dcrat | 0df401385cd9147284e353efd835a05e2f757b5eed64e259f484177434469892

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0df401385cd9147284e353efd835a05e2f757b5eed64e259f484177434469892.exe
Size

1.3MB
MD5

b6b6bd974c14620180777c7c4605d877
SHA1

d962d5e99ccf99d8ba51b3c21fcaf1caa8fe1a86
SHA256

0df401385cd9147284e353efd835a05e2f757b5eed64e259f484177434469892
SHA512

fd27827c11daf3b07fa7e20f54ffd19ea1896634ac53914a8fa9f8e50e2e3a29b58c2b1966ab58dd86031221c1c60cad702c608258ea59f082d956404fb12a9c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2760	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2760	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015697-12.dat	dcrat
behavioral1/memory/2800-13-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/1728-80-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/1960-139-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2216-318-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1036	powershell.exe
2096	powershell.exe
2696	powershell.exe
1796	powershell.exe
2104	powershell.exe
2116	powershell.exe
1816	powershell.exe
1800	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2800	DllCommonsvc.exe
1728	csrss.exe
1960	csrss.exe
2548	csrss.exe
2800	csrss.exe
2216	csrss.exe
2788	csrss.exe
2548	csrss.exe
2464	csrss.exe
528	csrss.exe
1376	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2260	cmd.exe
2260	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com
23	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0df401385cd9147284e353efd835a05e2f757b5eed64e259f484177434469892.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1944	schtasks.exe
2940	schtasks.exe
2908	schtasks.exe
1032	schtasks.exe
2364	schtasks.exe
316	schtasks.exe
2768	schtasks.exe
2652	schtasks.exe
2252	schtasks.exe
1548	schtasks.exe
264	schtasks.exe
2948	schtasks.exe
2640	schtasks.exe
2312	schtasks.exe
992	schtasks.exe
2668	schtasks.exe
1964	schtasks.exe
1720	schtasks.exe
2588	schtasks.exe
2028	schtasks.exe
1012	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2800	DllCommonsvc.exe
1796	powershell.exe
2116	powershell.exe
1816	powershell.exe
1800	powershell.exe
2696	powershell.exe
2096	powershell.exe
1036	powershell.exe
2104	powershell.exe
1728	csrss.exe
1960	csrss.exe
2548	csrss.exe
2800	csrss.exe
2216	csrss.exe
2788	csrss.exe
2548	csrss.exe
2464	csrss.exe
528	csrss.exe
1376	csrss.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	DllCommonsvc.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1036	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	1728	csrss.exe
Token: SeDebugPrivilege	1960	csrss.exe
Token: SeDebugPrivilege	2548	csrss.exe
Token: SeDebugPrivilege	2800	csrss.exe
Token: SeDebugPrivilege	2216	csrss.exe
Token: SeDebugPrivilege	2788	csrss.exe
Token: SeDebugPrivilege	2548	csrss.exe
Token: SeDebugPrivilege	2464	csrss.exe
Token: SeDebugPrivilege	528	csrss.exe
Token: SeDebugPrivilege	1376	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2480	1736	JaffaCakes118_0df401385cd9147284e353efd835a05e2f757b5eed64e259f484177434469892.exe	30
PID 1736 wrote to memory of 2480	1736	JaffaCakes118_0df401385cd9147284e353efd835a05e2f757b5eed64e259f484177434469892.exe	30
PID 1736 wrote to memory of 2480	1736	JaffaCakes118_0df401385cd9147284e353efd835a05e2f757b5eed64e259f484177434469892.exe	30
PID 1736 wrote to memory of 2480	1736	JaffaCakes118_0df401385cd9147284e353efd835a05e2f757b5eed64e259f484177434469892.exe	30
PID 2480 wrote to memory of 2260	2480	WScript.exe	31
PID 2480 wrote to memory of 2260	2480	WScript.exe	31
PID 2480 wrote to memory of 2260	2480	WScript.exe	31
PID 2480 wrote to memory of 2260	2480	WScript.exe	31
PID 2260 wrote to memory of 2800	2260	cmd.exe	33
PID 2260 wrote to memory of 2800	2260	cmd.exe	33
PID 2260 wrote to memory of 2800	2260	cmd.exe	33
PID 2260 wrote to memory of 2800	2260	cmd.exe	33
PID 2800 wrote to memory of 1816	2800	DllCommonsvc.exe	56
PID 2800 wrote to memory of 1816	2800	DllCommonsvc.exe	56
PID 2800 wrote to memory of 1816	2800	DllCommonsvc.exe	56
PID 2800 wrote to memory of 1800	2800	DllCommonsvc.exe	57
PID 2800 wrote to memory of 1800	2800	DllCommonsvc.exe	57
PID 2800 wrote to memory of 1800	2800	DllCommonsvc.exe	57
PID 2800 wrote to memory of 1036	2800	DllCommonsvc.exe	58
PID 2800 wrote to memory of 1036	2800	DllCommonsvc.exe	58
PID 2800 wrote to memory of 1036	2800	DllCommonsvc.exe	58
PID 2800 wrote to memory of 2096	2800	DllCommonsvc.exe	59
PID 2800 wrote to memory of 2096	2800	DllCommonsvc.exe	59
PID 2800 wrote to memory of 2096	2800	DllCommonsvc.exe	59
PID 2800 wrote to memory of 2696	2800	DllCommonsvc.exe	60
PID 2800 wrote to memory of 2696	2800	DllCommonsvc.exe	60
PID 2800 wrote to memory of 2696	2800	DllCommonsvc.exe	60
PID 2800 wrote to memory of 1796	2800	DllCommonsvc.exe	61
PID 2800 wrote to memory of 1796	2800	DllCommonsvc.exe	61
PID 2800 wrote to memory of 1796	2800	DllCommonsvc.exe	61
PID 2800 wrote to memory of 2104	2800	DllCommonsvc.exe	62
PID 2800 wrote to memory of 2104	2800	DllCommonsvc.exe	62
PID 2800 wrote to memory of 2104	2800	DllCommonsvc.exe	62
PID 2800 wrote to memory of 2116	2800	DllCommonsvc.exe	63
PID 2800 wrote to memory of 2116	2800	DllCommonsvc.exe	63
PID 2800 wrote to memory of 2116	2800	DllCommonsvc.exe	63
PID 2800 wrote to memory of 628	2800	DllCommonsvc.exe	72
PID 2800 wrote to memory of 628	2800	DllCommonsvc.exe	72
PID 2800 wrote to memory of 628	2800	DllCommonsvc.exe	72
PID 628 wrote to memory of 1700	628	cmd.exe	74
PID 628 wrote to memory of 1700	628	cmd.exe	74
PID 628 wrote to memory of 1700	628	cmd.exe	74
PID 628 wrote to memory of 1728	628	cmd.exe	75
PID 628 wrote to memory of 1728	628	cmd.exe	75
PID 628 wrote to memory of 1728	628	cmd.exe	75
PID 1728 wrote to memory of 576	1728	csrss.exe	77
PID 1728 wrote to memory of 576	1728	csrss.exe	77
PID 1728 wrote to memory of 576	1728	csrss.exe	77
PID 576 wrote to memory of 496	576	cmd.exe	79
PID 576 wrote to memory of 496	576	cmd.exe	79
PID 576 wrote to memory of 496	576	cmd.exe	79
PID 576 wrote to memory of 1960	576	cmd.exe	80
PID 576 wrote to memory of 1960	576	cmd.exe	80
PID 576 wrote to memory of 1960	576	cmd.exe	80
PID 1960 wrote to memory of 1840	1960	csrss.exe	81
PID 1960 wrote to memory of 1840	1960	csrss.exe	81
PID 1960 wrote to memory of 1840	1960	csrss.exe	81
PID 1840 wrote to memory of 3004	1840	cmd.exe	83
PID 1840 wrote to memory of 3004	1840	cmd.exe	83
PID 1840 wrote to memory of 3004	1840	cmd.exe	83
PID 1840 wrote to memory of 2548	1840	cmd.exe	84
PID 1840 wrote to memory of 2548	1840	cmd.exe	84
PID 1840 wrote to memory of 2548	1840	cmd.exe	84
PID 2548 wrote to memory of 1488	2548	csrss.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0df401385cd9147284e353efd835a05e2f757b5eed64e259f484177434469892.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0df401385cd9147284e353efd835a05e2f757b5eed64e259f484177434469892.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2260
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\im3mRbeZZ1.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:628
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1700
      - C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:496
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3004
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat"
        11⤵
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2696
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat"
        13⤵
        
        PID:1236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2468
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        15⤵
        
        PID:1540
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1760
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat"
        17⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2472
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
        19⤵
        
        PID:1152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1036
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
        21⤵
        
        PID:1556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1768
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        23⤵
        
        PID:1332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:552
        
        C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat"
        25⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Default\Cookies\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33fe7ea7cdd12fa2c85a60754af1f4ce

SHA1
6a98488d67ae24ade3da3ca8f2dd1f63cff87bc2

SHA256
4175fd3aeb2026497fc1a42840495f10c04b529fcb87d3dcb83554c0f9394b1a

SHA512
818d8ad5802bd43c4e963f6cf8c0fb1c3bf5e805280f7f14ad0c5260181428de39ba1e19371d487e10a82fae064c4ab306916bb0b9b7da450385e705a458a9ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94c728ddf52154778140274529881c4d

SHA1
5e05c725b13a3c30b196c24bf18f5f8adf95dd2d

SHA256
ab5bd8093f106d94d74c616261d15bca3b6c413be4c3ec5955f9cf807c5d4aa5

SHA512
fa79bf47cd0cc8ad3b7c288876cea94877cdf8c463e6cf4761ce980d6e4c31cf07f3e96329904f7743ba7f2ad1b23adc62ab581053871883aa10fbfe6c70feca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
348d70a7e1e1ff6a49b8ca3eb89843b3

SHA1
157b4c30f391c94533f4d6c2e027ebf1bfbf1a01

SHA256
530f48871870c4c42e9129ae35f5ad8198cb267a41cdeb92405ad90bbfd5d7f3

SHA512
90f5768b5bafb2f5c08037955463eb0fcc888aef22c12382cef4d290fb56d128b6022ba8c9f71204cc77e6d9607b7e3b6a143ebce27728c09fefe59570e85da9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
498c2875df5679178644a65086a68498

SHA1
a4b7e0bc6f0f71446f626face08d37f70705139a

SHA256
f0a2c8a0e1b35b8977d85ceb4251bfaa8132d7ed31fd7e4843c8f4b04b2a695f

SHA512
8a554500bf05b7adaa936d933c0b768ab564e0301922ece914590f06ba54b62ef2fe0b8f7e23d83e961c596bbbb8296c07738c84fd32c44db586d061461f9c81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b24bbb9ee62ee9a5c268ed0a9c221b0

SHA1
d7ee4e148ec51277017627701398da8d5ee4d624

SHA256
574e9d10ad58ac560366aa44b3e52b005e14a4a692829ec2db9555da22ee8d11

SHA512
a489e07a6fe9891c14043b3c98356c55b8f54c805bbe447aedb08e1d7c7aff3c34342f04157869bd694fd0f3cc076ca5e9477a1e5301437d90f690d5698a4f44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07da07c00e958a9d64ebdf56473f98e5

SHA1
6d25abb36b95d7264afc266f02941e991028f5bf

SHA256
39474634c9912a2998253de7d56e798983efbf082bf266743ac9c9a156c38c7c

SHA512
35bda660f1d632a85ae04997af07662fc358028ed778b565bb00eefbf72d0a40420cae29fd854d3627b196b566964d3bc80b12558cd69b3701d47de5ff530db0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72c75c03b2c5e0988318272110f15a2c

SHA1
65241813e1dec61bb7ba0d80547f9ec2d7254fc1

SHA256
06ef7d69e4d1de6d407b2d8600b44433205cf4039738102c7614272b522286c7

SHA512
8eed786526bf16d2b51441325b7342948b5862090f86eed4d9662726301dd49175c8002598165d01f5af4b8ef3b2a9e1b2a85f919f1f2f7e8366b35c59688bec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72b1b37a0903adc194ce39944a74d3d1

SHA1
e0bc257d33827bd364e6bb2543f4401047c3d2db

SHA256
bfe66ecdf61e98548fa10771f358f189d8137df6819a2ca4b7fb860c75054411

SHA512
8eb27ddcf5d897317ea724e455e8474d3451fac5cdf8afeaa4b18b7d6eba98d3efe6dd985e5ee258a43b3d15f116b4ec2079dbcdac203a4f2a8c1be4bfbddb3d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68767f563be8716fcdb1466957afa0b0

SHA1
5970d1f9807fc49a77c46feb62c3b399a5e5abd5

SHA256
be6a968864fc6f2b75dee8d8e1713da6573917c7c7153914503faf0a4585d9be

SHA512
fba6e8fe7c9425390afe33a759f8a010fe22b96af2401e9fb99183a0eeadd8b65deac3d0f7be6d03be0d2af896b0f68cc7aeec7169823b584b2f64c0e9e18c50

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

Filesize
238B

MD5
2bd1ec965e3f43a94129118259ee6cb8

SHA1
38eeaff24ed2f397155e7f5a4a99e7b217292993

SHA256
74592f19548eed90316482cdd19b7a3ebdc592250c158912400b9d37dfc9ee99

SHA512
31b37b2cec59ed63d50ba1670215db7e76b13e1e802252af86cef054c7819c6aa2a5f5de23ff9196b4aedb5f574b942b7bfa49913980691acf8b831f104d000d

Download Submit
C:\Users\Admin\AppData\Local\Temp\574RqM7W2b.bat

Filesize
238B

MD5
78ae77699ff4f814fa6a59167990ff86

SHA1
a295270ee493959af1aba058def03742b28f6d35

SHA256
23e014d2f880494bcba43b218b0ae47504f4df22b11952f6dc440db919b30383

SHA512
34f3df50c8d9979deb3cafb93400f26025b415640ac14a0024d80e4d8703dc2aa7650aad598f90d4d2d2c99b452b61b84cbd8aa2a6cd2ef8e81a92986b054d7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat

Filesize
238B

MD5
82a5c5104aa2d86e8d8a9dddf279ea55

SHA1
28da8c362fbf9f908b47c1af55006765f347f2ee

SHA256
bb13117411cc43635d199c70387a2b6ff7a19a7731cb3a298023e83dfe23b2bf

SHA512
f938c18f81b78e68be8b9e222c1ee76d79b31733d701544e5ed513faa5c9900f76224bd83147fc31a97006431d0ae8f88e60b71d1fb2ca21156f3ae62037818f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE82F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
238B

MD5
7f9075a9021ae5ccaa444a1599edb200

SHA1
3f5eed6dfb1d9aeb504f7e0cb9f5fb062653ddcd

SHA256
ab085d279219c0ea0513bb029599788f862fe74be873e1306999212cde087d9f

SHA512
2a4f2de2afc45f94a32c3fd15115b034802854e15581e4f73df8a80208e6d4f0e8b8400911b5a209f0ce94f98c1cce4cfb96ae29883cca21ae505e6875967bc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE851.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

Filesize
238B

MD5
2abbcec75a8a5d1d634721a0a5497c18

SHA1
a5f18389f95cda95bae848bcd4dbe884fd548f56

SHA256
c5f2f070bca7c560af59ec435d35616316027df684f3ee93439c060dd40c3372

SHA512
187b887730f772a8a95e2bcf9756cf2bb6a97b931a00c51851e47c6cac76b5381d447bb8572e9971147bb1774e6711a48a06fc36a9b8af18b291fc9a87fe0111

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
238B

MD5
77878ebc5ddadccb1624109a972ef586

SHA1
91f84dce80bbcf670229046d96070a4e9db0c256

SHA256
bf88947c9cc6b26e56af341723f73aab3f54080be5c923a92884c97a11bf2aea

SHA512
41aa56d3d07a5aebc359d44c27c7b977767e78ba60e2b93571ecd1282ee8616276043aab6ba9508ca75284003ab39b93a01179ad777523238a679c02138e2d8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKh6VzgSrU.bat

Filesize
238B

MD5
bc6211c55301ff734b3f5961bbe559e8

SHA1
11a6935674b600a80b6d897f69a9ab722ad00031

SHA256
c6ed743331aa1a70ceeba6b46d8ed560c3a2659a726d6d9a852b636a876dbb3d

SHA512
7df6cb9b9ac0e565194c941ef7c9f2a885dda84ad51f95f7a2f8b947373d4addc35e3795f6405a89be5d07c98e20fc200d940257fd0f718309d1a68e212614c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\im3mRbeZZ1.bat

Filesize
238B

MD5
83c7869c96cb8b6e4528d0b312f3adc9

SHA1
879a05b628efb288bf073e0f0da4821de424e7bf

SHA256
98263ad999cc6285b37ed502247c212f43f1444e1b8dcf4f7032775849fa6abe

SHA512
d9b73e2656d858607a511bbe47a5133496e1c0c4f31aac2c9eb904ef8b335ade09799c833e392bf8ad79eef864ebc9ea14c0b3f2018af1fa288faeca7434cb11

Download Submit
C:\Users\Admin\AppData\Local\Temp\j8BV8simza.bat

Filesize
238B

MD5
92af195c99a7bee5875820927a1b1194

SHA1
909ebe5f7781342b2d448e7d4325ca377bdd0513

SHA256
5a90b08944cd1e74cc5f827bff5b126efb7511292daacc192c2d6a40782a218e

SHA512
d4272a0e5c11369fabb2f51f7c570e3aba2eece757477ce90dfbe5a2b83631c236fe530b9a85ae4d6b05f6469d0c0125e0ba7dced015cc81856a259aeadde6f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat

Filesize
238B

MD5
f0fae20a583f7e75db641d6c9df41cab

SHA1
c5c29ac824631f44ec74e94e16ef88681a228dfe

SHA256
54849ff0ddc238b401433411bfbb378b0b569bc2d6ae4d750ac6e47f30f5fe8f

SHA512
95b29ff397c7c2b51ce00ff69aeb6c10355058d144c911496c4081164f11830ea25339c82a8d8be3cc868bcc4b4d1b9c18def51766b391310ea634d9719dc832

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
238B

MD5
8a289c53850d3453a1d80b75067d03f7

SHA1
7f7a423683dce3118165f550332bfd9b247ed25d

SHA256
cd6770dfc02957d26c7911c4c125932526190b0c210947f9fbd40ac1eb619d78

SHA512
a4cf9c629fad4d85a4b804f2cfe2b3b8df1e3b645054365a7626d69e4c6c4720136f0bae11413f3a4b5936213298423e81bb7ba8857e8f487a7cfe87f76be1f3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fec0abb4ddfbf28a039b0c07899f6fdf

SHA1
11d875f6bb0448c1eb859b00a8940d5537d2bfb2

SHA256
e1aa13ab5105a736ef100c4217b23c40ae8f98268331dec4254016d1e433d766

SHA512
aa63427d84375d8e148ec1877e2df575182287fe7e8be5e2b2575dcd07bcdd7fc3ed3edd22359a17d9d8733d83d23c3cc7a10d12ed2728796e3dde96cba641a0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1376-615-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1728-80-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/1796-55-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/1960-139-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/2096-77-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2216-318-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/2548-199-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/2788-378-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2800-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2800-13-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/2800-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2800-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2800-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download