dcrat | d0bda9be8c80ec78448b5c45401c588d6ea03d1ce809d6ff442e0b1744e9085a

Analysis

max time kernel
144s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 09:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d0bda9be8c80ec78448b5c45401c588d6ea03d1ce809d6ff442e0b1744e9085a.exe
Size

1.3MB
MD5

8241afb589889b622ac576fd8ad1f303
SHA1

6fa2f421f79de1ec100516dd85142313903acaaf
SHA256

d0bda9be8c80ec78448b5c45401c588d6ea03d1ce809d6ff442e0b1744e9085a
SHA512

7d43c9a5eaa1d3ebde9cfac789cee4f10e21f8e12bd4b13ba8284caee7bef66c97d5349e26e894caca84f50b210df329374d536a562e0a702126efabb3bbf20f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2580	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2580	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001686c-9.dat	dcrat
behavioral1/memory/2244-13-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/1180-42-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/2448-138-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/2140-257-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/1440-377-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/1608-438-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1816-498-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/2408-558-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1308-618-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/3000-678-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1764	powershell.exe
2376	powershell.exe
2200	powershell.exe
2388	powershell.exe
2128	powershell.exe
1312	powershell.exe
2800	powershell.exe
2788	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2244	DllCommonsvc.exe
1180	csrss.exe
2448	csrss.exe
1984	csrss.exe
2140	csrss.exe
1004	csrss.exe
1440	csrss.exe
1608	csrss.exe
1816	csrss.exe
2408	csrss.exe
1308	csrss.exe
3000	csrss.exe
536	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2820	cmd.exe
2820	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
13	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\en-US\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d0bda9be8c80ec78448b5c45401c588d6ea03d1ce809d6ff442e0b1744e9085a.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1496	schtasks.exe
1320	schtasks.exe
2080	schtasks.exe
2088	schtasks.exe
1432	schtasks.exe
380	schtasks.exe
320	schtasks.exe
2548	schtasks.exe
2640	schtasks.exe
2668	schtasks.exe
2248	schtasks.exe
2944	schtasks.exe
1148	schtasks.exe
1972	schtasks.exe
1944	schtasks.exe
2692	schtasks.exe
2536	schtasks.exe
2408	schtasks.exe
2056	schtasks.exe
580	schtasks.exe
2016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2244	DllCommonsvc.exe
2244	DllCommonsvc.exe
2244	DllCommonsvc.exe
2244	DllCommonsvc.exe
2244	DllCommonsvc.exe
2788	powershell.exe
2388	powershell.exe
1764	powershell.exe
1312	powershell.exe
2128	powershell.exe
2376	powershell.exe
2200	powershell.exe
2800	powershell.exe
1180	csrss.exe
2448	csrss.exe
1984	csrss.exe
2140	csrss.exe
1004	csrss.exe
1440	csrss.exe
1608	csrss.exe
1816	csrss.exe
2408	csrss.exe
1308	csrss.exe
3000	csrss.exe
536	csrss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	DllCommonsvc.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1180	csrss.exe
Token: SeDebugPrivilege	2448	csrss.exe
Token: SeDebugPrivilege	1984	csrss.exe
Token: SeDebugPrivilege	2140	csrss.exe
Token: SeDebugPrivilege	1004	csrss.exe
Token: SeDebugPrivilege	1440	csrss.exe
Token: SeDebugPrivilege	1608	csrss.exe
Token: SeDebugPrivilege	1816	csrss.exe
Token: SeDebugPrivilege	2408	csrss.exe
Token: SeDebugPrivilege	1308	csrss.exe
Token: SeDebugPrivilege	3000	csrss.exe
Token: SeDebugPrivilege	536	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 2848	2260	JaffaCakes118_d0bda9be8c80ec78448b5c45401c588d6ea03d1ce809d6ff442e0b1744e9085a.exe	30
PID 2260 wrote to memory of 2848	2260	JaffaCakes118_d0bda9be8c80ec78448b5c45401c588d6ea03d1ce809d6ff442e0b1744e9085a.exe	30
PID 2260 wrote to memory of 2848	2260	JaffaCakes118_d0bda9be8c80ec78448b5c45401c588d6ea03d1ce809d6ff442e0b1744e9085a.exe	30
PID 2260 wrote to memory of 2848	2260	JaffaCakes118_d0bda9be8c80ec78448b5c45401c588d6ea03d1ce809d6ff442e0b1744e9085a.exe	30
PID 2848 wrote to memory of 2820	2848	WScript.exe	31
PID 2848 wrote to memory of 2820	2848	WScript.exe	31
PID 2848 wrote to memory of 2820	2848	WScript.exe	31
PID 2848 wrote to memory of 2820	2848	WScript.exe	31
PID 2820 wrote to memory of 2244	2820	cmd.exe	33
PID 2820 wrote to memory of 2244	2820	cmd.exe	33
PID 2820 wrote to memory of 2244	2820	cmd.exe	33
PID 2820 wrote to memory of 2244	2820	cmd.exe	33
PID 2244 wrote to memory of 2800	2244	DllCommonsvc.exe	56
PID 2244 wrote to memory of 2800	2244	DllCommonsvc.exe	56
PID 2244 wrote to memory of 2800	2244	DllCommonsvc.exe	56
PID 2244 wrote to memory of 2788	2244	DllCommonsvc.exe	57
PID 2244 wrote to memory of 2788	2244	DllCommonsvc.exe	57
PID 2244 wrote to memory of 2788	2244	DllCommonsvc.exe	57
PID 2244 wrote to memory of 1764	2244	DllCommonsvc.exe	58
PID 2244 wrote to memory of 1764	2244	DllCommonsvc.exe	58
PID 2244 wrote to memory of 1764	2244	DllCommonsvc.exe	58
PID 2244 wrote to memory of 2376	2244	DllCommonsvc.exe	59
PID 2244 wrote to memory of 2376	2244	DllCommonsvc.exe	59
PID 2244 wrote to memory of 2376	2244	DllCommonsvc.exe	59
PID 2244 wrote to memory of 2200	2244	DllCommonsvc.exe	60
PID 2244 wrote to memory of 2200	2244	DllCommonsvc.exe	60
PID 2244 wrote to memory of 2200	2244	DllCommonsvc.exe	60
PID 2244 wrote to memory of 2388	2244	DllCommonsvc.exe	61
PID 2244 wrote to memory of 2388	2244	DllCommonsvc.exe	61
PID 2244 wrote to memory of 2388	2244	DllCommonsvc.exe	61
PID 2244 wrote to memory of 2128	2244	DllCommonsvc.exe	62
PID 2244 wrote to memory of 2128	2244	DllCommonsvc.exe	62
PID 2244 wrote to memory of 2128	2244	DllCommonsvc.exe	62
PID 2244 wrote to memory of 1312	2244	DllCommonsvc.exe	63
PID 2244 wrote to memory of 1312	2244	DllCommonsvc.exe	63
PID 2244 wrote to memory of 1312	2244	DllCommonsvc.exe	63
PID 2244 wrote to memory of 1180	2244	DllCommonsvc.exe	72
PID 2244 wrote to memory of 1180	2244	DllCommonsvc.exe	72
PID 2244 wrote to memory of 1180	2244	DllCommonsvc.exe	72
PID 1180 wrote to memory of 2928	1180	csrss.exe	73
PID 1180 wrote to memory of 2928	1180	csrss.exe	73
PID 1180 wrote to memory of 2928	1180	csrss.exe	73
PID 2928 wrote to memory of 2000	2928	cmd.exe	75
PID 2928 wrote to memory of 2000	2928	cmd.exe	75
PID 2928 wrote to memory of 2000	2928	cmd.exe	75
PID 2928 wrote to memory of 2448	2928	cmd.exe	76
PID 2928 wrote to memory of 2448	2928	cmd.exe	76
PID 2928 wrote to memory of 2448	2928	cmd.exe	76
PID 2448 wrote to memory of 2532	2448	csrss.exe	77
PID 2448 wrote to memory of 2532	2448	csrss.exe	77
PID 2448 wrote to memory of 2532	2448	csrss.exe	77
PID 2532 wrote to memory of 2468	2532	cmd.exe	79
PID 2532 wrote to memory of 2468	2532	cmd.exe	79
PID 2532 wrote to memory of 2468	2532	cmd.exe	79
PID 2532 wrote to memory of 1984	2532	cmd.exe	80
PID 2532 wrote to memory of 1984	2532	cmd.exe	80
PID 2532 wrote to memory of 1984	2532	cmd.exe	80
PID 1984 wrote to memory of 3036	1984	csrss.exe	81
PID 1984 wrote to memory of 3036	1984	csrss.exe	81
PID 1984 wrote to memory of 3036	1984	csrss.exe	81
PID 3036 wrote to memory of 2168	3036	cmd.exe	83
PID 3036 wrote to memory of 2168	3036	cmd.exe	83
PID 3036 wrote to memory of 2168	3036	cmd.exe	83
PID 3036 wrote to memory of 2140	3036	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0bda9be8c80ec78448b5c45401c588d6ea03d1ce809d6ff442e0b1744e9085a.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d0bda9be8c80ec78448b5c45401c588d6ea03d1ce809d6ff442e0b1744e9085a.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2848
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2820
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\en-US\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1180
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2000
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2468
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2168
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat"
        12⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2692
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        14⤵
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1624
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat"
        16⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1008
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
        18⤵
        
        PID:1628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1748
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"
        20⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:320
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat"
        22⤵
        
        PID:352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:976
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
        24⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2852
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat"
        26⤵
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1664
        
        C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe
        
        "C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows NT\Accessories\en-US\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\en-US\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fd6505b9330eeeef67cf3ed64d288839

SHA1
2d7163d280970f857d84ba2f06620e41b423612c

SHA256
ff8cc2d26598974fa2ce4be19343e04ca839be282c1c0f9820a7864fcd5c0cff

SHA512
2de98beb948986dd73c4c58ae0678e7c3e4c122b21ce6aab0dc612288d5c59aefb0a1ea7ac797d412d24f24034c0a1075edd0583dce9bf36fa952cd460a3b660

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8641ca3b4ddaf92405d673f794fe15c

SHA1
220951537cad0e518a1cba9f22c791dedea492cf

SHA256
fc5955ce58b59fe4866b93b54d056ccc0d6d4a8d2204b5c44044a9a99715a2d6

SHA512
d0d793859caf85b67831d8e9ccd7f825f95102e9b1c1a228ab5c4844a6c807963ab01374cb56e46d8aa5881133ef447e24b4a3b0892678499355da490aff956f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fadb71869843c7a2219bda61bec0eae6

SHA1
f920e600a2bf9b1bebc0e9a98bb4139bbe1b2876

SHA256
a57599a705ed157986941d70d7d7e6580d213263a7f1f5a094eeadb5eb3cd7f4

SHA512
da127843a64f253f1b95895f5c27c31d1f32a63ccb29d916700df2f60dcb5d917ed60c9fea903320d2d31073c566b4be3f9dadb6e310eba4616d803f4933381a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
858b75a59b7ca13d30e6f86955a9da8d

SHA1
ad3187734fdbc41e45cc625867cc81b1778c3523

SHA256
ce9c33cf21a0d0a1b8d8681cc3bac540413b2a398fa3300e2159265f654480a6

SHA512
c352d30094d88439a67dd8b56550cee4ee4d087424e8b2e72edb94f519294bd7d53950b50bb98d5b9dcad355ed7115848c327a92a380dfbb59938b668c4dbc2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46d99ef2f30f9fc34159123592691ac8

SHA1
bdabf5fe3db5d5394202abc443563e1f93e8ac63

SHA256
2be297493b881daba610a35baacec31f4c7e1f2546d54bed3ea144e7dbd21228

SHA512
398612571229a101dd56e31be1fc0e89bea37b120fa9a4f44763e2ce5acbe2c602247d9d33e313a3cdd72f89dde09ab4d390c4ac1b5a8f48677a0ff20ce185e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a6c892a3c5292f0af1029aae33684db

SHA1
f86542b92ca0883fc4bdb4513d9e54ae868ffb84

SHA256
9a3e5a8f30638999f0dd4db55e438eeed532dd41d6d30adac43da6e62645730a

SHA512
119bce1ecd04619090393d7ac84e873b280705e52a1b766dc8d99eb847db412e9330989574c215949b5a47d6bdd2195040ec07097bead4088dca3cf4f959b47b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ba827eef975626ab0b2043c92525689

SHA1
0fc89c6f8fc33535d08bdaefbfcbd936dcb16eed

SHA256
d650ceaa49b1399345963b867c2a8063656d8a5250867e95cceb904fc9550c67

SHA512
adabaf181edeec067817771a361e0b223629f9eef3982d98cac213006cddc81007151edc81c3ab8fa45f8a2dffb9021c5aa6b1e85e380f2d01aef26b1670a743

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
979bec89f1fb0fbd06b65c4b6439096e

SHA1
1a2db593eda726a14c5fbd1cc59199b5ba1c6062

SHA256
ff361a47026cce259e059e7a88c0ee86bade737889fa4a643a33d1cbeb60f519

SHA512
671d07140b2dfb329b4d732ccd3fa15b8813cec1f61f0673914f845617bc7d62565cee8015b2f0cf877fdaf7a6e2e3a3baa3f37e7fb454154b37ff75e6440f66

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62c75b36d053a15bb1cb37d23ee0a5ff

SHA1
bb7360ec3f4fc30cbab5d6e1037578b48bd91826

SHA256
0a57efde73c34d97370ca718a9c2dc02e7a78b772aa5708a0c379855aa2e7bd1

SHA512
2a342ef2c1023cbdd69927cbe0c9666f0daa470bec9c1b38e4b4af728d3b8d01b2d53978fcfcf0d2e62b9df11e1a2b023e6af11ae18f1e414d76d60a4a53f728

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad4e9a720f4e32ca6992a960dccb5f64

SHA1
19ba1060528f2bb021beb7ea9fb6541bb947f390

SHA256
03bf89f3add8afa7e1951474a602d0811841cbec5f5c5c6ab0a1f140c434348e

SHA512
340493e60d3682992adb4446dce2d851532f8a1da526327c935fe9ac6ab838c7ec239ef9d173f2e1b76994755fc40a5fde115c1de0bee1ab0a0a57bd703f6508

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
230B

MD5
37679fe94fa191e98ed9910ac7da5603

SHA1
83e176127281fe940f8dcfd365a1a6f5721880f2

SHA256
24013f62452d0764b446f04b8dbf66a7586a6894442f912bc968c88c19c9c775

SHA512
3f1115bcb99bf44cdc22e9900aab4ec8b3086c35dc97a98e72051c12aaa3c01caf6a12ae1023dadcf08b84e74e44154a57cb966b7d3f29f3cfef7c2dbd5baf3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

Filesize
230B

MD5
85d2f7d076d119116970f77dc28ae564

SHA1
52f678c226392a12564998bb459bf3474f66b3d6

SHA256
2c1cfa1ebcb3abf00a01188f2f40ca0fac3078509b6aef35f09f94ef5f928446

SHA512
74c7e12507493f934e429731dc85315c5a4e804b4436054e1cc911abc4fba42407ea0feae30868ffb9cb6cab085d6e3f6685373c174311b468e18904380f4a57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Bf5uratM3O.bat

Filesize
230B

MD5
6773142ebeef1a789057f7826fc19204

SHA1
495a5544fb9cf3a47274c31b4a41fb1e2630f9c2

SHA256
fcdfedec426e326ec1c71473e5231c468a18f9aca5c256e099833d3dd6908848

SHA512
4d0a607a700bfaca37e146e718690f51f5471e8e0e08c5cd5fe9c22e028dcbe82f5fe35d457fd38a971ef6e70c284c04b77771f4d6e603687ba829bfdf0c8895

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab541B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat

Filesize
230B

MD5
20da8b56a78ede2ac59b1fa78bc18db8

SHA1
460816340147dab97374a1b6c606a4d6a53e1653

SHA256
a1d1e2e5e11969a3fbcb81bf72c30cd5c16b0da13f64549482325d71f3bd5409

SHA512
42f8a6493b9f551612cd4156f1f58eb05c57ea6a05f635e1a93ae093e9ab156a26650aa39a5a09dac5dae84c7ccfcdf98307194efcf386d9429888bc90468e6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsMShxucCb.bat

Filesize
230B

MD5
8e3e12577a9a65c101833f827219dfe2

SHA1
0418bb4c3efc0eb44c9611cb0666b0f1655cfa05

SHA256
78e214fee51366c3af4a58f666be82d27dfa28730ff28f36ca25ba64c9a9817c

SHA512
7eef3035d4b7a8c8889c85c16cac6dcec74d2ee554f998a655c7f2e2b7eaefcb86b343c04caea1b66ffb686f8af6cff42f0ba052355c63d1b154ba16b2f192d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Or3SRhMf8V.bat

Filesize
230B

MD5
870f49e6a85fd2a925e075e261ef9877

SHA1
108ad374e840b5f986d7edd0f53becef6360f80c

SHA256
4ae21b5b854170caecc805751f8a08339b3f2deced118d0d88c9ff572dd291d7

SHA512
895c3b16e35e03207ff2967f5d6e4a05798b3e9aba01a3c67455331eb56039718b610be2492f2d8e84aa41137cff7735ac0a749e39c7ce87fd3cc4e835ba840b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

Filesize
230B

MD5
23f18d08c13b1a33edaeec2041daa4c4

SHA1
651712c174d3479d9e1ca7dc1323dac4282915b6

SHA256
24f83775bbacb2dfb3f2caf6744c70c9dbd4418f510c7d40a1b2211478903216

SHA512
7871fd6bd64929b2011ed030a08cc60ffd098fc98cc16b74fd33a37634989efb87f955d6788761d6ce4f36fd3545a6766493716d22f020cdd042715589beaf67

Download Submit
C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat

Filesize
230B

MD5
3a7e94c1c0491d82faac112bffd5fdf5

SHA1
a9402581915b059b6fbdcfe2d86732379c38fb86

SHA256
6a178ee6879c3044a3a6f6d29af0c7e61f7c95e95c5a577ae1201bb71838489d

SHA512
3b2c342e4f48a5a8378b49e6397dc9b8ea7364cee80a94c91623ffc2f15dd20deea8f004854f24d085fc7a182764c70d9fa67ff2d0559fcb46510f4030f9fa63

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar544D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

Filesize
230B

MD5
b86555cf2d7cdbdbecf914b4476541b8

SHA1
f6b3a13737b717be21e2c3543a7279ace4569c4b

SHA256
6e49377d1d49c83f9aa182f334c4a0f7421c3da37111381287b2d87161f9a8d3

SHA512
9a8763675af1fa3d70b82100497f277cd6d9a944afda313489c36bf68c7a3c128855c505f8d0823a55e856322f54d6e54ff8c43acd4d3ed93c5c4a95af3641b0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iS8tBRk2Vg.bat

Filesize
230B

MD5
5d5e649b062c0ab6f384189b54ff3078

SHA1
438acefbdc13c3277809fb4caa759e5e3f9c3221

SHA256
8912df7c3446582240143d1a077a4869cdefb31061b9550f56975998ecbf4dae

SHA512
8d4b99fdaa5e958cedc7b9643a83f33d56f49f0d38d7fab7f4630d37235d98d21f8014effe6d24899bda0b8c83a31f0d9e3e4f460a1375f48bab2874bcadbe31

Download Submit
C:\Users\Admin\AppData\Local\Temp\nlAvT1Qihc.bat

Filesize
230B

MD5
bc3899d1679ac3f1a8caf5602a496da9

SHA1
b03fd05e16e937a3eb4e94bb08ff69024ec0dab6

SHA256
8d79a3fe3cc86862103a41e1874cde64ecdf99c2abb1a896f7974fa0f68a5059

SHA512
7339dbac57b2331a23b2548eb1a41fa1fc07014c39fdaf9a0f3d916ebf9074ce023d5a5901497a3c8f5e06cbbeb3d8e2d6d83f0c63f95984d881f44ec8b52b2d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0ae345b87fce387240b1cdc097acd12b

SHA1
435142cbda4aaf7c6afcf39cd81822d6d3016763

SHA256
a034582c2525b9afca04eb248ffa0424be2af4766a43ed2e2a4fa6593764bcb0

SHA512
f414ceaa289961c4be47c8298f4b9401161fea9109b0a0decc57ca93042b2839a76e96db8ac4326f4830ca46f22f03987e3a6dcad3035db7612463e17eacd504

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1180-42-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/1308-618-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/1440-377-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/1440-378-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1608-438-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/1816-498-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2140-258-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2140-257-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/2244-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2244-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2244-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2244-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2244-13-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2388-43-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2408-558-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2448-138-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-60-0x0000000002970000-0x0000000002978000-memory.dmp

Filesize
32KB

Download
memory/3000-678-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download