dcrat | 8349584eee82c56a2b58dfb752b4a854390b4ad51d8304830aeb4ba4a2f9d2c9

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 18:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8349584eee82c56a2b58dfb752b4a854390b4ad51d8304830aeb4ba4a2f9d2c9.exe
Size

1.3MB
MD5

c4ab913ffb3487531d4f472888ee127f
SHA1

6f0b8bc499748aa3c2e0ff59678ba49a101338b5
SHA256

8349584eee82c56a2b58dfb752b4a854390b4ad51d8304830aeb4ba4a2f9d2c9
SHA512

753d998a1ca377050bbd1682e1d641c714da4d4d815d3e0cf3a9bd2267ec52d39c85c1f40d2e24553b8ccdcaaa1a41f27fa345c112d414faab22e331a7bb3e7d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2776	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2776	schtasks.exe	33

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000018b05-9.dat	dcrat
behavioral1/memory/2844-13-0x0000000000EA0000-0x0000000000FB0000-memory.dmp	dcrat
behavioral1/memory/2960-94-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/1004-153-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/2288-272-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/3060-332-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/1464-451-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2592-512-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2576	powershell.exe
2620	powershell.exe
660	powershell.exe
1552	powershell.exe
1968	powershell.exe
2056	powershell.exe
976	powershell.exe
1776	powershell.exe
2216	powershell.exe
2052	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2844	DllCommonsvc.exe
2960	lsass.exe
1004	lsass.exe
2468	lsass.exe
2288	lsass.exe
3060	lsass.exe
1608	lsass.exe
1464	lsass.exe
2592	lsass.exe
2244	lsass.exe
2252	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2336	cmd.exe
2336	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
20	raw.githubusercontent.com
24	raw.githubusercontent.com
34	raw.githubusercontent.com
9	raw.githubusercontent.com
17	raw.githubusercontent.com
13	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\DataStore\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\diagnostics\system\Search\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\fr-FR\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8349584eee82c56a2b58dfb752b4a854390b4ad51d8304830aeb4ba4a2f9d2c9.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2016	schtasks.exe
1448	schtasks.exe
1168	schtasks.exe
3044	schtasks.exe
2192	schtasks.exe
2512	schtasks.exe
2728	schtasks.exe
2784	schtasks.exe
3028	schtasks.exe
2452	schtasks.exe
2200	schtasks.exe
2348	schtasks.exe
1616	schtasks.exe
2600	schtasks.exe
2396	schtasks.exe
2588	schtasks.exe
2812	schtasks.exe
3020	schtasks.exe
1020	schtasks.exe
1144	schtasks.exe
1916	schtasks.exe
2540	schtasks.exe
1524	schtasks.exe
1768	schtasks.exe
1064	schtasks.exe
2508	schtasks.exe
2424	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
2844	DllCommonsvc.exe
1968	powershell.exe
2216	powershell.exe
2576	powershell.exe
976	powershell.exe
1776	powershell.exe
660	powershell.exe
2052	powershell.exe
2620	powershell.exe
1552	powershell.exe
2056	powershell.exe
2960	lsass.exe
1004	lsass.exe
2468	lsass.exe
2288	lsass.exe
3060	lsass.exe
1608	lsass.exe
1464	lsass.exe
2592	lsass.exe
2244	lsass.exe
2252	lsass.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2844	DllCommonsvc.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2576	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	660	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2960	lsass.exe
Token: SeDebugPrivilege	1004	lsass.exe
Token: SeDebugPrivilege	2468	lsass.exe
Token: SeDebugPrivilege	2288	lsass.exe
Token: SeDebugPrivilege	3060	lsass.exe
Token: SeDebugPrivilege	1608	lsass.exe
Token: SeDebugPrivilege	1464	lsass.exe
Token: SeDebugPrivilege	2592	lsass.exe
Token: SeDebugPrivilege	2244	lsass.exe
Token: SeDebugPrivilege	2252	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2448	2124	JaffaCakes118_8349584eee82c56a2b58dfb752b4a854390b4ad51d8304830aeb4ba4a2f9d2c9.exe	29
PID 2124 wrote to memory of 2448	2124	JaffaCakes118_8349584eee82c56a2b58dfb752b4a854390b4ad51d8304830aeb4ba4a2f9d2c9.exe	29
PID 2124 wrote to memory of 2448	2124	JaffaCakes118_8349584eee82c56a2b58dfb752b4a854390b4ad51d8304830aeb4ba4a2f9d2c9.exe	29
PID 2124 wrote to memory of 2448	2124	JaffaCakes118_8349584eee82c56a2b58dfb752b4a854390b4ad51d8304830aeb4ba4a2f9d2c9.exe	29
PID 2448 wrote to memory of 2336	2448	WScript.exe	30
PID 2448 wrote to memory of 2336	2448	WScript.exe	30
PID 2448 wrote to memory of 2336	2448	WScript.exe	30
PID 2448 wrote to memory of 2336	2448	WScript.exe	30
PID 2336 wrote to memory of 2844	2336	cmd.exe	32
PID 2336 wrote to memory of 2844	2336	cmd.exe	32
PID 2336 wrote to memory of 2844	2336	cmd.exe	32
PID 2336 wrote to memory of 2844	2336	cmd.exe	32
PID 2844 wrote to memory of 2056	2844	DllCommonsvc.exe	61
PID 2844 wrote to memory of 2056	2844	DllCommonsvc.exe	61
PID 2844 wrote to memory of 2056	2844	DllCommonsvc.exe	61
PID 2844 wrote to memory of 976	2844	DllCommonsvc.exe	62
PID 2844 wrote to memory of 976	2844	DllCommonsvc.exe	62
PID 2844 wrote to memory of 976	2844	DllCommonsvc.exe	62
PID 2844 wrote to memory of 2052	2844	DllCommonsvc.exe	63
PID 2844 wrote to memory of 2052	2844	DllCommonsvc.exe	63
PID 2844 wrote to memory of 2052	2844	DllCommonsvc.exe	63
PID 2844 wrote to memory of 1776	2844	DllCommonsvc.exe	64
PID 2844 wrote to memory of 1776	2844	DllCommonsvc.exe	64
PID 2844 wrote to memory of 1776	2844	DllCommonsvc.exe	64
PID 2844 wrote to memory of 2576	2844	DllCommonsvc.exe	65
PID 2844 wrote to memory of 2576	2844	DllCommonsvc.exe	65
PID 2844 wrote to memory of 2576	2844	DllCommonsvc.exe	65
PID 2844 wrote to memory of 1968	2844	DllCommonsvc.exe	66
PID 2844 wrote to memory of 1968	2844	DllCommonsvc.exe	66
PID 2844 wrote to memory of 1968	2844	DllCommonsvc.exe	66
PID 2844 wrote to memory of 2216	2844	DllCommonsvc.exe	67
PID 2844 wrote to memory of 2216	2844	DllCommonsvc.exe	67
PID 2844 wrote to memory of 2216	2844	DllCommonsvc.exe	67
PID 2844 wrote to memory of 1552	2844	DllCommonsvc.exe	69
PID 2844 wrote to memory of 1552	2844	DllCommonsvc.exe	69
PID 2844 wrote to memory of 1552	2844	DllCommonsvc.exe	69
PID 2844 wrote to memory of 2620	2844	DllCommonsvc.exe	71
PID 2844 wrote to memory of 2620	2844	DllCommonsvc.exe	71
PID 2844 wrote to memory of 2620	2844	DllCommonsvc.exe	71
PID 2844 wrote to memory of 660	2844	DllCommonsvc.exe	73
PID 2844 wrote to memory of 660	2844	DllCommonsvc.exe	73
PID 2844 wrote to memory of 660	2844	DllCommonsvc.exe	73
PID 2844 wrote to memory of 1488	2844	DllCommonsvc.exe	81
PID 2844 wrote to memory of 1488	2844	DllCommonsvc.exe	81
PID 2844 wrote to memory of 1488	2844	DllCommonsvc.exe	81
PID 1488 wrote to memory of 2924	1488	cmd.exe	83
PID 1488 wrote to memory of 2924	1488	cmd.exe	83
PID 1488 wrote to memory of 2924	1488	cmd.exe	83
PID 1488 wrote to memory of 2960	1488	cmd.exe	84
PID 1488 wrote to memory of 2960	1488	cmd.exe	84
PID 1488 wrote to memory of 2960	1488	cmd.exe	84
PID 2960 wrote to memory of 2928	2960	lsass.exe	85
PID 2960 wrote to memory of 2928	2960	lsass.exe	85
PID 2960 wrote to memory of 2928	2960	lsass.exe	85
PID 2928 wrote to memory of 1932	2928	cmd.exe	87
PID 2928 wrote to memory of 1932	2928	cmd.exe	87
PID 2928 wrote to memory of 1932	2928	cmd.exe	87
PID 2928 wrote to memory of 1004	2928	cmd.exe	88
PID 2928 wrote to memory of 1004	2928	cmd.exe	88
PID 2928 wrote to memory of 1004	2928	cmd.exe	88
PID 1004 wrote to memory of 2164	1004	lsass.exe	89
PID 1004 wrote to memory of 2164	1004	lsass.exe	89
PID 1004 wrote to memory of 2164	1004	lsass.exe	89
PID 2164 wrote to memory of 1716	2164	cmd.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8349584eee82c56a2b58dfb752b4a854390b4ad51d8304830aeb4ba4a2f9d2c9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8349584eee82c56a2b58dfb752b4a854390b4ad51d8304830aeb4ba4a2f9d2c9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:660
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZ3uyAIjIU.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1488
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2924
      - C:\Windows\Performance\WinSAT\DataStore\lsass.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1932
        
        C:\Windows\Performance\WinSAT\DataStore\lsass.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1716
        
        C:\Windows\Performance\WinSAT\DataStore\lsass.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat"
        11⤵
        
        PID:456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2084
        
        C:\Windows\Performance\WinSAT\DataStore\lsass.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        13⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:540
        
        C:\Windows\Performance\WinSAT\DataStore\lsass.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
        15⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1692
        
        C:\Windows\Performance\WinSAT\DataStore\lsass.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
        17⤵
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2384
        
        C:\Windows\Performance\WinSAT\DataStore\lsass.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat"
        19⤵
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2536
        
        C:\Windows\Performance\WinSAT\DataStore\lsass.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat"
        21⤵
        
        PID:1448
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1160
        
        C:\Windows\Performance\WinSAT\DataStore\lsass.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat"
        23⤵
        
        PID:1220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:948
        
        C:\Windows\Performance\WinSAT\DataStore\lsass.exe
        
        "C:\Windows\Performance\WinSAT\DataStore\lsass.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\v3.5\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\PolicyDefinitions\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\PolicyDefinitions\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\TextConv\de-DE\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\DataStore\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b67e5cc83e4f81faa419c828b9fbddbd

SHA1
708afbc3ee0d3d37f160615ea29618ca19fda2a2

SHA256
57bf329675448dada2df71913ef388d8337eb933d07df5c478dd6f3f7c9d3284

SHA512
b7488df31ed1e237412dacac1ee3f76f0e0cda248b3bf2421a9116e865f35dec8b4fd83c44118cd6b3cc8db53fcebc1993be87d6e98d71572160103583489099

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
013fecc0f28d26fb2f5b2eabf6b891c8

SHA1
0532ad292793eba2059d6f938aebb1533130bd4c

SHA256
643e70bbb9465d1b2793b5b1984d6fba2e89571f3e064d53f8e208a47dabfa95

SHA512
d01dac4d66b95403ce2d43ff3f0ab99b389f61e1ade9da704c82f62ff76bebc4c4f1cfe1d022d03f02f1798051d807f6a613347dc254f0a6229c656ab4e27d03

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7960459ac20eb117e5be80c4a062e3e6

SHA1
6aeeaacce50fdfdb949d39b610978f0b0fcc22f6

SHA256
001fb61a9e1ca49d51e770c75bd710e0f6cec070249b0d558a6ceb4af428243e

SHA512
23593a2cf7d5fd82ced9a5259a087acd8607d0c7172c34faebfd1051b1b19b7ad98ba7ceb6f7a47dea06f84371ccd3ecf401d9ceeb4e92b9d46f28b53375b147

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39c33b8feae49722ba1675ffaf2248ad

SHA1
260b44072133001363fe011c24f9c0869bde23db

SHA256
e508ffb80c3bbb3f000cef2a016537f1ab65cf47876d97c296bb5ffe3bb9010e

SHA512
222a779139b3146071a5ea4fc222fb391064261c84e1782c326cc3258ef1e0e4c21bfec74e3939a9a5134f5c3353c364c1987ac5fd3e3f195d8513c3b9acec39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa54b415e3accdde3fe43990add52997

SHA1
3560d2ee99c0b1ee8eb8f7df3126d7194d87660e

SHA256
7efa0fc1d8d82658d78181991f81682e5861bc2a5c0816e6b9b2ba930de77014

SHA512
71a1a31f742c62f3526e2393c8aa4b3663e5201c3d984fec2c833bf8170fc68c11a3ff689e3aab3d00bf984b875b8b64e203ddc74ab50f5f93e0560a4f58e336

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f6f67a66e9c3ce74e471605fd79bd88

SHA1
c0d73119fca49f2ad6c6221667f1d7d753ed7bd9

SHA256
3a8eaa90b33a4875a4605a6f336aebe4428e387752664581a4446cb41a89db09

SHA512
0222f21388c64f8ee684ff33484fb9ddf1a4ff6b9d43c15e994aba312c1d3f88503bcfc3c850e2b0b5a2d914f779720571e4ec32448c4dd263410a4ed4d78811

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e11f5a28b6212de5ffb444259e42a29a

SHA1
d35bfbeed9227e9e4f8be096b7e2584ae66c645f

SHA256
85edafc6d0416fbb33770630020eb161ac533cb5483deace651e24fca08a125a

SHA512
7297873f2fc3a44004ebf19982cc786464b6920e046a31dd8d7acc92f836243d081e1dc0c9908308070b50aa1f58412b8a4e09cf00d77f5ec9c2da0b5dfe2462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22083b90d3eb04f8878c6b9c325dfa59

SHA1
b08e1001321505d8e72f192ff56839209b79008d

SHA256
5939265815a08993d2f8ad5b22e6a0c60a36dee6737333d74492532144e0b51a

SHA512
7cb0498fbb1b6f0430204282796afc32b56fbd09a6f2fc2385c012524424c003b453c7b9d4784ebed0c9194dfee601250d0f6c568e99623bb92a4400894c26f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\12JaEZR6zX.bat

Filesize
214B

MD5
e2646cd71a4fb655183f4d01cc7e68db

SHA1
b295e831d33875ebf5275f7389667ff2ffe67b1f

SHA256
c7236b1206257826288bf7835f946322e0ec6fe09a6a89eee82893d7445e5f2b

SHA512
8f46887eb86053b95d135e4100761928202be258f02a3bcf5507e2e0db221db0c03fcaee5bc347dd76affab373d3848ffaf009038ae7d770c659e20b5fbd384f

Download Submit
C:\Users\Admin\AppData\Local\Temp\3dopRv074r.bat

Filesize
214B

MD5
a5db1bf8fba963092aab71d9149018f0

SHA1
096026307469dc0fefb9ecda3cfa419ce457abc2

SHA256
ed8c9e2fc92b8d897854887afd0062df3c90a5be992f0232c86f49dfa13d366b

SHA512
c811fc5dd11abac59a0b3a77777aaef783b3697989a8a0600f01d84917e11d49baa77b03d4fa141a3335a5486258dcea59ab26ae298120bdf06e76948d9489b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\7kLsQlNPpi.bat

Filesize
214B

MD5
29bd268b5ec95e36ecc0a70d21941040

SHA1
ddd793a994ef867c23cddb0644eeffcfe649de52

SHA256
5990cb35cf7bf941deedf181c4ddec3bb14fa87b344967a169757f4dbc716dc1

SHA512
4128bf3cdc87e70b6c493e4e2668008fd274f2cf1a3c75092bea147c68ff23b2bec385acde501b250b49dd0a16be6779106c0fbd6f40619a81ad602e048416a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9484.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DXR1U0Y5m3.bat

Filesize
214B

MD5
1572ed03b99db9ba454b5a151fd434ef

SHA1
cdf03aa0822467a6971082ce02ff389d006f4342

SHA256
e2c16d2f0f256c91eedeae4a80191dee8f78752fb8628827062fea184f41f50e

SHA512
d2e6b0834692aaa0074992cffeddd21dfc0cf2967e248e2a3d5509c85844416b6482bd30b806aedba49afd011c89a831ee0b96a0366a20f4d325f2318b43e1f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

Filesize
214B

MD5
59f50d7269bd1d777380ed73a2f545d7

SHA1
4c2ad791dd2782cd96d3f4761c0b1ae5dd38e4e5

SHA256
e1cd21b693164271092e98cb2e0559ef0cfd3c38356de0ec69164c518afe039d

SHA512
ba03f658db86380df5d78699cedb1a602fd5070b660f8511c2b84204377a4be06444e7015042b22dba414c03f6c89f5426c6afe27142b8ad62dbd219d8e366f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\I0OceA6Xfh.bat

Filesize
214B

MD5
c89866c17c117faf7c4cf844444598a9

SHA1
765e5695da4f3bdd1993fec9e38c61ddef936554

SHA256
8e3ff06db4c1f8e59235a3b2cd18ace65e1a438409cf9c991426a80f4231a1d4

SHA512
3394e6ee26ea95d3d98b7dad23f8f3e3111442169d025c7afbf66ec2f24ebd0f51b54a2b392b6a06f272cf6ad86e73d34289d62f9038cc23852e7ed4eceedb85

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9497.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

Filesize
214B

MD5
03f3a178595866f37d6451652a5da207

SHA1
2aac41eae8ef81eb54d5e279b7391796969ebfb0

SHA256
b730d7dfc6c08d65d7367934e5981e13903c38d903d72f7a250e1bb0649e5cd3

SHA512
58eb682898f240eb62a8d4226f2739561422b6a8b6c6e2043e8f672a935299163ead936014c1636f550484666ff0e315ae61ba86ff5c505b6b7dc1964b528d6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
214B

MD5
7260a12e33d85e83f011b065973089d6

SHA1
0e9b24d192aaf4e079e749993b4caefb3c0b797a

SHA256
8f99b127f29c87a84d66e9465458d03cd86c2df1991334cc15b35fb07728a2ea

SHA512
a9d2fa0e01472accf6d4efdd2f616942da30702586b33d23c0bdfa7d8240d2c9fb87fd3bcaba015cc658d8b1b4f7cfede0d6c401aa54c51124487c264a614f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ewVMycoP0v.bat

Filesize
214B

MD5
68b7c116db482092436fa37c55a0f947

SHA1
3fde4f0f525ba0bfce793cdb6b8f3a96194b8e0b

SHA256
60ff3a9a45919b589b819a4cd2bf84a92d483a441cef6096d8c8c04e8db77c35

SHA512
8565f226a5921b916654658746d9c3a983efb0bb8b27c058e69134680b31da918382bc077bf6af1915ba9b452af6775d9a23da4d44f439cab116b3b4305a790c

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZ3uyAIjIU.bat

Filesize
214B

MD5
ae791dd9a743fbdf575d785718181b6f

SHA1
bf5547508d962fe4ffcfdbc7ea4dd13b9bc29b3d

SHA256
add579197446f89352d13c931c62b2e1922f2c717639349b55e52c26060d8bb4

SHA512
b9fb9d74a03693e8824ccc50000198d6d2d6ff4f160673676b40cd1b49569982a131ca8a78b0083c36cefa12af2ec593dfa236e74ef162bbf3015245b3f815af

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
5eee5483e876ce7444c7702218b12341

SHA1
a87fd6240198a7a67911816c8ada3e850c9f14f1

SHA256
5ae1fa3aa008b5a73cb695b4182d5fe571c37d478d312f1fa45241a25c48a17f

SHA512
c8d64485ecc544247047dec6f78103684136285f8f6603b3c051763db2da05d3bb9d64ca7ea9704985bc172fa39534d4a32c35528a6447b07cc8e70882f25474

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/660-90-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/1004-153-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/1464-451-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/1464-452-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2216-91-0x0000000002220000-0x0000000002228000-memory.dmp

Filesize
32KB

Download
memory/2288-272-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2592-512-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/2844-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2844-13-0x0000000000EA0000-0x0000000000FB0000-memory.dmp

Filesize
1.1MB

Download
memory/2844-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2844-16-0x000000001ACA0000-0x000000001ACAC000-memory.dmp

Filesize
48KB

Download
memory/2844-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2960-94-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/3060-332-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download