dcrat | 36f9cfd9cf8cc6c4ccf4ff1dad28d3f883d50c9ae540945aabced87b3247255b

Analysis

max time kernel
146s
max time network
148s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_36f9cfd9cf8cc6c4ccf4ff1dad28d3f883d50c9ae540945aabced87b3247255b.exe
Size

1.3MB
MD5

fbe3b30f6579111de2c0e8764fd8a06b
SHA1

ccda2d47c0a8250238f6f9fc0ee3d625c16acba1
SHA256

36f9cfd9cf8cc6c4ccf4ff1dad28d3f883d50c9ae540945aabced87b3247255b
SHA512

55f8c6c2e198da577c7d2114ef33253897e571c6384f2f1f7bca300ff8c50ab71722d08c862f1624ea4e316d4e1e86628d372aa91bd5455a2123e1fb8776983d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	836	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2204	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2204	schtasks.exe	35

DCRat payload 4 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cd7-9.dat	dcrat
behavioral1/memory/2640-13-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/memory/1752-68-0x0000000000C70000-0x0000000000D80000-memory.dmp	dcrat
behavioral1/memory/2956-212-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2120	powershell.exe
1124	powershell.exe
448	powershell.exe
2424	powershell.exe
1008	powershell.exe
1864	powershell.exe
1076	powershell.exe
1764	powershell.exe
2952	powershell.exe
3016	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2640	DllCommonsvc.exe
1752	Idle.exe
880	Idle.exe
2956	Idle.exe
2640	Idle.exe
748	Idle.exe
1492	Idle.exe
1404	Idle.exe
1864	Idle.exe
2376	Idle.exe
948	Idle.exe
2812	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	cmd.exe
2480	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_36f9cfd9cf8cc6c4ccf4ff1dad28d3f883d50c9ae540945aabced87b3247255b.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2700	schtasks.exe
2212	schtasks.exe
2892	schtasks.exe
2860	schtasks.exe
2552	schtasks.exe
836	schtasks.exe
2744	schtasks.exe
1768	schtasks.exe
1664	schtasks.exe
2836	schtasks.exe
2516	schtasks.exe
960	schtasks.exe
2548	schtasks.exe
1948	schtasks.exe
3056	schtasks.exe
2360	schtasks.exe
1620	schtasks.exe
1848	schtasks.exe
2980	schtasks.exe
1836	schtasks.exe
944	schtasks.exe
2588	schtasks.exe
2104	schtasks.exe
2784	schtasks.exe
2872	schtasks.exe
2712	schtasks.exe
2004	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2640	DllCommonsvc.exe
448	powershell.exe
3016	powershell.exe
2952	powershell.exe
1124	powershell.exe
1076	powershell.exe
1764	powershell.exe
1864	powershell.exe
1008	powershell.exe
2424	powershell.exe
2120	powershell.exe
1752	Idle.exe
880	Idle.exe
2956	Idle.exe
2640	Idle.exe
748	Idle.exe
1492	Idle.exe
1404	Idle.exe
1864	Idle.exe
2376	Idle.exe
948	Idle.exe
2812	Idle.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2640	DllCommonsvc.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	1124	powershell.exe
Token: SeDebugPrivilege	1752	Idle.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	2424	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	880	Idle.exe
Token: SeDebugPrivilege	2956	Idle.exe
Token: SeDebugPrivilege	2640	Idle.exe
Token: SeDebugPrivilege	748	Idle.exe
Token: SeDebugPrivilege	1492	Idle.exe
Token: SeDebugPrivilege	1404	Idle.exe
Token: SeDebugPrivilege	1864	Idle.exe
Token: SeDebugPrivilege	2376	Idle.exe
Token: SeDebugPrivilege	948	Idle.exe
Token: SeDebugPrivilege	2812	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 1736	2412	JaffaCakes118_36f9cfd9cf8cc6c4ccf4ff1dad28d3f883d50c9ae540945aabced87b3247255b.exe	31
PID 2412 wrote to memory of 1736	2412	JaffaCakes118_36f9cfd9cf8cc6c4ccf4ff1dad28d3f883d50c9ae540945aabced87b3247255b.exe	31
PID 2412 wrote to memory of 1736	2412	JaffaCakes118_36f9cfd9cf8cc6c4ccf4ff1dad28d3f883d50c9ae540945aabced87b3247255b.exe	31
PID 2412 wrote to memory of 1736	2412	JaffaCakes118_36f9cfd9cf8cc6c4ccf4ff1dad28d3f883d50c9ae540945aabced87b3247255b.exe	31
PID 1736 wrote to memory of 2480	1736	WScript.exe	32
PID 1736 wrote to memory of 2480	1736	WScript.exe	32
PID 1736 wrote to memory of 2480	1736	WScript.exe	32
PID 1736 wrote to memory of 2480	1736	WScript.exe	32
PID 2480 wrote to memory of 2640	2480	cmd.exe	34
PID 2480 wrote to memory of 2640	2480	cmd.exe	34
PID 2480 wrote to memory of 2640	2480	cmd.exe	34
PID 2480 wrote to memory of 2640	2480	cmd.exe	34
PID 2640 wrote to memory of 448	2640	DllCommonsvc.exe	63
PID 2640 wrote to memory of 448	2640	DllCommonsvc.exe	63
PID 2640 wrote to memory of 448	2640	DllCommonsvc.exe	63
PID 2640 wrote to memory of 1124	2640	DllCommonsvc.exe	64
PID 2640 wrote to memory of 1124	2640	DllCommonsvc.exe	64
PID 2640 wrote to memory of 1124	2640	DllCommonsvc.exe	64
PID 2640 wrote to memory of 3016	2640	DllCommonsvc.exe	65
PID 2640 wrote to memory of 3016	2640	DllCommonsvc.exe	65
PID 2640 wrote to memory of 3016	2640	DllCommonsvc.exe	65
PID 2640 wrote to memory of 2952	2640	DllCommonsvc.exe	67
PID 2640 wrote to memory of 2952	2640	DllCommonsvc.exe	67
PID 2640 wrote to memory of 2952	2640	DllCommonsvc.exe	67
PID 2640 wrote to memory of 1764	2640	DllCommonsvc.exe	69
PID 2640 wrote to memory of 1764	2640	DllCommonsvc.exe	69
PID 2640 wrote to memory of 1764	2640	DllCommonsvc.exe	69
PID 2640 wrote to memory of 2424	2640	DllCommonsvc.exe	71
PID 2640 wrote to memory of 2424	2640	DllCommonsvc.exe	71
PID 2640 wrote to memory of 2424	2640	DllCommonsvc.exe	71
PID 2640 wrote to memory of 2120	2640	DllCommonsvc.exe	74
PID 2640 wrote to memory of 2120	2640	DllCommonsvc.exe	74
PID 2640 wrote to memory of 2120	2640	DllCommonsvc.exe	74
PID 2640 wrote to memory of 1864	2640	DllCommonsvc.exe	75
PID 2640 wrote to memory of 1864	2640	DllCommonsvc.exe	75
PID 2640 wrote to memory of 1864	2640	DllCommonsvc.exe	75
PID 2640 wrote to memory of 1076	2640	DllCommonsvc.exe	76
PID 2640 wrote to memory of 1076	2640	DllCommonsvc.exe	76
PID 2640 wrote to memory of 1076	2640	DllCommonsvc.exe	76
PID 2640 wrote to memory of 1008	2640	DllCommonsvc.exe	77
PID 2640 wrote to memory of 1008	2640	DllCommonsvc.exe	77
PID 2640 wrote to memory of 1008	2640	DllCommonsvc.exe	77
PID 2640 wrote to memory of 1752	2640	DllCommonsvc.exe	83
PID 2640 wrote to memory of 1752	2640	DllCommonsvc.exe	83
PID 2640 wrote to memory of 1752	2640	DllCommonsvc.exe	83
PID 1752 wrote to memory of 2252	1752	Idle.exe	84
PID 1752 wrote to memory of 2252	1752	Idle.exe	84
PID 1752 wrote to memory of 2252	1752	Idle.exe	84
PID 2252 wrote to memory of 764	2252	cmd.exe	86
PID 2252 wrote to memory of 764	2252	cmd.exe	86
PID 2252 wrote to memory of 764	2252	cmd.exe	86
PID 2252 wrote to memory of 880	2252	cmd.exe	87
PID 2252 wrote to memory of 880	2252	cmd.exe	87
PID 2252 wrote to memory of 880	2252	cmd.exe	87
PID 880 wrote to memory of 2584	880	Idle.exe	88
PID 880 wrote to memory of 2584	880	Idle.exe	88
PID 880 wrote to memory of 2584	880	Idle.exe	88
PID 2584 wrote to memory of 1776	2584	cmd.exe	90
PID 2584 wrote to memory of 1776	2584	cmd.exe	90
PID 2584 wrote to memory of 1776	2584	cmd.exe	90
PID 2584 wrote to memory of 2956	2584	cmd.exe	91
PID 2584 wrote to memory of 2956	2584	cmd.exe	91
PID 2584 wrote to memory of 2956	2584	cmd.exe	91
PID 2956 wrote to memory of 2776	2956	Idle.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f9cfd9cf8cc6c4ccf4ff1dad28d3f883d50c9ae540945aabced87b3247255b.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_36f9cfd9cf8cc6c4ccf4ff1dad28d3f883d50c9ae540945aabced87b3247255b.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:764
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1776
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        10⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2244
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat"
        12⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2804
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
        14⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2068
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
        16⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2636
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat"
        18⤵
        
        PID:1760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:888
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
        20⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2968
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat"
        22⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1740
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
        24⤵
        
        PID:2612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2676
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat"
        26⤵
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\PCHEALTH\ERRORREP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PCHEALTH\ERRORREP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
181841ce7c5a11fd04102132ff4dcc48

SHA1
73cbc87ca607d597d671cafd9892fe0d65b70b5c

SHA256
fe8554f8c403abdfb10f5d2f424980623136f500be5aa85490208fec904498c0

SHA512
edff196e3da0bafc85b09a564a398601b7e9097e3c84be123fa230b7685f05e206adb03c4a45659ea4bf61dfbdc12e1e7699e6fbb3f4f345fb7a0df5b2f7c10c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8675399a73960d01881a3ee6d319e725

SHA1
23349ee0736b5cfbaef64809a072139b026c1014

SHA256
18f7a24e9924b78de04ac3aaa2d67c424fad6c453db5d8eb377c06f54cbeaa09

SHA512
dada2ff9a83f9612e87729581ebb5f1b0ef3633a1a9b28a02563360e1828d9f58030b4ed737cb376f238e1d1aa3c86eaa6a22961e412d220a678977750c0df61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efd3e7be9549a8f707d5f810e3507cf3

SHA1
e0b198c631c68972b720b94dd6032ac22ea31168

SHA256
5b9c250594c1f356c366ba2dd5008012618ccee270d34f79cdf4783cae451b85

SHA512
5d0eda6f7572c0c1bc15d839fae7771be2545354835de4aa0ba3de8906b4c2b70d5a8e1f7e0b6c7abd7d381a21efc8b44f23f83d98a924aaeca0257d810dff1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a6f2ea46dd3dd1bff58398c6e9a772d

SHA1
2b55cdfd6dd208c0939be1a496ddf96beaafbbbb

SHA256
b25afe86854f7d940f0f4d2265d7b6099f57e2db75cfc1944d2ec4de31eaf488

SHA512
d35a480413b0b59567c1d0d044f61fa662a55276fea6c61c73d6ecb9e9030c1a359c31feda807492cce5ba2b46bb9c52da34fd59c337465f270d789a403ad79f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b41ccede4219c9d94d6fcbd6c0920614

SHA1
d0678f49e27a7565ba43963033142ae67685b4ba

SHA256
7eb0a01b9dd636a9fc464d5d3d3aa2f28ac887e9118c2c9a8de63192cdedaa93

SHA512
d31f25b36a8c0f0f397e9e2c375d94e690460af7c37cb788dcba60129d5e015536d4e383a074e29c81cd3405a05f831e2f4883563586fb073177c4e3c6c182fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f5e4128490044825e03cac6a2c1578dd

SHA1
608bfb9d2ae1c076e11435beed5feeccce8fcf46

SHA256
3317481590c012d3f55016de9a84eed758a1eef76110ddc67ae1d7fadc0ae3ca

SHA512
7fcc4a48b908548b399a4e75cbfb51774a6dbc6d2bc4109ab3abd8a69488a3c40e2053dd6b5a5f299bc4d2121e9e96183164eba8a89d38185f37bdd3fbdd48da

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5823189532f5c9ecc50ce322cd32f5d

SHA1
feb6c250f5e31f1a14cc5c32d5c8bd13a61435fd

SHA256
962d42909d05becac3a092601fa5453b111fb33beb310ff7e32f99ca6ae7f86c

SHA512
1234908fe1041e55d692778a0d05fe4ad194c779ccfb0bdbbe886c2d43d6fbaedf244ed296148b29c2d50f593bcc3fa10781bb6c29c24e0786b32c63d7ae60e0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4f997a428982e5130367ce9a12a1bc5

SHA1
9f0758243c0f1983383183783fb0a50515b04fb4

SHA256
3ef6774c927d252b0512cd6f30e33b083372a2145a98782fcd591f081053ec0a

SHA512
27ce037908322981333b01c2c22b2b5ba8c89b09f1dba569074a3e865f1a8f1cabb11f75a8e3fd3d699412739d3f1beb15c442668bda8201c9b1a699b2aa8c28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a433a95c1c2951269b0c0e7ff4cd1fa

SHA1
6bcd9766ff4f1fb35232aa6df3b40b8ffc4aac91

SHA256
1885ef2fcb59ac5a6ab9e2af0e3d921ecbe7655392a9289d33d4f1c24667e4fa

SHA512
921553dee9b943f831dd4301796133ff80c9ca78eb7f3c89fd4126e8efffb526ccced653f45e5c2ff6d84e89b8e4e74e8d270e39750c19d20214f4510db592ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0eba6afe6606e20750fbadc7fe95e8f8

SHA1
99e57a2c750bead9dd00e8fec17baa2f639b8ce8

SHA256
6ae86137bd9c819199ca8c15b4c32002dfce3a30a7aeaac3d6b6c0a239deb2ea

SHA512
fdd96fb4241a8e087d9a8fc34c956b49be4628112df4940ab119d8c217976e4b815b5ace3b860bab62925dc548034c6d8da939d21f9d781f6716c9b900f5af63

Download Submit
C:\Users\Admin\AppData\Local\Temp\04VLARgLyy.bat

Filesize
191B

MD5
12aace713038afd453e564bd2e405dc6

SHA1
c81bc74c77b2322a7128ed365a9e0162a3f5d191

SHA256
6a531cf91330dd9c059da1541035895c0b57abcb044c737ff6189f68233b442a

SHA512
347f6b4773bdd9dfc1f36ac72b776fb5fa5cf6c9fdb32b28e7e45fcfd3c8e596d3849a2e1fdd697732f3dd9d83058229a1f32ab6bdc86369108668d9f4220df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1C2A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H34YhpUhHp.bat

Filesize
191B

MD5
df85db5a3aea2ade8d25b7fdc959db9d

SHA1
43451ac2f50b73a88cd2fec45df28dfd2be34c35

SHA256
10d6aac8503a0fb588efd20b58b807dce079bca8429e454261a5ac8ce8951d83

SHA512
73f10c0fe2504cb83bfc87ad35345993281b6b87d8ef7a3b60633845cf0f6a70ba71536bfe8ed1f55c2b07edfc52c603468e6787d19542012f0878d80c5655cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat

Filesize
191B

MD5
98402fd56ce97535a22edd94122f5877

SHA1
19cbac0cccab21e39777396a84fd3a1c9acfa703

SHA256
d4c1df01084080453929d68948d3665e136b0f2ad9138e5b5a21c893fa4425c4

SHA512
9c2bb0373453bf1316e0a38b6985d1c13a73b3ddb088435b8511a48f910abc28fdac3b831d23dc97a0b5958028957e2b0cbd2d1fd644f9f43788e68ac20568f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C4C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VDNADHaqjn.bat

Filesize
191B

MD5
ab5008f0b2b4085561e6f1cc21ecc83f

SHA1
d980d62bfa2da748ca1f3280966d506ecd514645

SHA256
60773bfa926299320f7510f56c6ceeb9de33bf0c06fb2bbd52919f6b3a1169db

SHA512
88b4ea02e22c42fa9674fab792f4812605e2732504115f927e2e29a85f0dd7750b9388e132979bc64b86537b6c4ce625bb4f6ca72046b833c924d72c53e49d27

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

Filesize
191B

MD5
fabb2bb67c99c4e62d644c75b5507458

SHA1
e65ba4ece338f75cd4cf3c1a80778d78ee4716c8

SHA256
d6b9f10e98909e7b8a98fd42e80d04c44125a972731e7f98a9a44f8f1f4fc21e

SHA512
d77ae1bda41c1f19f76d65d23c431d985fa4f816a6310bee7546d83f10f8f847e7381f78932a9022683285e00b4177f3daf9dbeaf626a58773f43bbede9dc5cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

Filesize
191B

MD5
2ece0bbba5ae594a6b9db6bf26134723

SHA1
f7388eddf515d9ef1c47e5e4f4a36607581021b8

SHA256
03a2e72a45f05cbd1696303bc5724ffb6fd236fc3bf0c28d135678bf73cf2d8f

SHA512
029c263a302947de17dc6216730c45df271460b47392e153e60b586b412bc7a47400bd42d179b6bb963045ea23d655a9dbce543b69256b71e97bc94efb32ec69

Download Submit
C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat

Filesize
191B

MD5
6f31a78eee2dc8f8f328be8323f4f79e

SHA1
b32c316572a044b772f532007274ada7726eda1d

SHA256
ebed92f877f85d00704f916a50532a0d3a76c2097dc8d6ef354a93020d2f84f9

SHA512
437b30c59dcaf2f73f2f8517a9f03d79dfe2c254a34d4bf68ca2cdcb78f542d9a8937aed477c28fab6cccbe663c25e31e0223019d1c7279caee89f2b62fc0336

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat

Filesize
191B

MD5
4f6517e813d6bb8129a05977c8591d66

SHA1
6dff1ac6f86fc58811ed542e6d3b2c5bd6f2a693

SHA256
97c8e16d21d84945df79d5cd1ea073bc59984349e5892f2865e5b9a01c5cda60

SHA512
0a20c63b800b5045de1a5f54dfb44a4a3107f7e1ec7bed7291fc6e410c409dadfa1d75b40855d0a0dd168579f549277442f426ab37537fc13dec9835a500bf00

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
191B

MD5
5c1706760b82a4b953624da9a498738b

SHA1
44eddd2f9c651a8c2ed2861304dc01253886c8dd

SHA256
b38fac9c78f01567778e2442f00222a760421cf068810311e49ecc738414175d

SHA512
881d9d813d0c054a1b27f8b80a1349309fd7e87d4a44a1b5cb85a0068fd8c0b5d9979a6fc64484685ca8513b9eff944b052f4d8f69d1fc518e1e824f70159274

Download Submit
C:\Users\Admin\AppData\Local\Temp\qUPyb5cGVE.bat

Filesize
191B

MD5
1836dfb0ba94023019f26f10c249e57d

SHA1
7d1cf601d054406a2bff0bd7c88a0af3a1a1f697

SHA256
435108b0acf11870427b1ea0429e342c7817172bda41715429357b7e267722da

SHA512
f9dde80a39fc1737834dc9ff51783b9c63a44ee70081d1c61994767686836ea563ea2084927e86b0c2e21105892e0977aaa84d9bfd9b2675f638119f4b578df7

Download Submit
C:\Users\Admin\AppData\Local\Temp\xB9FX11cFJ.bat

Filesize
191B

MD5
dd7cf2b7ba7445bee12b84af354a9d1d

SHA1
ff7f69495cdd220e600c02f8e58ea9e8a41b03e9

SHA256
caba5bb23b0f91b1ae4ce8cf6bf38a2b23bdf2a6fd8b5e53a6ea3eeabf794a52

SHA512
b00d9956c9087f33fb38f3d57e2368bc9c073d06049052a267cd6c9dee05e61860859c72fb98d20214e9c4d657cce49a071ca81a8df0f945774ef0a246c20981

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
da99d2d2fdf33e484f60f7a073b646eb

SHA1
47553e6279b4308de11ea720cad000d1028f7458

SHA256
20646f85037f995222f956ebbd0be1d64b9ad33cad6a6c75c8325add1e023a16

SHA512
84ed0ff17cd2200ee572aa12ec20ad05b47592e081e70b69f72f8219b0c0f6bf7d3ca3e54090500245b3818d74643a85b801be27992f1a8cfb5c58d7b295ca25

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/448-50-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/448-45-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/948-628-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1752-94-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1752-68-0x0000000000C70000-0x0000000000D80000-memory.dmp

Filesize
1.1MB

Download
memory/2376-568-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2640-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2640-16-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2640-13-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/2640-14-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2640-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2956-213-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2956-212-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download