dcrat | 9c439ae43d2dca91ac80deff51448ff1a13929cf65022adcc40e4ddabb5978ed

Analysis

max time kernel
144s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9c439ae43d2dca91ac80deff51448ff1a13929cf65022adcc40e4ddabb5978ed.exe
Size

1.3MB
MD5

36582a4979101409c174ce13fa15d9e1
SHA1

97f68e30fb7233c1690d3c74b26d6c16d9b55030
SHA256

9c439ae43d2dca91ac80deff51448ff1a13929cf65022adcc40e4ddabb5978ed
SHA512

ba7f0b884de35302340027f27873f2666dbc06512cce61c5551c6505bbc9121fa450e0e653a2aafd51f0649833f5a3eeb0a7043cd3d3a08e6eec3030d7fa78a5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	608	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2480	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2480	schtasks.exe	32

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d0e-10.dat	dcrat
behavioral1/memory/2572-13-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/2780-94-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2528-154-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1900-214-0x0000000000E90000-0x0000000000FA0000-memory.dmp	dcrat
behavioral1/memory/2308-275-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/1112-335-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/2628-396-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2848-457-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/760-517-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/884-636-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1056	powershell.exe
1768	powershell.exe
2164	powershell.exe
1412	powershell.exe
2292	powershell.exe
936	powershell.exe
1088	powershell.exe
920	powershell.exe
1652	powershell.exe
2912	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2572	DllCommonsvc.exe
2780	wininit.exe
2528	wininit.exe
1900	wininit.exe
2308	wininit.exe
1112	wininit.exe
2628	wininit.exe
2848	wininit.exe
760	wininit.exe
2676	wininit.exe
884	wininit.exe
2172	wininit.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	cmd.exe
2184	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\101b941d020240	DllCommonsvc.exe
File opened for modification	C:\Program Files\Uninstall Information\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\es-ES\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Aero\es-ES\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\es-ES\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\assembly\GAC_64\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9c439ae43d2dca91ac80deff51448ff1a13929cf65022adcc40e4ddabb5978ed.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe
608	schtasks.exe
2808	schtasks.exe
2800	schtasks.exe
2472	schtasks.exe
2616	schtasks.exe
1280	schtasks.exe
2740	schtasks.exe
2692	schtasks.exe
1364	schtasks.exe
1664	schtasks.exe
2500	schtasks.exe
1624	schtasks.exe
2416	schtasks.exe
3020	schtasks.exe
2432	schtasks.exe
1604	schtasks.exe
2260	schtasks.exe
1420	schtasks.exe
2276	schtasks.exe
2252	schtasks.exe
1992	schtasks.exe
2944	schtasks.exe
2832	schtasks.exe
2516	schtasks.exe
1236	schtasks.exe
1828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2572	DllCommonsvc.exe
2572	DllCommonsvc.exe
2572	DllCommonsvc.exe
936	powershell.exe
2292	powershell.exe
1412	powershell.exe
2912	powershell.exe
1768	powershell.exe
1652	powershell.exe
2164	powershell.exe
1088	powershell.exe
920	powershell.exe
1056	powershell.exe
2780	wininit.exe
2528	wininit.exe
1900	wininit.exe
2308	wininit.exe
1112	wininit.exe
2628	wininit.exe
2848	wininit.exe
760	wininit.exe
2676	wininit.exe
884	wininit.exe
2172	wininit.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	DllCommonsvc.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	920	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2780	wininit.exe
Token: SeDebugPrivilege	2528	wininit.exe
Token: SeDebugPrivilege	1900	wininit.exe
Token: SeDebugPrivilege	2308	wininit.exe
Token: SeDebugPrivilege	1112	wininit.exe
Token: SeDebugPrivilege	2628	wininit.exe
Token: SeDebugPrivilege	2848	wininit.exe
Token: SeDebugPrivilege	760	wininit.exe
Token: SeDebugPrivilege	2676	wininit.exe
Token: SeDebugPrivilege	884	wininit.exe
Token: SeDebugPrivilege	2172	wininit.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 2204	1876	JaffaCakes118_9c439ae43d2dca91ac80deff51448ff1a13929cf65022adcc40e4ddabb5978ed.exe	28
PID 1876 wrote to memory of 2204	1876	JaffaCakes118_9c439ae43d2dca91ac80deff51448ff1a13929cf65022adcc40e4ddabb5978ed.exe	28
PID 1876 wrote to memory of 2204	1876	JaffaCakes118_9c439ae43d2dca91ac80deff51448ff1a13929cf65022adcc40e4ddabb5978ed.exe	28
PID 1876 wrote to memory of 2204	1876	JaffaCakes118_9c439ae43d2dca91ac80deff51448ff1a13929cf65022adcc40e4ddabb5978ed.exe	28
PID 2204 wrote to memory of 2184	2204	WScript.exe	29
PID 2204 wrote to memory of 2184	2204	WScript.exe	29
PID 2204 wrote to memory of 2184	2204	WScript.exe	29
PID 2204 wrote to memory of 2184	2204	WScript.exe	29
PID 2184 wrote to memory of 2572	2184	cmd.exe	31
PID 2184 wrote to memory of 2572	2184	cmd.exe	31
PID 2184 wrote to memory of 2572	2184	cmd.exe	31
PID 2184 wrote to memory of 2572	2184	cmd.exe	31
PID 2572 wrote to memory of 1412	2572	DllCommonsvc.exe	60
PID 2572 wrote to memory of 1412	2572	DllCommonsvc.exe	60
PID 2572 wrote to memory of 1412	2572	DllCommonsvc.exe	60
PID 2572 wrote to memory of 2292	2572	DllCommonsvc.exe	61
PID 2572 wrote to memory of 2292	2572	DllCommonsvc.exe	61
PID 2572 wrote to memory of 2292	2572	DllCommonsvc.exe	61
PID 2572 wrote to memory of 1056	2572	DllCommonsvc.exe	62
PID 2572 wrote to memory of 1056	2572	DllCommonsvc.exe	62
PID 2572 wrote to memory of 1056	2572	DllCommonsvc.exe	62
PID 2572 wrote to memory of 1768	2572	DllCommonsvc.exe	64
PID 2572 wrote to memory of 1768	2572	DllCommonsvc.exe	64
PID 2572 wrote to memory of 1768	2572	DllCommonsvc.exe	64
PID 2572 wrote to memory of 936	2572	DllCommonsvc.exe	68
PID 2572 wrote to memory of 936	2572	DllCommonsvc.exe	68
PID 2572 wrote to memory of 936	2572	DllCommonsvc.exe	68
PID 2572 wrote to memory of 1088	2572	DllCommonsvc.exe	69
PID 2572 wrote to memory of 1088	2572	DllCommonsvc.exe	69
PID 2572 wrote to memory of 1088	2572	DllCommonsvc.exe	69
PID 2572 wrote to memory of 2912	2572	DllCommonsvc.exe	71
PID 2572 wrote to memory of 2912	2572	DllCommonsvc.exe	71
PID 2572 wrote to memory of 2912	2572	DllCommonsvc.exe	71
PID 2572 wrote to memory of 2164	2572	DllCommonsvc.exe	72
PID 2572 wrote to memory of 2164	2572	DllCommonsvc.exe	72
PID 2572 wrote to memory of 2164	2572	DllCommonsvc.exe	72
PID 2572 wrote to memory of 1652	2572	DllCommonsvc.exe	73
PID 2572 wrote to memory of 1652	2572	DllCommonsvc.exe	73
PID 2572 wrote to memory of 1652	2572	DllCommonsvc.exe	73
PID 2572 wrote to memory of 920	2572	DllCommonsvc.exe	74
PID 2572 wrote to memory of 920	2572	DllCommonsvc.exe	74
PID 2572 wrote to memory of 920	2572	DllCommonsvc.exe	74
PID 2572 wrote to memory of 1468	2572	DllCommonsvc.exe	80
PID 2572 wrote to memory of 1468	2572	DllCommonsvc.exe	80
PID 2572 wrote to memory of 1468	2572	DllCommonsvc.exe	80
PID 1468 wrote to memory of 2312	1468	cmd.exe	82
PID 1468 wrote to memory of 2312	1468	cmd.exe	82
PID 1468 wrote to memory of 2312	1468	cmd.exe	82
PID 1468 wrote to memory of 2780	1468	cmd.exe	83
PID 1468 wrote to memory of 2780	1468	cmd.exe	83
PID 1468 wrote to memory of 2780	1468	cmd.exe	83
PID 2780 wrote to memory of 952	2780	wininit.exe	84
PID 2780 wrote to memory of 952	2780	wininit.exe	84
PID 2780 wrote to memory of 952	2780	wininit.exe	84
PID 952 wrote to memory of 2104	952	cmd.exe	86
PID 952 wrote to memory of 2104	952	cmd.exe	86
PID 952 wrote to memory of 2104	952	cmd.exe	86
PID 952 wrote to memory of 2528	952	cmd.exe	89
PID 952 wrote to memory of 2528	952	cmd.exe	89
PID 952 wrote to memory of 2528	952	cmd.exe	89
PID 2528 wrote to memory of 1816	2528	wininit.exe	90
PID 2528 wrote to memory of 1816	2528	wininit.exe	90
PID 2528 wrote to memory of 1816	2528	wininit.exe	90
PID 1816 wrote to memory of 1448	1816	cmd.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c439ae43d2dca91ac80deff51448ff1a13929cf65022adcc40e4ddabb5978ed.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9c439ae43d2dca91ac80deff51448ff1a13929cf65022adcc40e4ddabb5978ed.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1876
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2204
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\assembly\GAC_64\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\es-ES\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\es-ES\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:920
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QzqepdNQ02.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1468
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2312
      - C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2104
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2528
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1448
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        11⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2772
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        13⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1176
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        15⤵
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2560
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        17⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2936
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
        19⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2572
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
        21⤵
        
        PID:2060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2976
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat"
        23⤵
        
        PID:320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1448
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
        25⤵
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2408
        
        C:\providercommon\wininit.exe
        
        "C:\providercommon\wininit.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\assembly\GAC_64\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Media Player\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\SendTo\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\SendTo\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\Resources\Themes\Aero\es-ES\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\Resources\Themes\Aero\es-ES\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46c4b7c80fe58cb95cb787228dc9ab91

SHA1
524138ae02189079f9215803d603e7aba65c0d4a

SHA256
6d4d69a494ea5ec5fd8a7a3e68d0c54b2fa76f51e067389026ddfbf9f7f64f72

SHA512
27e14eda3041f56a2235f408e42600d953f1b54892e6b76a293ff1642f720289bafae1b23958670e8aab18e69d05757729dc388e0a131b2094d43c7dce2f847a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f02d84eee2712ec61da571f9b62b9bd8

SHA1
3bf93c0abb7100301dea568271ae576ec83d7de7

SHA256
4026b607398b2bfad7f34aefbc5952c25a958276a72b3b0d9fe25632c8fa05b4

SHA512
edee9916688d42b80ebbdb07205904dc47f35f5e65b9cb9326da349c2301202faec06b73705ae609a7b5c607c3b11ee58bddce23b86c88022bf82ca37a5c7092

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a843e95cbd4abdd9b5b10f32ec961575

SHA1
868c4342e811a95af60d2e48b8905d99aabd7f88

SHA256
0690e287f06ced29cedb97013d526d9e3af28f4102a705ef7377992bb612501d

SHA512
01764a5db6da743ab2dc79bed33a76ae1f263e9139fe6ca1c16cb05ec4d4ce626a01718691e7af3f9ac4438616d915c6ac09bfa2b1b68e1b55c8cd27072317ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c677c02bea52b087169e887fc359d797

SHA1
d29f29b7f1875e30b2679cc978d4f1e725f563ed

SHA256
fdc47a7ba5bef1a15dc089254efe4d0e6648de85bfb54189e73425c09fec3373

SHA512
f34cce0c0ea1128da89fdccb90c0ec037946a1c385d260ded4b31b4e3072b34942b2e21d146dccd517d851535177c5fba53a2b9e28dbc0d21272208331004fee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
764ac4ce33ab094db9507836a151d7de

SHA1
2bd7192c55a1404ec824cd58768aad76de5fd440

SHA256
14bef9081075c3595aa98859679f51ae20e907c8d8f8ccd4ede345c8bb5310f5

SHA512
b82cc36650fc9422a2d9470f2e60e7592725c7710d4ed1b33e29fd91f0bd957341d50c740e13f0034dfba1cb5f6763fdf19f3631cf0364ab34e12290f44a6830

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73e96c7258adac4de7074cdcfecbff52

SHA1
1867b5ef8bf435451f21f90ff91a9c71980bd434

SHA256
b4beec4835c526529b4273c784da4ad2fb700c90fefd48e81f1e5cdb9da86b95

SHA512
ba505c93e6a5b667d8b3e522ca6be28b45bb6d6bdf0a8c9b522478a90fab21ad6e53f20be0901b6448a41b131480d837fd57a58dd3112c90880c194e6fd30abd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7fd484eaa1801209705ac830ccb77096

SHA1
15df92e8fce8d3e8f8554a55516d437f80bbcaeb

SHA256
267b78ee8c30030ea6f1101c8f2a735f5751f892f1c677c3bee78b9296ae4e95

SHA512
02265e514d984964b97054dd934006d69e6cd887cbd09bf0b921a0e8103694fe8912fd851010c7f04c5cb8b582641a97f57a193dd945871ae5d93a0d1382a2f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ef6d06d24d5d8c6ce4d88cf322c421a

SHA1
90786ebf590a4e8cc912a7cb2245fab1a3061e21

SHA256
483ad14da7b0a124b4db09fc6a17e780c980b93569521f7108271d1cbfaca7b8

SHA512
4bf3e89946c3c9f32ff25818e34ded208baa7dd053d37b4b87279fce0d09180762e904b69068087f7a0b34d632cf472d1027e46472a131ccff5110fe5fe2741c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cf4380eacc1b0e8d63f96886056d048

SHA1
a7523547315755b9527f88b0312ff8d2d9cac784

SHA256
9befd3a9be869a55eead8f5bde8c3af85add4749166708afe882ae4f3551fc3d

SHA512
a3e680a172f3d2e577875e36ba5319f5ab1a62cfd781a59e0deb113c02a9b060ae715cca545595bd518a5be6dcbb5239e03f3ea103a49a63a5e54495bda7757a

Download Submit
C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat

Filesize
194B

MD5
f1139406c0571e635e0bea181d97f03b

SHA1
8b09584f7c49fb0eca6be24a566b6e1eb4ff26e1

SHA256
0806625fd024a88d47dd822dfe399049cbbcaeecd50199cfe2c1339114543dae

SHA512
e6465f69b32730925c672d59a22d2378f5631b19ae9bb547c080b9262bd5f21fc9fd6dbc283bd584bd804bca42975e6b302a5ecf76624e17c66e309f6ac1ab11

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBB75.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMiKQlKjHz.bat

Filesize
194B

MD5
f81c3c28b21834fed89667df466f34f6

SHA1
a67028b2d76566b72afa62554747195b6bed36fe

SHA256
d43008e17cb3e6b5b43ea4493963a75db7f188399cc2cb6eb4dacb2bbcede9f8

SHA512
87a97d79b01ae67f69f9ca50cbdf5997c6ab47b0a4be55010c6160a4a84cc074abcc101be28e566a6d03be10fa5cfef7544212833b46d9f8cffab5ce0ff56d34

Download Submit
C:\Users\Admin\AppData\Local\Temp\QzqepdNQ02.bat

Filesize
194B

MD5
30f6357027342ce302ae9e34f12c7c0f

SHA1
d70509e302ca1a73c81a562c4f6f6b2adc87a6e0

SHA256
70d7b9ca08e28fa44071e6d2fc9041f401e1ec1b51e7e88097fdbac95c26bb0d

SHA512
2950a5b6c74657409e5cc260f6d86d57ddbe7d9d7b322bfc5dda24aa6df19b321cae13f6217230be16326d0564269ec2c0b6b0a0d9a706204bfe32a7cbef5ec5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBB87.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
194B

MD5
1c4df36ef4c47c2c542ccec84fa25ee6

SHA1
b1194dccb2313883853bc47f8eee1b2f7acf1e21

SHA256
21723634f70ea02617c73b284f0677df50a08d4bdf20d3651d9090a0fd846261

SHA512
42afb89d592f77329c4575f250ca675268948fe80d4f9502c4ea2129114e0b2c6759263966d6b107e59917a2c771e38d20b4ac6a7d1aeb48028e54058db0a333

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

Filesize
194B

MD5
4a2352b421faf52f9b36f7209abcfa3e

SHA1
7af459d3e292fcc5101c5456f433ac12d8588532

SHA256
b8e1bd00d279a5824515f4ea9cb0905cdbc2242a22bdd653e54ecc9f0391e321

SHA512
36f0425166d11f18d1a1be5a1327f5330e6d11dbfead9360c510b87bbfdf7102f1ce80dea5140302713ee7cf2c91e0c230dd5d44aa0d5dcd73c14732c6600166

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
194B

MD5
970d932e843f9808de833fee46717870

SHA1
9490b506b97d7fe3f436834614bb793f09abd4d3

SHA256
e3854331e543548db3f1e6c6c29e42d1dd4cb7baf21d437502be927c80274284

SHA512
310490800db55d5422a454596b71464f6d1753d35202a26fcc266338ab116a899dfff2fff1c14e052f8e6335d2721519101d3124b212e7462a32fe3af28d776b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat

Filesize
194B

MD5
0ff9c652b483a2cc256d6f163327ee3b

SHA1
0f1b19b8893867924c9091300476b41753f8a5e7

SHA256
d24e62ed4de2e2afa9c4ea6df63b6b016282b0824ceb19ca20286f55b05ccbca

SHA512
0dc3e0b8764615db1b1d3f45d97aa86a03bf05d9109ffb5f78c5318dd7f3bbd7534bebc17de03a1c6eb8332e9df21dba8fbb4be151ad82f2d1f17b20f24833b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
194B

MD5
9162c920f43d7b3f68a7f73ac0046c8d

SHA1
072a0ef59d0566056fe7832a524263d94a1a9bcc

SHA256
a64dff0802b1e4cd5bf80fc2003846b19ddbe6575e3eacd9515711f16d2eb17c

SHA512
cbf8ca299571deba24556bd0f1a9fb1a893a9bfb19a9e827976566a085cfa8362388957412e3576c6f9b26c4c9ea05a34b991d8fc22120c268004ee654eef460

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
194B

MD5
2f2217f8e2016217ef4ac792a503caaa

SHA1
c3849f7f3f8d9cbed150947bb64f56fe474daac1

SHA256
490f22dfd2e963c32736341f87ceb289c91d947ca8a1ee404c35090d2d418b6f

SHA512
23a7383c0f7c693af9f6b2a6e4dcabaf23e79a5ebffcd96667c8903d3fe7ddc5d365b1f6a733925b7b610a3ad27c96537e755d1f6ffec353c130183657f30d28

Download Submit
C:\Users\Admin\AppData\Local\Temp\sT6xLp4JQ8.bat

Filesize
194B

MD5
496ea3492c0e54e983204c12501a9452

SHA1
f0f9d3ab46d652cdfb5317abb5fe6ef1ce85c000

SHA256
ee5fc9f635af871758274516e443b9b5d29a70c2e298d47e3d90e419f3436b15

SHA512
9708c3fcf1539bcf1c3fa541fcfe8044ad80a5b803cb1eb61e50feb676e5acb6d2687552a368edf78763bfd2dc6100784c09ec92e5481a5891666a5716bf8ff2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
194B

MD5
a46d6e649f546b98453915c0606d8aaa

SHA1
d4749e3d382d73abb05a883743ba1e5024ef1930

SHA256
928e130883813fcd298327dcb55c98a998af87fde53d18220022f0b4dbc0e83b

SHA512
8368c9ee9747697c9ac529a4d3f87dd797769f6332194269275a6404f91b911667e8460fbb553e311e8bb95f6c51cd7d5bfdc4840e1e47e477e989065038fd47

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ff2ef5e4f31ceffb5aa2366c1f129562

SHA1
a4eb540aa69ca7d53bb6cc298b9211755187fad0

SHA256
8284e5d275097103fa74fb316f48bea0b720a71fe1afa6ffbdc68155cfc8e5e3

SHA512
f465426dd06255e51604ee3a659c6fb7d18023092f4056eee3bb0a1ec9cfe5468d28a44db8c66ef7458b1e0804deac320a3a47eb3d6698b03e94d9b36676e0e3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/760-517-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/884-636-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/884-637-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/936-54-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/936-56-0x0000000001CC0000-0x0000000001CC8000-memory.dmp

Filesize
32KB

Download
memory/1112-336-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1112-335-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/1900-215-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1900-214-0x0000000000E90000-0x0000000000FA0000-memory.dmp

Filesize
1.1MB

Download
memory/2172-697-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2308-275-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2528-154-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2572-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2572-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2572-15-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2572-14-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2572-13-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/2628-397-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2628-396-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2780-95-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2780-94-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2848-457-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download