dcrat | f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe
Size

1.3MB
MD5

4b758200e4c704472c229db414552fb6
SHA1

42f0a674fab415c3e1b93bf9e4798d7fdda7a741
SHA256

f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259
SHA512

6f87113b56100f89426a2a5c5207eafc8e663b21d09a2850cacbf5673d022fb4e97a627decae92eb318a3f542769a1019889dd61d18a46180bce4d36f55e9b57
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1108	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2868	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001925c-9.dat	dcrat
behavioral1/memory/2256-13-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2328-101-0x0000000000970000-0x0000000000A80000-memory.dmp	dcrat
behavioral1/memory/1340-160-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/848-220-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/1840-280-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/3024-400-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2936-461-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/844-522-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/3020-582-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/2576-642-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2652-702-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1148	powershell.exe
2792	powershell.exe
1612	powershell.exe
1408	powershell.exe
948	powershell.exe
1860	powershell.exe
1368	powershell.exe
276	powershell.exe
1032	powershell.exe
1288	powershell.exe
2168	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2256	DllCommonsvc.exe
2328	lsass.exe
1340	lsass.exe
848	lsass.exe
1840	lsass.exe
2328	lsass.exe
3024	lsass.exe
2936	lsass.exe
844	lsass.exe
3020	lsass.exe
2576	lsass.exe
2652	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2884	cmd.exe
2884	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\it-IT\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Internet Explorer\ja-JP\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\ja-JP\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1180	schtasks.exe
2144	schtasks.exe
2172	schtasks.exe
2888	schtasks.exe
2788	schtasks.exe
2436	schtasks.exe
1852	schtasks.exe
3012	schtasks.exe
2780	schtasks.exe
1136	schtasks.exe
1604	schtasks.exe
3004	schtasks.exe
2880	schtasks.exe
2776	schtasks.exe
3068	schtasks.exe
2080	schtasks.exe
1340	schtasks.exe
300	schtasks.exe
1120	schtasks.exe
2636	schtasks.exe
2916	schtasks.exe
1108	schtasks.exe
1624	schtasks.exe
1044	schtasks.exe
2672	schtasks.exe
2184	schtasks.exe
704	schtasks.exe
2932	schtasks.exe
832	schtasks.exe
2020	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
2256	DllCommonsvc.exe
948	powershell.exe
1368	powershell.exe
1148	powershell.exe
2168	powershell.exe
1032	powershell.exe
2792	powershell.exe
1288	powershell.exe
1408	powershell.exe
1612	powershell.exe
1860	powershell.exe
276	powershell.exe
2328	lsass.exe
1340	lsass.exe
848	lsass.exe
1840	lsass.exe
2328	lsass.exe
3024	lsass.exe
2936	lsass.exe
844	lsass.exe
3020	lsass.exe
2576	lsass.exe
2652	lsass.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2256	DllCommonsvc.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2792	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1408	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	2328	lsass.exe
Token: SeDebugPrivilege	1340	lsass.exe
Token: SeDebugPrivilege	848	lsass.exe
Token: SeDebugPrivilege	1840	lsass.exe
Token: SeDebugPrivilege	2328	lsass.exe
Token: SeDebugPrivilege	3024	lsass.exe
Token: SeDebugPrivilege	2936	lsass.exe
Token: SeDebugPrivilege	844	lsass.exe
Token: SeDebugPrivilege	3020	lsass.exe
Token: SeDebugPrivilege	2576	lsass.exe
Token: SeDebugPrivilege	2652	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2556 wrote to memory of 2388	2556	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe	30
PID 2556 wrote to memory of 2388	2556	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe	30
PID 2556 wrote to memory of 2388	2556	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe	30
PID 2556 wrote to memory of 2388	2556	JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe	30
PID 2388 wrote to memory of 2884	2388	WScript.exe	31
PID 2388 wrote to memory of 2884	2388	WScript.exe	31
PID 2388 wrote to memory of 2884	2388	WScript.exe	31
PID 2388 wrote to memory of 2884	2388	WScript.exe	31
PID 2884 wrote to memory of 2256	2884	cmd.exe	33
PID 2884 wrote to memory of 2256	2884	cmd.exe	33
PID 2884 wrote to memory of 2256	2884	cmd.exe	33
PID 2884 wrote to memory of 2256	2884	cmd.exe	33
PID 2256 wrote to memory of 948	2256	DllCommonsvc.exe	65
PID 2256 wrote to memory of 948	2256	DllCommonsvc.exe	65
PID 2256 wrote to memory of 948	2256	DllCommonsvc.exe	65
PID 2256 wrote to memory of 1368	2256	DllCommonsvc.exe	66
PID 2256 wrote to memory of 1368	2256	DllCommonsvc.exe	66
PID 2256 wrote to memory of 1368	2256	DllCommonsvc.exe	66
PID 2256 wrote to memory of 1148	2256	DllCommonsvc.exe	67
PID 2256 wrote to memory of 1148	2256	DllCommonsvc.exe	67
PID 2256 wrote to memory of 1148	2256	DllCommonsvc.exe	67
PID 2256 wrote to memory of 1860	2256	DllCommonsvc.exe	69
PID 2256 wrote to memory of 1860	2256	DllCommonsvc.exe	69
PID 2256 wrote to memory of 1860	2256	DllCommonsvc.exe	69
PID 2256 wrote to memory of 1408	2256	DllCommonsvc.exe	70
PID 2256 wrote to memory of 1408	2256	DllCommonsvc.exe	70
PID 2256 wrote to memory of 1408	2256	DllCommonsvc.exe	70
PID 2256 wrote to memory of 2168	2256	DllCommonsvc.exe	72
PID 2256 wrote to memory of 2168	2256	DllCommonsvc.exe	72
PID 2256 wrote to memory of 2168	2256	DllCommonsvc.exe	72
PID 2256 wrote to memory of 1612	2256	DllCommonsvc.exe	73
PID 2256 wrote to memory of 1612	2256	DllCommonsvc.exe	73
PID 2256 wrote to memory of 1612	2256	DllCommonsvc.exe	73
PID 2256 wrote to memory of 2792	2256	DllCommonsvc.exe	74
PID 2256 wrote to memory of 2792	2256	DllCommonsvc.exe	74
PID 2256 wrote to memory of 2792	2256	DllCommonsvc.exe	74
PID 2256 wrote to memory of 276	2256	DllCommonsvc.exe	75
PID 2256 wrote to memory of 276	2256	DllCommonsvc.exe	75
PID 2256 wrote to memory of 276	2256	DllCommonsvc.exe	75
PID 2256 wrote to memory of 1288	2256	DllCommonsvc.exe	76
PID 2256 wrote to memory of 1288	2256	DllCommonsvc.exe	76
PID 2256 wrote to memory of 1288	2256	DllCommonsvc.exe	76
PID 2256 wrote to memory of 1032	2256	DllCommonsvc.exe	77
PID 2256 wrote to memory of 1032	2256	DllCommonsvc.exe	77
PID 2256 wrote to memory of 1032	2256	DllCommonsvc.exe	77
PID 2256 wrote to memory of 1864	2256	DllCommonsvc.exe	87
PID 2256 wrote to memory of 1864	2256	DllCommonsvc.exe	87
PID 2256 wrote to memory of 1864	2256	DllCommonsvc.exe	87
PID 1864 wrote to memory of 2796	1864	cmd.exe	89
PID 1864 wrote to memory of 2796	1864	cmd.exe	89
PID 1864 wrote to memory of 2796	1864	cmd.exe	89
PID 1864 wrote to memory of 2328	1864	cmd.exe	91
PID 1864 wrote to memory of 2328	1864	cmd.exe	91
PID 1864 wrote to memory of 2328	1864	cmd.exe	91
PID 2328 wrote to memory of 2700	2328	lsass.exe	92
PID 2328 wrote to memory of 2700	2328	lsass.exe	92
PID 2328 wrote to memory of 2700	2328	lsass.exe	92
PID 2700 wrote to memory of 2268	2700	cmd.exe	94
PID 2700 wrote to memory of 2268	2700	cmd.exe	94
PID 2700 wrote to memory of 2268	2700	cmd.exe	94
PID 2700 wrote to memory of 1340	2700	cmd.exe	95
PID 2700 wrote to memory of 1340	2700	cmd.exe	95
PID 2700 wrote to memory of 1340	2700	cmd.exe	95
PID 1340 wrote to memory of 1984	1340	lsass.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_f3c99ae5f461d58f39621d15dcaf101af3b823175ffc0e79d9aa5fdcc40e0259.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2556
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2884
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\ja-JP\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C4Ej9FXU2r.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1864
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2796
      - C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2268
        
        C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat"
        9⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1992
        
        C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat"
        11⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2796
        
        C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat"
        13⤵
        
        PID:876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1912
        
        C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
        15⤵
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2592
        
        C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat"
        17⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1624
        
        C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        19⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2940
        
        C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
        21⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2912
        
        C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
        23⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2124
        
        C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
        25⤵
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1948
        
        C:\Program Files (x86)\Google\lsass.exe
        
        "C:\Program Files (x86)\Google\lsass.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\it-IT\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1850b21f34c4ce4226715e7d3d6de931

SHA1
a2888db87a3637bcad265eeceedac32c84d31da9

SHA256
0f05b6f6ad771f06baeecd346ec0c30a45c564e2032691ceab91270da0bf3d18

SHA512
0f1876a5203f5ebe521cf4cfe2ef72fa383ec2d310622aa5deb8904b5ad98de167f9816f612b6421a2513e0fbc8a85121218f90e3cc45e99b6dfaf2e010b8d94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6ccf03bd131d0cdb3f29460acd7ccc5

SHA1
0933f3c9271ba0868b28953340c8762633b2ca5a

SHA256
d742d3ba38abf0872f43d54c49bc06fc5d750a48ba45f54ccac25c5fcf00dc67

SHA512
ca35adba0164b1ca607767731b72cd0cb984f79b0a41b53ee32bf757b0aa82f88f2ed9962be7b2ffcc8baf551d6f9ca9fac2823d935178beef236604ae2cb3e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22864a89df5ab4ff0aef402da1e069ac

SHA1
806dc88a292d826031597c278e74bde70d74b247

SHA256
d40de1f510acd0f8ee4daabde8bdbe707c82dd2f118c8b79f02e67b438243374

SHA512
50fcf2ee8069dca18c8af6f77dd64f56cb306b2c16ba71cd6d5c1f5cd08b8f8b1f203bbc4e63d3dca95aee0fd6cd6687748985414255b4d38107200125114a26

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6d4bce8c95c11155fb8f091e24e434c

SHA1
3df3d27e36b8b6210fec86bcb0d39a6724959b18

SHA256
b511ca0e3156bd3279f3a5a584e1cfb2624a512ee6878ca2ec07f77ad8cf948f

SHA512
4245ada8822ed9aa9508d5232facdfa6b7fc3f88d02a7fb3fd82c0a36e880d8a4d8aa715b89f1cd6db080e77522d24d1d7956f6c90447ef0a7cb1d0aa340270b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35b5a94d56f79c4257a2d7d8bc261f7f

SHA1
a05a37d88d0ba598d0464335ab59f44e23c01078

SHA256
d0a7e485e193ac5fa7b579ce5451c214de8b009360f1d0cc4cea2b3a7cd678fb

SHA512
0a41919d3eda018f166ed812639f370b7ee2fc1fd8b1280acec89d3cfa0188f2c3c85f76b0818c8506ef82c9f43225f5f7a90ba0c9cd9855a106f9c45a6f289e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1125a5dbc62c9d45629c31b1c5fce57e

SHA1
1c06b1f5bc1ebbe16534bc946c01dcaee258e776

SHA256
ec9ef0bdf6823cef1f5590a2421dc4a0d11c227f94a36c218aba84be450260cc

SHA512
bb769d4b71b31ca4ad249146f79fe5a3d5b08aaae568a7e23bb0b0d9ae927bd8df5ccb4d3fcdc1106c2ad474d4c76e8321709ceac1398cbb5e718f6ecef1d826

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9598c76be2fa435481b811479a8294ad

SHA1
be8f3b033d8d8efe456b26eb1a811b7ed42fc72a

SHA256
34a5955a8d015eadbca51e4b11b8cf6ad82c056f8efcf2942f48e132edfb9995

SHA512
4f35d6b1576ca844401fe7789b0ffae7938c520c10c4bff1960c971fd349ac736e1e041cda6de70e4a24a8e93fe36ba1c04d775e3d858d35cac435ee895687dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b3f4c7029282b70d63e52932fe59606

SHA1
7dca56c78dd201f5d48ad40ee215be36cf5b368f

SHA256
91b0c791b287eaf0540f5b6ae40849c1ef5ee19e9b390803370e440679536e4c

SHA512
77c9d2f565b36f43c074173fe629050e9c1189aa8b3c644a8b64da696b0dee85522c120affc3c2a146044972870b97fd515cfce4c95f58ff8e5f2257ec26f35f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9869d7d35b39a2feff5f4e5cc662380

SHA1
6611ec259bae8ec8b5915c3be8d56f025f453c6b

SHA256
10a20e929a48d44ca3b8404b8d505aa6c20e0e91243c26116cee376c75f20ecc

SHA512
0caa8090f96094df621e9a9e6e92b40da54a38e0529645f80c408e218cb86dbc7133ad3b6ca143183371fbec6819250659764a6428724ec75cac7cf47ddc1921

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

Filesize
204B

MD5
a68f46f5b72256ffe955bf0e05f16840

SHA1
029aefb52ba824a7f59cf7f252edf24133470984

SHA256
4888b94b593946a89045f3502cb81d1eba1a16656fae889f64cc600974d491cb

SHA512
a37c8bcc13943231cd1b2231dcaba5f48905b2430b2c12e27601a51774a6944c58b905e3dc68a543e072a31c46043bc75d2bd8d23e3533a22093a41de52d3cd5

Download Submit
C:\Users\Admin\AppData\Local\Temp\53OVnhiNRT.bat

Filesize
204B

MD5
9c2cc9ef49202f6aeb4b29d031a457d7

SHA1
940703064e129aaedcb07784df3a80467f63cdea

SHA256
a5ac3031fb0d4ba5117a778980af3455108c069a32375e3f1ecc2acc83ecec14

SHA512
debb7ba56a6968fe9f272a756b391b6667843b275eabd64a7dc26cfdb00b99e250c579a13c727f644e999ac6e349d6bf83c1d4a8daa49d1894108e049dc0a2a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\C4Ej9FXU2r.bat

Filesize
204B

MD5
ae63c22d8464481b44b60e1e5d6b66ea

SHA1
848929e6e9ec8bba67746a302156f445f8d4347b

SHA256
25686a9724147f4ab09bb29e8ee716b9527fc0c0e0c1c661007105235c5a5e87

SHA512
25ba33b2832c5d231621dace2e30220ed5e3aa5f49406fb5df355d4a6ad3d8e2a905a24c9169c0c3b52ec87c71eb76515f7b47aa97b32780206f16ab57e5c33b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFB04.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

Filesize
204B

MD5
34e1637683b86db623803a3dfb18c040

SHA1
8410eb7e4571d0e59c6f33b8cb5ce6384aef2f49

SHA256
ae58c395364facb282611143b0291c63fc0e7ff4c0168be45415ccaa12d1ba83

SHA512
382320dca7628ba01771dd5f4c50ac98bdef064a7c62992ca23a78906aa6fd819ec5500cc53cd163bdb79c0da68022f178cdd61be1dbaec1ba5c40ed334ff002

Download Submit
C:\Users\Admin\AppData\Local\Temp\Jk1vLt9ke4.bat

Filesize
204B

MD5
e38080726f659c99e26fccd77e713f7a

SHA1
945fae43fc6addc54ab9cd142ad59782f22d999b

SHA256
4c34ea0f62acbc74c7688c0a23f406329f847aec38d86cbec87b3c611e6c3a76

SHA512
788a1d1497ebaaf2622adaa0f6ce71af03fdb9377730fd9e7dd4ef2543a9ce55ca9d775f758c5ba2867ea3df1db45900374231a85d7398ec03f19fb31a026bba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

Filesize
204B

MD5
83d7e501b8a6776e3e428158788bc51d

SHA1
a6877da5dd0550049c822c88ed24eab8383362c7

SHA256
22ecc5d3c9a8baadb437d02742be2a028124b4d5f4e81eb232e9879b91acfbf4

SHA512
2e689391171ab542c0558023ed563d0488db98982630928557a2a94f8c17368dd0555ba5bcfb3ca015bf809dee6f0e3e4bfe123f2ede9feb05398a11e546723b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat

Filesize
204B

MD5
6d63d324e4ee212746823694c158075d

SHA1
02752bfc0e348040501135f710caab8e7e553a23

SHA256
e8056e2f2eed7df8d044eb76633c1f132cb8be65cbe68cd61a42fdad8c2e8ece

SHA512
be7b60e701fda713ba3a1df587c3040a73c1cf2db516542b28899065bf9df6ef1e66f1072c27dfa817db786aa792147a4196cf4d4e2a8c0d7f61e7a914e32e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
204B

MD5
f1e2c513a4877719e26035fcde71a585

SHA1
a079e9245893297e1c63f457dd01766b469f8cfe

SHA256
6aa863a8f6c3fbecb10e527d35fe6bd7fa5f399493125501af65a9f1a85a125c

SHA512
4bfbf8d4d50ca44cc658a5a94178ddb013d3bee1d1a8ad2029f727c0f334e5e11069e6141a856497b06464d916087c1db628d248a555a5d863e8ea7d73db7cee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFB26.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y29a6RA8xz.bat

Filesize
204B

MD5
6fd1a10caf2a0fe79a959e6179272210

SHA1
1385ad484f5c96ad378fef060860221408e6333a

SHA256
93edd029025008386329614461bb0d6c169dd1b8b603b32c1fb382d0814b0591

SHA512
5698336d99652c315d795640469c686cbceadc8f0061aaeaaa0a5f8cf111bafdeb2e93f263cdcafa6814d018c516187feb3ae6cf199310b50cd01c235acd4212

Download Submit
C:\Users\Admin\AppData\Local\Temp\hiVaTihpWK.bat

Filesize
204B

MD5
f3d31e3d6a88557318637ff389bbcac0

SHA1
efd5a3fa90820d40b39872b47a45da848201aa2f

SHA256
cbffa78776f5183e094d15557da8a86a22414563d6a7dec648d361444e173423

SHA512
b91722e51decf0852de5df4ef2709c7e030d53480b57eff340e1fbc75746c8cee0a963921cdfee04cc49bef74c339d83aa5cac9518871d82241d0d99c178ccc2

Download Submit
C:\Users\Admin\AppData\Local\Temp\zGIMjSYhT8.bat

Filesize
204B

MD5
46245d5fbc7d1fd11b6ad306545e778b

SHA1
7c409c40662c3adb139f5f7a74b6325cc0d1fdbc

SHA256
9c3331cb23b2aeadc248aaac8168eb38ba2f44c97e32b91034f2665d85beb9ae

SHA512
10b0dfb40e8072051db144a71cd5624c8e680df2dd6226e07f67cecc3df9b326b40ffe70af6ea04c6c0e38a0d9f09fcbaef36d60c0c36b499077a4c6ae2311dd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bc39affc6d37207d127aeded2ea6ce06

SHA1
912189bfb4cd4b696bc057347fe0c7da922aafce

SHA256
20e32ce434bb62412da029c31a0d48d94f4fcdc80ea09965e24009efc811f5a2

SHA512
d139f07c9c4893008bac940a23413b74ba15a3a56b768c82a946562a9df26cb110988fedb45ce18aa7e604de22a0e59ae59e5545ad68a239ca6725ad289b94b6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/844-522-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/848-220-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/948-56-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1340-160-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/1368-58-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1840-280-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/2256-15-0x00000000007E0000-0x00000000007EC000-memory.dmp

Filesize
48KB

Download
memory/2256-16-0x0000000000800000-0x000000000080C000-memory.dmp

Filesize
48KB

Download
memory/2256-14-0x00000000007D0000-0x00000000007E2000-memory.dmp

Filesize
72KB

Download
memory/2256-13-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2256-17-0x0000000000810000-0x000000000081C000-memory.dmp

Filesize
48KB

Download
memory/2328-340-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/2328-101-0x0000000000970000-0x0000000000A80000-memory.dmp

Filesize
1.1MB

Download
memory/2576-642-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/2652-702-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2936-462-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2936-461-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/3020-582-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/3024-400-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/3024-401-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download