dcrat | b9b1d46f5ef9a676331d644c13e9ef39343626f65ad7f9de6d6fab72c8e88c96

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b9b1d46f5ef9a676331d644c13e9ef39343626f65ad7f9de6d6fab72c8e88c96.exe
Size

1.3MB
MD5

aaa7591f953631f4399267ee585b3f31
SHA1

d52debcd371446f9d1c6c3a6f619901b58169402
SHA256

b9b1d46f5ef9a676331d644c13e9ef39343626f65ad7f9de6d6fab72c8e88c96
SHA512

6c07e4fd7b6aa7f3b3fb9e482344281eabcd99a0e5c6924f02116eebc3e4cb70dd729865308a2b539e620bba207c5c6fdc934c651a28ec3787723efc5cf22c12
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	324	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2664	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2664	schtasks.exe	32

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000016d1b-12.dat	dcrat
behavioral1/memory/852-13-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2028-101-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/2844-161-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/2264-459-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/1208-519-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/1816-579-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/2612-639-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
448	powershell.exe
912	powershell.exe
2816	powershell.exe
2152	powershell.exe
2812	powershell.exe
2804	powershell.exe
2356	powershell.exe
1788	powershell.exe
2320	powershell.exe
2808	powershell.exe
2580	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
852	DllCommonsvc.exe
2028	winlogon.exe
2844	winlogon.exe
1740	winlogon.exe
1856	winlogon.exe
2468	winlogon.exe
2420	winlogon.exe
2264	winlogon.exe
1208	winlogon.exe
1816	winlogon.exe
2612	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1240	cmd.exe
1240	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\es-ES\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\es-ES\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\es-ES\088424020bedd6	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\TAPI\services.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b9b1d46f5ef9a676331d644c13e9ef39343626f65ad7f9de6d6fab72c8e88c96.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3012	schtasks.exe
1948	schtasks.exe
2072	schtasks.exe
1808	schtasks.exe
2532	schtasks.exe
832	schtasks.exe
2272	schtasks.exe
2704	schtasks.exe
2604	schtasks.exe
2032	schtasks.exe
2008	schtasks.exe
1924	schtasks.exe
2768	schtasks.exe
1448	schtasks.exe
2500	schtasks.exe
844	schtasks.exe
1284	schtasks.exe
2832	schtasks.exe
2744	schtasks.exe
2536	schtasks.exe
1776	schtasks.exe
2424	schtasks.exe
1916	schtasks.exe
324	schtasks.exe
2712	schtasks.exe
2020	schtasks.exe
2656	schtasks.exe
1756	schtasks.exe
3020	schtasks.exe
2508	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
852	DllCommonsvc.exe
852	DllCommonsvc.exe
852	DllCommonsvc.exe
2804	powershell.exe
2320	powershell.exe
2808	powershell.exe
912	powershell.exe
2152	powershell.exe
2356	powershell.exe
1788	powershell.exe
2816	powershell.exe
2812	powershell.exe
448	powershell.exe
2580	powershell.exe
2028	winlogon.exe
2844	winlogon.exe
1740	winlogon.exe
1856	winlogon.exe
2468	winlogon.exe
2420	winlogon.exe
2264	winlogon.exe
1208	winlogon.exe
1816	winlogon.exe
2612	winlogon.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	852	DllCommonsvc.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	2320	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	1788	powershell.exe
Token: SeDebugPrivilege	2816	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	2028	winlogon.exe
Token: SeDebugPrivilege	2844	winlogon.exe
Token: SeDebugPrivilege	1740	winlogon.exe
Token: SeDebugPrivilege	1856	winlogon.exe
Token: SeDebugPrivilege	2468	winlogon.exe
Token: SeDebugPrivilege	2420	winlogon.exe
Token: SeDebugPrivilege	2264	winlogon.exe
Token: SeDebugPrivilege	1208	winlogon.exe
Token: SeDebugPrivilege	1816	winlogon.exe
Token: SeDebugPrivilege	2612	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 2120	2288	JaffaCakes118_b9b1d46f5ef9a676331d644c13e9ef39343626f65ad7f9de6d6fab72c8e88c96.exe	28
PID 2288 wrote to memory of 2120	2288	JaffaCakes118_b9b1d46f5ef9a676331d644c13e9ef39343626f65ad7f9de6d6fab72c8e88c96.exe	28
PID 2288 wrote to memory of 2120	2288	JaffaCakes118_b9b1d46f5ef9a676331d644c13e9ef39343626f65ad7f9de6d6fab72c8e88c96.exe	28
PID 2288 wrote to memory of 2120	2288	JaffaCakes118_b9b1d46f5ef9a676331d644c13e9ef39343626f65ad7f9de6d6fab72c8e88c96.exe	28
PID 2120 wrote to memory of 1240	2120	WScript.exe	29
PID 2120 wrote to memory of 1240	2120	WScript.exe	29
PID 2120 wrote to memory of 1240	2120	WScript.exe	29
PID 2120 wrote to memory of 1240	2120	WScript.exe	29
PID 1240 wrote to memory of 852	1240	cmd.exe	31
PID 1240 wrote to memory of 852	1240	cmd.exe	31
PID 1240 wrote to memory of 852	1240	cmd.exe	31
PID 1240 wrote to memory of 852	1240	cmd.exe	31
PID 852 wrote to memory of 2580	852	DllCommonsvc.exe	63
PID 852 wrote to memory of 2580	852	DllCommonsvc.exe	63
PID 852 wrote to memory of 2580	852	DllCommonsvc.exe	63
PID 852 wrote to memory of 2152	852	DllCommonsvc.exe	64
PID 852 wrote to memory of 2152	852	DllCommonsvc.exe	64
PID 852 wrote to memory of 2152	852	DllCommonsvc.exe	64
PID 852 wrote to memory of 2812	852	DllCommonsvc.exe	65
PID 852 wrote to memory of 2812	852	DllCommonsvc.exe	65
PID 852 wrote to memory of 2812	852	DllCommonsvc.exe	65
PID 852 wrote to memory of 2804	852	DllCommonsvc.exe	66
PID 852 wrote to memory of 2804	852	DllCommonsvc.exe	66
PID 852 wrote to memory of 2804	852	DllCommonsvc.exe	66
PID 852 wrote to memory of 2816	852	DllCommonsvc.exe	67
PID 852 wrote to memory of 2816	852	DllCommonsvc.exe	67
PID 852 wrote to memory of 2816	852	DllCommonsvc.exe	67
PID 852 wrote to memory of 2356	852	DllCommonsvc.exe	68
PID 852 wrote to memory of 2356	852	DllCommonsvc.exe	68
PID 852 wrote to memory of 2356	852	DllCommonsvc.exe	68
PID 852 wrote to memory of 1788	852	DllCommonsvc.exe	69
PID 852 wrote to memory of 1788	852	DllCommonsvc.exe	69
PID 852 wrote to memory of 1788	852	DllCommonsvc.exe	69
PID 852 wrote to memory of 2320	852	DllCommonsvc.exe	70
PID 852 wrote to memory of 2320	852	DllCommonsvc.exe	70
PID 852 wrote to memory of 2320	852	DllCommonsvc.exe	70
PID 852 wrote to memory of 2808	852	DllCommonsvc.exe	71
PID 852 wrote to memory of 2808	852	DllCommonsvc.exe	71
PID 852 wrote to memory of 2808	852	DllCommonsvc.exe	71
PID 852 wrote to memory of 912	852	DllCommonsvc.exe	72
PID 852 wrote to memory of 912	852	DllCommonsvc.exe	72
PID 852 wrote to memory of 912	852	DllCommonsvc.exe	72
PID 852 wrote to memory of 448	852	DllCommonsvc.exe	73
PID 852 wrote to memory of 448	852	DllCommonsvc.exe	73
PID 852 wrote to memory of 448	852	DllCommonsvc.exe	73
PID 852 wrote to memory of 2340	852	DllCommonsvc.exe	85
PID 852 wrote to memory of 2340	852	DllCommonsvc.exe	85
PID 852 wrote to memory of 2340	852	DllCommonsvc.exe	85
PID 2340 wrote to memory of 1036	2340	cmd.exe	87
PID 2340 wrote to memory of 1036	2340	cmd.exe	87
PID 2340 wrote to memory of 1036	2340	cmd.exe	87
PID 2340 wrote to memory of 2028	2340	cmd.exe	88
PID 2340 wrote to memory of 2028	2340	cmd.exe	88
PID 2340 wrote to memory of 2028	2340	cmd.exe	88
PID 2028 wrote to memory of 2380	2028	winlogon.exe	89
PID 2028 wrote to memory of 2380	2028	winlogon.exe	89
PID 2028 wrote to memory of 2380	2028	winlogon.exe	89
PID 2380 wrote to memory of 1068	2380	cmd.exe	91
PID 2380 wrote to memory of 1068	2380	cmd.exe	91
PID 2380 wrote to memory of 1068	2380	cmd.exe	91
PID 2380 wrote to memory of 2844	2380	cmd.exe	94
PID 2380 wrote to memory of 2844	2380	cmd.exe	94
PID 2380 wrote to memory of 2844	2380	cmd.exe	94
PID 2844 wrote to memory of 1904	2844	winlogon.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9b1d46f5ef9a676331d644c13e9ef39343626f65ad7f9de6d6fab72c8e88c96.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b9b1d46f5ef9a676331d644c13e9ef39343626f65ad7f9de6d6fab72c8e88c96.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1240
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\es-ES\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IwuFthHaGX.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2340
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1036
      - C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1068
        
        C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
        9⤵
        
        PID:1904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat"
        11⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        13⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:756
        
        C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat"
        15⤵
        
        PID:1728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:784
        
        C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
        17⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
        19⤵
        
        PID:544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        21⤵
        
        PID:1832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2168
        
        C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
        23⤵
        
        PID:1132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe
        
        "C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat"
        25⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\TAPI\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\TAPI\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\AppData\Roaming\Media Center Programs\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Windows\Registration\CRMLog\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\Registration\CRMLog\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df2f9ab4e38775058454de17ffd8c043

SHA1
5c742f0ed7ceefad232ff626c63a1e34e2feef60

SHA256
db9ea6cda89a83b42afc6fd2617347b9adda76027df12ea9b98b556dc7bbe4d7

SHA512
378e25a07aac9f2f017e1a5bbef5bee5f17c7a803c6403e0c8fe0297f78705072f250a09db948ddc5e74b057930a98b8ac88905ae51d120fc60acfc38c9f2147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f5188da38838b6544e5debd0c65aca1

SHA1
a796f70aa9f75023dd2d6440a4ed82c91f8ed4e0

SHA256
7055b40a2149ef0cd76f9fedd328521ba20279fe98c39c9c3010ecb4c93bbd64

SHA512
45a8ee781586860374b5bb7eb7c34d7e22c7a73757cb07ec4f8424c9735447bbb6d3bfe1950b9cdce6f4de49172b5d0fcbc237698c6ac42e1ac215fb54ed803a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4780366d3d211b615761144d77ba1dee

SHA1
ccf8d746ef14c7d1a3e1b3bd0435f85fc9fe150f

SHA256
cfe1ad7354611b6591483a6c1043ba3bcbd4e751862ca31e1ef1c4e2eb9597cd

SHA512
1d4449f3e9d70006859149e61825b2e6199b224f4803d22c10b0c66ae0fb991c662762439dbcf067b30293695bf726798b7162d8f0ea47a5b8d8dafb40c97249

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8869f0f40d7f609ce92967f329e52394

SHA1
6c4af76a61cd91c0de1b83302ae3795f2ef1f3c0

SHA256
2481c02ff7fdbd9e85a7a7997db13d3dff8f021071cd1a87629a7f68837bdb55

SHA512
25a4234675521b32a2d6304c8aeb3b3dca6fb7cde4d02591452b424cd77569d4d6568dbcd25fdc605333dd12f0d41d2ee731f5352c3c355c54f5a27463e2ddee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc24f8f61a4270d320244f100a961b49

SHA1
357820aa1ecdf5998fca36a4e0086e93d3d8dff2

SHA256
72c4658c78ce85dd11b7c5dcce338487620102f10c469e33a6ed15b640ce13bd

SHA512
77ea2d0b436677628dd48248466a2785b621df28973b7630dca30db34385621471f67173c21fb43e5c1d17c41e10cba62beede5096751cf472177cfd4d45973e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f31e9ece365edd859894a32a3d3c6e71

SHA1
a3f829eb43c5df79062de0d98664d4ff14f8eb80

SHA256
7f4d6954c03c786cb28f573a54dfe2e4e2cbfab26797e9758d3b97594c0a5bf2

SHA512
5154bb3943288ebae58bc1f2c075f94feb872df772d791f48f8369161a88523985a6d2329a5c9192a121199da7030f3cfc0f0a17eebccdc42255980107866cd0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ee4f1afb6f8fedaf4553397dacf7554

SHA1
5318e8760b8fffc20767250a39f78bfdcdd0c18f

SHA256
f2a7f2a7798c081632c522cf802945bc23531523dc2aa0d1c59719ff25868302

SHA512
8561dbdfb60edf7d74d4d2604dd77c56a16fafebbcd9e1060caebb9078d75b7eea9e8ad64baff8d6e5b369e621419987938a8aa5291e81df68fed3bbd6ba6b10

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32e47f4585142689b770dce624358aa6

SHA1
5d81586b0ddbae9bb4b44c52e58f48234b232fcc

SHA256
0d533381fef07a2c1802a15b52bab69540cc5ec5036373a8138260cc788445a4

SHA512
dabf24de19efa4cc5076d402fac17b71a01e543618b1c0900eb8b188f2c0f336586708a79df568f8a706f93b017239d6f5a7d1b2c695e56fd78cfbe443242645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3e671428a601016d9d1c43033731e9e1

SHA1
b43ddba6b32a2bf97c44f053543b2474eecf725b

SHA256
2bc98a128a3612c70e99e349ddfdaa4dc36d39c6bca6a3e199ea337f91970e4c

SHA512
782d5c1d92933701b04d1eae6347442b684c8986fd375906f3a6a84d1e18ae18f0bc84a82bd5ec6eb55cbf96b35ff82e541c54a4418f5d05f903a365c2550aa1

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
230B

MD5
a76e257b262e7c1fbdda97db5ffb491d

SHA1
625e45a547f830ed83a895722ca846204beeb0e7

SHA256
eb86efd005d6c0f360b9f8f745876d522bed4b14feb8cb42176231f9770ada94

SHA512
c9c23ca75fa04966b981ee98b76b9513b2bd77cfd0efe41466e802101c95664ab5d3fa2ee85169dec120172e93f5e0695b90046ce4bb37270941348513e3eda4

Download Submit
C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat

Filesize
230B

MD5
9f3f5bef16e1e93e83fdae9366f3c2ce

SHA1
0da734a1ec15d0cc2d7add91b814d2145e24c6d0

SHA256
63b18ee32315c66d447df6de7658b4969607b7ecc88fc3e75fab5f4332d17dee

SHA512
89d0293e10cf48782b6274010240c1f378ea5612238723ad16b3a1e3355addf9ffaeb4370f67ccd397dd05624db35d2363ab72ac70b901817c4ecae9c63c567a

Download Submit
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

Filesize
230B

MD5
0d8811ed68f93fe05af1114345cf9db2

SHA1
4892efe6a2b1268b5bd49e0d417f005ce7bf31ee

SHA256
af27b44109bb188342573e2d3948977785f63bbd37b9b34c80ddd4baa22445c9

SHA512
67f9741f31632e6c84d0be4dcbf9d7e8e48ef1d37798c6af1f5331ff653a172ff9957002612cfaa4831644261d777a0ffce1eba79d9d03005cbe0b57adf9ba27

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

Filesize
230B

MD5
bd95e4fb6911a01483b96176ba65ffe4

SHA1
20be367345478224db3d56692b3aee43445411be

SHA256
8bcf773469928850fbe175237158204434107a1a4da423a6c36712e9354e429e

SHA512
4abfbf7dabd2d145b1a52c1373ddbf382cc381c9bdd44c54465d1a2bd0e7c07c1200f35d5087debf873625314747814e59c029c28a31829e1705ac0a80edeef2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC332.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IwuFthHaGX.bat

Filesize
230B

MD5
522c554c2e47654b8f840a06326b9d36

SHA1
b02b8fe33c40efda2e9eff83fa5ba8fe8c6523cb

SHA256
58b5a5d15404c93a4aa6b8752816d92786c94df4a230bc1bd026f25ce91c44d5

SHA512
b2013bea42e55d9281c2d27036dc4ea4d4cf4a0493a522689c7803be5f8d24e336094e0c3a0851fd43210abf02d42964b8b40622cc817f0f48de8f360c7bb9c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC344.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U1yQEvZAPO.bat

Filesize
230B

MD5
870439117d426305107e1458d132cd70

SHA1
ea3338a05a44edbc44abcb0d10f81466c9b6dedd

SHA256
0caba4e29f40c128030ea09805fed3bd8ef648a7f8fead7daf416dd9fa83c46b

SHA512
aa4cfad5af54ff2c05ddcb625cab88d1946d7eabdf5873c2eb6f80e676f2cf2f0cab24459422cd0c2e77458cbc5111046706562d2419a90dbacb155e1821fd69

Download Submit
C:\Users\Admin\AppData\Local\Temp\YyUd3mmyLr.bat

Filesize
230B

MD5
8f837f0c2ac368747418f99fe83db906

SHA1
41919870f3b42f5d96b424a346cffaf5d39649aa

SHA256
aade7dce6a965629c9e69df7714aec0c9f9f4b23cbe27c7d83ba433b10c6783e

SHA512
74ab8f814f35de44a850c99d3198ba307df085a8b9bace5bde6b0165f318103db00203564ac99971664ab18ba1b5c7608b24bf85752601d1d9b921a0117b0d98

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat

Filesize
230B

MD5
5ca816339a8c31a32b2c1c0f0015a557

SHA1
f7d1a02ac575211bcb9378939484aa890f42847a

SHA256
2d26b3679a4374ca7b736b0eb4e9a0c5f42fc17e5916542ea69c889b8e37ad08

SHA512
e0d309ce179befc5a2d96c544af64a4658d9b31825bd04091392a0e798f3934a3387621e55f39365a07e2b1796dcd13d0fdf325638ef028375b0185498022bb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat

Filesize
230B

MD5
b43b2d94814af3dca7ffe4a0fc176c7f

SHA1
fe2868f0f05f0e8a9e2731bb82fe31b111364cc9

SHA256
5786d018fb092aacb4b533bb47bbea5048c7b364b01ee8d117f157a3fabe324c

SHA512
30317589dfafd636727c22b3b1814eff272d78c5c6714e13ecc6020bfe5b3b6f75e5edbf5d4b9c3c68027f27114d882b3853be122d547a4aae2b27d917151d03

Download Submit
C:\Users\Admin\AppData\Local\Temp\y17QM3q8Rw.bat

Filesize
230B

MD5
4f6e4a5f16a3c2f205c53baff69f5bf6

SHA1
f85f9deaea4992f0d31248587371f243a1aafd6d

SHA256
dd6a4b175bfee65045f41032591be5c53ff19df228a6858a98b81daaf335d497

SHA512
753d56251d0cda85c95bdd73b6fed19444d81c89da4b3c4cfd2517bfe24d12e5f896b4aee28f893b6ef017f4776414cc5e85fdbd9b82e5402479e06df8fe1c85

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
230B

MD5
647a21398f19a7d143cd5790470855b1

SHA1
08326f282fbad672b08662dc08218086559c82d6

SHA256
c042f84aaaad2bd4cc1fd8181207ebdaffefd8f37d9631dc0f0f7b6df31891fd

SHA512
65beb248a654bdce67447901091fa8e3b4a1b034519a01ffd784014080a426e6e085cea61ae6c9f475be736049e7362eb92c6f37f52ac97c95d296b68e70dece

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c3bacd69dbe12ded43213084fef81f2c

SHA1
43a43fb4d314fad3dd155d8a85ecbb36b3d72ebb

SHA256
0061c13300f656219f5a598f77c0beb112280faa64e211b4bbc2582b83d6ccc1

SHA512
3236911fb979fb38a7e1e0a685174d8f1065f7fe2d8ef58a46957f3977ab4e95bddaedb16f67e3eb2a5b8a821a952968e8f1124ccd0106c52a3056482295654e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/852-13-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/852-14-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/852-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/852-16-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/852-17-0x0000000000BB0000-0x0000000000BBC000-memory.dmp

Filesize
48KB

Download
memory/1208-519-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/1740-222-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/1816-579-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download
memory/2028-102-0x00000000004B0000-0x00000000004C2000-memory.dmp

Filesize
72KB

Download
memory/2028-101-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2264-459-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/2320-52-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2612-639-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/2804-53-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2844-162-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2844-161-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download