dcrat | 9bfa2e7ae1dad43c8307a184775bf021cb125fdb77c99951c9caebcc6ec974d1

Analysis

max time kernel
143s
max time network
141s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9bfa2e7ae1dad43c8307a184775bf021cb125fdb77c99951c9caebcc6ec974d1.exe
Size

1.3MB
MD5

6b50582f1165d929449cc943236c1abb
SHA1

1fa1e8d681ac525bec3ef2c0916844ad8ce611fa
SHA256

9bfa2e7ae1dad43c8307a184775bf021cb125fdb77c99951c9caebcc6ec974d1
SHA512

ebcc3286846b2549b588ae5c03f8dd17826dff9bb048dedf31e31a6a0ffafb34e717d61bafe6e3bee15d78de8a3818a4a85b55c9951310f7950c313a4ec15ac8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2796	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2796	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d2c-9.dat	dcrat
behavioral1/memory/2760-13-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/3020-105-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/2456-223-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2952-284-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/2228-344-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/2856-522-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2748-583-0x0000000000B10000-0x0000000000C20000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
296	powershell.exe
1964	powershell.exe
560	powershell.exe
2152	powershell.exe
1356	powershell.exe
1536	powershell.exe
1772	powershell.exe
2556	powershell.exe
948	powershell.exe
2416	powershell.exe
1932	powershell.exe
2300	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2760	DllCommonsvc.exe
3020	taskhost.exe
884	taskhost.exe
2456	taskhost.exe
2952	taskhost.exe
2228	taskhost.exe
2264	taskhost.exe
1980	taskhost.exe
2856	taskhost.exe
2748	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2880	cmd.exe
2880	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\DESIGNER\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9bfa2e7ae1dad43c8307a184775bf021cb125fdb77c99951c9caebcc6ec974d1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2144	schtasks.exe
1984	schtasks.exe
1980	schtasks.exe
588	schtasks.exe
3020	schtasks.exe
1348	schtasks.exe
2268	schtasks.exe
1776	schtasks.exe
2592	schtasks.exe
2368	schtasks.exe
1428	schtasks.exe
524	schtasks.exe
2272	schtasks.exe
2792	schtasks.exe
1696	schtasks.exe
568	schtasks.exe
2224	schtasks.exe
2236	schtasks.exe
2616	schtasks.exe
2644	schtasks.exe
1056	schtasks.exe
2524	schtasks.exe
1168	schtasks.exe
1616	schtasks.exe
2872	schtasks.exe
2432	schtasks.exe
1864	schtasks.exe
912	schtasks.exe
1028	schtasks.exe
2732	schtasks.exe
1612	schtasks.exe
1912	schtasks.exe
436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2760	DllCommonsvc.exe
2556	powershell.exe
1932	powershell.exe
1536	powershell.exe
1772	powershell.exe
296	powershell.exe
948	powershell.exe
1356	powershell.exe
2152	powershell.exe
2416	powershell.exe
2300	powershell.exe
560	powershell.exe
1964	powershell.exe
3020	taskhost.exe
884	taskhost.exe
2456	taskhost.exe
2952	taskhost.exe
2228	taskhost.exe
2264	taskhost.exe
1980	taskhost.exe
2856	taskhost.exe
2748	taskhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	DllCommonsvc.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1772	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1356	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	560	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	3020	taskhost.exe
Token: SeDebugPrivilege	884	taskhost.exe
Token: SeDebugPrivilege	2456	taskhost.exe
Token: SeDebugPrivilege	2952	taskhost.exe
Token: SeDebugPrivilege	2228	taskhost.exe
Token: SeDebugPrivilege	2264	taskhost.exe
Token: SeDebugPrivilege	1980	taskhost.exe
Token: SeDebugPrivilege	2856	taskhost.exe
Token: SeDebugPrivilege	2748	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_9bfa2e7ae1dad43c8307a184775bf021cb125fdb77c99951c9caebcc6ec974d1.exe	30
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_9bfa2e7ae1dad43c8307a184775bf021cb125fdb77c99951c9caebcc6ec974d1.exe	30
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_9bfa2e7ae1dad43c8307a184775bf021cb125fdb77c99951c9caebcc6ec974d1.exe	30
PID 3044 wrote to memory of 2420	3044	JaffaCakes118_9bfa2e7ae1dad43c8307a184775bf021cb125fdb77c99951c9caebcc6ec974d1.exe	30
PID 2420 wrote to memory of 2880	2420	WScript.exe	31
PID 2420 wrote to memory of 2880	2420	WScript.exe	31
PID 2420 wrote to memory of 2880	2420	WScript.exe	31
PID 2420 wrote to memory of 2880	2420	WScript.exe	31
PID 2880 wrote to memory of 2760	2880	cmd.exe	33
PID 2880 wrote to memory of 2760	2880	cmd.exe	33
PID 2880 wrote to memory of 2760	2880	cmd.exe	33
PID 2880 wrote to memory of 2760	2880	cmd.exe	33
PID 2760 wrote to memory of 1356	2760	DllCommonsvc.exe	68
PID 2760 wrote to memory of 1356	2760	DllCommonsvc.exe	68
PID 2760 wrote to memory of 1356	2760	DllCommonsvc.exe	68
PID 2760 wrote to memory of 1536	2760	DllCommonsvc.exe	69
PID 2760 wrote to memory of 1536	2760	DllCommonsvc.exe	69
PID 2760 wrote to memory of 1536	2760	DllCommonsvc.exe	69
PID 2760 wrote to memory of 1772	2760	DllCommonsvc.exe	70
PID 2760 wrote to memory of 1772	2760	DllCommonsvc.exe	70
PID 2760 wrote to memory of 1772	2760	DllCommonsvc.exe	70
PID 2760 wrote to memory of 2556	2760	DllCommonsvc.exe	71
PID 2760 wrote to memory of 2556	2760	DllCommonsvc.exe	71
PID 2760 wrote to memory of 2556	2760	DllCommonsvc.exe	71
PID 2760 wrote to memory of 296	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 296	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 296	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 948	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 948	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 948	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 2152	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 2152	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 2152	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 2416	2760	DllCommonsvc.exe	78
PID 2760 wrote to memory of 2416	2760	DllCommonsvc.exe	78
PID 2760 wrote to memory of 2416	2760	DllCommonsvc.exe	78
PID 2760 wrote to memory of 560	2760	DllCommonsvc.exe	80
PID 2760 wrote to memory of 560	2760	DllCommonsvc.exe	80
PID 2760 wrote to memory of 560	2760	DllCommonsvc.exe	80
PID 2760 wrote to memory of 1964	2760	DllCommonsvc.exe	82
PID 2760 wrote to memory of 1964	2760	DllCommonsvc.exe	82
PID 2760 wrote to memory of 1964	2760	DllCommonsvc.exe	82
PID 2760 wrote to memory of 2300	2760	DllCommonsvc.exe	86
PID 2760 wrote to memory of 2300	2760	DllCommonsvc.exe	86
PID 2760 wrote to memory of 2300	2760	DllCommonsvc.exe	86
PID 2760 wrote to memory of 1932	2760	DllCommonsvc.exe	89
PID 2760 wrote to memory of 1932	2760	DllCommonsvc.exe	89
PID 2760 wrote to memory of 1932	2760	DllCommonsvc.exe	89
PID 2760 wrote to memory of 2200	2760	DllCommonsvc.exe	92
PID 2760 wrote to memory of 2200	2760	DllCommonsvc.exe	92
PID 2760 wrote to memory of 2200	2760	DllCommonsvc.exe	92
PID 2200 wrote to memory of 2080	2200	cmd.exe	94
PID 2200 wrote to memory of 2080	2200	cmd.exe	94
PID 2200 wrote to memory of 2080	2200	cmd.exe	94
PID 2200 wrote to memory of 3020	2200	cmd.exe	95
PID 2200 wrote to memory of 3020	2200	cmd.exe	95
PID 2200 wrote to memory of 3020	2200	cmd.exe	95
PID 3020 wrote to memory of 332	3020	taskhost.exe	96
PID 3020 wrote to memory of 332	3020	taskhost.exe	96
PID 3020 wrote to memory of 332	3020	taskhost.exe	96
PID 332 wrote to memory of 264	332	cmd.exe	98
PID 332 wrote to memory of 264	332	cmd.exe	98
PID 332 wrote to memory of 264	332	cmd.exe	98
PID 332 wrote to memory of 884	332	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bfa2e7ae1dad43c8307a184775bf021cb125fdb77c99951c9caebcc6ec974d1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9bfa2e7ae1dad43c8307a184775bf021cb125fdb77c99951c9caebcc6ec974d1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2420
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2880
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\SetupMetrics\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IC0nCLiUnp.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2200
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2080
      - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:264
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat"
        9⤵
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1020
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat"
        11⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1372
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat"
        13⤵
        
        PID:1812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1664
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
        15⤵
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1020
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat"
        17⤵
        
        PID:976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1716
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
        19⤵
        
        PID:1576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1248
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        21⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1808
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\DESIGNER\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Windows\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\SetupMetrics\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2eac8d0e2d1ee751e4e55f210d52f6b

SHA1
e13858e1fca8ebc78bbcf3bd8b589c2cabd105b7

SHA256
7722e021daa3d8891ff431765dff0a6786fa2dabb3c35e82114393ef3734fb4f

SHA512
a8dd85e0fdd2cdb77b55f0bf27b2514b0c2a7ab0f590c7be58a6825e40ec8ab366be373ebcfdc5cef313de92b7ba291e5989d215f8698cc339fde0b5782bb120

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a27cc10ead1e4dcf08ac2c2eb0619e5d

SHA1
ebc28f8889b979becb249c08b899eeb55f453968

SHA256
fd67264335afb7664b0e087bfd1541d1a42cbd012bfc19f80cf82d8cb0ff4f1b

SHA512
1f3bdd05c6e84bd2aea277b644b35e75225c38428e35d29bdb22a4c8c2a3fbb35a98277e3aef6349b93cc7996e67771c451bf0d267163a2ac0656d49ed50bf3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d6690746a86ee1d40497f56d42e824f

SHA1
6761940fa80e5ffb4d0f7ea1d097bbfb4d01a977

SHA256
bedff6b71771e53bfd9547742a2ee9624e2a8b741bd13cd3205fab2e58dc4fcd

SHA512
753294b8a8c857d4146e565c2eb331460aea0b7e27aaec9794e9b13654221d1d7b6bed705cb62e9461a027b8460f0d7722fc08a6747685fc051fc703ff5e1b9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dba5be7ba7629d478dda53ca16b7e19e

SHA1
281d19d0ec293fc75491b0e32605cf1aed1fc999

SHA256
7ec2095b41d74f9fe495076d778459e30f23a2bffee7f26f64417b56a9f73103

SHA512
99d646482ad7a53eb7da1312cc1bf7ef131635ab1e51f205505fe7e4517b7bd2df5f5b51d08ed1fb5e3a43e4ad64874ca87dfb614ee6583ae7986f485ed3ff93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cee2ed7e3cfaa52d16372084da18f739

SHA1
1685a5c5b9b18a29989ef7211aa019fb7e654fe8

SHA256
7ad12e6a0a6e24d27e880d56a8f7ece813008118a2ed228bdc771ee650181f42

SHA512
da66acf03ded39718283caf180c6ea93f29da497ed5269a7bc5782b3cad298948ce2027912c01e7fc0896bf007d69f90e6387260c673839892693a978f690fb7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
15f0928e8b65156e97edbcc72523fea5

SHA1
dac8aa057c1c64b1400b2ddcfddb4b306cbad6fa

SHA256
3df291d2bc70bd673cd752f34e22c27f2665164d07ad1b06da31d3efb91a81e1

SHA512
f1b6b5a002d95da4500633e96caa8f15c6aa147a3186c66b494336c509c06d7c578cb08402cea0970fbc8adbf1c8a68d24300ae4c0743fabaf504124c520495e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b3d1af99bd139a40995b7735f16a9a07

SHA1
e092881f64067eefaaa477944692f1a7daad3845

SHA256
5f0c93543a3a45e4c73cf7d401258f25a19ec23a936578f8b5a8514e862d4b04

SHA512
ec1982aa437724594ef4bc1032023444e7a53f6424671b6470f98a8a18d0364d89041de846bbf4ebf72a165d6079a46f90abf431c2a6433f5f043ac224f15c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

Filesize
240B

MD5
a6507af48de2a2fe35eebc4acba83406

SHA1
324562a148ffe999ac78f52c8cb30084d2fd1929

SHA256
86e586915c47f89faf54366b962bf301e145d50c2111e3785b4e31b4bf4e8d50

SHA512
27d29db241526b61c6b42607145dc1849b54c409137e27b83e8479ed136d788f1d4331bc1b22a1c34a5de74d0dec7a64c7139614d5a12632bfcfff56da22347b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
240B

MD5
033a621c686159a8041e079b9bac7010

SHA1
b7222e16c60d13b45771a639a2f85b7e847c8783

SHA256
488a1bf6e66e6e498ea02d44a16e59a924842892ba3a534d95f4a79b295abf02

SHA512
2b231a4e812b5b40b45dc14bb301aca0c9c48f01409bd2de95b793e1397e093a55167ef936bab81a7b3f89c446543a35c1974f26acb730a981b63d0fd654b5c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\B7rL9EqqPR.bat

Filesize
240B

MD5
ed0e90e70f1df0ddab18cef060e164fa

SHA1
02561ba2331ae21fdc9763ffe8e9e009790dadbd

SHA256
c494395937cb96cc3ac1f366b1f7984861c1673f903573800395c994292a2cc5

SHA512
ac761da18229b17da5f5fa8675066ac605c8d30d4aa6ee0f52a62f48169877bf4585bbf3458f22070662c92f873a86c66dede25765d6b7518363efca1f2eee83

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A1F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IC0nCLiUnp.bat

Filesize
240B

MD5
2189104a0dbff47adcab2f15fd04c554

SHA1
06483710cc96962b0b75bd5a3905700797447091

SHA256
d411f322e98dfc0a61dbc311e42b4789f4bba637f81d8ed1ee72b09de6ff9973

SHA512
357e5ff2ce78e8f78438e19aebedc114701459ec1cfe774f30867db17ea20d267d85dd4839617f16ab376eaf4de8fe564a015637c6217006c6ef9afc5d33c977

Download Submit
C:\Users\Admin\AppData\Local\Temp\PoOVO2yVWN.bat

Filesize
240B

MD5
2b459659e7bea9f64c4602e91746a806

SHA1
b02489ce1611cea3d94e84b6bdc4d9db21863c86

SHA256
510e9a5c4cee884e3ef279af0d106bcc7aff5dc90f1b8cb9588551295b0ab54a

SHA512
b10340b06f4f0cbc5af83bafb0985eabddc77fd20dfeab47b6266942816b714129e97cc1f58e53a4dd31b7f8a4b02167411db802e7d1386ef36527ae3a99b96d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RnBkS9jGYw.bat

Filesize
240B

MD5
96d50156759cb3856e094e1d43b58e11

SHA1
ed6e2311abc27c3de0bf49c874d69d6b0fbe970a

SHA256
4ee846ee8738f1a499879363bec2e92467ee8ac529b701913f7ba44d10fd8528

SHA512
4d711c6902d48eb2d8974c742008552fd868319035038ab93169b1b9efc56325ead8cb7fab1c3bf3e5263c3b48a19e4189f1f0ff5beae16e94162d8d1f84dbbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat

Filesize
240B

MD5
d4943bb2d0aee7a98a2496a50ea899c4

SHA1
4f80e12ad9d71d1eda9badfdcb2655ae2bdf3bae

SHA256
dbd64854bd00ef72eadc788923fb50ae4c96a6ab267a93330fb6fc714d60db6b

SHA512
de4ed28b898924cbe8ab8291dcd47ef17b4f9ed9cdcdb5f349384e99fb181d321c69026eb85656fdf2b2563e4536e2d9f2b8e3ea01e0e77aff481bc3e7df8366

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9A90.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

Filesize
240B

MD5
ce080df2e091fd60147819c71b0a17a3

SHA1
dfd9f98bae25004034bf66529b7d53fe645a3cbf

SHA256
d1f0d80b9323b237e6a71035d2c401130eeab9ab159210cbb3aec258212960c2

SHA512
d4bc541bcbec20855dc7c1aa7265a714818cfa5a2c646fda8aad57b027ac92dd480e3e46eae4c607bff8c4ad99f7e4c1d5b715e2ad9525d04c6cfb77846f1093

Download Submit
C:\Users\Admin\AppData\Local\Temp\zKs2Tjd9zb.bat

Filesize
240B

MD5
374feb95379adc228c89d718b143868d

SHA1
2a076992265c89b01e573a438a11be93011be624

SHA256
b830003cfe743e25b95b57db397cec529cb8778692b749b457491b1721a08ae5

SHA512
a5a19ad692c2a69077d8ac1f17c8d80aecefb7ffe8587c63c90c097676fa2c8ce2a7ffa9049802f532c44ad74ee7ab5858f749d27102d5f40477f6c8bfc9c978

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cb63d986b16ac36ab23eba5cabb1dca5

SHA1
521df7b9e2f4376fd413d1f2815adda84df811db

SHA256
d4df18903a95d4e35300ee7f6fb4ef0bf85ffe08d954400b95f3930ddfaa5a07

SHA512
0fbbf14d65bb5fa8fcf0129177bc3d045a1fb67d4dac6ecc06ee328df59434d9d3665f1ab7f829843229db81834aaba1fa1de9113d011cf81605109bbbeea808

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/2228-344-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2456-223-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2456-224-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2556-47-0x000000001B300000-0x000000001B5E2000-memory.dmp

Filesize
2.9MB

Download
memory/2556-49-0x0000000002460000-0x0000000002468000-memory.dmp

Filesize
32KB

Download
memory/2748-584-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2748-583-0x0000000000B10000-0x0000000000C20000-memory.dmp

Filesize
1.1MB

Download
memory/2760-17-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/2760-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2760-13-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/2760-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2760-16-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2856-522-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2856-523-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2952-284-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/3020-105-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download