dcrat | 8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1

Analysis

max time kernel
149s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe
Size

1.3MB
MD5

5215c3073c25e7e712f5bfef9ab74fa4
SHA1

502676b05b9933ade6ea183e2d09eefaf2a45cd3
SHA256

8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1
SHA512

5e9f5e9ef7149bc8bb5016830645a86fe57614bcf131becac9d1ef773ab3663188aa7eeb3011646c18f81447cf424cd3a3fba00530527ed553a7a44075f3b3f7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	792	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2720	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000173f6-12.dat	dcrat
behavioral1/memory/2108-13-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/1364-94-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1460-154-0x0000000001140000-0x0000000001250000-memory.dmp	dcrat
behavioral1/memory/1056-215-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/2724-513-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
912	powershell.exe
1748	powershell.exe
1680	powershell.exe
964	powershell.exe
1688	powershell.exe
816	powershell.exe
112	powershell.exe
1640	powershell.exe
1312	powershell.exe
1588	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2108	DllCommonsvc.exe
1364	winlogon.exe
1460	winlogon.exe
1056	winlogon.exe
1556	winlogon.exe
2332	winlogon.exe
2376	winlogon.exe
1512	winlogon.exe
2724	winlogon.exe
2708	winlogon.exe
2700	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
1900	cmd.exe
1900	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
12	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Uninstall Information\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Registration\CRMLog\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Registration\CRMLog\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2576	schtasks.exe
1144	schtasks.exe
704	schtasks.exe
2112	schtasks.exe
2452	schtasks.exe
3068	schtasks.exe
3036	schtasks.exe
1592	schtasks.exe
2800	schtasks.exe
840	schtasks.exe
1160	schtasks.exe
1448	schtasks.exe
2616	schtasks.exe
2928	schtasks.exe
1800	schtasks.exe
2384	schtasks.exe
600	schtasks.exe
484	schtasks.exe
2180	schtasks.exe
792	schtasks.exe
2780	schtasks.exe
2924	schtasks.exe
1036	schtasks.exe
2396	schtasks.exe
2760	schtasks.exe
1988	schtasks.exe
2636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2108	DllCommonsvc.exe
2108	DllCommonsvc.exe
2108	DllCommonsvc.exe
964	powershell.exe
1748	powershell.exe
1680	powershell.exe
1640	powershell.exe
1688	powershell.exe
1588	powershell.exe
816	powershell.exe
112	powershell.exe
912	powershell.exe
1312	powershell.exe
1364	winlogon.exe
1460	winlogon.exe
1056	winlogon.exe
1556	winlogon.exe
2332	winlogon.exe
2376	winlogon.exe
1512	winlogon.exe
2724	winlogon.exe
2708	winlogon.exe
2700	winlogon.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2108	DllCommonsvc.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	816	powershell.exe
Token: SeDebugPrivilege	112	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	1364	winlogon.exe
Token: SeDebugPrivilege	1460	winlogon.exe
Token: SeDebugPrivilege	1056	winlogon.exe
Token: SeDebugPrivilege	1556	winlogon.exe
Token: SeDebugPrivilege	2332	winlogon.exe
Token: SeDebugPrivilege	2376	winlogon.exe
Token: SeDebugPrivilege	1512	winlogon.exe
Token: SeDebugPrivilege	2724	winlogon.exe
Token: SeDebugPrivilege	2708	winlogon.exe
Token: SeDebugPrivilege	2700	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 880	1224	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe	31
PID 1224 wrote to memory of 880	1224	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe	31
PID 1224 wrote to memory of 880	1224	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe	31
PID 1224 wrote to memory of 880	1224	JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe	31
PID 880 wrote to memory of 1900	880	WScript.exe	32
PID 880 wrote to memory of 1900	880	WScript.exe	32
PID 880 wrote to memory of 1900	880	WScript.exe	32
PID 880 wrote to memory of 1900	880	WScript.exe	32
PID 1900 wrote to memory of 2108	1900	cmd.exe	34
PID 1900 wrote to memory of 2108	1900	cmd.exe	34
PID 1900 wrote to memory of 2108	1900	cmd.exe	34
PID 1900 wrote to memory of 2108	1900	cmd.exe	34
PID 2108 wrote to memory of 964	2108	DllCommonsvc.exe	63
PID 2108 wrote to memory of 964	2108	DllCommonsvc.exe	63
PID 2108 wrote to memory of 964	2108	DllCommonsvc.exe	63
PID 2108 wrote to memory of 1312	2108	DllCommonsvc.exe	64
PID 2108 wrote to memory of 1312	2108	DllCommonsvc.exe	64
PID 2108 wrote to memory of 1312	2108	DllCommonsvc.exe	64
PID 2108 wrote to memory of 1588	2108	DllCommonsvc.exe	66
PID 2108 wrote to memory of 1588	2108	DllCommonsvc.exe	66
PID 2108 wrote to memory of 1588	2108	DllCommonsvc.exe	66
PID 2108 wrote to memory of 1640	2108	DllCommonsvc.exe	68
PID 2108 wrote to memory of 1640	2108	DllCommonsvc.exe	68
PID 2108 wrote to memory of 1640	2108	DllCommonsvc.exe	68
PID 2108 wrote to memory of 1680	2108	DllCommonsvc.exe	69
PID 2108 wrote to memory of 1680	2108	DllCommonsvc.exe	69
PID 2108 wrote to memory of 1680	2108	DllCommonsvc.exe	69
PID 2108 wrote to memory of 1748	2108	DllCommonsvc.exe	71
PID 2108 wrote to memory of 1748	2108	DllCommonsvc.exe	71
PID 2108 wrote to memory of 1748	2108	DllCommonsvc.exe	71
PID 2108 wrote to memory of 816	2108	DllCommonsvc.exe	72
PID 2108 wrote to memory of 816	2108	DllCommonsvc.exe	72
PID 2108 wrote to memory of 816	2108	DllCommonsvc.exe	72
PID 2108 wrote to memory of 1688	2108	DllCommonsvc.exe	73
PID 2108 wrote to memory of 1688	2108	DllCommonsvc.exe	73
PID 2108 wrote to memory of 1688	2108	DllCommonsvc.exe	73
PID 2108 wrote to memory of 112	2108	DllCommonsvc.exe	74
PID 2108 wrote to memory of 112	2108	DllCommonsvc.exe	74
PID 2108 wrote to memory of 112	2108	DllCommonsvc.exe	74
PID 2108 wrote to memory of 912	2108	DllCommonsvc.exe	76
PID 2108 wrote to memory of 912	2108	DllCommonsvc.exe	76
PID 2108 wrote to memory of 912	2108	DllCommonsvc.exe	76
PID 2108 wrote to memory of 2132	2108	DllCommonsvc.exe	83
PID 2108 wrote to memory of 2132	2108	DllCommonsvc.exe	83
PID 2108 wrote to memory of 2132	2108	DllCommonsvc.exe	83
PID 2132 wrote to memory of 2724	2132	cmd.exe	85
PID 2132 wrote to memory of 2724	2132	cmd.exe	85
PID 2132 wrote to memory of 2724	2132	cmd.exe	85
PID 2132 wrote to memory of 1364	2132	cmd.exe	86
PID 2132 wrote to memory of 1364	2132	cmd.exe	86
PID 2132 wrote to memory of 1364	2132	cmd.exe	86
PID 1364 wrote to memory of 2356	1364	winlogon.exe	87
PID 1364 wrote to memory of 2356	1364	winlogon.exe	87
PID 1364 wrote to memory of 2356	1364	winlogon.exe	87
PID 2356 wrote to memory of 1504	2356	cmd.exe	89
PID 2356 wrote to memory of 1504	2356	cmd.exe	89
PID 2356 wrote to memory of 1504	2356	cmd.exe	89
PID 2356 wrote to memory of 1460	2356	cmd.exe	90
PID 2356 wrote to memory of 1460	2356	cmd.exe	90
PID 2356 wrote to memory of 1460	2356	cmd.exe	90
PID 1460 wrote to memory of 2220	1460	winlogon.exe	91
PID 1460 wrote to memory of 2220	1460	winlogon.exe	91
PID 1460 wrote to memory of 2220	1460	winlogon.exe	91
PID 2220 wrote to memory of 2376	2220	cmd.exe	93

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c7977155d7a631edef8428304b22f5d5a5a760bff9cecd70e07d3e0f4c804f1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:880
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1900
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Registration\CRMLog\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXBS2ciche.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2132
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2724
      - C:\Users\Admin\Recent\winlogon.exe
        
        "C:\Users\Admin\Recent\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1504
        
        C:\Users\Admin\Recent\winlogon.exe
        
        "C:\Users\Admin\Recent\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2376
        
        C:\Users\Admin\Recent\winlogon.exe
        
        "C:\Users\Admin\Recent\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        11⤵
        
        PID:2656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:704
        
        C:\Users\Admin\Recent\winlogon.exe
        
        "C:\Users\Admin\Recent\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
        13⤵
        
        PID:844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2456
        
        C:\Users\Admin\Recent\winlogon.exe
        
        "C:\Users\Admin\Recent\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat"
        15⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:604
        
        C:\Users\Admin\Recent\winlogon.exe
        
        "C:\Users\Admin\Recent\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat"
        17⤵
        
        PID:1408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1424
        
        C:\Users\Admin\Recent\winlogon.exe
        
        "C:\Users\Admin\Recent\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"
        19⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2056
        
        C:\Users\Admin\Recent\winlogon.exe
        
        "C:\Users\Admin\Recent\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat"
        21⤵
        
        PID:112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2884
        
        C:\Users\Admin\Recent\winlogon.exe
        
        "C:\Users\Admin\Recent\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat"
        23⤵
        
        PID:1216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2328
        
        C:\Users\Admin\Recent\winlogon.exe
        
        "C:\Users\Admin\Recent\winlogon.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Searches\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Admin\Searches\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Searches\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\Replicate\Security\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files\Microsoft Games\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Admin\Recent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Recent\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Registration\CRMLog\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e9bd7ea79a58de1a8631e75927d8681

SHA1
dd574b59d14e968d4a8bae81734285981069d263

SHA256
da9b1df887f8018509b4e4b64e58ce8f020f9b171a8cf449de2c080cb67a6f25

SHA512
2a30b9a0b7a8530836837848f281d14b62f3f5a73a513d3785e5f9d993f81dadd782a870914197f5c44c29ddd116c0401ca1667de995df5a29ee609623dc8895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d642a25b1ca1076c936d1e7a1c932468

SHA1
22fec6d8b2b7523d8504a971a67d108fd1f27026

SHA256
a82617a859b8603440e658094116a6de9d71f54a3a3c4480bad3a7eb91d6aafa

SHA512
6f1809f212a3a3db44ab4d4fb79d24d769986b3a7a5c294aad8e4d7bae1392ec28bd0cd1d906d61ae9c4e243a3f24a4616884c0559f5a4e011ea576f1279d62e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2b6428946a7b15ac198d9981c36d2e6

SHA1
3d65bea1021875faefceb760be8482917df1b543

SHA256
28d1bfa9f8f52cb55a6283648c70c7810cffb602df124aba92e2159bb103aae0

SHA512
9b468262f83fb78202ac94b3eaf84282f037b21695472fcd6529e872551b1f0afe59719e8ca7f8081ff1168a7df299e1e00414bee36635b266da7dac7c30d763

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deb59425056d776170f9184e127bfaec

SHA1
8cc207bf28183aec9e40b4a6eed63ddc3ac485cf

SHA256
2ee53ca8b0e7772dd6ff2eac2695ab599a6541b4b309bb416da31e4f0c659030

SHA512
785363ed08cebaec9ac6dd71f68951f2dcb6e097cfd471fe1ceb5d02abaf62faf6c3ca303fa92638f17c2a88532abe51047b57cf23b5b33c3bc8d6ae55307a53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a7f3a32bcb5e5944f4e9b86c1c12017

SHA1
43ce96666beaeed1b5b10515eb16757285033cb9

SHA256
abde5ea625690e3d9234cd14fd48543b2eff37ac0cdec2193efd9721590266de

SHA512
a6438f7dfb19968250b7dd0622fac34832c6438e5a557841a452b998bd2767d45ef344a79f37b43148a00ffcc31543a0688c7f91e97b9b5f55b288dd328d970f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b4257227a1a5a936515308374a06e98

SHA1
b79c59cefbea2783af98bed11b0846c1d1e86ea1

SHA256
6314cf70cee14abb07194bac4f437068dbabed4c6ca47c58dc5a48af8633ec0d

SHA512
dce01fbe38d90c908e3d9c7200cb32b04929b6d51dd4ad4a69f42a04fbb9e82e7d4ea4f906948991103267b88f779baf418bb1fca006456cdba3ab0a842fe96e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f0d0ac0c14b552cf3d415acc336f594

SHA1
bc1bf5bc318e7f31965bef87aab28ffca965bb7b

SHA256
2a2b15107c0d33615e7c9460bf0fd7194afc62af94f5008050988012021e1084

SHA512
d9310297e3eebc1112dffa85861d1aad3fc5d039eba3b81ffc9922ec67338838b4dc0c02392a4fb231c4528cff628c0297628b53f417065afd2e44582037cef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b2588b64a02e1f08ea9cbb803ddfb49

SHA1
7209c82cf809491c9a859a76ccc5785cbc2a5ce6

SHA256
1a4eb103ad6685c22537e3927eb4320ecf47e8007129214fcff7f050006705b2

SHA512
0e379bcdbad402c8c1e268f7756e06e0dcc84aacfd662bb7e88a95f7d49de7e0b84eb316231c00890d811010b5d5874d33af98cf71c4a5e7aa54b61db0afad0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\6VAw4LgrmW.bat

Filesize
199B

MD5
e2ad41277eba872a39acd953b9f72fd7

SHA1
d38853e548f79e54b6312c4205e97a9381c014a6

SHA256
580b7563b5b7f80db4a968a7d969c36ca39551ed5240ce3455e7cefaf6c2256b

SHA512
482e5696926fc4cd312df487b599cff137b97a240b4e8aa559e758b408cc0b10977103d147a624babb442264fc070350aaa254a8b273956f884eb17e62973cec

Download Submit
C:\Users\Admin\AppData\Local\Temp\CTHuJZ10YE.bat

Filesize
199B

MD5
bb495709841a1b4a724ccc7a6883d591

SHA1
b464f98e6e8550b80aa35082ee0f92198a868b91

SHA256
a7ba1efbe9c77455558ae8e4f78c98c5be463557506a5ee317b06a4493630609

SHA512
14f56ea94491107915d8533cb5c9c9a2a9a42e19a338b809e352292c9d7db666026cda922b61b510e1e7437d5cc01eb39879889d38ba81649ea932c99634388e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab35E1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
199B

MD5
574625dce4403432601213e5f161e66f

SHA1
228e02adedbba8d20b07d52f4f9e961cc35bb076

SHA256
f42dfd9a6e8451bdc1a4d44653f4c0e57c43eec9b766c5b7d1090ae0af283599

SHA512
0e81e556c90810e14f552bfe67347e776942fb3bad9c28f16720f90e662d64ff48b85aa4a248f6c63623fb8d3096086eee62eca5846dfb18d40ff22788103863

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat

Filesize
199B

MD5
f9e4ffd1d72b4c577416f68b70784b9e

SHA1
7458f601e17e08085e5a147a61702d0ccdc6a577

SHA256
71f00b587760cce963cd3e538a3d36bec212e175b06240a7c55acf5ba97751c4

SHA512
e3baebb742b9492cd9e9296c01a8748147348212733e160fd5ef7e4245b6060a493505d19620a177e1df6d21fc5829d57acc5f75a7200e5e90f230ff42f3b338

Download Submit
C:\Users\Admin\AppData\Local\Temp\TZCyxGcg3L.bat

Filesize
199B

MD5
e18a5e417ee554d87561478c01197b44

SHA1
95c4b9da1547ca81a6aaf349bc375a60aa4c3af3

SHA256
84a00165d97757dda18fb5c7b0832a786facd92dca20417c6a771b41868a1ba5

SHA512
74f622cbefccab011f542cffbf3c01ac62fa979a406248625a9aec45aeb18080a1298bb35cf08f8aa66468afa0d5fdb7741c9f38e74d9c3d50a63cd4c7ae7cf8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar35F4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat

Filesize
199B

MD5
86fe9ef0b9bb9616ed702b77877178f9

SHA1
b7d9329796b5ee2adbf1901a3ba03b44c6040304

SHA256
9d70fb65e13e9bbca985e6092dbb709c6dae66a808a31cfa00e359a6a91ea66a

SHA512
706ad8cd8e716e2d6ea82d7226392b57c796396efe99cf003aa126ae6e1b4c7270b3e10aac6deff208e75713ec0f9b9223fd0e331a65755efd526a6bb7e620b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
199B

MD5
b12952a583b66d07265f143853634f4a

SHA1
bc31533ef4029c8ebad466ad4d0ccbacb9f532ac

SHA256
848b01920e256ae45072635db09c1d61e105ff2e3cf9af62fc0ca4b68d758ac7

SHA512
6ef99c7866787b13351e1714a73da584818d17b65b63446ff524cbf397501565205057b43a6beaa61b9b49c55d9ab6eda22a78ce90facb372dc3c6dcbb07d33c

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

Filesize
199B

MD5
9f8745b5d0a405f0666498dd2d02fe4e

SHA1
3386600e869decea99787c3f6a7fdadcaa292d55

SHA256
620b4433bd1615762e4d9a39db4d492a00aa9aedc604f75bc1b344bd3a260182

SHA512
1be5b34e296ca2a2676a8b954b8ce72f17d5f63c63effba5a6efe3192b846b93ff1e622bd9a7cd9f8c2e161e5f24ed20ead3a85ee65af4ac98ff261bc1bb5ccb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tGPC7CVf0d.bat

Filesize
199B

MD5
88f0271ec0c4e9b4621c1a4a3cf4bce9

SHA1
16c52b988654022747d3a3a6fe9ab1e9721edd71

SHA256
7770ba966fddecec6e6a809409608f5740d66b35218fdf644aedaaa63185bff2

SHA512
99832c7b49fbab7e5b92dc4e82591d1f2844b6923aa4290b040624ca4582dcabb30f944c49d64c1a2fb388f6bf420476fb7ed9945bc1f2e173a007586dce9a71

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXBS2ciche.bat

Filesize
199B

MD5
ed5002b3b60e9e69be6d59a5a3655f07

SHA1
ca3a4122ff08e3edb5d7c87f379f5a7dc213c726

SHA256
a6bc22da9289748653683192e70716933c27fd223a5d8d22bb326d3aa184e313

SHA512
94ead9ea73f75a920d352a36a4b863f01bf593089effe4ba9cb083358f168105d458baa83b3b5758d028a7eee753f4ab84fbe7eec9043d27141ae757453fd031

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b79a5e89cdff51ef0f4a4f13c92bebe9

SHA1
f54f3893c21b1cd3e4f07e510821b2b7b4c9157e

SHA256
23059f38c56b152042178c5c372d29485e0f6b0f518174e33e084d39657bd68e

SHA512
e851071fb5939366d5d88e5368d495adb5349b0fb6a41fd57d6c35e7d1e73b820740105a671d39207d128dd1d977ea74e1a8adc23c7a7c381317fb51d58950d4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1056-215-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/1056-216-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1364-95-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/1364-94-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/1460-155-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/1460-154-0x0000000001140000-0x0000000001250000-memory.dmp

Filesize
1.1MB

Download
memory/1680-80-0x0000000002A70000-0x0000000002A78000-memory.dmp

Filesize
32KB

Download
memory/1688-74-0x000000001B770000-0x000000001BA52000-memory.dmp

Filesize
2.9MB

Download
memory/2108-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2108-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2108-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2108-13-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2108-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2376-394-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2708-574-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2724-513-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2724-514-0x0000000000190000-0x00000000001A2000-memory.dmp

Filesize
72KB

Download