dcrat | 0243809765763179e9826fd6889677dd2e1d45cb44bd1e644344f06f1fc078b8

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0243809765763179e9826fd6889677dd2e1d45cb44bd1e644344f06f1fc078b8.exe
Size

1.3MB
MD5

4e815b08c0238c3b587b5d1dcc5a9549
SHA1

3abd36730dd28d0a25a94350efec2a7d14a2cdee
SHA256

0243809765763179e9826fd6889677dd2e1d45cb44bd1e644344f06f1fc078b8
SHA512

38f867bc7f500720d1e7911122ea5a0b6bc42db4b6f9de82e92b89b95074eb36ba9ae481f11a362a6e84f13026e955f3b6bdee22ac7f69c6a1ff7c04e9d13d6c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1412	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2624	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2624	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c73-9.dat	dcrat
behavioral1/memory/2832-13-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/884-40-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/2640-146-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/2136-206-0x00000000009D0000-0x0000000000AE0000-memory.dmp	dcrat
behavioral1/memory/2352-266-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2196-385-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/1724-563-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/1484-623-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/2652-743-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe
1732	powershell.exe
352	powershell.exe
1988	powershell.exe
2404	powershell.exe
2360	powershell.exe
2996	powershell.exe
2108	powershell.exe
2392	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2832	DllCommonsvc.exe
884	cmd.exe
2640	cmd.exe
2136	cmd.exe
2352	cmd.exe
2204	cmd.exe
2196	cmd.exe
900	cmd.exe
2532	cmd.exe
1724	cmd.exe
1484	cmd.exe
2852	cmd.exe
2652	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2120	cmd.exe
2120	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
41	raw.githubusercontent.com
27	raw.githubusercontent.com
44	raw.githubusercontent.com
15	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\5940a34987c991	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\AppPatch\Custom\Custom64\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\AppPatch\Custom\Custom64\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\Speech\Common\de-DE\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0243809765763179e9826fd6889677dd2e1d45cb44bd1e644344f06f1fc078b8.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2788	schtasks.exe
2792	schtasks.exe
1824	schtasks.exe
2960	schtasks.exe
2136	schtasks.exe
2064	schtasks.exe
2068	schtasks.exe
2128	schtasks.exe
1412	schtasks.exe
3036	schtasks.exe
1360	schtasks.exe
2924	schtasks.exe
1196	schtasks.exe
1792	schtasks.exe
864	schtasks.exe
1496	schtasks.exe
2728	schtasks.exe
1944	schtasks.exe
2376	schtasks.exe
2396	schtasks.exe
1712	schtasks.exe
1604	schtasks.exe
752	schtasks.exe
2264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2832	DllCommonsvc.exe
2392	powershell.exe
2404	powershell.exe
352	powershell.exe
2108	powershell.exe
2996	powershell.exe
1440	powershell.exe
1988	powershell.exe
2360	powershell.exe
1732	powershell.exe
884	cmd.exe
2640	cmd.exe
2136	cmd.exe
2352	cmd.exe
2204	cmd.exe
2196	cmd.exe
900	cmd.exe
2532	cmd.exe
1724	cmd.exe
1484	cmd.exe
2852	cmd.exe
2652	cmd.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2832	DllCommonsvc.exe
Token: SeDebugPrivilege	884	cmd.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	2996	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2640	cmd.exe
Token: SeDebugPrivilege	2136	cmd.exe
Token: SeDebugPrivilege	2352	cmd.exe
Token: SeDebugPrivilege	2204	cmd.exe
Token: SeDebugPrivilege	2196	cmd.exe
Token: SeDebugPrivilege	900	cmd.exe
Token: SeDebugPrivilege	2532	cmd.exe
Token: SeDebugPrivilege	1724	cmd.exe
Token: SeDebugPrivilege	1484	cmd.exe
Token: SeDebugPrivilege	2852	cmd.exe
Token: SeDebugPrivilege	2652	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2804	2644	JaffaCakes118_0243809765763179e9826fd6889677dd2e1d45cb44bd1e644344f06f1fc078b8.exe	30
PID 2644 wrote to memory of 2804	2644	JaffaCakes118_0243809765763179e9826fd6889677dd2e1d45cb44bd1e644344f06f1fc078b8.exe	30
PID 2644 wrote to memory of 2804	2644	JaffaCakes118_0243809765763179e9826fd6889677dd2e1d45cb44bd1e644344f06f1fc078b8.exe	30
PID 2644 wrote to memory of 2804	2644	JaffaCakes118_0243809765763179e9826fd6889677dd2e1d45cb44bd1e644344f06f1fc078b8.exe	30
PID 2804 wrote to memory of 2120	2804	WScript.exe	31
PID 2804 wrote to memory of 2120	2804	WScript.exe	31
PID 2804 wrote to memory of 2120	2804	WScript.exe	31
PID 2804 wrote to memory of 2120	2804	WScript.exe	31
PID 2120 wrote to memory of 2832	2120	cmd.exe	33
PID 2120 wrote to memory of 2832	2120	cmd.exe	33
PID 2120 wrote to memory of 2832	2120	cmd.exe	33
PID 2120 wrote to memory of 2832	2120	cmd.exe	33
PID 2832 wrote to memory of 2108	2832	DllCommonsvc.exe	59
PID 2832 wrote to memory of 2108	2832	DllCommonsvc.exe	59
PID 2832 wrote to memory of 2108	2832	DllCommonsvc.exe	59
PID 2832 wrote to memory of 2392	2832	DllCommonsvc.exe	60
PID 2832 wrote to memory of 2392	2832	DllCommonsvc.exe	60
PID 2832 wrote to memory of 2392	2832	DllCommonsvc.exe	60
PID 2832 wrote to memory of 2404	2832	DllCommonsvc.exe	61
PID 2832 wrote to memory of 2404	2832	DllCommonsvc.exe	61
PID 2832 wrote to memory of 2404	2832	DllCommonsvc.exe	61
PID 2832 wrote to memory of 2360	2832	DllCommonsvc.exe	62
PID 2832 wrote to memory of 2360	2832	DllCommonsvc.exe	62
PID 2832 wrote to memory of 2360	2832	DllCommonsvc.exe	62
PID 2832 wrote to memory of 352	2832	DllCommonsvc.exe	64
PID 2832 wrote to memory of 352	2832	DllCommonsvc.exe	64
PID 2832 wrote to memory of 352	2832	DllCommonsvc.exe	64
PID 2832 wrote to memory of 1988	2832	DllCommonsvc.exe	65
PID 2832 wrote to memory of 1988	2832	DllCommonsvc.exe	65
PID 2832 wrote to memory of 1988	2832	DllCommonsvc.exe	65
PID 2832 wrote to memory of 2996	2832	DllCommonsvc.exe	66
PID 2832 wrote to memory of 2996	2832	DllCommonsvc.exe	66
PID 2832 wrote to memory of 2996	2832	DllCommonsvc.exe	66
PID 2832 wrote to memory of 1440	2832	DllCommonsvc.exe	67
PID 2832 wrote to memory of 1440	2832	DllCommonsvc.exe	67
PID 2832 wrote to memory of 1440	2832	DllCommonsvc.exe	67
PID 2832 wrote to memory of 1732	2832	DllCommonsvc.exe	68
PID 2832 wrote to memory of 1732	2832	DllCommonsvc.exe	68
PID 2832 wrote to memory of 1732	2832	DllCommonsvc.exe	68
PID 2832 wrote to memory of 884	2832	DllCommonsvc.exe	77
PID 2832 wrote to memory of 884	2832	DllCommonsvc.exe	77
PID 2832 wrote to memory of 884	2832	DllCommonsvc.exe	77
PID 884 wrote to memory of 2176	884	cmd.exe	78
PID 884 wrote to memory of 2176	884	cmd.exe	78
PID 884 wrote to memory of 2176	884	cmd.exe	78
PID 2176 wrote to memory of 1284	2176	cmd.exe	80
PID 2176 wrote to memory of 1284	2176	cmd.exe	80
PID 2176 wrote to memory of 1284	2176	cmd.exe	80
PID 2176 wrote to memory of 2640	2176	cmd.exe	81
PID 2176 wrote to memory of 2640	2176	cmd.exe	81
PID 2176 wrote to memory of 2640	2176	cmd.exe	81
PID 2640 wrote to memory of 2724	2640	cmd.exe	82
PID 2640 wrote to memory of 2724	2640	cmd.exe	82
PID 2640 wrote to memory of 2724	2640	cmd.exe	82
PID 2724 wrote to memory of 2248	2724	cmd.exe	84
PID 2724 wrote to memory of 2248	2724	cmd.exe	84
PID 2724 wrote to memory of 2248	2724	cmd.exe	84
PID 2724 wrote to memory of 2136	2724	cmd.exe	85
PID 2724 wrote to memory of 2136	2724	cmd.exe	85
PID 2724 wrote to memory of 2136	2724	cmd.exe	85
PID 2136 wrote to memory of 2824	2136	cmd.exe	86
PID 2136 wrote to memory of 2824	2136	cmd.exe	86
PID 2136 wrote to memory of 2824	2136	cmd.exe	86
PID 2824 wrote to memory of 2552	2824	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0243809765763179e9826fd6889677dd2e1d45cb44bd1e644344f06f1fc078b8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0243809765763179e9826fd6889677dd2e1d45cb44bd1e644344f06f1fc078b8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2120
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppPatch\Custom\Custom64\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:884
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1284
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2248
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2552
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"
        12⤵
        
        PID:1508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2968
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat"
        14⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1512
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat"
        16⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1440
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat"
        18⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2832
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat"
        20⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2420
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat"
        22⤵
        
        PID:976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2192
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat"
        24⤵
        
        PID:572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1944
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
        26⤵
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2864
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
        28⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\Custom64\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\AppPatch\Custom\Custom64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\AppPatch\Custom\Custom64\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\debug\WIA\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Windows\debug\WIA\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Sidebar\Shared Gadgets\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d110eb26183803b5a44282d6ad5befb

SHA1
76d070e6655ebad8a2ed82fd77e60a8b59906447

SHA256
5fbd47e13621db38a9f44f805cae21cb90d9f7854590472b553569c8eefe6702

SHA512
d32018d96601f9ac96a756664e67281044da22f095753d893b6abc172cfa2adea5b2af32a5018a1d5942c86a12f122f46a7530950bdf0abece9ce0d4bc6569eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cb32582d5f1730706328e82d6061360

SHA1
ff2417ccd540bf16329ab36ec0dc4d67679487f9

SHA256
4e5a9f09bcefdde4e7072b95cdd092f822d3091d472ea6fce0758a2df3665abb

SHA512
8c2475593f955c8eedc4dc4e75c471d43a62ecdfc810ee366d0b8ad686e08bc1217576b29fe1f42ce4ffcf5d1bc28f94e9b3f17287e0f63cc770bd3a69d6b1c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6b7a43f2a77b8a861b5522fd352a0c6

SHA1
084dc4c435ba740d8308f040aafa630fd2de4430

SHA256
c19e803e89049bb8cc8a5cdc4455679221cfe395d20056a89936fd85e06eb424

SHA512
b680e8e46dd024814808220364abe958a078b948e6e06ba381fff5ebaddf57c510361a7cbef2a7ee25c97ad42a5003a098ae7dbebba90aa7a24511621e70cf4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc14984ec51abf28c9b2673ed43051a1

SHA1
a68b158d485d095b62875415c5670edb9b582315

SHA256
f77f5550848602e43a3b8739017dad7e97e461febb6aceb275796c1835ae7329

SHA512
8e2f1ff3b27b0f1d4c3bfac91599386f13410e673809d480a2644147b6871609949aad80e52c2619294fc1a6cab3dfe104998c51500bb2e214db53f43398b525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8846099f3524a43719b2bcabe991e854

SHA1
406895f614f2292df2165925d091648bc4f4c8b0

SHA256
2572870f347c026faac8fd1c7eade782880e7795b4d86abeff63592d121e9f12

SHA512
c706c724d3cf805a7df23d603709e780c0c76e3bf66f271a67d3561b3198bd4f7f39eb4f63b37e7fe3ec37cd1e37ba752802fa31e1d4ad703946d168a4345615

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e541801728918149ff7c1b73f4c1e939

SHA1
25d552cbdcbbd2202b14f6343be54fdf9eeaea62

SHA256
c57dd67cdaabd76af047307c5f4349d5c5b0bc6e622d31ae8280ca8e3521ba13

SHA512
5c44fe1c05a63345fce7e931c222ec7d2cf40ce21d586892f884b8eaa97f20e9ce4a4e6b68e3a6044e7ff326bdb65d03fcc098e01e1ecf9f730c590477d88997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78b2e6737daa65a8d295d2630f3e7817

SHA1
3bd40911a4bf40a7cb14bf7fb92e09be55ef7613

SHA256
7f9b0d0ddd79b77ef7a33924c8c4bc22f6dc899b3f7bb29f6c741e78bdaaf536

SHA512
7672c5730154d86061be8b77543bf423730338a54807301222d365595601f57d524697bf1d73114a623c8103c62c7052101140f76656ae4d3e30d1fa46cde02d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3178feb03047116c832ef0a606db721d

SHA1
b15ad8882b6ab3de5f1a00dc1094bd17a173dc9e

SHA256
483fe7e0bb956f6ae17893aef31d4387c4acc5ed31f576f9d34a75c4d45873d5

SHA512
3d7c02de8ee6a3642cd6f7c08e096fb363828e4ca3beafdcd58dff63fdbc03c87db198be8526529add685e0209e2175825f44ffab5a7ea57082c38e568f1fc45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a964b855e736dd14036a144d92a763d2

SHA1
e3e3a76c79f8236bb0b116cc9e6002a5894099af

SHA256
a22045bea224acd9dcdca7955a84354b17ddeac5b91bb259c0ad8b148d72cd70

SHA512
a9cfa99f4d60d07063becec7d91f95648846baa1c42614669b832cf71dc57293b79f30156280442d537a0a21767783ef9fcd929d2bc6b9b52c414d99766387f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a3e4f7b8e7975e05b743a6675975354

SHA1
189b049f58ff81fd9479f7b6ee2bbc16fb32bca2

SHA256
eb5cbf62a7896b12ef28d59c652e6179ae935c4af7d373ee02c646e666e10c5e

SHA512
bc2995629f771c39bb9b0d8f19d3e2b33ffaa4ad900e01c6c068ed4605089bb21f0ed5f3964c6dbefbe0c734fd56d164cc58f20bf961eeb4459b6615950b7c64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ef0ce04daa544b8aef5388e6789eed1

SHA1
b668ef42b1212d1fb3956d44dd25129af5d27f83

SHA256
7271de2dc790f74940a8cfc5b0ae171bb54cda08654e4f932812c40d08193878

SHA512
46cf2a5c287276d249b0a006124ca19c44d4132fed10d40150f401c2e33b733ce075fabbf3a292166c3c669e5a8c50e6527b5cf4a1bfd82a0db005cde5942393

Download Submit
C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat

Filesize
221B

MD5
38f14206723c83f8f0886cd1a79b4a7b

SHA1
57f2cbbfef9a5f2927e974ece6142df4697cbb75

SHA256
2b5e432dfb7167f4a07b3fc77d432171947308e909bd06e91c7dc5eb98481cc8

SHA512
e74d7e6b568198e1629562318bd55be581a70c8a122c5bc524ec13e874f87bb28683564a6375e228fbb9f0fad60cc2f4508c51b2878219adaec741d3922d8da8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
221B

MD5
0c4acdf589813e7726f14e98c60087da

SHA1
eec8a7971f51832cbafddcaa6e1618bf7372246a

SHA256
066097f4bbae209aad742408827cda9f0089a4a46a68dcec3cda18b4c9edae3f

SHA512
24970c6ca5a5422112de6d0bc9bb9ccef8401738543c88ff151b4ffedf00a39f55384c5eee2ff6a39b16bbbfdc40691f411c3ec01de3cdeeea460df51a1b3317

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab39B8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FBcCl1WGSV.bat

Filesize
221B

MD5
1e5915b9636523b14725162c8fc29694

SHA1
4bc44c89b60ada40d5559b4326d9f400709a36b4

SHA256
d6040dd8083d5e2ecb238a1c9fbfb277b94d3c23d90497893c873235c4a45d16

SHA512
ab110bb1406964e7deea291c014927b499d6235607192822d6ebae9887c9c7702c70d42d21a31ea52f769f64a66b3ad979659da610ce0cfaf3919d6c43aa0905

Download Submit
C:\Users\Admin\AppData\Local\Temp\KwQfKFARzT.bat

Filesize
221B

MD5
b3e771e02416aa7b03d48101d3961d91

SHA1
31ba26502fc21714088fcae03031606dc8a6dcbd

SHA256
21c395ea16b725408d9265693844ab76f23cec84be572b81721207bba852e1f9

SHA512
beb39bb5dd037fa0d1842d4f98452981cdd404ca38db47d0029d1256052b5f62cdf7e5a2f0491e0d4f0dd147b6a4f21e1b7d1c7b47dc5e36f3a7a774304a3821

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
221B

MD5
b229a7b20f0f22d5103ea619f2022203

SHA1
0b292ef7bb272122436283e21688f2bc006288b0

SHA256
28592622b1d2a443fe18c73e3b6cb61c901d132622a345875aa063ca733d1e25

SHA512
ec518e2b4f38c542dff71edcd0d3a7de9b7f046a247132880ae228e07f8cf04acd8518bb18eaf33a8b6cee3a372bf4009489aff7f29017acb206f1056a2a024e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar39CB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat

Filesize
221B

MD5
b9c58d6796b5f36fb893d54aa5bf0fbd

SHA1
c98b0716964096d12a07d15e7bdf7b54238a04c2

SHA256
6c6c79959331664c2074e3d457a2903850b1b7ca381981c775f90411eb4f5ea6

SHA512
cae4ac9043b63e6308f94e5da1b265a03ee2e4429d6acffafea6d45525dce439bde2fe668c06a0056370dd8969702973e172fecb1f3b2467b9047f145ab1470a

Download Submit
C:\Users\Admin\AppData\Local\Temp\gW6qUMg8Bu.bat

Filesize
221B

MD5
0e79a9e7b7c78d677e2d126c12e41c16

SHA1
1c5e6d718cfa13f6435b5e4d732bfdb6ff4d1ca2

SHA256
a9f83aa2143330fbf5f40dc38072f6de8a5f865281b8f2c4cb1ca1a00677cec8

SHA512
762cfb39efed4059e0a19dbe94caf764792b3a01534c980c427371524bb8cdadf14c3f67139ef6cbc8a33d203663c425ceced846d5bc390d98bad94e746575e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\uP802u8Cku.bat

Filesize
221B

MD5
40c06724da8d3f67cb7c3c4b4f698745

SHA1
ca4c4f61d83428c871d6d422b5c7809e0c1205b1

SHA256
e6bf131216e6b63514b47fc5bb03b42beb97ef9ec81b027e8e0569b86b2359c9

SHA512
ccb15cb06221c21d73b5d2275850097280541ca3c30114f4be21f24b87bfb63717189a5e401134f5cb9d910b6383f8e46cf244e2d42ab55086a3bf6fdb993c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat

Filesize
221B

MD5
1e9ef9784e91dbf2db2fbb5fdd8ac3aa

SHA1
c40c05b5e952b2028536dd28447af0982b7769d5

SHA256
7597d5307522e67149eb05a77eb156e5f54995105e0fbfd0148b9da1b01b00db

SHA512
ad23ac9f39bfe8c5e32f64f00ec0c715f6bdc815cd557a843692028d41a02a6f948ae6d29270a34c247a5edf6cf79020ba379df2842789636fbe7178b7e3ae73

Download Submit
C:\Users\Admin\AppData\Local\Temp\wNwF62sylT.bat

Filesize
221B

MD5
ee2bd1aaa20029d85ac54bfd275af049

SHA1
a4f1f806a28f9a956576116b3f26df5a55c0e798

SHA256
c3c007317e1a13eb3220f0e42e719cf222f38c083b25ed8a935df63ed54eb338

SHA512
d2228928c271dc283e7062048286f6fc258a4448e1520b1277f1c19c93f55d1663f9163ce00ccfdbf2872fff5620c9f94bbea5497c4af82fc5a32bfa6b379cae

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRWwqJyPGw.bat

Filesize
221B

MD5
c0c35b4c52865331d826cffcc70c5bbd

SHA1
ff1e6607399242b8cfc1581a403c9693518b9530

SHA256
92625ec184c1ef0cd8fef784627bd5a08f702c70811833121f08d35996887baa

SHA512
136a959036965e354b8f197a15ea63a0a4ff92ac0db9fda1597c73022d683938b203d9916bfd8d13131d511f7da211cab8287d85ac0c54c5370696de1fcfd505

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat

Filesize
221B

MD5
61156b20aa8bdf39787bf5a5d3304eca

SHA1
ffa0791d7336a52cf5a5a7e71ef0a7401eb780d7

SHA256
0a7362082fe1a01c5d43e023e47fe4665f244d75bcdae40fbe0e59daaff0a899

SHA512
41662a29caf088fcb5b057eb7c0477c557e627e928c94db02f95c2b4e8d9572a7824a48b37b05771184b0432e02efb8265897321f4372dcfcdda2f1d19f5b8e2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8f11effe8f21d75f244fae03c3ed1e6c

SHA1
fc5dec0909aa55a2135fde3f997ca7adb2fd7db8

SHA256
889c0039f082aff747993d8f63c1a87f5fb373799eb7a15f919e307e8bdbdeac

SHA512
638a3cbea4c8326def48c24d03696788225a195280f73d58fcac35c90b77002a41123debffeeaa69e6feeff0991e963565e6e9b38faf5c23c49d7ce6bf8d98cd

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/884-40-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/884-87-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/1484-623-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download
memory/1724-563-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/2136-206-0x00000000009D0000-0x0000000000AE0000-memory.dmp

Filesize
1.1MB

Download
memory/2196-385-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/2352-266-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/2392-50-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2392-49-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2640-146-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/2652-743-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2832-17-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2832-16-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/2832-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2832-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2832-13-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2852-683-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download