e978f868350d50	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4753a28d6bae05cf846e3b4c8ddc20337e34fa1a16cd0290ebd287dad899150e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
984	schtasks.exe
2344	schtasks.exe
1628	schtasks.exe
2156	schtasks.exe
2484	schtasks.exe
2096	schtasks.exe
1544	schtasks.exe
944	schtasks.exe
1652	schtasks.exe
1460	schtasks.exe
1768	schtasks.exe
1500	schtasks.exe
276	schtasks.exe
1524	schtasks.exe
1804	schtasks.exe
2804	schtasks.exe
632	schtasks.exe
888	schtasks.exe
2432	schtasks.exe
1620	schtasks.exe
2824	schtasks.exe
3024	schtasks.exe
1712	schtasks.exe
1656	schtasks.exe
1552	schtasks.exe
2992	schtasks.exe
1748	schtasks.exe
2524	schtasks.exe
2260	schtasks.exe
2288	schtasks.exe

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2160	DllCommonsvc.exe
3036	powershell.exe
608	powershell.exe
2088	powershell.exe
840	powershell.exe
1324	powershell.exe
980	powershell.exe
588	DllCommonsvc.exe
588	DllCommonsvc.exe
588	DllCommonsvc.exe
588	DllCommonsvc.exe
588	DllCommonsvc.exe
588	DllCommonsvc.exe
588	DllCommonsvc.exe
588	DllCommonsvc.exe
588	DllCommonsvc.exe
2128	powershell.exe
1940	powershell.exe
1688	powershell.exe
2224	powershell.exe
2936	powershell.exe
2956	powershell.exe
2984	csrss.exe
2704	csrss.exe
696	csrss.exe
588	csrss.exe
1308	csrss.exe
2292	csrss.exe
624	csrss.exe
2992	csrss.exe
2872	csrss.exe
3028	csrss.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2160	DllCommonsvc.exe
Token: SeDebugPrivilege	588	DllCommonsvc.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	608	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	980	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2984	csrss.exe
Token: SeDebugPrivilege	2704	csrss.exe
Token: SeDebugPrivilege	696	csrss.exe
Token: SeDebugPrivilege	588	csrss.exe
Token: SeDebugPrivilege	1308	csrss.exe
Token: SeDebugPrivilege	2292	csrss.exe
Token: SeDebugPrivilege	624	csrss.exe
Token: SeDebugPrivilege	2992	csrss.exe
Token: SeDebugPrivilege	2872	csrss.exe
Token: SeDebugPrivilege	3028	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1940 wrote to memory of 1236	1940	JaffaCakes118_4753a28d6bae05cf846e3b4c8ddc20337e34fa1a16cd0290ebd287dad899150e.exe	30
PID 1940 wrote to memory of 1236	1940	JaffaCakes118_4753a28d6bae05cf846e3b4c8ddc20337e34fa1a16cd0290ebd287dad899150e.exe	30
PID 1940 wrote to memory of 1236	1940	JaffaCakes118_4753a28d6bae05cf846e3b4c8ddc20337e34fa1a16cd0290ebd287dad899150e.exe	30
PID 1940 wrote to memory of 1236	1940	JaffaCakes118_4753a28d6bae05cf846e3b4c8ddc20337e34fa1a16cd0290ebd287dad899150e.exe	30
PID 1236 wrote to memory of 2036	1236	WScript.exe	31
PID 1236 wrote to memory of 2036	1236	WScript.exe	31
PID 1236 wrote to memory of 2036	1236	WScript.exe	31
PID 1236 wrote to memory of 2036	1236	WScript.exe	31
PID 2036 wrote to memory of 2160	2036	cmd.exe	33
PID 2036 wrote to memory of 2160	2036	cmd.exe	33
PID 2036 wrote to memory of 2160	2036	cmd.exe	33
PID 2036 wrote to memory of 2160	2036	cmd.exe	33
PID 2160 wrote to memory of 3036	2160	DllCommonsvc.exe	50
PID 2160 wrote to memory of 3036	2160	DllCommonsvc.exe	50
PID 2160 wrote to memory of 3036	2160	DllCommonsvc.exe	50
PID 2160 wrote to memory of 980	2160	DllCommonsvc.exe	51
PID 2160 wrote to memory of 980	2160	DllCommonsvc.exe	51
PID 2160 wrote to memory of 980	2160	DllCommonsvc.exe	51
PID 2160 wrote to memory of 1324	2160	DllCommonsvc.exe	52
PID 2160 wrote to memory of 1324	2160	DllCommonsvc.exe	52
PID 2160 wrote to memory of 1324	2160	DllCommonsvc.exe	52
PID 2160 wrote to memory of 608	2160	DllCommonsvc.exe	53
PID 2160 wrote to memory of 608	2160	DllCommonsvc.exe	53
PID 2160 wrote to memory of 608	2160	DllCommonsvc.exe	53
PID 2160 wrote to memory of 840	2160	DllCommonsvc.exe	55
PID 2160 wrote to memory of 840	2160	DllCommonsvc.exe	55
PID 2160 wrote to memory of 840	2160	DllCommonsvc.exe	55
PID 2160 wrote to memory of 2088	2160	DllCommonsvc.exe	56
PID 2160 wrote to memory of 2088	2160	DllCommonsvc.exe	56
PID 2160 wrote to memory of 2088	2160	DllCommonsvc.exe	56
PID 2160 wrote to memory of 588	2160	DllCommonsvc.exe	62
PID 2160 wrote to memory of 588	2160	DllCommonsvc.exe	62
PID 2160 wrote to memory of 588	2160	DllCommonsvc.exe	62
PID 588 wrote to memory of 2224	588	DllCommonsvc.exe	78
PID 588 wrote to memory of 2224	588	DllCommonsvc.exe	78
PID 588 wrote to memory of 2224	588	DllCommonsvc.exe	78
PID 588 wrote to memory of 1940	588	DllCommonsvc.exe	79
PID 588 wrote to memory of 1940	588	DllCommonsvc.exe	79
PID 588 wrote to memory of 1940	588	DllCommonsvc.exe	79
PID 588 wrote to memory of 1688	588	DllCommonsvc.exe	80
PID 588 wrote to memory of 1688	588	DllCommonsvc.exe	80
PID 588 wrote to memory of 1688	588	DllCommonsvc.exe	80
PID 588 wrote to memory of 2956	588	DllCommonsvc.exe	81
PID 588 wrote to memory of 2956	588	DllCommonsvc.exe	81
PID 588 wrote to memory of 2956	588	DllCommonsvc.exe	81
PID 588 wrote to memory of 2936	588	DllCommonsvc.exe	82
PID 588 wrote to memory of 2936	588	DllCommonsvc.exe	82
PID 588 wrote to memory of 2936	588	DllCommonsvc.exe	82
PID 588 wrote to memory of 2128	588	DllCommonsvc.exe	83
PID 588 wrote to memory of 2128	588	DllCommonsvc.exe	83
PID 588 wrote to memory of 2128	588	DllCommonsvc.exe	83
PID 588 wrote to memory of 2884	588	DllCommonsvc.exe	90
PID 588 wrote to memory of 2884	588	DllCommonsvc.exe	90
PID 588 wrote to memory of 2884	588	DllCommonsvc.exe	90
PID 2884 wrote to memory of 2924	2884	cmd.exe	92
PID 2884 wrote to memory of 2924	2884	cmd.exe	92
PID 2884 wrote to memory of 2924	2884	cmd.exe	92
PID 2884 wrote to memory of 2984	2884	cmd.exe	93
PID 2884 wrote to memory of 2984	2884	cmd.exe	93
PID 2884 wrote to memory of 2984	2884	cmd.exe	93
PID 2984 wrote to memory of 1796	2984	csrss.exe	94
PID 2984 wrote to memory of 1796	2984	csrss.exe	94
PID 2984 wrote to memory of 1796	2984	csrss.exe	94
PID 1796 wrote to memory of 1208	1796	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4753a28d6bae05cf846e3b4c8ddc20337e34fa1a16cd0290ebd287dad899150e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4753a28d6bae05cf846e3b4c8ddc20337e34fa1a16cd0290ebd287dad899150e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1236
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2036
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\TermService\0409\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\it-IT\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:588
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\explorer.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\IMESC5\HELP\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\en-US\Idle.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Gyx7tWaWVd.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2924
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1208
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        10⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1264
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        12⤵
        
        PID:2064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2936
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"
        14⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2552
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
        16⤵
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2172
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat"
        18⤵
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2020
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat"
        20⤵
        
        PID:1340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2316
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"
        22⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3048
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat"
        24⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2212
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\inf\TermService\0409\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\TermService\0409\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Sidebar\it-IT\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\it-IT\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Users\Public\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\IMESC5\HELP\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\IME\IMESC5\HELP\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 13 /tr "'C:\Windows\IME\IMESC5\HELP\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 8 /tr "'C:\Windows\debug\WIA\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Windows\debug\WIA\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Journal\en-US\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Journal\en-US\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e4a3f0312ffb2d6c668c711b7f51aa4

SHA1
49b656ccb64cd4c7487ace237e1b4a15ec5b147b

SHA256
0bd33b58dabdf36885072c60c0f7a6243f298916d5306a3ed5d89eeac14020b8

SHA512
44268926852a448b7f171a8dbabad79969e9513420c73122ee0b71bffbc03e9df437f4ca797be82de6b6c7a623cdc9bc1667f6c86ba6b7aa2fb6fab4086d7e67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a87a35923208ae86724fde5cbf7f78b

SHA1
cf6f3cfb2db6cbbd11414d870a90447df54c74fe

SHA256
246a17d980328cee06af9d5e2f3976a74391f8d5bc43f4013ccc589c2add7682

SHA512
5ff5435703eefd236ad7608df07324041195a3694ed18733217bdd550dbb83bb3a268522bc4c66db7c7babf5e1ee736e04a7a862ed70ddb24c7f2877d3e7658a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01e00b014108c7f05881b57d389d2976

SHA1
89cbe235e3e30023e653acd40e13a1fb9d53d7fd

SHA256
ecac6029e90b02c0bff2f1afd75369ae442a2b1fc742f6885beb675d58ee7eab

SHA512
b80bb0f3f97f3e6c10cdede650dcbb3037d48b578983f28c44aebd8b1b10f0445434488122c0d36bb5b3f62f21d2d5e4ba28c6401ebdf198ab384d5c3c9b06e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19d4fc304a7839dc5053e74b8ae41152

SHA1
c7640189d8f36357472b9206ea1c5e4d1e7a39ae

SHA256
4b07ed8c705e0d0085b790b6ac4403794b37e169ff034ac46b71cd8f4e7e5172

SHA512
7abd2f96dbc81949d09ead491cde53398cf6bfd6c3504a5dfabf95eacb129c61f325e38d76524422285fc62f271da3c2fd4b04f420e7495fe19bcc71b4171dc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07ea62499576409b0c705bf089fa443b

SHA1
7e42d6cebb0b0f4cbdb6de6115a7cc3b546e8082

SHA256
42edfb67ebbf88e0568c3c48d7e4147c059aeb48495e7cd5c345516dfde343cf

SHA512
4a508ae70c9fecfcd58904f1b5f0f2a327f825c09ed54a55341ec710deef5c5ca1a6fb9603c7d64c0614f97d0ad550b075fd37a6ba4c07c7c842d1a930a9a604

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d4fd6559e886a51d873a85fd683d977

SHA1
dcb8ee6c9abd87b8e7d4b19c62057d3aa057c890

SHA256
108cd7bf91dbcb99a5ae7795fd6a9c6e914a1063b81d2fcea263000ff31e11de

SHA512
546dec9e987088e2c5f08a0172f0c8c3aebaf4a4cbaaef61f14ce7c8cb7d9aef167ae4217145c69f76b37d6576866c8b979ce3b0b6c5edcf26d947c539924ae6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abe7d02cd3c9005ea906bb5fa4826c9b

SHA1
f36030eb1ce6e8ae109c1aebda7bb95e30723973

SHA256
63bd19902f6e7c5361011c0ddda73894c92bb2b95755daacfd625538a708670c

SHA512
4da9dd2fd857bb816fca4c781d89bf73b9d8958b7094a294a4355f3d7c0476f311d596cdf4781c21abb3b5454b909f39e7e7d788a1be3584b0ce8ebab5fbfbfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5eddaaab730b94255d308cf51c274adc

SHA1
947a87c0cff863730ed847011a86518cdb3816d6

SHA256
128d6de1de0a6694cae6743c88eaf8ae192c6127fecf19d898c1eb34cbe17f03

SHA512
8fcdde4111a0eb7ac9bcbf3b0979b59b598c431e9aa42795c566a0d7678c5994ef8712da8cc077f55173abcc7e2d21c443a801e73eea8aa6c7d3c94eb6126acd

Download Submit
C:\Users\Admin\AppData\Local\Temp\0tZmJrpaGF.bat

Filesize
223B

MD5
be76024bf538ba62b4dcda00b8bf6828

SHA1
4e3020e2e839ed4a6901fae5f7dadcdf90691dd4

SHA256
850271e3f5460e1088238fe725debe44793c2de2e1372b91c130e89894e9e9bd

SHA512
ac166695d99fdf62fe2daf3898ad0ab0536c33449a818e0dcec5f07b6eb70e05a38cb6ae70f744cb0ffb9fa4d9f043f01a979dad775f8022863a79538fa2bbe8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat

Filesize
223B

MD5
e63bb630747b63137a930316d9264ae2

SHA1
4497535923c39f5ba2c364aba689e972b60f23b4

SHA256
63b3fdd605453621a6d7575bdb1adff89574639abef1bd500913e8624f6bb04b

SHA512
51a433576e4ecf3126634ddd79e090abcc812b3dd702f213b29c3bd736a45f5d020abdf35d56a30340fde996947af8e7b58aefaa6b3a76866b74325af4f4df13

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab33E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Gyx7tWaWVd.bat

Filesize
223B

MD5
9c3d78b27a685590be4b1ed1a59db01d

SHA1
39e338e68218fe8f003ba19d6bceb9637da07685

SHA256
917082131e01257e1233f0de42c693e13b6c376a0bc7e8ccd1970dc46ffdd1d7

SHA512
9da683095d4599cfeacfea0fa2dd1e0fae0d8b734d18ff70607aba75f9dd6c75ccfaea52633027b2c0d467c3a339814882f63f9b30d89efbe08cb3ab9a01f1a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
223B

MD5
ec0ca7a2fd5bb7a1ba7bdd77fd57415e

SHA1
58ea6eef1bfda0f13d2309fc3c2466ae527ce6a8

SHA256
3ef480cb7475d8ef0705ba767da21952914e75e4dfe7932990e11f625225ce4e

SHA512
a0cfe842630eedea4f40b4544f17964b8bc0e16fadf1d1e40b32956ca213a52d01c07c0415cbfe0b82893cf75e58fe0daea0d72cac92d742271d1ffe0a1aeb6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat

Filesize
223B

MD5
0cd06e533edc3c92adf972ca73fff5c4

SHA1
cbdfad76e339041fc90e00a331627b5488dad7c6

SHA256
0fb0bbe30eb731f18a180c247f81513ca84c468cb835d988857e7523c139802c

SHA512
c2c1738041f36bfce10b6429281e1bbdb66b194df0ee73d4f7812a36bcdcf07c92ba96a5e46d749f5fd40e8ca424829696233e09cf25ca107c4a16bea0818612

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XBBOHPKclM.bat

Filesize
223B

MD5
d26b48382eccd0b930106b5847cfed78

SHA1
97ec0e81e0b31d09a4f3f25e570bde91642d8764

SHA256
251df92efb6b9aec32963bc7a82cd004b5bf3e58b43017305a76a15aebea8eac

SHA512
a967ba62c75fb9ad59f7dba4a4fee31ff506fb16db9b68f8e3b3aa2779826532a1ece9b3db8d3311a15be83a472da85e54a80ff68c01f905faf49c33b19160a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat

Filesize
223B

MD5
7777dded4b6582aa34c06e56f9f34dc5

SHA1
2242bd4f6501a11216fcb31daa6661c1f65038d7

SHA256
4cac0c4ec9ec444de8f030f1df85ac3fef07240a72b43f951554a9106655723a

SHA512
625f2c272430a5686f882ab1b8bdf4145bd855a7aea836a7794f7ef61be099093d7c7cad766c484bbb561797df8168a4a3f20f7d0b31d27b73a1d8d36e4e7a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
223B

MD5
bfb7c39d402aaa09a09745a6db5039ba

SHA1
b186b7d684e68a4aa7aa2bac7650e681e8d6ef17

SHA256
9f65e65c538ae432e6e4804a430521ac45e6f940dc3f31a63ea819aa3d10f26f

SHA512
f845409601ac7cd5e1da5754aa7fe425a311a41c7a707f9a8b1848b87472c9751e9c6e45cdbf98ddfe9c4d36fb146b4bd19b4d084aeb8153dd4e752462d4e71b

Download Submit
C:\Users\Admin\AppData\Local\Temp\peQnm3nkJb.bat

Filesize
223B

MD5
92f8f058ccf7c4ac5c6c110a2e139d39

SHA1
4341a307221df7da6695cdd7c1b911b5fa9dc591

SHA256
c6044650a11d787c2428abd00e3587a1fe87937c3f1c62adfc52c5c1b154e70d

SHA512
7b5cf13f63997ff69e06d14f472d3a462b495ee870570033ebecfeda86cbf55e210f4bbabc611f105df841dcb515fb74b9454b39527918832c6b849863bbd317

Download Submit
C:\Users\Admin\AppData\Local\Temp\ph6jqiBtuj.bat

Filesize
223B

MD5
f5b481e476992b0597532b27146b909b

SHA1
30df293bae6c28dd6345c245f486aa1a6f3d6556

SHA256
a71b95c953bd6fa7170c12ec75957e46171a4d8394dbff6f6362f726f2c8002d

SHA512
0b0ad4bc34e7f34d2bda7832a4346872741a0e12786c5e510f7a755d1f10f741c82c7855a9252f404d787cecab297674e8e50e4ac640465f4099f8c57f121996

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\UZ5KQS6U9MGS7CEUNUQN.temp

Filesize
7KB

MD5
74ce5418221fc08cdcbf2d6cc3f9326e

SHA1
6a92e0a5122797bc333d71f1c2aeff531dced4fb

SHA256
3a50c45988bd3622ced995faa870acdd4a979b727465967098aeae7c5499c527

SHA512
fae9d2ba417e1b66d57cdb7a966a4a4d88ecf00797c9f553cfcd2e8164c6bf4a1866c2b3607ddd6615ff28d3ea84cffd2b084e0bba4e5c979e7a1723a32cea24

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/588-282-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/608-53-0x0000000002560000-0x0000000002568000-memory.dmp

Filesize
32KB

Download
memory/624-462-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/624-463-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/1308-342-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/1940-79-0x000000001B160000-0x000000001B442000-memory.dmp

Filesize
2.9MB

Download
memory/2128-94-0x0000000002110000-0x0000000002118000-memory.dmp

Filesize
32KB

Download
memory/2160-17-0x0000000000630000-0x000000000063C000-memory.dmp

Filesize
48KB

Download
memory/2160-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2160-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2160-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2160-13-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download
memory/2292-402-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2704-163-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/2872-583-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/2984-104-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/2992-523-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/3036-52-0x000000001B3D0000-0x000000001B6B2000-memory.dmp

Filesize
2.9MB

Download