dcrat | da2d4fed597440383981256d1ef2596a49d6ab11546d2cf36f0455aca91c6d13

Analysis

max time kernel
149s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 19:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_da2d4fed597440383981256d1ef2596a49d6ab11546d2cf36f0455aca91c6d13.exe
Size

1.3MB
MD5

a6f5880c202f898ded173505470d2a58
SHA1

3df648b02882775c80c90c00b17cc5adb4bb0c8a
SHA256

da2d4fed597440383981256d1ef2596a49d6ab11546d2cf36f0455aca91c6d13
SHA512

9d440af0c8af5ef0231cb00ea74d9d3e70695e42207a73a98beede309e98a03e907b6cdfa7f77b08596c09cfa0671b67e0d57e42ba468213f8d78730393ce32b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2800	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2800	schtasks.exe	35

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018687-12.dat	dcrat
behavioral1/memory/1868-13-0x0000000000940000-0x0000000000A50000-memory.dmp	dcrat
behavioral1/memory/2408-80-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2840-139-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/1772-199-0x0000000000BF0000-0x0000000000D00000-memory.dmp	dcrat
behavioral1/memory/3000-259-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/2856-319-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/1868-438-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/1604-498-0x0000000000BA0000-0x0000000000CB0000-memory.dmp	dcrat
behavioral1/memory/760-617-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/memory/1500-678-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/2892-739-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe
2228	powershell.exe
2296	powershell.exe
2224	powershell.exe
2824	powershell.exe
2940	powershell.exe
2864	powershell.exe
2260	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1868	DllCommonsvc.exe
2408	conhost.exe
2840	conhost.exe
1772	conhost.exe
3000	conhost.exe
2856	conhost.exe
2280	conhost.exe
1868	conhost.exe
1604	conhost.exe
2392	conhost.exe
760	conhost.exe
1500	conhost.exe
2892	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2124	cmd.exe
2124	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
38	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
25	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\de-DE\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\DllCommonsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\Multiplayer\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\lsm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_da2d4fed597440383981256d1ef2596a49d6ab11546d2cf36f0455aca91c6d13.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2628	schtasks.exe
2168	schtasks.exe
2432	schtasks.exe
1164	schtasks.exe
2692	schtasks.exe
2680	schtasks.exe
1632	schtasks.exe
1160	schtasks.exe
2936	schtasks.exe
2652	schtasks.exe
2464	schtasks.exe
1064	schtasks.exe
2972	schtasks.exe
2664	schtasks.exe
1092	schtasks.exe
1984	schtasks.exe
2820	schtasks.exe
2000	schtasks.exe
1720	schtasks.exe
1284	schtasks.exe
2008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1868	DllCommonsvc.exe
2260	powershell.exe
2296	powershell.exe
2864	powershell.exe
2228	powershell.exe
2940	powershell.exe
2224	powershell.exe
2824	powershell.exe
2140	powershell.exe
2408	conhost.exe
2840	conhost.exe
1772	conhost.exe
3000	conhost.exe
2856	conhost.exe
2280	conhost.exe
1868	conhost.exe
1604	conhost.exe
2392	conhost.exe
760	conhost.exe
1500	conhost.exe
2892	conhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1868	DllCommonsvc.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2296	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2408	conhost.exe
Token: SeDebugPrivilege	2840	conhost.exe
Token: SeDebugPrivilege	1772	conhost.exe
Token: SeDebugPrivilege	3000	conhost.exe
Token: SeDebugPrivilege	2856	conhost.exe
Token: SeDebugPrivilege	2280	conhost.exe
Token: SeDebugPrivilege	1868	conhost.exe
Token: SeDebugPrivilege	1604	conhost.exe
Token: SeDebugPrivilege	2392	conhost.exe
Token: SeDebugPrivilege	760	conhost.exe
Token: SeDebugPrivilege	1500	conhost.exe
Token: SeDebugPrivilege	2892	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2348	2080	JaffaCakes118_da2d4fed597440383981256d1ef2596a49d6ab11546d2cf36f0455aca91c6d13.exe	31
PID 2080 wrote to memory of 2348	2080	JaffaCakes118_da2d4fed597440383981256d1ef2596a49d6ab11546d2cf36f0455aca91c6d13.exe	31
PID 2080 wrote to memory of 2348	2080	JaffaCakes118_da2d4fed597440383981256d1ef2596a49d6ab11546d2cf36f0455aca91c6d13.exe	31
PID 2080 wrote to memory of 2348	2080	JaffaCakes118_da2d4fed597440383981256d1ef2596a49d6ab11546d2cf36f0455aca91c6d13.exe	31
PID 2348 wrote to memory of 2124	2348	WScript.exe	32
PID 2348 wrote to memory of 2124	2348	WScript.exe	32
PID 2348 wrote to memory of 2124	2348	WScript.exe	32
PID 2348 wrote to memory of 2124	2348	WScript.exe	32
PID 2124 wrote to memory of 1868	2124	cmd.exe	34
PID 2124 wrote to memory of 1868	2124	cmd.exe	34
PID 2124 wrote to memory of 1868	2124	cmd.exe	34
PID 2124 wrote to memory of 1868	2124	cmd.exe	34
PID 1868 wrote to memory of 2824	1868	DllCommonsvc.exe	57
PID 1868 wrote to memory of 2824	1868	DllCommonsvc.exe	57
PID 1868 wrote to memory of 2824	1868	DllCommonsvc.exe	57
PID 1868 wrote to memory of 2940	1868	DllCommonsvc.exe	58
PID 1868 wrote to memory of 2940	1868	DllCommonsvc.exe	58
PID 1868 wrote to memory of 2940	1868	DllCommonsvc.exe	58
PID 1868 wrote to memory of 2864	1868	DllCommonsvc.exe	59
PID 1868 wrote to memory of 2864	1868	DllCommonsvc.exe	59
PID 1868 wrote to memory of 2864	1868	DllCommonsvc.exe	59
PID 1868 wrote to memory of 2260	1868	DllCommonsvc.exe	60
PID 1868 wrote to memory of 2260	1868	DllCommonsvc.exe	60
PID 1868 wrote to memory of 2260	1868	DllCommonsvc.exe	60
PID 1868 wrote to memory of 2140	1868	DllCommonsvc.exe	61
PID 1868 wrote to memory of 2140	1868	DllCommonsvc.exe	61
PID 1868 wrote to memory of 2140	1868	DllCommonsvc.exe	61
PID 1868 wrote to memory of 2228	1868	DllCommonsvc.exe	62
PID 1868 wrote to memory of 2228	1868	DllCommonsvc.exe	62
PID 1868 wrote to memory of 2228	1868	DllCommonsvc.exe	62
PID 1868 wrote to memory of 2296	1868	DllCommonsvc.exe	63
PID 1868 wrote to memory of 2296	1868	DllCommonsvc.exe	63
PID 1868 wrote to memory of 2296	1868	DllCommonsvc.exe	63
PID 1868 wrote to memory of 2224	1868	DllCommonsvc.exe	64
PID 1868 wrote to memory of 2224	1868	DllCommonsvc.exe	64
PID 1868 wrote to memory of 2224	1868	DllCommonsvc.exe	64
PID 1868 wrote to memory of 1324	1868	DllCommonsvc.exe	73
PID 1868 wrote to memory of 1324	1868	DllCommonsvc.exe	73
PID 1868 wrote to memory of 1324	1868	DllCommonsvc.exe	73
PID 1324 wrote to memory of 1168	1324	cmd.exe	75
PID 1324 wrote to memory of 1168	1324	cmd.exe	75
PID 1324 wrote to memory of 1168	1324	cmd.exe	75
PID 1324 wrote to memory of 2408	1324	cmd.exe	76
PID 1324 wrote to memory of 2408	1324	cmd.exe	76
PID 1324 wrote to memory of 2408	1324	cmd.exe	76
PID 2408 wrote to memory of 1948	2408	conhost.exe	77
PID 2408 wrote to memory of 1948	2408	conhost.exe	77
PID 2408 wrote to memory of 1948	2408	conhost.exe	77
PID 1948 wrote to memory of 1432	1948	cmd.exe	79
PID 1948 wrote to memory of 1432	1948	cmd.exe	79
PID 1948 wrote to memory of 1432	1948	cmd.exe	79
PID 1948 wrote to memory of 2840	1948	cmd.exe	80
PID 1948 wrote to memory of 2840	1948	cmd.exe	80
PID 1948 wrote to memory of 2840	1948	cmd.exe	80
PID 2840 wrote to memory of 1164	2840	conhost.exe	81
PID 2840 wrote to memory of 1164	2840	conhost.exe	81
PID 2840 wrote to memory of 1164	2840	conhost.exe	81
PID 1164 wrote to memory of 2008	1164	cmd.exe	83
PID 1164 wrote to memory of 2008	1164	cmd.exe	83
PID 1164 wrote to memory of 2008	1164	cmd.exe	83
PID 1164 wrote to memory of 1772	1164	cmd.exe	84
PID 1164 wrote to memory of 1772	1164	cmd.exe	84
PID 1164 wrote to memory of 1772	1164	cmd.exe	84
PID 1772 wrote to memory of 3064	1772	conhost.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da2d4fed597440383981256d1ef2596a49d6ab11546d2cf36f0455aca91c6d13.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_da2d4fed597440383981256d1ef2596a49d6ab11546d2cf36f0455aca91c6d13.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2080
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2348
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2124
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\Multiplayer\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X0nrmdHBrq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1324
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1168
      - C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1432
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2008
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat"
        11⤵
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1124
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat"
        13⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2848
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        15⤵
        
        PID:292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:900
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat"
        17⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1792
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        19⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1524
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat"
        21⤵
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:376
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        23⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:872
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat"
        25⤵
        
        PID:1744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1856
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        27⤵
        
        PID:1968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:944
        
        C:\providercommon\conhost.exe
        
        "C:\providercommon\conhost.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Office\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\Multiplayer\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\Multiplayer\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Games\Multiplayer\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Mail\de-DE\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Mail\de-DE\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca94d78c5c412dae19da59d19a05fff0

SHA1
d6d675a1e733331e380529e06182b174e926d275

SHA256
36660aaf27890bae22316c431b9e2c5d3003dd7cecc341963675ca1ede7bed09

SHA512
3c2baed786e70b174ba528668a78dbc23a0fda57ffae973cc6471343dd80510ae46e7b7b3fc26b83bd1c053ae6adb4a8c6b24abe1a22e7bbd17d8e24b62aa872

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ad9c5db4515569914271dd25a1af269

SHA1
0c2265a21106ed9526bacb0597302534dae16e80

SHA256
ec8186ad230e5c7e9dcf0ff18c2af1700889e0033264d57a840e063b31a23d58

SHA512
e4db49aefff4858f5c2ce42277f1d084e93782e7ccb88c3a2c6f41527a636e1d302681764a90a397977a518ef2499a431268ebca459ecd0b02a78301404be67a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8986ba2dcc45a5f8392e50487831b9d

SHA1
35d4a5bce501e28adf7a1bf996d191ec5e021b34

SHA256
f71e9d8ec50501a78ad0d19cc7db4b8d623cac5bf84ce33a42c0c8f21b03fd3b

SHA512
05eea807b8e46c7390a3a40ee71c1d411e4fbd4fe19dc6729943a39c9043f6ad6a97654b38d619b92b958880864618e1d718075107853167d8df80a4f71447eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4307c1c92927569f316815864a147ef

SHA1
99d99077bc7381bdadb114c9c45443404c3ed934

SHA256
a67124b93717e7a0b7ff8941acac45d5260742ff99b076bc9e65c19cc5d59123

SHA512
2dcc79f3d009b8667734ccead179e4a528d9ed20fa8877195bb1c62e49f3e011818595f6339a863e0aa53d853948e1dd4c856299af6ea0cbacb8c959d1aa32db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ce206f0bf6a563407f6f9818bfb62791

SHA1
907565efd996f2888cc4155976ed02653eb2b656

SHA256
f3c5952cba23851163ecd1d3f93303d3eab1a4f9ddf8d53d22da82e83239abb8

SHA512
e8a3b48f20f73ded0b24bdb1adc6f6090354c332a72b9eed453351527a812c01891ad6dd369be7bd8b9caefaf0bc801d2333803e2e2b2a42e80badc1c445d636

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a791fa2442478723f5f36eb31a4b61d

SHA1
0d3c1645a19560a4e23940bf47571a145768cd08

SHA256
52b0929faca625175181b89aed835c56057fd7acf12fd24a6ceebd903ecdc391

SHA512
5fe26212338d948c8b04f81faad8eb0c1e88876f1b4566bcae12dc5dedead581b2ba9ba0b736a23c9999db2a95b37d39690b4adb9e0dbe1f2d923c80b7a3c220

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8b4b52bdddfc6fa55271a4e4749349f

SHA1
c1be0a3472944c0b4033690e1ad894947675cde8

SHA256
af60be66b0efc83fec24b53c62be48ac296630f86d4183de7ec9a7c7c1db7caa

SHA512
a0f2df7514b12d0b6775cd6f7e2f31bf6f337992234a0bda8acc27e81c17c1a8d3967dead49e478ffe86f81c9c874aeb0f72de9bdbac626bbb3eb5c93b1dedab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f88b20b06126ae320eb37ba3c9969df8

SHA1
e8093d109ffad74588af72691d9549bad15fa165

SHA256
acc54424f77b84da1ca2f2445742900e99a37d674a8d3f6de0598828de17a932

SHA512
68a12e0417089596a227f0cebd2bc6c908418671ec98712ddcb17130a9395878be4b222c79e26578cb890bfb6fe3e945cfa9500b96deea98daf77d58509b8665

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01443825f9417a3afc3597332f61ed3b

SHA1
ecaf715583826cea4c9836a5a80b3fdf2d9fcce2

SHA256
d16f3a966e0bae08495ef1ae8f3b390abb2285d3133f1d326f656783c7ad7bfb

SHA512
dafeef6635cc7930fb8111a0beb328bcbe9522ac7de4e5fc442d42acbc9e89b2fbdd081c95d14fd84a74442d63f5aee63d8563cbc0e43e569f14176be4bcec9b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
575ff244ae891236fa03f069615bbbd9

SHA1
5f720410ee9c53f8d627cd0d12d61d57b38348e7

SHA256
ed02d6e3a9e8379373220b6135c3d4494d0a31abde058e52423f9c9b5f748545

SHA512
4a19bb330fdf6d6ba09e549426dc978b4e669d7ee73b5a038cc2b2b50d7c1d079a71962994e5f5bd66b72dd3e3f8869b77c6d3a3eb32527e5e21b3d788b0b622

Download Submit
C:\Users\Admin\AppData\Local\Temp\0VN2lTwXPf.bat

Filesize
194B

MD5
ebae03103bd0af120e72d0217da2fc28

SHA1
207fdbdb3bfa0b042dd79c49c5d2b9dd4c9f9870

SHA256
dc304a6d9b3e61362e8dc30882a3cbe4d0efbcbdb445df0d5b2fc3ac92b3293b

SHA512
617a3e33c442faef710b6d170e5ddcd2ff31700bd83242f12837c2c6357df9217a6b12428d4c803659c10a28076cc92548931fa5fda91eed2bbf1329542cadb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\64IFTJQeKo.bat

Filesize
194B

MD5
76e1db659576f07ce4c950021a7750ec

SHA1
327ffb381841db4a179c6ee1d1ff32c0daf108c2

SHA256
d48f1441fed44c31c136911d7b4eec0b70349cd770d2dc7c547a98d4451bc6c1

SHA512
83980294dbfa38e2fa966909097a8fad86baa706ffa0c2788d8cd7d6def08d7646557e40b04e22dd2b9c47fb2ce34d19d25e9663527f2b48ddd44480d1998074

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
194B

MD5
d069ac5a5a22a28cd3b5fc6464f36c7e

SHA1
3b1a34dba1b45769bf2a7f830834a9c0ab4af26d

SHA256
ae91be3419691c92dbf7803e80a31bab156af3547f320289b9ee37696d9f5138

SHA512
bf382aa60cacf50cffe0703a4bbbcf016c5c3e068b16d853d944b1ea8393b7977c851ea1307e72a0951d52dcc53f23f95c229b7a0643aa8d879fe0753ee886a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab28A8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IxigaWiN4Z.bat

Filesize
194B

MD5
492804c0794c88e874e7f82910a76669

SHA1
a995f5887c3d82a504ac2591029ffa7ea7064e8b

SHA256
c3e506afa2e6949b176ccac396e335ac22fe05cc30099baba38069b120d785e2

SHA512
0b752ebb16d943dce219d7afbb92d8feb3f7f706990024cd464b1d1114745ef7c18a7f1eef5a9f6856e8ee0ee93d2c19d05fe53f1f8b68bfd29b29598639b501

Download Submit
C:\Users\Admin\AppData\Local\Temp\JGN3MoCgVZ.bat

Filesize
194B

MD5
49e32282f3ac9c19c2f35d396b7fa7b1

SHA1
afd6212fe1ec1d1c70d7b83c02ead26b1ecd1ecb

SHA256
f30a24a02250334737bf58f8a0da92aa6a9bb7ef17c3b958d90f3d1d4666a3b3

SHA512
05883ef7a65283e36161f04f134a45c20e4549052a84243f55015ef6e1028a2105d4e2c115fa6c56bc68055a5ea72c2630e282d29b781cfd2da15af67c753090

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q3ZRkRg4YZ.bat

Filesize
194B

MD5
12a76f41985ee208f12ad063726bfc52

SHA1
c188f419b57d46c9e98c1f3cdb4152d5fff4f076

SHA256
93a8fc5d287e17ba7e1bb8eb83859d211e33ac15a2aecaaf317a7bf5e6b775b3

SHA512
51d682e80cf2176f3d2e27e184be57109cea813b774259370a94c199077ad11b36e3bfcd92142c9648682c51f49c62416a6f36b0882799e04b324fc27c24474f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar28CA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

Filesize
194B

MD5
4545e746e3d51505cac36cb89b833b92

SHA1
8a436ed756cd57b59c888067ec1162b9f005a4c3

SHA256
d4d2d2cdc90843b8b5813b47f9d2de366331879f528d58459acf0744bfdc5bff

SHA512
3aace2191085a9403c5321722207089f49f44e8203dcd94786e8b14c563d8d34d9e1738922ed103a88467aa6a509d078c683859fc1dc9d9de7a8a2e3b053995c

Download Submit
C:\Users\Admin\AppData\Local\Temp\X0nrmdHBrq.bat

Filesize
194B

MD5
00974f264794673601fc78463d783941

SHA1
715edc4e838257f4c601b784b02ae0237758dc68

SHA256
b1a435d2d7c773eaf9eb43859ecc1144dbcf38c2aadb7afc9f14e172d9acb7a5

SHA512
6270bf99e16ca1249c96a765a75207c4654aa032a806b3beb31de2a3bdd88bc97b0f05e18cc0fa899ab9d9b63d64a329824fc8d079080af4a96cfaf5593b50a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
194B

MD5
32ef73e8afa8e2c2444c173bc0b7aeb1

SHA1
0914f119e8e9f771edc2f3cdfcf47dbc036804c5

SHA256
44abf1e79fbea8499a4265699203e7ce413e12d8d88a4de545aa994fdc5a2288

SHA512
a862244f8af405de535889c6dd646ea3dc46f42d7a5360a59c04be3d64cdd8dd9117c4ca3602b7580f125c8ef0f505ac5d49cbeb0915478911e9dbe565b51ca0

Download Submit
C:\Users\Admin\AppData\Local\Temp\h9TWO8Gj4g.bat

Filesize
194B

MD5
efd690856626af826d90f85750f5b60f

SHA1
93be6f2a8bc5725ef0764e4e1c644dfe970d1232

SHA256
ed626ef283c01eaf267863dc2c9965188e30094b5ae668d4b67dcc4f708ed3a2

SHA512
30a16a3269448d2054f9d8599680015399955b393bcbca98097e7a9bf2bd3122e5a1e834799c9f55d972ede583ed9dc141e680fb6224e7c6643f8d9f0a2d8dcb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mxrgiezM67.bat

Filesize
194B

MD5
5e00a7bcd876984155a89d8702e4678b

SHA1
20a5ff4064a0bb9402ce20fab096faa1b13e6e0e

SHA256
b4d0cf8b6427c09515b1f10a903d05f59da5eec6068296383fcfc0fe65a8ecd0

SHA512
376e69d0e8bb143b8a45554ec6f4b378f986f89e6215a11bcd610771b24eb5949e26bd171e5ed35461b2d53afe7a6b633fe49f665bf434e0b9a97e7b2cc40ee6

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
194B

MD5
d8f1dbe42e08faace7da0a73bd792eb5

SHA1
189acbc0cc04f17ab811d0ed063b308aa5a8ff6d

SHA256
ae4373a8a0be3f0258e5eaebe1c2d48a2d0b87988bca3f88ab321ca9ac96bf04

SHA512
57e261d7cb868d37be7d1cf3f77d2649f35799ee32a7630836995fc304b58b3ffcf24d5a3b3c666d31bd4e5ac7ccff013b42e121adee5af1f28486b5c7e12882

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4f412975ab7644dc464bdb9c09a35388

SHA1
b5635150145d5b8befe89ccc2abeedb32251cf9f

SHA256
abe1f38dd8e14a168006ee31574f721fa20b524af3e71a7f66f4f626b21ad1da

SHA512
1859b8f290b2fc4850ce0e144823e76e1f7d4a156b91e1e1a1dc1115fc74bf16e86dc33d71c63cd8458aac1dfc8cf27d20208730d31e2e30c8acc1d778adca98

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/760-618-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/760-617-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/1500-678-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/1500-679-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1604-498-0x0000000000BA0000-0x0000000000CB0000-memory.dmp

Filesize
1.1MB

Download
memory/1772-199-0x0000000000BF0000-0x0000000000D00000-memory.dmp

Filesize
1.1MB

Download
memory/1868-16-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/1868-13-0x0000000000940000-0x0000000000A50000-memory.dmp

Filesize
1.1MB

Download
memory/1868-438-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1868-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1868-15-0x00000000003A0000-0x00000000003AC000-memory.dmp

Filesize
48KB

Download
memory/1868-17-0x00000000003B0000-0x00000000003BC000-memory.dmp

Filesize
48KB

Download
memory/2260-45-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2260-46-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2408-80-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2840-139-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2856-319-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/2892-739-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/3000-259-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download