dcrat | 4ca49fef971f07e86a3dc5e185d375b6281aab30eccef0b341566dd4cff75ceb

Analysis

max time kernel
147s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 19:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4ca49fef971f07e86a3dc5e185d375b6281aab30eccef0b341566dd4cff75ceb.exe
Size

1.3MB
MD5

8962a51d7731cf1ec1737457bf2ed826
SHA1

b72a3b826cd3e00660654a07463d1b55afa3cb79
SHA256

4ca49fef971f07e86a3dc5e185d375b6281aab30eccef0b341566dd4cff75ceb
SHA512

7cb63e338c493caa505fed9e07f5b25302c1756d34bbf75ac80dead1c2e22aed07c00b59733983b29c86ed07c6db690b462763be91b66b52c861e17f0e5822c3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1060	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2800	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2800	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000019326-9.dat	dcrat
behavioral1/memory/2812-13-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/1784-66-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/2260-153-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/2032-273-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/1544-333-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2476-393-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/2788-453-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/1168-513-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/2852-632-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1756	powershell.exe
2392	powershell.exe
2504	powershell.exe
2216	powershell.exe
1804	powershell.exe
820	powershell.exe
1952	powershell.exe
2096	powershell.exe
1368	powershell.exe
2460	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2812	DllCommonsvc.exe
1784	conhost.exe
2260	conhost.exe
2916	conhost.exe
2032	conhost.exe
1544	conhost.exe
2476	conhost.exe
2788	conhost.exe
1168	conhost.exe
2404	conhost.exe
2852	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	cmd.exe
2936	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
9	raw.githubusercontent.com
22	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Tasks\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4ca49fef971f07e86a3dc5e185d375b6281aab30eccef0b341566dd4cff75ceb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1668	schtasks.exe
2112	schtasks.exe
972	schtasks.exe
2976	schtasks.exe
1988	schtasks.exe
2344	schtasks.exe
2668	schtasks.exe
2784	schtasks.exe
952	schtasks.exe
2244	schtasks.exe
2352	schtasks.exe
2036	schtasks.exe
1196	schtasks.exe
3040	schtasks.exe
2472	schtasks.exe
2684	schtasks.exe
1060	schtasks.exe
2208	schtasks.exe
2452	schtasks.exe
2952	schtasks.exe
2992	schtasks.exe
2348	schtasks.exe
2872	schtasks.exe
2544	schtasks.exe
2732	schtasks.exe
3056	schtasks.exe
1768	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2812	DllCommonsvc.exe
1756	powershell.exe
1804	powershell.exe
1952	powershell.exe
2216	powershell.exe
2096	powershell.exe
2504	powershell.exe
820	powershell.exe
1784	conhost.exe
2460	powershell.exe
1368	powershell.exe
2392	powershell.exe
2260	conhost.exe
2916	conhost.exe
2032	conhost.exe
1544	conhost.exe
2476	conhost.exe
2788	conhost.exe
1168	conhost.exe
2404	conhost.exe
2852	conhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2812	DllCommonsvc.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1784	conhost.exe
Token: SeDebugPrivilege	820	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2260	conhost.exe
Token: SeDebugPrivilege	2916	conhost.exe
Token: SeDebugPrivilege	2032	conhost.exe
Token: SeDebugPrivilege	1544	conhost.exe
Token: SeDebugPrivilege	2476	conhost.exe
Token: SeDebugPrivilege	2788	conhost.exe
Token: SeDebugPrivilege	1168	conhost.exe
Token: SeDebugPrivilege	2404	conhost.exe
Token: SeDebugPrivilege	2852	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 572 wrote to memory of 2924	572	JaffaCakes118_4ca49fef971f07e86a3dc5e185d375b6281aab30eccef0b341566dd4cff75ceb.exe	29
PID 572 wrote to memory of 2924	572	JaffaCakes118_4ca49fef971f07e86a3dc5e185d375b6281aab30eccef0b341566dd4cff75ceb.exe	29
PID 572 wrote to memory of 2924	572	JaffaCakes118_4ca49fef971f07e86a3dc5e185d375b6281aab30eccef0b341566dd4cff75ceb.exe	29
PID 572 wrote to memory of 2924	572	JaffaCakes118_4ca49fef971f07e86a3dc5e185d375b6281aab30eccef0b341566dd4cff75ceb.exe	29
PID 2924 wrote to memory of 2936	2924	WScript.exe	30
PID 2924 wrote to memory of 2936	2924	WScript.exe	30
PID 2924 wrote to memory of 2936	2924	WScript.exe	30
PID 2924 wrote to memory of 2936	2924	WScript.exe	30
PID 2936 wrote to memory of 2812	2936	cmd.exe	32
PID 2936 wrote to memory of 2812	2936	cmd.exe	32
PID 2936 wrote to memory of 2812	2936	cmd.exe	32
PID 2936 wrote to memory of 2812	2936	cmd.exe	32
PID 2812 wrote to memory of 2392	2812	DllCommonsvc.exe	61
PID 2812 wrote to memory of 2392	2812	DllCommonsvc.exe	61
PID 2812 wrote to memory of 2392	2812	DllCommonsvc.exe	61
PID 2812 wrote to memory of 2504	2812	DllCommonsvc.exe	62
PID 2812 wrote to memory of 2504	2812	DllCommonsvc.exe	62
PID 2812 wrote to memory of 2504	2812	DllCommonsvc.exe	62
PID 2812 wrote to memory of 2216	2812	DllCommonsvc.exe	64
PID 2812 wrote to memory of 2216	2812	DllCommonsvc.exe	64
PID 2812 wrote to memory of 2216	2812	DllCommonsvc.exe	64
PID 2812 wrote to memory of 1952	2812	DllCommonsvc.exe	65
PID 2812 wrote to memory of 1952	2812	DllCommonsvc.exe	65
PID 2812 wrote to memory of 1952	2812	DllCommonsvc.exe	65
PID 2812 wrote to memory of 1756	2812	DllCommonsvc.exe	67
PID 2812 wrote to memory of 1756	2812	DllCommonsvc.exe	67
PID 2812 wrote to memory of 1756	2812	DllCommonsvc.exe	67
PID 2812 wrote to memory of 1804	2812	DllCommonsvc.exe	69
PID 2812 wrote to memory of 1804	2812	DllCommonsvc.exe	69
PID 2812 wrote to memory of 1804	2812	DllCommonsvc.exe	69
PID 2812 wrote to memory of 2460	2812	DllCommonsvc.exe	70
PID 2812 wrote to memory of 2460	2812	DllCommonsvc.exe	70
PID 2812 wrote to memory of 2460	2812	DllCommonsvc.exe	70
PID 2812 wrote to memory of 820	2812	DllCommonsvc.exe	71
PID 2812 wrote to memory of 820	2812	DllCommonsvc.exe	71
PID 2812 wrote to memory of 820	2812	DllCommonsvc.exe	71
PID 2812 wrote to memory of 2096	2812	DllCommonsvc.exe	72
PID 2812 wrote to memory of 2096	2812	DllCommonsvc.exe	72
PID 2812 wrote to memory of 2096	2812	DllCommonsvc.exe	72
PID 2812 wrote to memory of 1368	2812	DllCommonsvc.exe	73
PID 2812 wrote to memory of 1368	2812	DllCommonsvc.exe	73
PID 2812 wrote to memory of 1368	2812	DllCommonsvc.exe	73
PID 2812 wrote to memory of 1784	2812	DllCommonsvc.exe	81
PID 2812 wrote to memory of 1784	2812	DllCommonsvc.exe	81
PID 2812 wrote to memory of 1784	2812	DllCommonsvc.exe	81
PID 1784 wrote to memory of 1380	1784	conhost.exe	82
PID 1784 wrote to memory of 1380	1784	conhost.exe	82
PID 1784 wrote to memory of 1380	1784	conhost.exe	82
PID 1380 wrote to memory of 2316	1380	cmd.exe	84
PID 1380 wrote to memory of 2316	1380	cmd.exe	84
PID 1380 wrote to memory of 2316	1380	cmd.exe	84
PID 1380 wrote to memory of 2260	1380	cmd.exe	85
PID 1380 wrote to memory of 2260	1380	cmd.exe	85
PID 1380 wrote to memory of 2260	1380	cmd.exe	85
PID 2260 wrote to memory of 2284	2260	conhost.exe	86
PID 2260 wrote to memory of 2284	2260	conhost.exe	86
PID 2260 wrote to memory of 2284	2260	conhost.exe	86
PID 2284 wrote to memory of 2004	2284	cmd.exe	88
PID 2284 wrote to memory of 2004	2284	cmd.exe	88
PID 2284 wrote to memory of 2004	2284	cmd.exe	88
PID 2284 wrote to memory of 2916	2284	cmd.exe	89
PID 2284 wrote to memory of 2916	2284	cmd.exe	89
PID 2284 wrote to memory of 2916	2284	cmd.exe	89
PID 2916 wrote to memory of 2044	2916	conhost.exe	90

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ca49fef971f07e86a3dc5e185d375b6281aab30eccef0b341566dd4cff75ceb.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ca49fef971f07e86a3dc5e185d375b6281aab30eccef0b341566dd4cff75ceb.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:572
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2924
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2316
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2004
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat"
        10⤵
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2392
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        12⤵
        
        PID:1064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2668
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
        14⤵
        
        PID:1568
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2260
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
        16⤵
        
        PID:1308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1076
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        18⤵
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2996
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat"
        20⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2272
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
        22⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1704
        
        C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\Packages\Debugger\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Tasks\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a91a38ab436239155de5143f7719727d

SHA1
bfd1f62264b0aaa2c5e9befac7e24e9dead32bd5

SHA256
73ee4d861b427d0717e63f6fb54ae73cf19aafbcc1b4fc40e9530ef89ae7b174

SHA512
148012e05278297c7caf368d6a0c8e7233de1d7351fabdbe4f5265acc2997f392fde64a6bc41540451cfd33943add9caf98d2fa81a6abbf763de7800d5b2153e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d6427791b53f42411aae573a8e96603

SHA1
e0bf428fea0597a15d06de135ba912506d03f241

SHA256
c7d82223e69c83860b98b70528fdb9246938d7ded060469534514dd56a3d0bcd

SHA512
020e1eb31c315470201336023a0c73dc6f9df0c8c4b089c515dcd977e644a46ed5a661636cc1f2ac242a5f5d2d26c97fc5b249a7d2846f75637863a1f1d154c5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1068751f3b6dc00edc1dfbf023a15ec0

SHA1
c4a270b54d49befb12bdfccb3dc5e1f3f549a2d5

SHA256
95d24582a1f3fff032321ae6a073b14eeda9bc09b2109de32b5194412c97d234

SHA512
e94d0ea03b4e24f548e6a5417065e9928e306bfbdbfe3a41dcf4c1f41fdccf77d97fd8c4df756f33d7944f29087a79e13041f13a230b7cd8917ca0ee71470a47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a03992d0b119167a1c3a31479b35f69

SHA1
76a9833b8a28fb90b3ce1d352a09186a4b90e415

SHA256
4a14a4779fae9e1ebfcca9c92e5f5dfce2751b89fac8414d6515854d34d44e4f

SHA512
45247c26980481850f792abd4fdc8bb9eb338a124346e4978bff7803bfd9d5a1a9417787fdeeb49129ff61bea8f1324a9ef2a9b462e4b9762f16b270c1012e41

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0612e8ff3fe78dfd36590013269edfc

SHA1
7e955bde7edc51990c24edacd51f2b16956616e6

SHA256
6ad3d2713fe3f779744aef1a20425b7b9e4d023ea9ae9b156e489147f72e7700

SHA512
ff20fb8f935413a0271d53c1606b725037985c912cd77c64e330e173774d0444eaeff869489fc19671d030e1a9dea4f5a5e54e605c9b367a46cd04353b51e93c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2940d79a491d6be685ebc93422b7d20a

SHA1
555eebf5ac0f72fd2cfce1747711ec6c158cd044

SHA256
fef5cafc599668f54a58e5fafd5a887e8b97682235bff49c869475195eec4db9

SHA512
726e0491d18ec7f00b861ca7ddb0098318f89558f430aa3fb7f2c7fc2029ed85db3bb6f6c02aa4e315aa94b875a3ad44dadfa05d123370f0e036c520fa8ee585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e39e7114c3ca341b3501a18c3647d34d

SHA1
4a35d0479a6b106b91d7f9576c0718596207286f

SHA256
16c8ac738b837f6c4e8ab02036783565f3353e76c52cc53f9f22bd4e4b6371b0

SHA512
036f3c66e21e320b1229ac2d0371b9a4cda832c87978bb11e902b55d7dee2920e3fc7a34e7aaeddb1618624ded82c7c9fe3d233bf3d2d55d36fe905763b603ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8dbd550f5c98eb8484e3fe286fd4ec41

SHA1
3e2769ff6ce6d6a94fb0353bbd2bbb9e3054a899

SHA256
6a3b26d86bd1f165a8b76d126f0234b689b0507efba80585c3cd9deb718e60c8

SHA512
ff67cb71e38761d69951d45c8192ea28a6654a453e75eb8d0e0f671dbd51bb7cdc7a86c8e836080fe4d09b4b36fce3a5f5ffa058b586ed71e65d44de1c55619e

Download Submit
C:\Users\Admin\AppData\Local\Temp\18eSMsDQCm.bat

Filesize
239B

MD5
39d6ac7a787f3ab9b3ff095df938920c

SHA1
506e7194e06c2d4ab6d112a3b34718f99c1c7738

SHA256
2e7ef94e14f1b079c4d86fd99a1eaad2b11dc6aba76a5974dd03d7ab065a1a0e

SHA512
79406067ece4802a63611d8065706f66f0cc088e7020716199f68302419a76ea4c746182bc4bb6f4e03cd39d3d15b499afd795acfe07cbbccd3c5054989c3deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab96C5.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DJG58brWjr.bat

Filesize
239B

MD5
db69293a6d2d564f819e0c31d0e9d6e3

SHA1
797ac72e1843aa35878fb253d436404c19516ec2

SHA256
f10d7a803b35c0458f77b2123d2281aa035409a7d12933aaf81d99bc2599ec41

SHA512
e2e2e4634e16e4d160026abb2af07586508e269372e9c79b956634bdae892127f58e0b6c8206c40000262283fde3b65df4075542090700f834c4107548aad941

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
239B

MD5
cc22457f4d0a4e1422f789ed3e1e9a3e

SHA1
5293f65324892483b305f170a0b327e920ecbe67

SHA256
6887f6f11a11a9f33be31a1e9c6c8bdf2f11331894170e36de92dc79b39d1c74

SHA512
8bd55c49a2553b47ddd63d066012daf02a519b28dc381df608fe4269277039442987d72c247a26ba40e0bcf3d93446474211617fefee2ec408beb36474c71834

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
239B

MD5
4f57d478362c85a2215aa91bd5d4e899

SHA1
1ac3db7100c4be85bf05023d5f4b9dd95bfd7e28

SHA256
ef74ecaf00580cd6506e842653c9cfa931c74b02771ed37d275c1ba5d97cbffb

SHA512
20adbbec3b84a2368ff140ed0e2451e537495e75804aa22abfaa2b2f22c0cd18520d18168339bd640834d1a184981704d541e0b577db0acbdfb5db52e245660a

Download Submit
C:\Users\Admin\AppData\Local\Temp\NDsGBfOUR3.bat

Filesize
239B

MD5
a4a407192d5f7719cbae3103f8b4744a

SHA1
287d371dc535ed66b6fd864d5da83144cb38a760

SHA256
623b1f763549a0035850558e3444db697eef854777d258fc8e4ed9fc981da406

SHA512
685e1933ddd07cf8f1e4915a4bae7357df5e32c40918039ae4e9b204b5dc037149108b8d4dfa4e85bfeb5eb857033879f50010a1491051a525757535369c9df1

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar96D8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

Filesize
239B

MD5
d06228ddeb9f50f92a3b843f2946579c

SHA1
25e07b00a4fdd18e677b26b7ada11d40ef9da30f

SHA256
b25c830f6f87ba20b1906f7db222e20edc06b6ea95e8937b0658501e2a34d6f6

SHA512
679fefb514c9a7fbbde825faf9eade0ac38daa06a435bd1913b7c24506616400628f1d67bad551e59a02b7d30a7fb0c6a5ae0544db6bfd1c16497422be95ab8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbMo3XBCxD.bat

Filesize
239B

MD5
eb3dc5ceea2d098ac6262f2df67e7c49

SHA1
3e7ca781c10cb7116d7fe7a22595ee4ca6607d85

SHA256
4da14de96feea81b17c4f3c033cce7ca1bf4d84c432a325517a9e9c715410619

SHA512
d69961d5e3405ebaa55140345739471189d21708b92fca8b6823c648e900c840945f04cbbcd5f64217807d54b7180d331c3c04a8722322a6a6aaedc5a2a9772d

Download Submit
C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

Filesize
239B

MD5
1c1aa7910da832813f0c0c3ffb1642ce

SHA1
8239de71f104178368e16edccb327e0a456ed51a

SHA256
f5cf6ecc3bf158fcde49f48bbb511307aa369ecf39b9aff3dc19de3049173d47

SHA512
9c2d8083d8ad2dce2e75933af143be31dee96f877e8ef2fd0f608fd3bb4fa83e849bbcd51cc725a1d6deb35ce3837dfbe9fb3e61017ae8619624e8ba568e48ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

Filesize
239B

MD5
b7054734c367c676e2d5fb7fa40d8fde

SHA1
4cc5c1c6161ba15563843163325066b62db9d6a8

SHA256
bf77f41c9a396f8bf13c66d41f2e05c2544c19bffa14add2ee43aa9f8b58ec6e

SHA512
3e5017d24016082a67a72216ac9acdd1560140a99536b271b5092c5b11e08735e99ebd2707f96eb2a154bb18fee665c4e9263312798f1d5273889da47594242c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e8e317433c61edf786607531cb31578a

SHA1
23a01bd41ef32080f5807d08be825270932b0c77

SHA256
3d38133553d6f1a92fea011740176085deae4fe667801e4281313ff2fe5c4578

SHA512
f8d2f6ae000cb2665429f80ed48bd3d338db61ef58ea6b27733635691c955b4a44360da14e645d1919df4e69e8a1d75478043914cdd734a9dc47ea86558f54d7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1168-513-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/1544-333-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/1756-73-0x0000000001F30000-0x0000000001F38000-memory.dmp

Filesize
32KB

Download
memory/1784-66-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/1784-79-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2032-273-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/2216-68-0x000000001B3B0000-0x000000001B692000-memory.dmp

Filesize
2.9MB

Download
memory/2260-153-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2476-393-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-453-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2812-13-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/2812-15-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2812-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2812-16-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2812-17-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2852-632-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/2916-213-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download