dcrat | 1a6a99e8a6fcbe045c612869b31e73dac5c536d0c42d913c019c7b7e8bca5a6c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 13:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1a6a99e8a6fcbe045c612869b31e73dac5c536d0c42d913c019c7b7e8bca5a6c.exe
Size

1.3MB
MD5

ef284d244f224b43ba44f389899d619d
SHA1

d6cb34aca3cd8d8ce1d1ee8e2c7f32d8b025902d
SHA256

1a6a99e8a6fcbe045c612869b31e73dac5c536d0c42d913c019c7b7e8bca5a6c
SHA512

1c1b737581c9c9557fac2e119df22a67c92976d57e18b7054124ff9e79455fe71d9cc7c2bd610ddcc1bf2e6a06f89b6fe84d15ad2c0e2cd0ccae61cb5c1fefab
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2696	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2696	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018636-10.dat	dcrat
behavioral1/memory/2684-13-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/2044-38-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/2800-138-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/3004-316-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2208-376-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/1824-436-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/1660-496-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/2488-615-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2152	powershell.exe
2096	powershell.exe
2252	powershell.exe
2432	powershell.exe
1432	powershell.exe
2408	powershell.exe
2500	powershell.exe
2256	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2684	DllCommonsvc.exe
2044	WmiPrvSE.exe
2800	WmiPrvSE.exe
2752	WmiPrvSE.exe
1244	WmiPrvSE.exe
3004	WmiPrvSE.exe
2208	WmiPrvSE.exe
1824	WmiPrvSE.exe
1660	WmiPrvSE.exe
2184	WmiPrvSE.exe
2488	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	cmd.exe
2832	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\24dbde2999530e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1a6a99e8a6fcbe045c612869b31e73dac5c536d0c42d913c019c7b7e8bca5a6c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
572	schtasks.exe
2948	schtasks.exe
2908	schtasks.exe
344	schtasks.exe
2204	schtasks.exe
2556	schtasks.exe
2236	schtasks.exe
2820	schtasks.exe
1160	schtasks.exe
2376	schtasks.exe
1916	schtasks.exe
2576	schtasks.exe
2636	schtasks.exe
2380	schtasks.exe
1736	schtasks.exe
3024	schtasks.exe
1816	schtasks.exe
2800	schtasks.exe
2000	schtasks.exe
1468	schtasks.exe
1396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2684	DllCommonsvc.exe
2500	powershell.exe
2432	powershell.exe
2152	powershell.exe
1432	powershell.exe
2096	powershell.exe
2044	WmiPrvSE.exe
2408	powershell.exe
2252	powershell.exe
2256	powershell.exe
2800	WmiPrvSE.exe
2752	WmiPrvSE.exe
1244	WmiPrvSE.exe
3004	WmiPrvSE.exe
2208	WmiPrvSE.exe
1824	WmiPrvSE.exe
1660	WmiPrvSE.exe
2184	WmiPrvSE.exe
2488	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2684	DllCommonsvc.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1432	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2044	WmiPrvSE.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2800	WmiPrvSE.exe
Token: SeDebugPrivilege	2752	WmiPrvSE.exe
Token: SeDebugPrivilege	1244	WmiPrvSE.exe
Token: SeDebugPrivilege	3004	WmiPrvSE.exe
Token: SeDebugPrivilege	2208	WmiPrvSE.exe
Token: SeDebugPrivilege	1824	WmiPrvSE.exe
Token: SeDebugPrivilege	1660	WmiPrvSE.exe
Token: SeDebugPrivilege	2184	WmiPrvSE.exe
Token: SeDebugPrivilege	2488	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2436	2644	JaffaCakes118_1a6a99e8a6fcbe045c612869b31e73dac5c536d0c42d913c019c7b7e8bca5a6c.exe	30
PID 2644 wrote to memory of 2436	2644	JaffaCakes118_1a6a99e8a6fcbe045c612869b31e73dac5c536d0c42d913c019c7b7e8bca5a6c.exe	30
PID 2644 wrote to memory of 2436	2644	JaffaCakes118_1a6a99e8a6fcbe045c612869b31e73dac5c536d0c42d913c019c7b7e8bca5a6c.exe	30
PID 2644 wrote to memory of 2436	2644	JaffaCakes118_1a6a99e8a6fcbe045c612869b31e73dac5c536d0c42d913c019c7b7e8bca5a6c.exe	30
PID 2436 wrote to memory of 2832	2436	WScript.exe	31
PID 2436 wrote to memory of 2832	2436	WScript.exe	31
PID 2436 wrote to memory of 2832	2436	WScript.exe	31
PID 2436 wrote to memory of 2832	2436	WScript.exe	31
PID 2832 wrote to memory of 2684	2832	cmd.exe	33
PID 2832 wrote to memory of 2684	2832	cmd.exe	33
PID 2832 wrote to memory of 2684	2832	cmd.exe	33
PID 2832 wrote to memory of 2684	2832	cmd.exe	33
PID 2684 wrote to memory of 2252	2684	DllCommonsvc.exe	56
PID 2684 wrote to memory of 2252	2684	DllCommonsvc.exe	56
PID 2684 wrote to memory of 2252	2684	DllCommonsvc.exe	56
PID 2684 wrote to memory of 2432	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 2432	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 2432	2684	DllCommonsvc.exe	57
PID 2684 wrote to memory of 1432	2684	DllCommonsvc.exe	58
PID 2684 wrote to memory of 1432	2684	DllCommonsvc.exe	58
PID 2684 wrote to memory of 1432	2684	DllCommonsvc.exe	58
PID 2684 wrote to memory of 2408	2684	DllCommonsvc.exe	59
PID 2684 wrote to memory of 2408	2684	DllCommonsvc.exe	59
PID 2684 wrote to memory of 2408	2684	DllCommonsvc.exe	59
PID 2684 wrote to memory of 2500	2684	DllCommonsvc.exe	61
PID 2684 wrote to memory of 2500	2684	DllCommonsvc.exe	61
PID 2684 wrote to memory of 2500	2684	DllCommonsvc.exe	61
PID 2684 wrote to memory of 2256	2684	DllCommonsvc.exe	62
PID 2684 wrote to memory of 2256	2684	DllCommonsvc.exe	62
PID 2684 wrote to memory of 2256	2684	DllCommonsvc.exe	62
PID 2684 wrote to memory of 2152	2684	DllCommonsvc.exe	63
PID 2684 wrote to memory of 2152	2684	DllCommonsvc.exe	63
PID 2684 wrote to memory of 2152	2684	DllCommonsvc.exe	63
PID 2684 wrote to memory of 2096	2684	DllCommonsvc.exe	64
PID 2684 wrote to memory of 2096	2684	DllCommonsvc.exe	64
PID 2684 wrote to memory of 2096	2684	DllCommonsvc.exe	64
PID 2684 wrote to memory of 2044	2684	DllCommonsvc.exe	72
PID 2684 wrote to memory of 2044	2684	DllCommonsvc.exe	72
PID 2684 wrote to memory of 2044	2684	DllCommonsvc.exe	72
PID 2044 wrote to memory of 2380	2044	WmiPrvSE.exe	73
PID 2044 wrote to memory of 2380	2044	WmiPrvSE.exe	73
PID 2044 wrote to memory of 2380	2044	WmiPrvSE.exe	73
PID 2380 wrote to memory of 532	2380	cmd.exe	75
PID 2380 wrote to memory of 532	2380	cmd.exe	75
PID 2380 wrote to memory of 532	2380	cmd.exe	75
PID 2380 wrote to memory of 2800	2380	cmd.exe	76
PID 2380 wrote to memory of 2800	2380	cmd.exe	76
PID 2380 wrote to memory of 2800	2380	cmd.exe	76
PID 2800 wrote to memory of 1692	2800	WmiPrvSE.exe	77
PID 2800 wrote to memory of 1692	2800	WmiPrvSE.exe	77
PID 2800 wrote to memory of 1692	2800	WmiPrvSE.exe	77
PID 1692 wrote to memory of 2956	1692	cmd.exe	79
PID 1692 wrote to memory of 2956	1692	cmd.exe	79
PID 1692 wrote to memory of 2956	1692	cmd.exe	79
PID 1692 wrote to memory of 2752	1692	cmd.exe	80
PID 1692 wrote to memory of 2752	1692	cmd.exe	80
PID 1692 wrote to memory of 2752	1692	cmd.exe	80
PID 2752 wrote to memory of 1664	2752	WmiPrvSE.exe	81
PID 2752 wrote to memory of 1664	2752	WmiPrvSE.exe	81
PID 2752 wrote to memory of 1664	2752	WmiPrvSE.exe	81
PID 1664 wrote to memory of 2868	1664	cmd.exe	83
PID 1664 wrote to memory of 2868	1664	cmd.exe	83
PID 1664 wrote to memory of 2868	1664	cmd.exe	83
PID 1664 wrote to memory of 1244	1664	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a6a99e8a6fcbe045c612869b31e73dac5c536d0c42d913c019c7b7e8bca5a6c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a6a99e8a6fcbe045c612869b31e73dac5c536d0c42d913c019c7b7e8bca5a6c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\My Videos\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2044
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:532
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2956
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2868
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat"
        12⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1816
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        14⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2200
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat"
        16⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2880
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat"
        18⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2292
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat"
        20⤵
        
        PID:3060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2240
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat"
        22⤵
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:264
        
        C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe
        
        "C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat"
        24⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Documents\My Videos\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Documentation\1033\License Agreements\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5474bfac8ef29c6d6e35be5465406d33

SHA1
5c63c3bad02a22ca785d0e54eaff8a3b98a2e8be

SHA256
48086f16e353df7020a2156f1358a17c12d4bf595f39b278b2d0d05448b3f44c

SHA512
c03d06a56ba2beb7f7062f8aadfb9f103d0ee2a1ee752d7d68e62eeaefaaa731c6f2c2870706236bb7c4de2764df92a3f230c96087d9a26a8bd6255c7b5eea4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
434dc26c893e69c5fa078aa0c95db554

SHA1
da8c1447a7a25f51060e388720d0dd416448998c

SHA256
af9c9b5cf4a622f30b3839f5b9433255dd67db1c87b69dc73932e74649bf919b

SHA512
ad1e3ede6502a35b67aa3be3fc7b19aa5f8ad115fd9496c3af9148eb18d9a15cc8f23786a99494fd2d9bdf6f5016224cf2733ec4902100ef3167b1ee0f4f0a54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5135dcd09c15a5d128184ecacdc4fd64

SHA1
593a45a301fdea7cbf1b56a8a9d51a1cb41c43c5

SHA256
8b7b4651afeca0b0a19546ce103251f665ff1f485e8c596ba2c9adb2350353f3

SHA512
aa22971e9266c1a2cb6a8a695156debf1aa1c2889f945b89fab8162680826af59f6bfeb1e3649f0a9039a79b479e6ef8df8f7b71b48964ff68008297f422cf50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e8dc1c9210d358f073e22454264512b

SHA1
6295c6edee38c648f6ec9984fe84800b39187cdf

SHA256
25b8455fd3166c5119edb25dfc0e94504a7574b28d0fe0701f5a41b982deea3e

SHA512
6319b26826613db2636497061d7c898509621c7d3c8ef4d95dbba640ce803fc7c563ec959abfb14099ea54dbbb63c40d012c90c97c9c1a1195395b6c01c41cab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d7e20ea4347be99260ec9f06d629944

SHA1
ae9a0a89bf500e619f6df4fa49b073bcb5d614b8

SHA256
f8aa78428e149303a1f99f736feec237eeb47e91783f20f983d4f19a44f5eb2a

SHA512
f24f447e940076270b9e1ae37bdfaa33513019d478df8f4987a889265de2465eefcdb5a0f8ccae7ecf16052bd7cd40b9d3da8f09c7ded13a4ad7e324afaf5101

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cbbe81c3dfd466de6d3019e94eefac3c

SHA1
0a976a1f1d81a3e248e6663b186ffdc298521eda

SHA256
a61148b544586827b2ff8f2040a04c3c24aa02a6fd29347b73c9c5f10be96050

SHA512
75b5329bc748cf617e55408b4dd45b41b4338a40265b3e7defabb2386e9c56ec22428527a228d836b18c0a1e0032adf249393602e835e4c71ca1c0ab08693da1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
63557cf293738ea486151f93c98acf39

SHA1
0c14024ca39bedcc4083bdd933611400376d22b9

SHA256
166a19b64378ddcbeee1763529185dde370d8a066d5f0680f6792a7c3e69dd88

SHA512
afd986a52407c916fb9f5b310444e688d26f9fb924b77f2c102a198c5fdd0a459a50d4d90c520f9f06dece578a1faa44bb073c36c46a7a288ae80a1f80c3fb22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3255bea8a16402e857efb5b74e686b8

SHA1
90ca0b0ae2f8baf44cd42ebdc285f0a70cb1a87f

SHA256
53ade5c4daa18980afcbe78a6a55755fe954bd56539cee8afbc340b8b97c03b2

SHA512
bde59db5f88f9cad1f8200ebe9d10b2650fd7d5282243c8e19c1b4eff821f0ae9066fd1d07b8160c85824020210f2cc45d0a9d389dc511097fff7501f1ae41a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccbab9625dd2e1873c79f4d503e08bf4

SHA1
ec647cd646e259b937d4733ce1809ead88b40f3d

SHA256
02eb9c40261d7bfeb185d64ba39241e90c1b99b7cb59c6dce4eb51cdfe56480e

SHA512
7a71416ff4aef133545ab63fa23ce5f73f6a667a567c62ddddc806c0d004424dab6e08dda1584a42bfd04b010b9abb2e01bb36ff2cd01643ca424658aaddad7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\1hmmkqxEk5.bat

Filesize
248B

MD5
85a387f27525751bf39199d68fe5f8b5

SHA1
cb9dd016f47a1dfe5439d25b8193fc67031d8446

SHA256
676d55a035bcd4102528615ec83224f973ac3256bf55d75539a208a207387c2c

SHA512
398df2e55a90ded245e8a7dd7831111063ef61288c8273cba6b303037d71c1663104979585659471c6d0c8dfab654424f5a5028f1c1bd1f375eee607c9042ef7

Download Submit
C:\Users\Admin\AppData\Local\Temp\6qhkY4Aj1y.bat

Filesize
248B

MD5
8dd097b72225405b58ccc62e595489e3

SHA1
0bdc3521ae1a8937cf331a66e703c50ff5b82d4b

SHA256
04413b0e62da1f5ad8439300fc33e202a488f0b620dd9f4db0534342477c359e

SHA512
e3da0327eb6d71e4065b2580bca2aae05dbb5077a50fa27ebdcba56f9d32edab5128c9e60dd292baf33f45e6376671ad5c9ca62b108d885d2528bfe45de25100

Download Submit
C:\Users\Admin\AppData\Local\Temp\CZdmQsnKkU.bat

Filesize
248B

MD5
e2545520e0e303d21e9687af0cbe9bc5

SHA1
399078fc193320e2c2d992b6c71fe6242cea4012

SHA256
53126888719d7a3b48ab5a30eb30633f938d2254d29a00e88a5187f2c7fe8b4b

SHA512
8f993761b8a4596878fa46cc180e202a4e5b841a0519b2f9748c465c121d763acafbeae040a39fa13ece6b36e0f9c89149dfb1546750b2dc0b311cca849a3413

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3D22.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JCnMdX7E06.bat

Filesize
248B

MD5
cdfe9b3c9ef1c4b1442d520295f0a81c

SHA1
1bd6e19d7cf5f095b1542576fbaf452ab71238cf

SHA256
9503d845c60627194b7f1db5e62ea45db279e621f51e77ebf5a28ac195db97f1

SHA512
b6afa14a01e400f0ceb67f870d18298de5b17679d346fcbf3bac87b760689a1857174762612f7fb2d0fec73c3bafe7dc4cb24dd9cc3ac22ecc5604fd746f4c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
248B

MD5
198cfdc9aa05109956a0ee799a2ea589

SHA1
2e58cbaa07022347bbd6e2bbe0dc71de0ee1e1ed

SHA256
6881e7db035f46838dab8541175558669a283f9091bf5b01e1314fa5ffc99c1b

SHA512
848fb5b9beffaff41174d143983d9eae596615a57a62837b38e3695ebff04283f1bf2b1fc40e95b59f3fe2946fd691066227955a89d617806f59df8e509f9cdd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PfMhC4n1i0.bat

Filesize
248B

MD5
26b49a73e7254a63257d9d4c9498cf99

SHA1
bd0107a8c2f592135a1a0c06e803a27439f54340

SHA256
1093c6cef4d82844948837a4091ae1153d6f2ae3642cdc69fcdcdf785188f93c

SHA512
8122339134a94d1529e79f2345b431761f1c71b37e20cc7f60ec778f6e91e3ca81b028b06dd87d9eb6a8aa6c8794243f45420c8ce5550dd2b5dbe4f0715e9891

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D63.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
248B

MD5
0160b2c2023587ff89df254725826793

SHA1
095ffdf96d7aee5d8f6bc68c7c5d878e4a2188a5

SHA256
c325cdc178f508434843e791b420fe4108c064b4618e3b5ab10daa4ef42e3640

SHA512
0c81208166b3b2410576c499c8268f476e0f5da915b2c0519eaf57750e850ee4a14e5ba9dd50549ee958826677485d11c4f40f07d69fe51a5283fc1194f31780

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
248B

MD5
91670bcbdee351ac9bd9bd4a508df65d

SHA1
009e9c878128b5f0b63d267402d22765d2b55699

SHA256
73169ee4f549da875f6aa9ad73802135ac677c98ad4ca74816b2317bb7b7250d

SHA512
fde6ba931d16ade0891b61219a70ee43c85e3141af30636b17e595c7c00dc1cf72c32fe3efd8ec1c4f60d729c2f1ba9d6e7bbcbb871368e1097f91c75f924b52

Download Submit
C:\Users\Admin\AppData\Local\Temp\x1DfgQ9qXa.bat

Filesize
248B

MD5
ccd5a98cececc12b3fdb52c5dd76fbbc

SHA1
807a14ef1ea3b70e4d7e0d6b71c6c99a5510e5d9

SHA256
c3b9e939db8a66a0c6fe6d0ea6540eb1457f911c10cc7dd2ce88a055329c8160

SHA512
020c6135a416c0dd180a83ebf03efd60eaf8e367cf7b2601b470c2faf61360bd3b00997b097a14a94dac7922cd86075569572af08d71fdb8a91d55e596909a5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zHC6P4FzNT.bat

Filesize
248B

MD5
4d234571ec00ebfac071abfd4d305858

SHA1
7e84eeda508d68a524114b8a8eb1eacc1da34a50

SHA256
1057ef7b36f93d474df24557af19a49ea11b46722337da140dc520c713e791bc

SHA512
78727d15a9e3df85f603ee1b6b789cacd24476c6dc9ec17287fbdbac0ded259a8e5629488823159a3a12bc7f043cd4b82822f64739b6028c4a8b1a932b3ce695

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FZJZIXXP3X7QO4KK9ZCS.temp

Filesize
7KB

MD5
d07ac6068a622782aab8478dfd20317a

SHA1
84dec5b2e294a6970ffa28270fdda2f91fca7196

SHA256
047bab229e254cde8c2cabbcf6659675eb3704bdaf33105c402df8a28e949bc9

SHA512
ee4e1a66383ad9ac205923d384790e5e109f68311da38965f7a4e5defaa99714c23468740b781284238ba6a2c6bb0b9085a327c48cf0ac9a9fb8e47bd664635b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1660-496-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/1824-436-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2044-38-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/2208-376-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/2488-615-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2500-53-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2500-54-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/2684-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2684-13-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2684-15-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2684-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2684-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2800-138-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/3004-316-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download