dcrat | b3cb52bec6cadce2eb0069786957f26673aa7bc95bf9fea85454edf40aba265a

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b3cb52bec6cadce2eb0069786957f26673aa7bc95bf9fea85454edf40aba265a.exe
Size

1.3MB
MD5

4c2913f7656f775d1eaa9770083fc4ac
SHA1

b908d87be414a2b41428867f6694222a2da0bf84
SHA256

b3cb52bec6cadce2eb0069786957f26673aa7bc95bf9fea85454edf40aba265a
SHA512

79457ccbe161a8c4bcd9aea4a271bffb2922d353389a3cb1f3d8491cd3b77ea0ffc04e5189da774759044c40fe507bbc034f36974a0cf98030e5ce75dded9ead
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2828	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2828	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d7f-11.dat	dcrat
behavioral1/memory/2256-13-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/2752-86-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/2344-145-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/1136-323-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/276-383-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/1872-502-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2072	powershell.exe
2196	powershell.exe
2232	powershell.exe
1508	powershell.exe
640	powershell.exe
2216	powershell.exe
2168	powershell.exe
948	powershell.exe
836	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2256	DllCommonsvc.exe
2752	conhost.exe
2344	conhost.exe
1744	conhost.exe
2076	conhost.exe
1136	conhost.exe
276	conhost.exe
2572	conhost.exe
1872	conhost.exe
3020	conhost.exe
2360	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2184	cmd.exe
2184	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
30	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\meta_engine\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b3cb52bec6cadce2eb0069786957f26673aa7bc95bf9fea85454edf40aba265a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2924	schtasks.exe
1308	schtasks.exe
1960	schtasks.exe
3028	schtasks.exe
1972	schtasks.exe
2456	schtasks.exe
2624	schtasks.exe
1808	schtasks.exe
340	schtasks.exe
1936	schtasks.exe
1504	schtasks.exe
2108	schtasks.exe
2604	schtasks.exe
2632	schtasks.exe
1640	schtasks.exe
2952	schtasks.exe
2576	schtasks.exe
2016	schtasks.exe
2948	schtasks.exe
2664	schtasks.exe
2928	schtasks.exe
2996	schtasks.exe
2332	schtasks.exe
2740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
1508	powershell.exe
640	powershell.exe
2232	powershell.exe
2216	powershell.exe
836	powershell.exe
2072	powershell.exe
2196	powershell.exe
2168	powershell.exe
948	powershell.exe
2752	conhost.exe
2344	conhost.exe
1744	conhost.exe
2076	conhost.exe
1136	conhost.exe
276	conhost.exe
2572	conhost.exe
1872	conhost.exe
3020	conhost.exe
2360	conhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	DllCommonsvc.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	640	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	2752	conhost.exe
Token: SeDebugPrivilege	2344	conhost.exe
Token: SeDebugPrivilege	1744	conhost.exe
Token: SeDebugPrivilege	2076	conhost.exe
Token: SeDebugPrivilege	1136	conhost.exe
Token: SeDebugPrivilege	276	conhost.exe
Token: SeDebugPrivilege	2572	conhost.exe
Token: SeDebugPrivilege	1872	conhost.exe
Token: SeDebugPrivilege	3020	conhost.exe
Token: SeDebugPrivilege	2360	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2092	2504	JaffaCakes118_b3cb52bec6cadce2eb0069786957f26673aa7bc95bf9fea85454edf40aba265a.exe	30
PID 2504 wrote to memory of 2092	2504	JaffaCakes118_b3cb52bec6cadce2eb0069786957f26673aa7bc95bf9fea85454edf40aba265a.exe	30
PID 2504 wrote to memory of 2092	2504	JaffaCakes118_b3cb52bec6cadce2eb0069786957f26673aa7bc95bf9fea85454edf40aba265a.exe	30
PID 2504 wrote to memory of 2092	2504	JaffaCakes118_b3cb52bec6cadce2eb0069786957f26673aa7bc95bf9fea85454edf40aba265a.exe	30
PID 2092 wrote to memory of 2184	2092	WScript.exe	31
PID 2092 wrote to memory of 2184	2092	WScript.exe	31
PID 2092 wrote to memory of 2184	2092	WScript.exe	31
PID 2092 wrote to memory of 2184	2092	WScript.exe	31
PID 2184 wrote to memory of 2256	2184	cmd.exe	33
PID 2184 wrote to memory of 2256	2184	cmd.exe	33
PID 2184 wrote to memory of 2256	2184	cmd.exe	33
PID 2184 wrote to memory of 2256	2184	cmd.exe	33
PID 2256 wrote to memory of 2072	2256	DllCommonsvc.exe	59
PID 2256 wrote to memory of 2072	2256	DllCommonsvc.exe	59
PID 2256 wrote to memory of 2072	2256	DllCommonsvc.exe	59
PID 2256 wrote to memory of 2196	2256	DllCommonsvc.exe	60
PID 2256 wrote to memory of 2196	2256	DllCommonsvc.exe	60
PID 2256 wrote to memory of 2196	2256	DllCommonsvc.exe	60
PID 2256 wrote to memory of 2232	2256	DllCommonsvc.exe	61
PID 2256 wrote to memory of 2232	2256	DllCommonsvc.exe	61
PID 2256 wrote to memory of 2232	2256	DllCommonsvc.exe	61
PID 2256 wrote to memory of 2216	2256	DllCommonsvc.exe	62
PID 2256 wrote to memory of 2216	2256	DllCommonsvc.exe	62
PID 2256 wrote to memory of 2216	2256	DllCommonsvc.exe	62
PID 2256 wrote to memory of 1508	2256	DllCommonsvc.exe	63
PID 2256 wrote to memory of 1508	2256	DllCommonsvc.exe	63
PID 2256 wrote to memory of 1508	2256	DllCommonsvc.exe	63
PID 2256 wrote to memory of 836	2256	DllCommonsvc.exe	64
PID 2256 wrote to memory of 836	2256	DllCommonsvc.exe	64
PID 2256 wrote to memory of 836	2256	DllCommonsvc.exe	64
PID 2256 wrote to memory of 640	2256	DllCommonsvc.exe	65
PID 2256 wrote to memory of 640	2256	DllCommonsvc.exe	65
PID 2256 wrote to memory of 640	2256	DllCommonsvc.exe	65
PID 2256 wrote to memory of 2168	2256	DllCommonsvc.exe	66
PID 2256 wrote to memory of 2168	2256	DllCommonsvc.exe	66
PID 2256 wrote to memory of 2168	2256	DllCommonsvc.exe	66
PID 2256 wrote to memory of 948	2256	DllCommonsvc.exe	67
PID 2256 wrote to memory of 948	2256	DllCommonsvc.exe	67
PID 2256 wrote to memory of 948	2256	DllCommonsvc.exe	67
PID 2256 wrote to memory of 2116	2256	DllCommonsvc.exe	77
PID 2256 wrote to memory of 2116	2256	DllCommonsvc.exe	77
PID 2256 wrote to memory of 2116	2256	DllCommonsvc.exe	77
PID 2116 wrote to memory of 1892	2116	cmd.exe	79
PID 2116 wrote to memory of 1892	2116	cmd.exe	79
PID 2116 wrote to memory of 1892	2116	cmd.exe	79
PID 2116 wrote to memory of 2752	2116	cmd.exe	81
PID 2116 wrote to memory of 2752	2116	cmd.exe	81
PID 2116 wrote to memory of 2752	2116	cmd.exe	81
PID 2752 wrote to memory of 2332	2752	conhost.exe	82
PID 2752 wrote to memory of 2332	2752	conhost.exe	82
PID 2752 wrote to memory of 2332	2752	conhost.exe	82
PID 2332 wrote to memory of 1528	2332	cmd.exe	84
PID 2332 wrote to memory of 1528	2332	cmd.exe	84
PID 2332 wrote to memory of 1528	2332	cmd.exe	84
PID 2332 wrote to memory of 2344	2332	cmd.exe	85
PID 2332 wrote to memory of 2344	2332	cmd.exe	85
PID 2332 wrote to memory of 2344	2332	cmd.exe	85
PID 2344 wrote to memory of 1336	2344	conhost.exe	86
PID 2344 wrote to memory of 1336	2344	conhost.exe	86
PID 2344 wrote to memory of 1336	2344	conhost.exe	86
PID 1336 wrote to memory of 2040	1336	cmd.exe	88
PID 1336 wrote to memory of 2040	1336	cmd.exe	88
PID 1336 wrote to memory of 2040	1336	cmd.exe	88
PID 1336 wrote to memory of 1744	1336	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3cb52bec6cadce2eb0069786957f26673aa7bc95bf9fea85454edf40aba265a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b3cb52bec6cadce2eb0069786957f26673aa7bc95bf9fea85454edf40aba265a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2092
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2184
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Documents\My Videos\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\meta_engine\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1zevOREOUW.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2116
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1892
      - C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1528
        
        C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2040
        
        C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
        11⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2460
        
        C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat"
        13⤵
        
        PID:612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1144
        
        C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
        15⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:696
        
        C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat"
        17⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2712
        
        C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        19⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2632
        
        C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat"
        21⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2012
        
        C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
        23⤵
        
        PID:1876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2616
        
        C:\Users\Default\conhost.exe
        
        "C:\Users\Default\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat"
        25⤵
        
        PID:2060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Documents\My Videos\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Documents\My Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Documents\My Videos\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Default\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Windows\Temp\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Temp\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Temp\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Program Files\VideoLAN\VLC\plugins\meta_engine\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\meta_engine\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\meta_engine\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Mozilla Firefox\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b022221780891c2c8aef9a81d3b5af4

SHA1
2ed6dd428db31abc0a5c8136aee0c7e10b527432

SHA256
bc1195a531b61f062068b65c3ad0699642d3cedea184282bfcc15e7bf081e0e6

SHA512
f6a922fdea6b65e929fca806538af2a023236e50ae81fb857c1998319008a1a322820ffb183318169fea2b02109d36f92151046319c6b35c6e0661995a4880c3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bff44fcd5ed4825158367130759bf25a

SHA1
d4b92701e58bebd39b910235a5ccffa457bada03

SHA256
8fa4b44a79758309f8abbdd4976db760261da584e7f36ac80d332ed2c2f4b21c

SHA512
208c356d00fa376f0d9be83aaaaabc7480650d1294bd2cda6d79881f9ce6b2eba3411273e40e0ac8611ae089a8ca748d911de6cf2e1bea88addd8be5d7996ab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79a5deb9faee7dcc1e4b15b1601dbf54

SHA1
1fa55b5e7d62862991e9ba1998f1ec497a3ea873

SHA256
d5efd375d3a129735f1d511ed49308991e83d8cac8bcdbaa20a7e69eacc2e23f

SHA512
1001fe17a27bc0f8240a27c0cf5b772675d6d3cd654d701ca41a6ce5e2b54ee2a1e0183d78b02c52ad4c8c2fe4c7db80ce89d9a41fb40a91283e4af69233fc8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83c93fa8349dc0ff1cc6ba0af2e70108

SHA1
3deb2ce458867719614b24e988463cc219e3a006

SHA256
0755e426adc7143fb61df082b612dbc27ab4423a8257ba7b1ec31f1e9e1e858c

SHA512
5bb400719aee6e09095bda343f5473a1520bcf2061f73f17462c87c8d7e3fda5cbdc44361ec9764f380e80798899e4fcdc35bd467135722c560a5849a1faf62f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d16b464a7aa070963642ebebb4bf2af

SHA1
5fceaeff37e6294e1b0965985d3d055af8ed261d

SHA256
c2a55515e475dc781eda6c08d84f0adb77bfd9865017b2fd0a5a913ac7914533

SHA512
54427a943c6965f23020045f59babe8d4762013288e73c0da17a0ab7d55c070bc8bde3af3251294bc834d9cadb52d6cfa847aa63719871eb836e90933a7607ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e607c0b5e7055cfa81bae54398084e07

SHA1
caa21127469dad54bbac8002e1bd7c368777fb08

SHA256
ae48860899ce8cdc238a8e03ca95c914368383538d00067615531df27c261832

SHA512
35a1fb971dbc8b3eb578d23434540f556dd9b82c5c2fd632b764e3374753a55fd750cf87aef379a2eff18a7041d3930ab6f22d14fd5f2d904f82cb9c1f66af43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
266d66f894b0583e2b7d8e04ad21438b

SHA1
7a71ae81839b15fc845554e9f3f4e28414b413d9

SHA256
d12bb51f4db82a511249d77253997deac75510f87eb5057d2504e9af853b4ade

SHA512
2dc31845171abfd74e84ac05e148fe09429f15e0e94f63e81cb279002ebe909825560b96337276b3d9d24e05333317099cdf98348be1d3858df34e5bf791808b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6939fb090694979a04889d08a4b77031

SHA1
6d2c8c607f3155b18024eaeaca3d4e57f1d444ae

SHA256
872d2341e064cd76efd0b0e2ff2e1c72b3fb20d0f1f94593cd2555dfab9ff808

SHA512
4fc7c5d8c341cafe5cb43ef2dd6bc28d3a8c0cc8fd72c8755db3972465c93507ad5445c0a853c6e7d8554e3288712c49b01d56657a4019318386da8e936943a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45633903eb2ae45326fa6b0656ac64cb

SHA1
e7f6ec648fff7ff139a83552d7c126bca8a9a8cc

SHA256
7e8ca21df1c889e0281d3d17172362e9403218d346a91843198f63481e7631de

SHA512
9ad75d2f1a7433ae83f79803efebde289a0752665941c1d85bfce4dcf8389e8a9de246f0f3866894684ea65f29008468605cb656c3918267d31fddee1474eb6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat

Filesize
193B

MD5
44cca02fc2b9d0580197d823eec68dbc

SHA1
36b7d4527c20e4025b484e3736ae45adfdda9a9a

SHA256
41eb51c04ed1c4cb7e4a73226d99cbf422d6b9b585dbd5501732129de5b57157

SHA512
57dcd73e135904dbcea70bd49af931f514d8e99b09f32e14526d24b46a3c90edd6db32dde89ebada333df9af7e8c6ac946e8bfac292d398b194d0382518b27d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1zevOREOUW.bat

Filesize
193B

MD5
8fc39d3a265f1f37aab1710b84a3f0e9

SHA1
d2576e2d4f332ecd25dc8d49aafbea8c51553773

SHA256
ece082fe2954ad9281a9132820e22aa14e077a648044fd825014b915bc3bb2fb

SHA512
4eb6baa13e64bed0f6e2e0c88e7ebb46cff1f8a7734c828e452f40ca35434d2e98bc387a48de5b0028d97087616780b3aec869032bb6563ba327f91ee79aaa6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\4yKdveU0JJ.bat

Filesize
193B

MD5
9bada18c73e093ca6f4ba333c0237e1e

SHA1
0c0c13b146fe25b6d3270b8fe436b4608cb20fc4

SHA256
269eeb6b120d3936d6e9f7d12eccf9f360993b60c464eca7e8c941d0626700f5

SHA512
598746572dc8a75e8a34af55f5583e21ee79eaa0bdf18e0ff71886fb949a5bcbc91d154d4f0c37e69608890a388827c9937e07f4f0f2fdaf6d1c51bb569acc4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcPyovVCSH.bat

Filesize
193B

MD5
988bb829f74b1a585d2e683c801d294a

SHA1
c4594e06002e2aa126ac86453d489055d0a0fdab

SHA256
0c8a5aa916db8d2c8400760226463a3b6b189bb92945106a05c13772924d9397

SHA512
7d809d5266fddd2d78f91411abcb70e0ba041dd6531eb74cc9e45974ffc421b19c847579e802486b153bf61d1722d3f413c028b96c9c54fdbec906fdf45a222e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab12.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat

Filesize
193B

MD5
03607c0a0915da4cfe77146a1db00ef1

SHA1
1ba27654e339d9bfc2491c9e9762dd4fc0e82844

SHA256
bd9d380d4e2b9efcebc2b1427be9dcc6a2a5e208be6a9b9d9e599d804dbcaf6f

SHA512
0d8ec53b2a50339a66f8184bc12fb0498631757af15a7df65feded23fd69881b6bb71ae4cbf2ed567d5e21b727132f410609b94f2125f470516d9e07e991727a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar25.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

Filesize
193B

MD5
4d43bf47d4e96cb917d7d208d0d3a3bd

SHA1
7b1e6a7e07b8a0a0eb1720ae778adfb7f4b8ffb0

SHA256
ca3fede31e91bb359e93c84170e329285b226c6420463842920dcece857ed79c

SHA512
a391e8b0d6eb1ee91dbd3c3787cc20bae22d89fa68dfc2b2e763daaf12b78ed4b049ec5ccfd0efb9cf99b72c332d0a60a4acc9f09462a8205e306103c6c9d1ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

Filesize
193B

MD5
ba834a82f061339634642e6193e7b354

SHA1
3ee909bd068eafe566dab60aa8795cb6ee0ede29

SHA256
21b924246f3762c78ebf430b41e5e7fdc3e4b5a5b76d0360e9cff5e3b00efbd2

SHA512
f3a2e036dfdf7b30e6c0ef6b1164de6bb4b4c50ddb733e748d0521fc92ca49bd3665c320c5d334a1c473fdd37a8c3f0aca3d6b6638667af5b6e6d8626e988450

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
193B

MD5
c241b8a4f5e8b1c859f7d27c5cdc2e0f

SHA1
97b05babe7ba58e2aaf3c1ad8a58e6927ab0f0e7

SHA256
be24cbcb3ff6ef8564d40b9e11c143c31aadb0e2f5e294d8b270af92b43aa2ad

SHA512
9e00fed4b26158f42231f36f648331e07ec65a7725c2ecbb2c3a53e9299d96f34d7a95e6c8827bc63e1f9cd25b7a524c5976593b8587c42bd008f5dfc924a234

Download Submit
C:\Users\Admin\AppData\Local\Temp\iIDKKqsGny.bat

Filesize
193B

MD5
9d0b760704c2c6da6c1487d049c5ada0

SHA1
4a1aa98f2ce83e4ad58b324b8657298f90e8f4b9

SHA256
0682c18e43cd30befc698ec3bb742e85414c2b1871d909e2a9785c6490da1658

SHA512
a1f6fa73074e50063efae7194aa4a65a8a5ce8da923ee483274edd94f3e379f2539c9da639674a2ea2da6ad0f1e70b0267d31a8ae1bb8460ae0cabcfa0873108

Download Submit
C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat

Filesize
193B

MD5
a9f70c00ecb1b85db964ef680c2110b5

SHA1
1f03394917c6382da256cafb6d0f00410477b571

SHA256
92c7de43cd8cc8ffd8f1c25549cb48ee18d10578f36b703a9ee2969877f03ec3

SHA512
fe7df83f926b984ea402f0a274afd75d6cd9f181d9f931cf9582255b6a83a82d33bab2fcddb2866d30aa4f7238876c7e7232ae54a91ceeb9dc30defab5b71720

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

Filesize
193B

MD5
ed936e25502744cbad176897cb4fc2ef

SHA1
ac571e42c7121eb8091986c84623abfafd19fa8c

SHA256
da99e2c7546c57187951f67b7ebc88a681306ae6c46b9ac902154be4cc1e07f0

SHA512
528bff4e84e493d5abc824bd411e8a0abd152de5eb4de93caefb879e04b486b8ea31a448093c6d95e8d9198ea1486b890bf260c578146117b3542f2f5fadd58f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bd72188f79c38a1e652f8c6ca0cf45ec

SHA1
bd994e7dc5649659f7b8d2e07ef81c8291e795b0

SHA256
4fe15f492dcb6bcc683169833cc482b8ec21d96efacb5b1a187d2da49012ffeb

SHA512
f373628063a9e025a3b0d03a64c3753dd9054b30246961ba79abd7514218a43b7457d4a7c60c286297c69d1d3a2edb43ce346a256f43c313a058891e433950da

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/276-383-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/1136-323-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/1508-82-0x0000000001C90000-0x0000000001C98000-memory.dmp

Filesize
32KB

Download
memory/1508-81-0x000000001B7C0000-0x000000001BAA2000-memory.dmp

Filesize
2.9MB

Download
memory/1872-502-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2256-15-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2256-16-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/2256-17-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2256-14-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2256-13-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download
memory/2344-145-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2360-622-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2752-86-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/3020-562-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download