dcrat | a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe
Size

1.3MB
MD5

7d483df2f3526ad0416976e70659d522
SHA1

192d8434120956f1b0511a186fcfcdf480b4782b
SHA256

a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef
SHA512

3cc2aeb924ec0d303509ebbf440c02582fb9d8150209808ac1e53b7363a05517c88e9461392b4aa87dfb9c3ca6960b06340c590bdd5b3d13b5c491c93e87e4be
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2800	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018687-9.dat	dcrat
behavioral1/memory/604-13-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/1996-40-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/1036-146-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/1780-383-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/316-443-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat
behavioral1/memory/1796-504-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/2456-564-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/796-683-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/688-743-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2376	powershell.exe
2208	powershell.exe
2280	powershell.exe
2200	powershell.exe
840	powershell.exe
2584	powershell.exe
2188	powershell.exe
2444	powershell.exe
1360	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
604	DllCommonsvc.exe
1996	OSPPSVC.exe
1036	OSPPSVC.exe
2280	OSPPSVC.exe
2664	OSPPSVC.exe
1492	OSPPSVC.exe
1780	OSPPSVC.exe
316	OSPPSVC.exe
1796	OSPPSVC.exe
2456	OSPPSVC.exe
2320	OSPPSVC.exe
796	OSPPSVC.exe
688	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2944	cmd.exe
2944	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
43	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2672	schtasks.exe
1092	schtasks.exe
1984	schtasks.exe
2828	schtasks.exe
1720	schtasks.exe
2960	schtasks.exe
2832	schtasks.exe
2652	schtasks.exe
2696	schtasks.exe
2180	schtasks.exe
1960	schtasks.exe
1164	schtasks.exe
1620	schtasks.exe
2756	schtasks.exe
2040	schtasks.exe
2796	schtasks.exe
2008	schtasks.exe
2844	schtasks.exe
2936	schtasks.exe
2628	schtasks.exe
2168	schtasks.exe
2432	schtasks.exe
2440	schtasks.exe
2224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
604	DllCommonsvc.exe
604	DllCommonsvc.exe
604	DllCommonsvc.exe
2376	powershell.exe
2200	powershell.exe
2280	powershell.exe
1996	OSPPSVC.exe
2584	powershell.exe
2188	powershell.exe
2444	powershell.exe
1360	powershell.exe
840	powershell.exe
2208	powershell.exe
1036	OSPPSVC.exe
2280	OSPPSVC.exe
2664	OSPPSVC.exe
1492	OSPPSVC.exe
1780	OSPPSVC.exe
316	OSPPSVC.exe
1796	OSPPSVC.exe
2456	OSPPSVC.exe
2320	OSPPSVC.exe
796	OSPPSVC.exe
688	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	604	DllCommonsvc.exe
Token: SeDebugPrivilege	1996	OSPPSVC.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	1036	OSPPSVC.exe
Token: SeDebugPrivilege	2280	OSPPSVC.exe
Token: SeDebugPrivilege	2664	OSPPSVC.exe
Token: SeDebugPrivilege	1492	OSPPSVC.exe
Token: SeDebugPrivilege	1780	OSPPSVC.exe
Token: SeDebugPrivilege	316	OSPPSVC.exe
Token: SeDebugPrivilege	1796	OSPPSVC.exe
Token: SeDebugPrivilege	2456	OSPPSVC.exe
Token: SeDebugPrivilege	2320	OSPPSVC.exe
Token: SeDebugPrivilege	796	OSPPSVC.exe
Token: SeDebugPrivilege	688	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2380	2072	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe	31
PID 2072 wrote to memory of 2380	2072	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe	31
PID 2072 wrote to memory of 2380	2072	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe	31
PID 2072 wrote to memory of 2380	2072	JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe	31
PID 2380 wrote to memory of 2944	2380	WScript.exe	32
PID 2380 wrote to memory of 2944	2380	WScript.exe	32
PID 2380 wrote to memory of 2944	2380	WScript.exe	32
PID 2380 wrote to memory of 2944	2380	WScript.exe	32
PID 2944 wrote to memory of 604	2944	cmd.exe	34
PID 2944 wrote to memory of 604	2944	cmd.exe	34
PID 2944 wrote to memory of 604	2944	cmd.exe	34
PID 2944 wrote to memory of 604	2944	cmd.exe	34
PID 604 wrote to memory of 2584	604	DllCommonsvc.exe	60
PID 604 wrote to memory of 2584	604	DllCommonsvc.exe	60
PID 604 wrote to memory of 2584	604	DllCommonsvc.exe	60
PID 604 wrote to memory of 2208	604	DllCommonsvc.exe	61
PID 604 wrote to memory of 2208	604	DllCommonsvc.exe	61
PID 604 wrote to memory of 2208	604	DllCommonsvc.exe	61
PID 604 wrote to memory of 2280	604	DllCommonsvc.exe	62
PID 604 wrote to memory of 2280	604	DllCommonsvc.exe	62
PID 604 wrote to memory of 2280	604	DllCommonsvc.exe	62
PID 604 wrote to memory of 2200	604	DllCommonsvc.exe	63
PID 604 wrote to memory of 2200	604	DllCommonsvc.exe	63
PID 604 wrote to memory of 2200	604	DllCommonsvc.exe	63
PID 604 wrote to memory of 2188	604	DllCommonsvc.exe	64
PID 604 wrote to memory of 2188	604	DllCommonsvc.exe	64
PID 604 wrote to memory of 2188	604	DllCommonsvc.exe	64
PID 604 wrote to memory of 840	604	DllCommonsvc.exe	65
PID 604 wrote to memory of 840	604	DllCommonsvc.exe	65
PID 604 wrote to memory of 840	604	DllCommonsvc.exe	65
PID 604 wrote to memory of 2376	604	DllCommonsvc.exe	66
PID 604 wrote to memory of 2376	604	DllCommonsvc.exe	66
PID 604 wrote to memory of 2376	604	DllCommonsvc.exe	66
PID 604 wrote to memory of 2444	604	DllCommonsvc.exe	67
PID 604 wrote to memory of 2444	604	DllCommonsvc.exe	67
PID 604 wrote to memory of 2444	604	DllCommonsvc.exe	67
PID 604 wrote to memory of 1360	604	DllCommonsvc.exe	68
PID 604 wrote to memory of 1360	604	DllCommonsvc.exe	68
PID 604 wrote to memory of 1360	604	DllCommonsvc.exe	68
PID 604 wrote to memory of 1996	604	DllCommonsvc.exe	74
PID 604 wrote to memory of 1996	604	DllCommonsvc.exe	74
PID 604 wrote to memory of 1996	604	DllCommonsvc.exe	74
PID 1996 wrote to memory of 2176	1996	OSPPSVC.exe	79
PID 1996 wrote to memory of 2176	1996	OSPPSVC.exe	79
PID 1996 wrote to memory of 2176	1996	OSPPSVC.exe	79
PID 2176 wrote to memory of 1296	2176	cmd.exe	81
PID 2176 wrote to memory of 1296	2176	cmd.exe	81
PID 2176 wrote to memory of 1296	2176	cmd.exe	81
PID 2176 wrote to memory of 1036	2176	cmd.exe	82
PID 2176 wrote to memory of 1036	2176	cmd.exe	82
PID 2176 wrote to memory of 1036	2176	cmd.exe	82
PID 1036 wrote to memory of 1944	1036	OSPPSVC.exe	83
PID 1036 wrote to memory of 1944	1036	OSPPSVC.exe	83
PID 1036 wrote to memory of 1944	1036	OSPPSVC.exe	83
PID 1944 wrote to memory of 2452	1944	cmd.exe	85
PID 1944 wrote to memory of 2452	1944	cmd.exe	85
PID 1944 wrote to memory of 2452	1944	cmd.exe	85
PID 1944 wrote to memory of 2280	1944	cmd.exe	86
PID 1944 wrote to memory of 2280	1944	cmd.exe	86
PID 1944 wrote to memory of 2280	1944	cmd.exe	86
PID 2280 wrote to memory of 2052	2280	OSPPSVC.exe	87
PID 2280 wrote to memory of 2052	2280	OSPPSVC.exe	87
PID 2280 wrote to memory of 2052	2280	OSPPSVC.exe	87
PID 2052 wrote to memory of 2444	2052	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a1cf22d235f897eb34dd704b2b79532fc96c33e840e5acd550c8db8092788cef.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1996
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1296
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2452
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2444
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat"
        12⤵
        
        PID:1272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2260
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat"
        14⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1572
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat"
        16⤵
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2184
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat"
        18⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2660
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat"
        20⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2656
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        22⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1324
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        24⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1656
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
        26⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1648
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
        28⤵
        
        PID:536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
901edff7b81025332726ecd89891512f

SHA1
4ca589f7126869bf030de00ab32a7616cf406964

SHA256
9855b28c2958572413efd6291ccb129ced63a66c46da64054c4c30872d035815

SHA512
e5f14f08f04f153031f3d37787ab38b38ed4f405020528ea5207ad69ba59a6dc5d4b2cd9ed55c2809ec36e042464978a193599096e52d2c123f1c8ec27ad1f50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
021a4fa910b498b95437c0c5b4788c1b

SHA1
5120433753c143aa71df576e7ca7fdb677006924

SHA256
274061521b293d78530ca77d014ff32da5ac29768bb4c9aaefe4333875561463

SHA512
40b8065fb44b8eb998327eb4ffb4a6e85279fcd80a662f6b5791e1381fe0634672fa10a8c7b10a8a997cee35391f92218ab48b9d70349d0b63cafc1be8b32ab6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51d0a437a27d85697aa82811b6fc03cf

SHA1
3afa8c08b1d3da43a1cd5ec97ad501ed0d12c952

SHA256
cc02d44aefd54ec070bb44629b8a26334d0c3fad8ef5bcfba45ae3d9dc8fce06

SHA512
55e19292fcd5ccb6c44bacf9e13e500ab94b5f5feca00c5d6f7fee513eaebf0c81efced4c84e0084a5e83923c42fe139207474efc7b0caa094da6d5f3f23fccc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33bcd5185234fdd6577f7e89ec7a7ff9

SHA1
7c84b01265b66d4915cbe92f34ee6b61eccb67bb

SHA256
2a1186182d1511b93747e32ea9dd55870d2aa409d8d25a98856172cec59e3168

SHA512
ea6737c1a0a8f492d2b99dbf7d0be2ac021be684ad044a6cf718800dc81c1e3ae5cbdd8e028446cf23b7846c8004848c5cef38ae41294332a44a4fcecd5473c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0af2c35167a1c1c5cdf098b521f2d1bf

SHA1
095f1b1ab4308e2052af48e05e22e6a82d48daf3

SHA256
3d50506a8d38487511d571a106241dbae03cafb02f71e595ef7750aeac7dc446

SHA512
ee9b644923d13479a5e0ae4cd97a070d8166c81367741e698305356c0f32d62fe91bd274b233ad95fe291a9888a3ded46801da3ee682b094ea5159bfc8e7d50b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c65fe937d821e91fbeeb7311a44e3921

SHA1
9703a25a9b2fe1613729562de98cb066faef7b45

SHA256
bb0daeb800071e75161da25745ead5fc2a8f711ee053878adcc1494c1c37455f

SHA512
6a9a0175fd15653f950062c6f99f91267a1e3e681c2b5d96a6c0649a90284b198ebed743f563b2d5caf38f6978454be9af213d7f95ca57ebddf3dfd076b963f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d11b3f2ad5dd71032797720b72de978

SHA1
032f2159f9961cddacf579fe7770165f825ce0ab

SHA256
26cfee073a3a128b0de9f7f4a95ab4db10f35127e7168a1a5f60f15d0fc1955a

SHA512
01ead9951a2818b4f6f983c0e84e933307be937c6aae2c4f052e835e30a6f4e48d111b75406a16ea70cf31757c5a9fadd814fd97e548f484d6f75700eeb38a1b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56244b206e34dbc6e74d89bfb4746fc4

SHA1
30049dd4fb58e23b8460104ea98f1e4a1e38223f

SHA256
9d9aa35cc9a6ef3da58dc2cde60c1be8640060cc76b1c0acc0b90d846d460d1f

SHA512
4b2496ea2cc033316769180085b2858f0a21941337e8640d3e384073c3e5b588cd804003959da0255f7a193599a800148f6ec198ef3ec58bf5d3b3bd1b8f7637

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df4a26629b9114fd14dc6106a1d1ae0f

SHA1
f4472601c2c7f2158fdbcb40fa4c3bdd364152a0

SHA256
942f678fdfa36e0f5d1b37f99f369afceacb3b35e8afb4193b8884f942979c21

SHA512
0f5fb3605f932512f172bffc5b8cca23ce2bbf163efb476b365272556fe9b517a152c735c1c10276fc51d2a5124dc1fbdb16696bbf7c315ba6a614d85b5e8678

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd6784cc415617e2a095fa794122efcc

SHA1
4a13a878ce9dbda6104c3965bdfb908accf0b590

SHA256
d0f7f88a1b9a476241d46f895d9ecafe41f013f1f00aae57a54f89808e2be4b0

SHA512
68484a821b0f84a5ea41c6b3ad29c69cc027e9785d32e2be830318b723b07b28ab370ef57242ea105fc716f2b2187518d8420e639442a8ba13442bb992a8b2a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
133ee9d2b291e2c9e180e490f75472fa

SHA1
6478b57a7fef71ad7f4689062ab47bf0dfbb2c04

SHA256
ed6f6f069ec4f98954bffe4ccbf241bfc98073a1d61d8f09a9cde29a8b38776d

SHA512
aaa5c552007064a84e65cc537f94ef31688b6ffa80380a2f81a19fe8c78b89168e1316a665fe9ba49545940ad0dbf7e5e6ab4a4a623db7a1f24c7dd9291194fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\00vfQAbtTV.bat

Filesize
250B

MD5
a6b56f930b4148416b36fa7913faa351

SHA1
74f52feea969168a3ae47f343bebfd6435e80237

SHA256
8463dffc7834be4127c2e3fec93f90b4de736bb3133741d761516c3a0e5a046a

SHA512
a656b5bcbb4087f1c5a8aa865743f8dec49acc9bbc3cc2737fd49c96e5564b04109b19499e6b86b074a6ad56c6362d2dc4d66295817e56eb45f7b311cd4ba3c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat

Filesize
250B

MD5
f3b91f720e5c1813b635666e89451404

SHA1
f581b1ae4031f31cdce2336c6b5a100bef025b6e

SHA256
bb9f1ee0180bfffcc3be528d5a867b55bd5ffda563ca2c7098f11e9dffede004

SHA512
2cf7dc6840fc1cda27a2abc11011e158c69a086f039e246dd16e3f88732dd65763ba72b580f0f8ae4cf5440765334036f1db3b860c44ca85b3ff96daac6733b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

Filesize
250B

MD5
7c10548a0c5f98f7564deead308bf4d1

SHA1
7c1ed1585e04f42bdf63c248bda2a424d56b1f1f

SHA256
349bb0688938a80fbd5074bd54479835dd758b58a4874b1c7bdf1b544d8325e1

SHA512
135955428762d54515bf4377d11328a0d6e5fa5c6fecb4eef61a6d35bd6f5ede6367509e10e253048f44e237a6a42a256c55a3211a5d3bf557cd216e2c040758

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
250B

MD5
05c4072e732ee460af614561a7b35844

SHA1
dc12ca216c42c9fb81bfea2854e455f10edd45ad

SHA256
8939d472510ab10c5da1ef1a48cc8f326bb2d8fb7e7c736360a20bf2a741225f

SHA512
fe84903ab867d249979018d4a1a39f7c3830949d70305ee85bda837a4511a334f81c1d8db695322e3987e01be586963adbbcfc1cad6e334f2d564537285bd7f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab782.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
250B

MD5
9c8015fab15195f1382a1cc4e3eb3951

SHA1
d89b757d631e64f4c2ada2fcf6b2e570db630503

SHA256
17fefa4f20111840dffb30f9e3ced767ef262f37dd8eb1c619b8526525c03304

SHA512
5bc4941b7d9e901f06d168005113004c071b4a0717399863251366cb07bc0c4047f165c669bcd93bf17f806fb4e4ad60bf4f87713569af19e77998719cfda654

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
250B

MD5
e5028c63b93246b935303b8e203c0319

SHA1
da001d9aafbd0d2231ea8dc27d6bc5b1e707cfd5

SHA256
2349ce7e6b11dd67515912f95683df0f6fd52390332f7c293dc66b21feaae02c

SHA512
77f0f93f56681717b16d3344b0875fa8241ac618dfd7f36ed210871d87a80f840c46171ecf99bd9a68cb445beace748f6fd49dda090176cf6b2027b0fc8b35a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7A4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat

Filesize
250B

MD5
84d1e503946e366bfa668f9c473ff59a

SHA1
444a80fe5aa920c94e39cc561d06f5c7be618eb0

SHA256
282cbddebc9e1aef250b8a7fa3d35720cff3da9c0f495e0caba2a9c1f0507e72

SHA512
ac8f775699f367f78dea38ca77e53666fac02e8f00cd544d30506fb32f72b038d8467012527af9aedd81a8de226381c4280eb70db6f0c0f3da5de59d40140295

Download Submit
C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat

Filesize
250B

MD5
ebe23350ea3ad5ba0777b4ca1d7ee7f1

SHA1
ef3e27c3966e8cdd8873c20cc0ca28df9bac360a

SHA256
b96e99b6bf7bad8e3f6eaf183a1f7da8b809db6fd67e2673f76904c3de2f34b1

SHA512
e1c0b999133faa9ee7629d334adef006ab9a07591fa31ccb080826ce3a4b1f8a50b4e9654099223caaae7b189a1a2acbe5f795a34b7fb8e37959deb73431dc2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\cSLzsZ1i8q.bat

Filesize
250B

MD5
1824e18ab5e98658628783d4c125ec58

SHA1
b0a4fdbd6cc9f2536543883b2fdf1beab644baeb

SHA256
b90e77b8253f8a1e388f71c309a2b53b5670ce4b65db4522eb295421b8e7014b

SHA512
fdd7f08b4c658808a36a4a32cd39e90b40f18270de382df29b1a02e426ffbc9c8dfa26755b8851de4eb5f62fbdeb77a52b41881a4cab629f120370237e4eef6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

Filesize
250B

MD5
f7f009d762361a6f5d7ed3484ead459e

SHA1
235a913e3d569b057263f5287fa8d2476df2960b

SHA256
a11b6ebe45693c8f5ef4d3983a1f2790ff5fbbdf268283c93516729224f5b8bc

SHA512
6018721f4880a8820e6f895249899a2f4ed67ad8c5d54aff4d90870914e71e1cdadac7f598bb4d55cc231b2d123731d81bf1605e8a68b2a685bf5f88f2fb69e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kKaF7FiTK0.bat

Filesize
250B

MD5
5135680867c5414558ac474e086a0fb5

SHA1
851c46da126ceaa4bd117ccfa15ef8af564373cf

SHA256
c08627c9454d56ef1df61c7a7c07bd8f6bf40ecd8b0a8d785ee4d5493a1ec25e

SHA512
f2ce85b511d35b36f7ec9191b7747dc4774b6da2c94b962a59b8950e2850379fc4f738a627f2ee50f8db111db6bbdb2dfc92786504576181f3f874bab1cc80f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\uLZJId2lFR.bat

Filesize
250B

MD5
ed603a9480c7d85c7fa1af1accac1275

SHA1
82c49c6505a8a1cfcfd6bd6c31251967482f96f6

SHA256
92ca73b7455918f571758b1f5f453cb7088149f66a7444faa33f59a731fc6920

SHA512
628beaddb5b8ea0e4ccf94468e6c060d46e62e6d9cdae9b39435ea6b69c626c56fc1fb7f5a0d49d8d13656f3d71098c79d5bdd793d7739005cd44da60975d161

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7LKVWENTIXA0EDVRZ1E9.temp

Filesize
7KB

MD5
5178e475fe28a74470f1cb694d0eab6d

SHA1
383cabfed9cb2ba3a7273b8eb3d9627647ddb279

SHA256
00305e6e66b0a282f9d69bcce621cec99eaa3ff3f00cc52c637044136c39f486

SHA512
c3c30025c7ffee7eb6883e0dec5ee41a95dee5d3e2b1b3601d1e670e0bdc34ead9a048999deb3a732c8f584814061a0f72ec215fc85fb7b94f08a20e60b419d6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/316-444-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/316-443-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/604-13-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/604-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/604-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/604-17-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/604-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/688-743-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/796-683-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/1036-146-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/1780-383-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/1796-504-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/1996-40-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/1996-46-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2280-56-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download
memory/2376-57-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2456-564-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download