dcrat | 86d9eb9e4227aa21b6d324ca443d13f356205cc7cbfd431b29e335b10459a534

Analysis

max time kernel
144s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_86d9eb9e4227aa21b6d324ca443d13f356205cc7cbfd431b29e335b10459a534.exe
Size

1.3MB
MD5

595b861a59f1f4ad9c4417a1eea96e76
SHA1

9ef62641b18c8f17b493c88e4bdc8f6aff075b2c
SHA256

86d9eb9e4227aa21b6d324ca443d13f356205cc7cbfd431b29e335b10459a534
SHA512

177d5ab099c946d21f8079074f2bddbf8750b18ef7768fccb8570df30484c9835db65093582ff919d1b22bf2fcab19e0358ea22059311cc4bb1f4fd51ad1547c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1516	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2792	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2792	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000f000000018662-9.dat	dcrat
behavioral1/memory/2632-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/2376-94-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/880-213-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/1936-273-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1684-510-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/3056-570-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2464-630-0x0000000000940000-0x0000000000A50000-memory.dmp	dcrat
behavioral1/memory/1608-690-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2440	powershell.exe
1860	powershell.exe
2304	powershell.exe
2644	powershell.exe
2408	powershell.exe
1800	powershell.exe
708	powershell.exe
2336	powershell.exe
1476	powershell.exe
1684	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2632	DllCommonsvc.exe
2376	csrss.exe
1104	csrss.exe
880	csrss.exe
1936	csrss.exe
1668	csrss.exe
2516	csrss.exe
1800	csrss.exe
1684	csrss.exe
3056	csrss.exe
2464	csrss.exe
1608	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
1528	cmd.exe
1528	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\services.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_86d9eb9e4227aa21b6d324ca443d13f356205cc7cbfd431b29e335b10459a534.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2396	schtasks.exe
1820	schtasks.exe
1336	schtasks.exe
2832	schtasks.exe
2156	schtasks.exe
2576	schtasks.exe
1644	schtasks.exe
2600	schtasks.exe
2960	schtasks.exe
1532	schtasks.exe
2680	schtasks.exe
2524	schtasks.exe
2564	schtasks.exe
2364	schtasks.exe
1624	schtasks.exe
1652	schtasks.exe
2228	schtasks.exe
1608	schtasks.exe
1428	schtasks.exe
1516	schtasks.exe
1988	schtasks.exe
1712	schtasks.exe
2248	schtasks.exe
3064	schtasks.exe
2828	schtasks.exe
2864	schtasks.exe
2740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2632	DllCommonsvc.exe
2632	DllCommonsvc.exe
2632	DllCommonsvc.exe
2408	powershell.exe
1800	powershell.exe
1860	powershell.exe
2336	powershell.exe
2304	powershell.exe
708	powershell.exe
1476	powershell.exe
2440	powershell.exe
1684	powershell.exe
2644	powershell.exe
2376	csrss.exe
1104	csrss.exe
880	csrss.exe
1936	csrss.exe
1668	csrss.exe
2516	csrss.exe
1800	csrss.exe
1684	csrss.exe
3056	csrss.exe
2464	csrss.exe
1608	csrss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	DllCommonsvc.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	2304	powershell.exe
Token: SeDebugPrivilege	708	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2644	powershell.exe
Token: SeDebugPrivilege	2376	csrss.exe
Token: SeDebugPrivilege	1104	csrss.exe
Token: SeDebugPrivilege	880	csrss.exe
Token: SeDebugPrivilege	1936	csrss.exe
Token: SeDebugPrivilege	1668	csrss.exe
Token: SeDebugPrivilege	2516	csrss.exe
Token: SeDebugPrivilege	1800	csrss.exe
Token: SeDebugPrivilege	1684	csrss.exe
Token: SeDebugPrivilege	3056	csrss.exe
Token: SeDebugPrivilege	2464	csrss.exe
Token: SeDebugPrivilege	1608	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 2480	2976	JaffaCakes118_86d9eb9e4227aa21b6d324ca443d13f356205cc7cbfd431b29e335b10459a534.exe	30
PID 2976 wrote to memory of 2480	2976	JaffaCakes118_86d9eb9e4227aa21b6d324ca443d13f356205cc7cbfd431b29e335b10459a534.exe	30
PID 2976 wrote to memory of 2480	2976	JaffaCakes118_86d9eb9e4227aa21b6d324ca443d13f356205cc7cbfd431b29e335b10459a534.exe	30
PID 2976 wrote to memory of 2480	2976	JaffaCakes118_86d9eb9e4227aa21b6d324ca443d13f356205cc7cbfd431b29e335b10459a534.exe	30
PID 2480 wrote to memory of 1528	2480	WScript.exe	31
PID 2480 wrote to memory of 1528	2480	WScript.exe	31
PID 2480 wrote to memory of 1528	2480	WScript.exe	31
PID 2480 wrote to memory of 1528	2480	WScript.exe	31
PID 1528 wrote to memory of 2632	1528	cmd.exe	33
PID 1528 wrote to memory of 2632	1528	cmd.exe	33
PID 1528 wrote to memory of 2632	1528	cmd.exe	33
PID 1528 wrote to memory of 2632	1528	cmd.exe	33
PID 2632 wrote to memory of 2408	2632	DllCommonsvc.exe	62
PID 2632 wrote to memory of 2408	2632	DllCommonsvc.exe	62
PID 2632 wrote to memory of 2408	2632	DllCommonsvc.exe	62
PID 2632 wrote to memory of 1800	2632	DllCommonsvc.exe	63
PID 2632 wrote to memory of 1800	2632	DllCommonsvc.exe	63
PID 2632 wrote to memory of 1800	2632	DllCommonsvc.exe	63
PID 2632 wrote to memory of 2440	2632	DllCommonsvc.exe	65
PID 2632 wrote to memory of 2440	2632	DllCommonsvc.exe	65
PID 2632 wrote to memory of 2440	2632	DllCommonsvc.exe	65
PID 2632 wrote to memory of 708	2632	DllCommonsvc.exe	67
PID 2632 wrote to memory of 708	2632	DllCommonsvc.exe	67
PID 2632 wrote to memory of 708	2632	DllCommonsvc.exe	67
PID 2632 wrote to memory of 1684	2632	DllCommonsvc.exe	68
PID 2632 wrote to memory of 1684	2632	DllCommonsvc.exe	68
PID 2632 wrote to memory of 1684	2632	DllCommonsvc.exe	68
PID 2632 wrote to memory of 1476	2632	DllCommonsvc.exe	69
PID 2632 wrote to memory of 1476	2632	DllCommonsvc.exe	69
PID 2632 wrote to memory of 1476	2632	DllCommonsvc.exe	69
PID 2632 wrote to memory of 2336	2632	DllCommonsvc.exe	70
PID 2632 wrote to memory of 2336	2632	DllCommonsvc.exe	70
PID 2632 wrote to memory of 2336	2632	DllCommonsvc.exe	70
PID 2632 wrote to memory of 1860	2632	DllCommonsvc.exe	72
PID 2632 wrote to memory of 1860	2632	DllCommonsvc.exe	72
PID 2632 wrote to memory of 1860	2632	DllCommonsvc.exe	72
PID 2632 wrote to memory of 2304	2632	DllCommonsvc.exe	74
PID 2632 wrote to memory of 2304	2632	DllCommonsvc.exe	74
PID 2632 wrote to memory of 2304	2632	DllCommonsvc.exe	74
PID 2632 wrote to memory of 2644	2632	DllCommonsvc.exe	75
PID 2632 wrote to memory of 2644	2632	DllCommonsvc.exe	75
PID 2632 wrote to memory of 2644	2632	DllCommonsvc.exe	75
PID 2632 wrote to memory of 1796	2632	DllCommonsvc.exe	82
PID 2632 wrote to memory of 1796	2632	DllCommonsvc.exe	82
PID 2632 wrote to memory of 1796	2632	DllCommonsvc.exe	82
PID 1796 wrote to memory of 3028	1796	cmd.exe	84
PID 1796 wrote to memory of 3028	1796	cmd.exe	84
PID 1796 wrote to memory of 3028	1796	cmd.exe	84
PID 1796 wrote to memory of 2376	1796	cmd.exe	86
PID 1796 wrote to memory of 2376	1796	cmd.exe	86
PID 1796 wrote to memory of 2376	1796	cmd.exe	86
PID 2376 wrote to memory of 908	2376	csrss.exe	87
PID 2376 wrote to memory of 908	2376	csrss.exe	87
PID 2376 wrote to memory of 908	2376	csrss.exe	87
PID 908 wrote to memory of 3020	908	cmd.exe	89
PID 908 wrote to memory of 3020	908	cmd.exe	89
PID 908 wrote to memory of 3020	908	cmd.exe	89
PID 908 wrote to memory of 1104	908	cmd.exe	90
PID 908 wrote to memory of 1104	908	cmd.exe	90
PID 908 wrote to memory of 1104	908	cmd.exe	90
PID 1104 wrote to memory of 2484	1104	csrss.exe	91
PID 1104 wrote to memory of 2484	1104	csrss.exe	91
PID 1104 wrote to memory of 2484	1104	csrss.exe	91
PID 2484 wrote to memory of 900	2484	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86d9eb9e4227aa21b6d324ca443d13f356205cc7cbfd431b29e335b10459a534.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86d9eb9e4227aa21b6d324ca443d13f356205cc7cbfd431b29e335b10459a534.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1528
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Saved Games\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U6upKR1Zdn.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1796
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3028
      - C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3020
        
        C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:900
        
        C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat"
        11⤵
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2304
        
        C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        13⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:276
        
        C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
        15⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2504
        
        C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        17⤵
        
        PID:2696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1672
        
        C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat"
        19⤵
        
        PID:1620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:560
        
        C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat"
        21⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2672
        
        C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat"
        23⤵
        
        PID:708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3040
        
        C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
        25⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2396
        
        C:\Users\Default\Start Menu\csrss.exe
        
        "C:\Users\Default\Start Menu\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Common Files\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Start Menu\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Portable Devices\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Saved Games\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87e1bdf35114ad71125dd9a0646e63cd

SHA1
3490a08455b995c64033b8c11d39e0846e3276bd

SHA256
0deea599b7d57af625d72db4b14f9642a2cdb8e198318eb14473b7ccfcdb318f

SHA512
3714e00efd88477ace99e4d47923cf65e5bd37f6cf13d3e80529d6823b9ec0fe8473e8c08048c3c6534d7108945d46eeed8fe1fba315cd573315505be70523ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
361526f95f97a668351857b98e4844b6

SHA1
6822e074036e63401c66b5e35756cd9d40bae3d2

SHA256
9cd6112a5a788f35963b7139aec0c15553faf484963a0701c2f3e249d88add17

SHA512
893d7a241ed1fa6443a63eadb15bd2c4bcb87b947586e8d22cb3f5acb6a7392c33a18db98193d1f0074915cc3ad556be8bb211c69daacc1201115e1de54d2037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6923abe74d652fddc7831b53d63d75e9

SHA1
85bb1ab49c6b589da5979991738e93911867455c

SHA256
c248bbd85e842db8b4a1ef3a36d1efc7c7cd4648dc7b36ba37217f1d0ad379a3

SHA512
af9ff9f5c56b8416bd2be90240ea7b85bea8caf341acd7a3328d2419c6067ccaafbf4c4aa1d8521a051cd154018c80bda7f1fb61c849169e72d9b9268d36afdf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86900b2c66425fa8f2830f81674759fe

SHA1
a04adc21d23d24f666ef6e77b6e4375ec50518f8

SHA256
9f90029dc0052eb25dd93d59b58f9603d6604e9c044258935c3d8176b65f558b

SHA512
dd374f29b56cb0125883c4254cb3569409f38e0158fe61405395d8c0d9ae7310e4476d06560eba04f2fee128b82670170897bcd143c70b1b9ccd359860c404ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b64acf3ff46c5380f601d0add7c491d

SHA1
f095e200273e2496a0be28a5ccc9f064af48ad96

SHA256
e98b62843ded93860c366c0e68c719fdc9c4d549988d7761659d15a148a61d42

SHA512
1e193ffdec84f7c3997bc35d016de617544a5e7b261bc260d1306076894dc5a249e5bb019646e414f579fd70de7a6be07344057bb92b13638e0657a5568da99b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a127836a07c200f4fe4003e64add2ee8

SHA1
13e8317ff62ad858ff94bd0406a6aaa70e6a8397

SHA256
ed8c59dd1f4512c950bb389c94faff944882dd5de5f432be30e1ae2bd17cbdd3

SHA512
7cc11a9b48a6d302b87bddff3101ed8ba8456ff5d691d501c0c27a8c743cf4536b5c257b8db05a9432974bc4d942e4f63311fc421dcd501270ff959765e54828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
475eb800c4f8c8d5e1d9ee61fecbd75c

SHA1
cf6db8367fc813e406eb4ea9646e84feed03f5bf

SHA256
9113f53dbbb3e309cd11f7b2d7943a4a2a69fcd8c0d05651cd9a7c2f10d6e1fb

SHA512
cb50a784c6db0dfd4f3dd424b5703ad60d6418031f3f0c27dd830b0f730f94e71b2c46aa7faa0f448cc0d1da3998dd9a54d39891ca50f17ae85c69c99f149ae3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e7e15b3d24348d774b521d59e81ff19

SHA1
947be53c407630f54577c5f4dad94b1e4903e94f

SHA256
15010977bcfca509df24f9f5106e0af2903b7353469c75e323ea84b60789484d

SHA512
a175617cecc35dd7431754c7d2d9b1734d235b7c9e680fd0b9e6f490d8279448011eb99394010a8f880101f786e42b2d7f2c93b6a646ba7e311e968e7d1fe8fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bc697a840046f5c3d756c3fdf264f31

SHA1
c12c1fd9c0230c9c991fd255a9ebef5becf18a05

SHA256
60f89935131e1b217986f7e2f94247877a0649204277f1617bf74b3f3a365317

SHA512
9d1b2ef1f6a4776bd58cae4e9c4fe941958a27ebc30c148f2950c15e1e7149079eafdb018874dd51d426e44fc9dfefe153b91142fae3da8cc11723f95b02f9f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1JZ2DT5CuV.bat

Filesize
202B

MD5
6747b4b8a06015996d384f5a44cd1359

SHA1
64e6c3d2d448e68dc0ae64caed7dffa0eb72d8f6

SHA256
41550cd6df0198e105ceffd429050f92ea82a24de343984e553993ca4efeab7c

SHA512
7a0ccfc73829fa9f8eefab15f41a8941e648015b0c3bf493ed8f863ec5e9030afcc28902fafffa8f1a5b77fe706721b4ea3711d15ce5aa834eeea13912089e8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
202B

MD5
aad1c86fb6a3c7c56f5268e4aa4729eb

SHA1
45d35052ca82ef3f44bddd4946a7270764334cfe

SHA256
4df3a4fa313238ed87950ccaf7785563339f0c141653377e07eebb73cd1b5165

SHA512
298adbffe1e089f8cd05a1b611b7d007ab239871e6db5f31b3256d308b36eeb1e1e4a6632470eb528acf98e1006ca0a0e2b03b07a458eff95f68307705f1eada

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab198.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
202B

MD5
bb9bc8c9c817588636548d779e546cbd

SHA1
48b37c7d00962c84855a0f8af5945575d094c53a

SHA256
fdc6c70d9afe2c170241a1ce14dd06809c0f1b78a1d633e51fdf9268c8d53a21

SHA512
76386b70310b50858873d699b9bc6356b4669ea2034396bbfd84ac504b9792845f09b73d79100ce3160a8e3538f8f26d25da9111e7b11bf52be874f2871e2346

Download Submit
C:\Users\Admin\AppData\Local\Temp\OVj8bjUD5N.bat

Filesize
202B

MD5
782f77b31fbdc293fa5836e8ecd6dc6d

SHA1
e011e0b44138521fa1468dddeb4accef773d0999

SHA256
a87fe06fc92a93c5d2288c1d2ce37a13977cd3e35cc2068d9c16c8431b210e32

SHA512
90683490b0f40e5ad655f57f6f9c3cc8bdbd43792b0a89a77c090e534aca8f21c59b37bd05c4a289fb393acf398b9b06eb0c15b99c59221e1955adf26df1fc57

Download Submit
C:\Users\Admin\AppData\Local\Temp\PCaGvPqXNx.bat

Filesize
202B

MD5
4bcf9c7827c450c17f4b8159cdadb485

SHA1
9380a8f5d79e29eac88c30b536821761376ef75d

SHA256
8e32302ace16a849dc18eb7ba80159843db9435bd1b56a2d9606222e65f0d4f7

SHA512
1f11cc284185539e2aed6e1c32a6760b2e6a852e8532a00a6f3c7f1679b79564ae258ac47b34c5cf6a462fa4ee5dfebfc068afbed3c23569cf969e312156f019

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
202B

MD5
d07e40220ac0244d1cfa062a5fcb7ea2

SHA1
0255a6869aaa320c93c157867426efee10b10c6a

SHA256
a728965c9a54843e96f7a01d4498b22eb1653916960ff3226092434570cd1254

SHA512
f4f5f40366ceb4a3b4a97775f96d1a671b46f6d547f298965fecccf9a37ac072e956c263ee5212162bbdc66fbe7ab0edecf4dc7907aa6aec5b3968d468d1eb23

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

Filesize
202B

MD5
d40c89c8e3ab71b4d9d1b88a32b368cb

SHA1
e256242d6a02076df6daa0854fe821b9a0337111

SHA256
d77d51c0b7f33f0e8541abb27b9e6333cc283e6669769cb77b1737225cc37f9a

SHA512
51e57bfa6c6d27277e820ccef656be31554cad06e0b6620dfba2ac70113550e4ca5b12f75696fc3de4aed8523eb1a43d7cc094059b12c61bc8673c26a9779229

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U6upKR1Zdn.bat

Filesize
202B

MD5
127a5407ac0178bed7a86d5e8619d538

SHA1
1169600ff347cd4c2f2c09f476b3009dd688ebcb

SHA256
71a57dec09108695818450e8729e3868c9b8ea3ca423541e2b202254d07fea71

SHA512
f1f8b4a47f00edd5aa03f80be1f08f43c94e6e4fd77ca2d04e4ab886b016661dae74dd5a9b5eaa8d7e9893d03a14d9c86f6cd8aa8e203220f04aeaf6dc582c23

Download Submit
C:\Users\Admin\AppData\Local\Temp\Urxb3wPgb0.bat

Filesize
202B

MD5
260a6d14374ab6e50717334a8fdf77e2

SHA1
17d083873b541b7cdfaa6378d4224d1c3a51f42f

SHA256
c87811571842c0b5c7390d5d240c6f7e703d56f794bf3f2caf1fddf4917db615

SHA512
3d6cad341441e94223df63e3ede922a5d1e9411ebb06050fb1d77fb7b8f5332a6c40276da8f85eaa0344d3e8f25bd16bca5128875356d88353b0e3e849b96d5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\aJcBxrOCPY.bat

Filesize
202B

MD5
7c16b6a97205a6678dbe43b04e33579e

SHA1
135325455e915e725a58a59280d03103860f7dbb

SHA256
e6f37c99f18da138be65c3976e5a5039693ca614aca61842edb250ef080f44e2

SHA512
71987ad9fb7ed1e68371ed744651458a78cb43876784069a85627b4c3a4b595bd25aadbef354f7f9b1370295849b060fc33868299a1b724cca7b5cad1204a25d

Download Submit
C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

Filesize
202B

MD5
d8041a369bfca36678cded57f216922e

SHA1
c3161c467ad2036c955493af9c2c9ec7f2a8ef37

SHA256
d745b19f9b564cd5df604e77450bfc2d6c576a2188b1321c9124c82eb5c2718a

SHA512
475cda941427ef07891a59f39772af6e88c9290f5c3ae9d840d905f4683315d1d821d21e21727eea591ad4ae30fedf72daf1e3de7aaf08a5fb54fe4844442290

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0f6a61b59dc1c1f1691df5754f8abbf5

SHA1
be9e844fa9d871619d24b6398b5b9bd9099d4c43

SHA256
bdbc3f59e1339fd1327ef769084031353529be2e1e91f558dbaeb02d93ab1ec4

SHA512
ab11b1c51a6ab89b2509ecc3918f6135d9ebca860cc674ff46086cacbb63524411a2f41c1f8530611f2ecb6a7bd7d89dd91ac16484601b0088714943152bf5f5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/880-213-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/1608-691-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1608-690-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/1684-510-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/1800-50-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/1936-273-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/2376-94-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2376-95-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2408-66-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2464-630-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/2632-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/2632-14-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2632-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2632-16-0x0000000000660000-0x000000000066C000-memory.dmp

Filesize
48KB

Download
memory/2632-17-0x0000000000D10000-0x0000000000D1C000-memory.dmp

Filesize
48KB

Download
memory/3056-570-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download