dcrat | dbe2d9a35a91302f8839b6241d9db09a4c5fa421a0dad5edd789bf608b5f9a79

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dbe2d9a35a91302f8839b6241d9db09a4c5fa421a0dad5edd789bf608b5f9a79.exe
Size

1.3MB
MD5

0ed778c9007ebb542fcbf0e36a6ca674
SHA1

904555ddf5aa96f924e20ae68b53b7a0144e0bfb
SHA256

dbe2d9a35a91302f8839b6241d9db09a4c5fa421a0dad5edd789bf608b5f9a79
SHA512

a3d2cebebb49b8a413b2a3ecfd8b06e0a57722fc29e21529af9b58ac1cb4d9d0858759348727864b55172e0635e080b9cf4a3d4486c2c4c872eba62f63eb23b7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2272	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2720	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1388	2720	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186c8-9.dat	dcrat
behavioral1/memory/2236-13-0x0000000000DA0000-0x0000000000EB0000-memory.dmp	dcrat
behavioral1/memory/2504-80-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2896-259-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/2776-319-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/1792-379-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/1812-499-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1776	powershell.exe
2160	powershell.exe
2176	powershell.exe
2884	powershell.exe
1760	powershell.exe
2788	powershell.exe
2880	powershell.exe
2556	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2236	DllCommonsvc.exe
2504	WmiPrvSE.exe
1956	WmiPrvSE.exe
856	WmiPrvSE.exe
2896	WmiPrvSE.exe
2776	WmiPrvSE.exe
1792	WmiPrvSE.exe
1132	WmiPrvSE.exe
1812	WmiPrvSE.exe
2796	WmiPrvSE.exe
1684	WmiPrvSE.exe
2044	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2480	cmd.exe
2480	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
21	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft.NET\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dbe2d9a35a91302f8839b6241d9db09a4c5fa421a0dad5edd789bf608b5f9a79.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2592	schtasks.exe
2736	schtasks.exe
2612	schtasks.exe
2292	schtasks.exe
672	schtasks.exe
1784	schtasks.exe
1156	schtasks.exe
2568	schtasks.exe
2976	schtasks.exe
2312	schtasks.exe
2272	schtasks.exe
1388	schtasks.exe
2148	schtasks.exe
1672	schtasks.exe
1728	schtasks.exe
692	schtasks.exe
2020	schtasks.exe
1340	schtasks.exe
2860	schtasks.exe
2792	schtasks.exe
1724	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2236	DllCommonsvc.exe
2556	powershell.exe
2880	powershell.exe
2884	powershell.exe
1760	powershell.exe
2788	powershell.exe
2160	powershell.exe
1776	powershell.exe
2176	powershell.exe
2504	WmiPrvSE.exe
1956	WmiPrvSE.exe
856	WmiPrvSE.exe
2896	WmiPrvSE.exe
2776	WmiPrvSE.exe
1792	WmiPrvSE.exe
1132	WmiPrvSE.exe
1812	WmiPrvSE.exe
2796	WmiPrvSE.exe
1684	WmiPrvSE.exe
2044	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2236	DllCommonsvc.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2880	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2176	powershell.exe
Token: SeDebugPrivilege	2504	WmiPrvSE.exe
Token: SeDebugPrivilege	1956	WmiPrvSE.exe
Token: SeDebugPrivilege	856	WmiPrvSE.exe
Token: SeDebugPrivilege	2896	WmiPrvSE.exe
Token: SeDebugPrivilege	2776	WmiPrvSE.exe
Token: SeDebugPrivilege	1792	WmiPrvSE.exe
Token: SeDebugPrivilege	1132	WmiPrvSE.exe
Token: SeDebugPrivilege	1812	WmiPrvSE.exe
Token: SeDebugPrivilege	2796	WmiPrvSE.exe
Token: SeDebugPrivilege	1684	WmiPrvSE.exe
Token: SeDebugPrivilege	2044	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1976 wrote to memory of 2328	1976	JaffaCakes118_dbe2d9a35a91302f8839b6241d9db09a4c5fa421a0dad5edd789bf608b5f9a79.exe	30
PID 1976 wrote to memory of 2328	1976	JaffaCakes118_dbe2d9a35a91302f8839b6241d9db09a4c5fa421a0dad5edd789bf608b5f9a79.exe	30
PID 1976 wrote to memory of 2328	1976	JaffaCakes118_dbe2d9a35a91302f8839b6241d9db09a4c5fa421a0dad5edd789bf608b5f9a79.exe	30
PID 1976 wrote to memory of 2328	1976	JaffaCakes118_dbe2d9a35a91302f8839b6241d9db09a4c5fa421a0dad5edd789bf608b5f9a79.exe	30
PID 2328 wrote to memory of 2480	2328	WScript.exe	31
PID 2328 wrote to memory of 2480	2328	WScript.exe	31
PID 2328 wrote to memory of 2480	2328	WScript.exe	31
PID 2328 wrote to memory of 2480	2328	WScript.exe	31
PID 2480 wrote to memory of 2236	2480	cmd.exe	33
PID 2480 wrote to memory of 2236	2480	cmd.exe	33
PID 2480 wrote to memory of 2236	2480	cmd.exe	33
PID 2480 wrote to memory of 2236	2480	cmd.exe	33
PID 2236 wrote to memory of 1760	2236	DllCommonsvc.exe	56
PID 2236 wrote to memory of 1760	2236	DllCommonsvc.exe	56
PID 2236 wrote to memory of 1760	2236	DllCommonsvc.exe	56
PID 2236 wrote to memory of 2788	2236	DllCommonsvc.exe	57
PID 2236 wrote to memory of 2788	2236	DllCommonsvc.exe	57
PID 2236 wrote to memory of 2788	2236	DllCommonsvc.exe	57
PID 2236 wrote to memory of 2880	2236	DllCommonsvc.exe	58
PID 2236 wrote to memory of 2880	2236	DllCommonsvc.exe	58
PID 2236 wrote to memory of 2880	2236	DllCommonsvc.exe	58
PID 2236 wrote to memory of 2556	2236	DllCommonsvc.exe	60
PID 2236 wrote to memory of 2556	2236	DllCommonsvc.exe	60
PID 2236 wrote to memory of 2556	2236	DllCommonsvc.exe	60
PID 2236 wrote to memory of 2884	2236	DllCommonsvc.exe	62
PID 2236 wrote to memory of 2884	2236	DllCommonsvc.exe	62
PID 2236 wrote to memory of 2884	2236	DllCommonsvc.exe	62
PID 2236 wrote to memory of 1776	2236	DllCommonsvc.exe	65
PID 2236 wrote to memory of 1776	2236	DllCommonsvc.exe	65
PID 2236 wrote to memory of 1776	2236	DllCommonsvc.exe	65
PID 2236 wrote to memory of 2176	2236	DllCommonsvc.exe	68
PID 2236 wrote to memory of 2176	2236	DllCommonsvc.exe	68
PID 2236 wrote to memory of 2176	2236	DllCommonsvc.exe	68
PID 2236 wrote to memory of 2160	2236	DllCommonsvc.exe	69
PID 2236 wrote to memory of 2160	2236	DllCommonsvc.exe	69
PID 2236 wrote to memory of 2160	2236	DllCommonsvc.exe	69
PID 2236 wrote to memory of 1236	2236	DllCommonsvc.exe	72
PID 2236 wrote to memory of 1236	2236	DllCommonsvc.exe	72
PID 2236 wrote to memory of 1236	2236	DllCommonsvc.exe	72
PID 1236 wrote to memory of 2100	1236	cmd.exe	74
PID 1236 wrote to memory of 2100	1236	cmd.exe	74
PID 1236 wrote to memory of 2100	1236	cmd.exe	74
PID 1236 wrote to memory of 2504	1236	cmd.exe	76
PID 1236 wrote to memory of 2504	1236	cmd.exe	76
PID 1236 wrote to memory of 2504	1236	cmd.exe	76
PID 2504 wrote to memory of 332	2504	WmiPrvSE.exe	77
PID 2504 wrote to memory of 332	2504	WmiPrvSE.exe	77
PID 2504 wrote to memory of 332	2504	WmiPrvSE.exe	77
PID 332 wrote to memory of 1348	332	cmd.exe	79
PID 332 wrote to memory of 1348	332	cmd.exe	79
PID 332 wrote to memory of 1348	332	cmd.exe	79
PID 332 wrote to memory of 1956	332	cmd.exe	80
PID 332 wrote to memory of 1956	332	cmd.exe	80
PID 332 wrote to memory of 1956	332	cmd.exe	80
PID 1956 wrote to memory of 2852	1956	WmiPrvSE.exe	81
PID 1956 wrote to memory of 2852	1956	WmiPrvSE.exe	81
PID 1956 wrote to memory of 2852	1956	WmiPrvSE.exe	81
PID 2852 wrote to memory of 356	2852	cmd.exe	83
PID 2852 wrote to memory of 356	2852	cmd.exe	83
PID 2852 wrote to memory of 356	2852	cmd.exe	83
PID 2852 wrote to memory of 856	2852	cmd.exe	84
PID 2852 wrote to memory of 856	2852	cmd.exe	84
PID 2852 wrote to memory of 856	2852	cmd.exe	84
PID 856 wrote to memory of 1144	856	WmiPrvSE.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dbe2d9a35a91302f8839b6241d9db09a4c5fa421a0dad5edd789bf608b5f9a79.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dbe2d9a35a91302f8839b6241d9db09a4c5fa421a0dad5edd789bf608b5f9a79.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1976
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2480
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Cookies\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4ufk0Q6MZw.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2100
      - C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1348
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:356
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
        11⤵
        
        PID:1144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1644
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
        13⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2328
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
        15⤵
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1340
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
        17⤵
        
        PID:552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1376
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
        19⤵
        
        PID:2460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2284
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat"
        21⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2504
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
        23⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:3044
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat"
        25⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2844
        
        C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        27⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\Primary Interop Assemblies\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Cookies\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Default\Cookies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Cookies\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19fb37cb540d5ddd300f1240c49e0d13

SHA1
9b59cc262df64a8b6028636f94471405936eb2e8

SHA256
71638fb85c114227ed075eb273aef3c27f154192c46edf60aac65fefc3c6a7b7

SHA512
c46f1b57c6d227a32d0e00e9f7a7c2a7a2da364eff59fa675cbe4dbd45a8efd478f75f3cc1b3f00987922e02a68b3d19b1848dde11583f72f298398502a07be8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ab160ebe091040139f237d11b625376

SHA1
60434f1edd9c1fc74c4bd9cf59ea2865945d1335

SHA256
a153ad8fa2d4fe762c4ed82af19f450989fbb8d7a2ee2b7cf383635737483ba7

SHA512
6660767ae462a404b3e9257841a6235fa9b87ee8e26dfbc5a342bfe302e47c7a791f9aed70ce5de6f9d8207631c2046f5c83f5decabaa4c3bffe463859f31c4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57613f288aed6aa55bde2d3fa1eacf85

SHA1
fa8e75c5645314eb3e8029168f58ef82e5daf895

SHA256
674fbcb40282d629a6016c755940e7cfd9fcf128281db3efa2db9d93ff9454a7

SHA512
d44264593a644f450d26d8fcca78dd76ad7f555ba4c058d8c56176c7a2b152d3ef802276b08b377c433e408fed207d79979513c856d3d0da457ea6d6f975d08f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d15ce9c490dc343aa6294e42019ecd9

SHA1
4433ba05067f010058bd3c5efdf5cec958d81112

SHA256
6828137523d4c0d586f6429eb93c4a4bd2c48182dba2a3eaeba80459535b4146

SHA512
c95eb8bb1b1a8b4b3dc0bd652d55cd3085dc0e50e9cf7bb21f401e19153ceddd69f86942f266a203868adf2791da1eea04a00477645a9bf05ad6c670b12aea78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36957ffa500e29f7d5739a5143432745

SHA1
2b7d42dc3f0a13b750b36756a817f56c7bbe4d5e

SHA256
dfc47a0f3467429002c1f5b308184549147acec6af381b75a3cf29f4273361c6

SHA512
de37411154bdee438e5a9e2893f393c679e0ef5f2ac72996701f41624e4f6d1e9071486a97c88a938a49cfd0a16cb4b5aaa78bfde30e3783c365351ba2fc5ccd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
730769397f304b1e978e164420978e19

SHA1
c4abe318490a06f4fbd1db913634b8f9a66077e8

SHA256
97e93e48271c4154605f8158bdd205f227f8f5544c7013495e8a8cc21c460e21

SHA512
a912c2897cdb29b0ab0175bfb6670164c7f87d38f70e9c657391cee061008a6548463b122cbdb9291521d73732b2d4758687b6c66771b2fbe7d00fe281ce3814

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ec661956ec3e2d973d59f506fce1029

SHA1
755ede65fef1331fbc3564c670818a79bcf62f63

SHA256
4f7ebeba80b8f9ef66148d1d7c9a8d0055c421114f98aee187704a70bda12189

SHA512
2d18d87d0c7a44d02fff234ac3ea55646a211001eab6ccc052c4646815f7abe726630c013ae32838d2fb077798789c444719277ff40ba0fc9120bab947837c4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a063e4de91c2031960e7d14bc07b9411

SHA1
659ac370864762c3aa9cd91e853da1d262cc6835

SHA256
2289647405f07f12ac39aa524e11940e691f476d450f1d33b86b6e1f773d89d9

SHA512
c943e67aef898529c0b53391a0ec5ad774aba41cbacd71da9b31ef088af8273a0d29be934063d8835e8165ebb149877ae7414bcedb21bbcf630bfeaec33ea1b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
830d5591665f750b38799b2de9584112

SHA1
2fef9c71dd16bbba52fbb9622feeebfa8d19dd5d

SHA256
5172f5484d1fc11a02c60c577076a05f2a080d1b637781cd9a9f1973feff3aa0

SHA512
4c7e248f16893a0291dd78097ed9eb83e809fbf056493fa05a6699a26f04f912e88f8c271812f55f03174f20678d9cbe8492c53b1922214144b6ea45a715629c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b70adddfee8fa9f39415f6f53b73f799

SHA1
cbe683a37317ea37ed90bada5b02a7e53759c3a7

SHA256
3a6a026de5e1c63da2f67ee54f388810d24ab93be8d59d10a2db6c60f627ecb5

SHA512
d5c2e1ff0838675b0d703ffd22ad2b1875bd89ede830007d49b25fd04210e6148615d5664c7a4db150762c10365e589cc4322b8a979f34924832835541aa0283

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

Filesize
226B

MD5
c98675e9e1ad128be622629b53ec62de

SHA1
c07a9fa647f4e293a9fb1fb6c2fb4d1db64dd217

SHA256
8e32431a77e89bbd599201f34d5205785f325352f190f32d6484015e7c332d65

SHA512
94d897522b53b3fecf83047c8c696a7e5b420d733079a38563430e3e8d3d9c09751e032685918d75c047bafd40deeb52c4edc480a3eb224fe8e1bf940fc46d7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\4ufk0Q6MZw.bat

Filesize
226B

MD5
a590652230db92e73ad684497bb3aafe

SHA1
0237f012acec8e273f62775d9e1dfe060badd5ff

SHA256
957e59dbea28bb7d0b939135e434b4a81140d2e030c8b5c0efacd60b5355e602

SHA512
7ae99d10602125cbef6af7940ac001a85d0743317fbd3cdf7a205289a3b61a3f3ebb7472c43c948088619114d5762e4ddfee1303293985a3e1dc8211503b27cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\8t4fMT0wY0.bat

Filesize
226B

MD5
43901ff7a05a5ea1f9b1aa244a254a5d

SHA1
31b9ec23c850152bc5b5b5eedcf36f9793e2ed96

SHA256
15aa2522bf99e1d0a950a8f58d5edc31f168d19f243505aef72e72596b3a4153

SHA512
90268293c242824c47b6b7fe21cf1933fc341d848a66791a13da2797ac6b93deb5fa69b45173b2478d41c69e6ab51aaa095655adf6e29dcceaefa5c481446698

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
226B

MD5
fb17c886f25c6215a9a4ada990be6a08

SHA1
71da56f89332d220e4db6f7f79a08102f9c1e492

SHA256
1aa2b8222854ea99e72fdf2498498e49dbf5d121a609d5bd5f3926495281080a

SHA512
e5bd50cb28a01b0ee7a0eee246178d3d042352802f80cc496df5925b99f658ae07720d48cfd92c9efee821cc32557df8c0a58d1e995427685c72fe71f4b25c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\BjebbrynYr.bat

Filesize
226B

MD5
afa3514b22c0338b941121d0cd756f79

SHA1
e2d62b42db5da598755724184ba7375a307faa94

SHA256
1a093bc6c229a456aecd63b0371e325ca9b4f2366e45d71fb2ec99d841bc95e6

SHA512
648ffc3a11befa6807ffd8c32514820e3be7af4c4772d5d9dbb483aea6ca37e924d8e007b7f73931f3f856e2fef405664f84ecc284961ab031e1da6ab94150f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE2E2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat

Filesize
226B

MD5
a6e59438e0dcd1f6c7a08369e9c67fea

SHA1
af89c3d3df3ee0ea0789ed8d422215c887395daa

SHA256
be0aaf0dca10bb9e518f3ab086c406bce931acf44521ba0a6618ba25cc971b3d

SHA512
132910ffae2926a8dc30db7c0fe40a0fa96b0c50a50218f9e691c19ad51398b25bb1aac3705467f1e7f21e17392af66abe566076d5bbeaca8257b2aa8b0e100d

Download Submit
C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat

Filesize
226B

MD5
14b0f2324ddeeff17d46f6a983eb2a2b

SHA1
359e45c0d15070b7eb82794d016084c785a60060

SHA256
dc0160df9ef1559fe7765969e68197f82707911c13fa79632a9560f0844ff2e8

SHA512
b9652ebbb21724e448561126b31e8bb99e23d5ae7aaed5c13120a0513589707ef1119e8b84bd09b8dde6c23d9724294931483e7211d36f09608fd0e619fef14d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE2F5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

Filesize
226B

MD5
7fc2833f8e179f0fb1ef093561cc0346

SHA1
14ffc0364a98d83c721515c06e12f6a4da2e9a78

SHA256
886522071376a84aa272383e135be258325d05359c3bc9791d4d0eec57aec609

SHA512
dc9e8c8626456d6a9484589fdbb72cb0a016c45bb93ab18542d5c342f22071dd8986f524e19e4becf70b14fa7cc4fc03af8f788f2dd12bbdddd7b93c3e098d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat

Filesize
226B

MD5
c81bba8913b8fb6d135b1ee084159f56

SHA1
06b485e59c4ffdfa45b3802bcf30dce54d106120

SHA256
146e28fc7e849a7cbbfb1b02ed6c6d82a5b294f25980fdea77d84cd1ea13103c

SHA512
7e6fa1589c7c5aaa0f8bca4b5c09cdac501e636ccc4224f33346f12176c7ee82c8bc85a320afd0c1daab18710127963c7e749fb82e5d219f86e17d566cc9af02

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat

Filesize
226B

MD5
9d0990ee94641202658ec22c02c27d01

SHA1
c889f15c4f6a13e57ab0dc5fe64378e2dd68624f

SHA256
3b82aa7544dfa04383bd34af81dd57789be070bcae4c62595ffc86c417c4ff57

SHA512
7ca49da9e3429dc82b90c348d3ee3b8ed403acf461962bd06da96a04f8fd3cc55bf0f2fb86fedc305b74b4b812d32b90ad7f90748382ea5498f49da94b20a716

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

Filesize
226B

MD5
b42cd2b6b1aeb2b2103f5f36123cb76b

SHA1
eeaf778c30f0dd2099d855569ebb6e01ce80229a

SHA256
e0fbc31a31bbc6946ba9596f4bf162be7e535e32887e5cb6f4b562c1c768e4fe

SHA512
8f2a6e7b93abee9dee0df66889c71089baf8edab7d4804902eea76d931b9ed0cea4eef9efb7632cf29f7dd5bc62669147a92e02955bd6a074dc20a3c99ce91b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat

Filesize
226B

MD5
ee7835cbb8ee9d606c07f8693dd67ac9

SHA1
171fd604989f7b58e4be1fd800d30809f73c202c

SHA256
0371236e8a19429a72fd095fbed599b558f466dd50281ff37fe7a1da335edcd6

SHA512
6fa7848c3b3a2148c8b677e84fd21db1d7dcf891d87aff6cf0eb95d12adc001ed42a26998a6e2a86e18a94cd40dc5570a57df980b4ff299850cb68a245614bc3

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6ff21a5a736f598ed497cdc5627847e3

SHA1
9651964437e525b52ebf33657e330fadfaffbcd7

SHA256
a1f009465a590d7f8b49146ab75667d91edda4617fc0da7690e246dad731fee0

SHA512
417932843ed008a439f3523e54d969c1b7f9692d20e088cc78b51b6228222102ed07ee5df6398b80c49201f8e6309f2a3084dcc903bfe09b899e919072cb74b9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1792-380-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1792-379-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/1812-499-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/1956-140-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2044-677-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2236-13-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

Filesize
1.1MB

Download
memory/2236-17-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2236-16-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2236-15-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/2236-14-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2504-81-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2504-80-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/2556-60-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2776-319-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2880-62-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2896-259-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download