dcrat | bae88b928015b14f51b85d3a44ec746141d3ca7cb3eae39e2e73171bd4f7a06b

Analysis

max time kernel
148s
max time network
152s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bae88b928015b14f51b85d3a44ec746141d3ca7cb3eae39e2e73171bd4f7a06b.exe
Size

1.3MB
MD5

44692f82c024db995ad7d62853290bee
SHA1

e99fb067d37779e976d7f34c53f63e5ecbc5b49b
SHA256

bae88b928015b14f51b85d3a44ec746141d3ca7cb3eae39e2e73171bd4f7a06b
SHA512

22dd20619f72dab78e14cea4c509744b642d412f22ce28d1c15222da343db7381318cb977fdb4462b5e0d2fdb8d6395b8e4f572bbd68593472e0d0abeaaaba19
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2872	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2872	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c23-11.dat	dcrat
behavioral1/memory/2500-13-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1648-44-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/3024-159-0x0000000001190000-0x00000000012A0000-memory.dmp	dcrat
behavioral1/memory/1120-455-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2980-515-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/2360-576-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2088-636-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
972	powershell.exe
2832	powershell.exe
1680	powershell.exe
1836	powershell.exe
1620	powershell.exe
1684	powershell.exe
1160	powershell.exe
944	powershell.exe
1732	powershell.exe
1744	powershell.exe
696	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2500	DllCommonsvc.exe
1648	audiodg.exe
3024	audiodg.exe
2960	audiodg.exe
2672	audiodg.exe
2068	audiodg.exe
868	audiodg.exe
1120	audiodg.exe
2980	audiodg.exe
2360	audiodg.exe
2088	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2324	cmd.exe
2324	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
22	raw.githubusercontent.com
35	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\System.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Offline Web Pages\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bae88b928015b14f51b85d3a44ec746141d3ca7cb3eae39e2e73171bd4f7a06b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1168	schtasks.exe
1796	schtasks.exe
2100	schtasks.exe
2664	schtasks.exe
3004	schtasks.exe
1572	schtasks.exe
2672	schtasks.exe
756	schtasks.exe
1480	schtasks.exe
1944	schtasks.exe
1144	schtasks.exe
2980	schtasks.exe
2952	schtasks.exe
2068	schtasks.exe
2212	schtasks.exe
2204	schtasks.exe
2632	schtasks.exe
2752	schtasks.exe
2244	schtasks.exe
1932	schtasks.exe
1824	schtasks.exe
2656	schtasks.exe
2988	schtasks.exe
2808	schtasks.exe
2120	schtasks.exe
2868	schtasks.exe
1016	schtasks.exe
1056	schtasks.exe
2612	schtasks.exe
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2500	DllCommonsvc.exe
1836	powershell.exe
1684	powershell.exe
1620	powershell.exe
1732	powershell.exe
972	powershell.exe
2832	powershell.exe
1744	powershell.exe
944	powershell.exe
1680	powershell.exe
696	powershell.exe
1160	powershell.exe
1648	audiodg.exe
3024	audiodg.exe
2960	audiodg.exe
2672	audiodg.exe
2068	audiodg.exe
868	audiodg.exe
1120	audiodg.exe
2980	audiodg.exe
2360	audiodg.exe
2088	audiodg.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2500	DllCommonsvc.exe
Token: SeDebugPrivilege	1836	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2832	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1648	audiodg.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	696	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	3024	audiodg.exe
Token: SeDebugPrivilege	2960	audiodg.exe
Token: SeDebugPrivilege	2672	audiodg.exe
Token: SeDebugPrivilege	2068	audiodg.exe
Token: SeDebugPrivilege	868	audiodg.exe
Token: SeDebugPrivilege	1120	audiodg.exe
Token: SeDebugPrivilege	2980	audiodg.exe
Token: SeDebugPrivilege	2360	audiodg.exe
Token: SeDebugPrivilege	2088	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 2556	2540	JaffaCakes118_bae88b928015b14f51b85d3a44ec746141d3ca7cb3eae39e2e73171bd4f7a06b.exe	31
PID 2540 wrote to memory of 2556	2540	JaffaCakes118_bae88b928015b14f51b85d3a44ec746141d3ca7cb3eae39e2e73171bd4f7a06b.exe	31
PID 2540 wrote to memory of 2556	2540	JaffaCakes118_bae88b928015b14f51b85d3a44ec746141d3ca7cb3eae39e2e73171bd4f7a06b.exe	31
PID 2540 wrote to memory of 2556	2540	JaffaCakes118_bae88b928015b14f51b85d3a44ec746141d3ca7cb3eae39e2e73171bd4f7a06b.exe	31
PID 2556 wrote to memory of 2324	2556	WScript.exe	32
PID 2556 wrote to memory of 2324	2556	WScript.exe	32
PID 2556 wrote to memory of 2324	2556	WScript.exe	32
PID 2556 wrote to memory of 2324	2556	WScript.exe	32
PID 2324 wrote to memory of 2500	2324	cmd.exe	34
PID 2324 wrote to memory of 2500	2324	cmd.exe	34
PID 2324 wrote to memory of 2500	2324	cmd.exe	34
PID 2324 wrote to memory of 2500	2324	cmd.exe	34
PID 2500 wrote to memory of 1680	2500	DllCommonsvc.exe	66
PID 2500 wrote to memory of 1680	2500	DllCommonsvc.exe	66
PID 2500 wrote to memory of 1680	2500	DllCommonsvc.exe	66
PID 2500 wrote to memory of 944	2500	DllCommonsvc.exe	67
PID 2500 wrote to memory of 944	2500	DllCommonsvc.exe	67
PID 2500 wrote to memory of 944	2500	DllCommonsvc.exe	67
PID 2500 wrote to memory of 1160	2500	DllCommonsvc.exe	68
PID 2500 wrote to memory of 1160	2500	DllCommonsvc.exe	68
PID 2500 wrote to memory of 1160	2500	DllCommonsvc.exe	68
PID 2500 wrote to memory of 1620	2500	DllCommonsvc.exe	69
PID 2500 wrote to memory of 1620	2500	DllCommonsvc.exe	69
PID 2500 wrote to memory of 1620	2500	DllCommonsvc.exe	69
PID 2500 wrote to memory of 972	2500	DllCommonsvc.exe	70
PID 2500 wrote to memory of 972	2500	DllCommonsvc.exe	70
PID 2500 wrote to memory of 972	2500	DllCommonsvc.exe	70
PID 2500 wrote to memory of 1836	2500	DllCommonsvc.exe	71
PID 2500 wrote to memory of 1836	2500	DllCommonsvc.exe	71
PID 2500 wrote to memory of 1836	2500	DllCommonsvc.exe	71
PID 2500 wrote to memory of 696	2500	DllCommonsvc.exe	72
PID 2500 wrote to memory of 696	2500	DllCommonsvc.exe	72
PID 2500 wrote to memory of 696	2500	DllCommonsvc.exe	72
PID 2500 wrote to memory of 1744	2500	DllCommonsvc.exe	73
PID 2500 wrote to memory of 1744	2500	DllCommonsvc.exe	73
PID 2500 wrote to memory of 1744	2500	DllCommonsvc.exe	73
PID 2500 wrote to memory of 1684	2500	DllCommonsvc.exe	74
PID 2500 wrote to memory of 1684	2500	DllCommonsvc.exe	74
PID 2500 wrote to memory of 1684	2500	DllCommonsvc.exe	74
PID 2500 wrote to memory of 2832	2500	DllCommonsvc.exe	75
PID 2500 wrote to memory of 2832	2500	DllCommonsvc.exe	75
PID 2500 wrote to memory of 2832	2500	DllCommonsvc.exe	75
PID 2500 wrote to memory of 1732	2500	DllCommonsvc.exe	79
PID 2500 wrote to memory of 1732	2500	DllCommonsvc.exe	79
PID 2500 wrote to memory of 1732	2500	DllCommonsvc.exe	79
PID 2500 wrote to memory of 1648	2500	DllCommonsvc.exe	88
PID 2500 wrote to memory of 1648	2500	DllCommonsvc.exe	88
PID 2500 wrote to memory of 1648	2500	DllCommonsvc.exe	88
PID 1648 wrote to memory of 2492	1648	audiodg.exe	89
PID 1648 wrote to memory of 2492	1648	audiodg.exe	89
PID 1648 wrote to memory of 2492	1648	audiodg.exe	89
PID 2492 wrote to memory of 2744	2492	cmd.exe	91
PID 2492 wrote to memory of 2744	2492	cmd.exe	91
PID 2492 wrote to memory of 2744	2492	cmd.exe	91
PID 2492 wrote to memory of 3024	2492	cmd.exe	92
PID 2492 wrote to memory of 3024	2492	cmd.exe	92
PID 2492 wrote to memory of 3024	2492	cmd.exe	92
PID 3024 wrote to memory of 2452	3024	audiodg.exe	93
PID 3024 wrote to memory of 2452	3024	audiodg.exe	93
PID 3024 wrote to memory of 2452	3024	audiodg.exe	93
PID 2452 wrote to memory of 1484	2452	cmd.exe	95
PID 2452 wrote to memory of 1484	2452	cmd.exe	95
PID 2452 wrote to memory of 1484	2452	cmd.exe	95
PID 2452 wrote to memory of 2960	2452	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bae88b928015b14f51b85d3a44ec746141d3ca7cb3eae39e2e73171bd4f7a06b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bae88b928015b14f51b85d3a44ec746141d3ca7cb3eae39e2e73171bd4f7a06b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2324
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Offline Web Pages\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1648
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2744
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1484
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        10⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:696
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        12⤵
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2384
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat"
        14⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2760
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        16⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2308
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat"
        18⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1368
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        20⤵
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:560
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        22⤵
        
        PID:1916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:880
        
        C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe
        
        "C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat"
        24⤵
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\SchCache\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\SchCache\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Windows\SchCache\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Templates\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default\Templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Offline Web Pages\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67ae746cbf590ed50053f112ee1db47e

SHA1
8b28b3946de4324b10aa70547cfeec778ac1c57f

SHA256
67d2257b6bd63c88ecd9634091c7cae96c4f382db8fbaad26a550a007e51b336

SHA512
e9902f7ec112ba6e700eb0895e1dbd21edb79cf6b4c668c768250f0f8dbef66fe3e38b6b19daa1bc58684715bbac646b317b69473f74d9814e082f1fde334a80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b8c0dfe4aae05ca83a2c4a07b943b9d

SHA1
23590ebfcb8b809c67ede94f7e8c52603c5f3060

SHA256
937f1c72c6f91f958a4f0c729926e532b49adbf429008071dfb5aee3380fefcc

SHA512
daf48cac5db2961485fd1b1412b67719387ecf49e704aa1a891b0c95f951ac1adb50ee8bc83b7cff6ace70b7985de8800e8d70e79609106ac28ced04ab0c8d48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1951c68169243a8c0fa79157d97562e

SHA1
6b4ea588c4e829dceb7b4dce2803130414dddb10

SHA256
986c8c2cd6ac632355ae08e4a6fa83fb1569c68a7a379612ee83260e225b3696

SHA512
c7c41f225b19dffadf158a79f398bf2f1ffff828cc42269361c89bc08be7f68fad05bfc79d7693b222edf71c28cbbab1761fb2357fdecbf96fe0efcd7bd204ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31c28bc0a876bf21d90967a7d7303908

SHA1
8d9803e4276e86d99ad7e5c27cd09a8dad585b03

SHA256
04ab235d54765af485b818545fa0631865ab757e765287b36ac43140be23c443

SHA512
919a1dfdccad359a2391f9c71d5b8a8cef6b6943904ef343c45f6a5f9cbc621d8737a32734dcd6a3d37b41e2fcb36a464cf1f54c34446b9a60275740e9bc5bca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca87031d76fd9175b5ca47f282a01221

SHA1
0bb551ae48d5430bf98ef19cc76b0257b2ada5f3

SHA256
4c6fa89d407ce3ac1d84ae252a4e38d0245b817866e1f53ef74dd8233e339264

SHA512
dd6c6208637d31871e286bfd40524f922bbd93e3274ad13cf0bc4b517a48b9545f6be73c3cfada9cfa26ae3c47deb394aa472405f315f9bde33d76c62cbea90e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f55d883823a806f3ec41a9553b44f996

SHA1
36c4360598efd33acaac0787f0fd86ef94a081d9

SHA256
81a542ded3d2fd2148e39475e5425804b1f6bbb435fec6ae1ba59d48b4b91235

SHA512
968bdd431792d48b675e21b1ee3d95ac774360322f6c2a0bfe8b81d7c039648b4849bad61099141d1a2ed2ffb7923e739818afb6d127ed395b4309be58e7235a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d75dfed62382077a28508613e8e5f3aa

SHA1
ebd9e8b0d9fdda413e6a236ad2d04d46f6d5ed49

SHA256
80b56a2655a7ac23422b970ca1ee9d4f279f7bf18ecd7a6e125b3cb24a0900fc

SHA512
0e6535423162eb9e7d8524789821bda6363a95dd6b9c7443ec48f3357a59e7ab588852a32ecb52c21138a181bfc15c8166e81ee9dc240e361036cfb225e1078e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eeee6251a20e904cc80657cc098148e1

SHA1
12c7f859a1862bc636e004ac341d9634f6fbbe45

SHA256
9a4c50559df69836133f84597e655f7513f52ad655cf99fe171a72a8fdebc2b4

SHA512
bb4434c4d267e2a6cf5fec1b30b538b6a764dbd0311b0f6625366478c3f516fa68872666901a2aa9dbecfb8b9c2128bd60732c13cb1d862952b692618dda3c3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
607d1a0827b082e283c8c2fa792241fa

SHA1
9ade6cefb39816b17a637f9fdefb86f228372070

SHA256
67118ae0d6b904f8c00c2c2d139faf92d29561120e3519e96b578f2cf997b868

SHA512
ebb8f1f2fc4f881b0595bb9895c7a5b150ffdafae3509b02f985d046d6255308ec97e0a29bd0e0e2dd1a22f6b4314a758d297506dc0dc70f6b66d2de0c0e9659

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
233B

MD5
0461ee641f575f9b7f4b27453299a5be

SHA1
8f29ef489cf100d53220c30e20047ce7d32744e4

SHA256
3a069c286411e54363f4996ba1c11e5146f40cd18ec4006f7e3967006fcdafb8

SHA512
fb65af5b20db4f00d9a7554b18b3a7ec7348c67290fd5d0676c32bb0eb91887ceea1569e489fb0119e3f51ea7316f13ad8d84d08a78034e937269c8b4c0dcb5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
233B

MD5
f51956618adf0ef6e404ca6d3fb1062b

SHA1
554bd3ec5558314dfc312657da3595776ee62164

SHA256
3bbf1190ca2eb8800529d1e9240e37e3a03ec5b15331230df6ab50b9721b9279

SHA512
690852e05464eac9209362b83232f11727e1782443b44831e1a1d6a70658c2c90f077a517e307919f18cf9ce093a195a0089b3fa635ec4893cbb7d3f84b2fa0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab392C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
233B

MD5
14f6637e3f3a7f313c0791ed331ce6f5

SHA1
045e95641e1b5ea10cc3ad12597cf27f458fdb77

SHA256
d7c17976ab751f205f357409c59e995c564f55fe7812af2863236bb937eba816

SHA512
624cc2f93565f27d866ba2292bf32350d9121953dd193615879df40fe62f6d73cb9f3536b367404496b1b129644613e3a82e62c2e8a197a158c466a2c0ad3aac

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

Filesize
233B

MD5
ed9c86ac244fa2ce3a9ee4ae7e03ff1b

SHA1
3511799b2e1dd01011e3476f169a4c64b750b1f6

SHA256
e327a2c5b57192a1d3a6dcda1adef871371c9e77c3e056d019a82b154cc00fd5

SHA512
a7ce789e8d43d3f367a92dda3fe34e1afa1c05a69dc14af1e6a3646d84b4ca1c86c8a5c0b43e41f7a5115de5ea31cf98915da22c07f29789e11366a4a973b80a

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
233B

MD5
64f073c0dd1208d77b94997428b98c1c

SHA1
531f3dedda4cd2ad952e9f7b153fec8bbbdb98ff

SHA256
38ceffe058e638265f388f1bc993b9f8c027099d72a5e92343dbf47e4191d936

SHA512
7f65f7243cba8d9f6bd4f2fd5defe51f87b8e13a1989f7467dfe0ad0c0f833232fdae296e687b7357c0501f21e30149fa38004bef57af5b455181414695f1fbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\PGGCz4Ehy5.bat

Filesize
233B

MD5
334d90eb5a748640df44183a866a8830

SHA1
a831f8c15ee683680badb729bb3175c101542a50

SHA256
fd05a8f0235d55f144ac062b076a7818f53b0191e8ede694746b976c051af543

SHA512
9a8702ffbf6f60bcd051112b5e60bc57cb62dd8922d9a010e21b883c7f0ae6c518617c742e75be76b0f178bcd3080711172dd58658a6b59c902b45fe4a4ebd0e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39EA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
233B

MD5
74e5b09cf780ca3a36db4a507ae2754a

SHA1
59081a6b8bf50f1cd12f01172af66ba553b78793

SHA256
372e4fd104b958acc204929ecb8e30c15a56a13fe001918af93d195f8f38d059

SHA512
809186a57cb7334f2489a4355bad5022e827a990e66f411031869c9fcf3488065fa2db098d1723f1734a66d0ea1392eb1c7e3b1af47698d1684e877697bd71fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
233B

MD5
57995cbd8bd8efd1d866dfe6c47d3807

SHA1
48f68584ced5a0675e488ad18088caaee6b203e5

SHA256
901ed3a8fc6d1e9cf1068861ca7fc213c2cbdeebec47c82d92c02143432e7901

SHA512
13bc96270345e0c35de52fa43bcc38add98bb6778b634e4e6b192e02f30279bb5da2ca4659fa29f8c8e95acab019a2290e90f8a552cec363bdcd00f0ffd8ceed

Download Submit
C:\Users\Admin\AppData\Local\Temp\tcplHXgq9Q.bat

Filesize
233B

MD5
f1ddadcbeae9f521111dd178842f519e

SHA1
805e7e66a6825a4bd4b365c740decc625ab85aa2

SHA256
8a990023c14fa5809637bb5111e42eb4d66badec5d338a466aa2fe587dae36e3

SHA512
757b10cd20429979d36c77b7e92477c10d53539bfb5f28498aa243b12e18707df83eb21c608b48433eff631fee06903a7ec9bedb0c5c89a04c2f1eaa97e60ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\uItNEyebdJ.bat

Filesize
233B

MD5
c32fa5260f88eeb5b39233b0f649ecfe

SHA1
0ce529b42955f90fdba897465332faaf0b2f83d3

SHA256
0180dcd8b054695883a29a10f6dc1175b89c43680e824fb8b22f4e8831704612

SHA512
a6d73b885dd72de38d7787b51a8ecf7ccf5faeb1cd8a32b4f081e5d0a5430f5a51c0b7d8eec157467e3fd47e8a0997a214667dcdfdae3d058495f91e70bb7cf9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
84ced77a9d17257480f79b5ea4b604d0

SHA1
0c27ba37ea9eba89c808426d3f350f99a3207d49

SHA256
18ee632db5d6a923d213fd7b629dfd7191ae9c5a2962595b4ae84984d1529232

SHA512
cff9734134fc2f54eac00cd7590a8200734e25b3c1d8ac6e57200de34692c126e1d7a5405a6d6b772c3cb9091051e25e0db5dcccf15449bb9c1483d41fc55922

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1120-455-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/1648-44-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/1836-95-0x0000000002370000-0x0000000002378000-memory.dmp

Filesize
32KB

Download
memory/1836-89-0x000000001B350000-0x000000001B632000-memory.dmp

Filesize
2.9MB

Download
memory/2088-636-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/2360-576-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2500-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2500-15-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2500-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2500-13-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2500-17-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2980-516-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2980-515-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/3024-159-0x0000000001190000-0x00000000012A0000-memory.dmp

Filesize
1.1MB

Download