dcrat | aea9c725549585e108d2eb303727b4ef650819a5f0e459f90f6747fcfaef40b2

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_aea9c725549585e108d2eb303727b4ef650819a5f0e459f90f6747fcfaef40b2.exe
Size

1.3MB
MD5

9827f536a3c334e385bf2d0b38efc6bb
SHA1

4e41441e5524d97eae6022f3b75adc03b5b9d2b6
SHA256

aea9c725549585e108d2eb303727b4ef650819a5f0e459f90f6747fcfaef40b2
SHA512

fc4eeea269a867e1f4a68fafec5f91a30a754365847ec588b4925d37a103598f0daa2b6eb8e8a62c91cd8e3cd0c5e4ca7f392cfde6357e2b53442726d75579bf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2644	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2644	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c51-12.dat	dcrat
behavioral1/memory/2752-13-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/560-40-0x0000000000C80000-0x0000000000D90000-memory.dmp	dcrat
behavioral1/memory/2852-145-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/888-265-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/2736-325-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/1692-385-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/904-445-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat
behavioral1/memory/2340-741-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2936	powershell.exe
1284	powershell.exe
2592	powershell.exe
1500	powershell.exe
2556	powershell.exe
2084	powershell.exe
2452	powershell.exe
1660	powershell.exe
2124	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2752	DllCommonsvc.exe
560	WmiPrvSE.exe
2852	WmiPrvSE.exe
2940	WmiPrvSE.exe
888	WmiPrvSE.exe
2736	WmiPrvSE.exe
1692	WmiPrvSE.exe
904	WmiPrvSE.exe
284	WmiPrvSE.exe
2844	WmiPrvSE.exe
984	WmiPrvSE.exe
3068	WmiPrvSE.exe
2340	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
1564	cmd.exe
1564	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
40	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Java\jdk1.7.0_80\bin\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\it-IT\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\bin\winlogon.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Branding\Basebrd\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Documents\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Documents\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\smss.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\Branding\Basebrd\OSPPSVC.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aea9c725549585e108d2eb303727b4ef650819a5f0e459f90f6747fcfaef40b2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1928	schtasks.exe
2360	schtasks.exe
592	schtasks.exe
2660	schtasks.exe
1380	schtasks.exe
2036	schtasks.exe
764	schtasks.exe
1880	schtasks.exe
2512	schtasks.exe
2096	schtasks.exe
1560	schtasks.exe
296	schtasks.exe
1248	schtasks.exe
2260	schtasks.exe
1704	schtasks.exe
2608	schtasks.exe
1520	schtasks.exe
2564	schtasks.exe
1104	schtasks.exe
1784	schtasks.exe
2900	schtasks.exe
2668	schtasks.exe
2776	schtasks.exe
2296	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2752	DllCommonsvc.exe
2124	powershell.exe
2084	powershell.exe
1500	powershell.exe
2452	powershell.exe
2556	powershell.exe
2936	powershell.exe
2592	powershell.exe
1284	powershell.exe
1660	powershell.exe
560	WmiPrvSE.exe
2852	WmiPrvSE.exe
2940	WmiPrvSE.exe
888	WmiPrvSE.exe
2736	WmiPrvSE.exe
1692	WmiPrvSE.exe
904	WmiPrvSE.exe
284	WmiPrvSE.exe
2844	WmiPrvSE.exe
984	WmiPrvSE.exe
3068	WmiPrvSE.exe
2340	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2452	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	560	WmiPrvSE.exe
Token: SeDebugPrivilege	2852	WmiPrvSE.exe
Token: SeDebugPrivilege	2940	WmiPrvSE.exe
Token: SeDebugPrivilege	888	WmiPrvSE.exe
Token: SeDebugPrivilege	2736	WmiPrvSE.exe
Token: SeDebugPrivilege	1692	WmiPrvSE.exe
Token: SeDebugPrivilege	904	WmiPrvSE.exe
Token: SeDebugPrivilege	284	WmiPrvSE.exe
Token: SeDebugPrivilege	2844	WmiPrvSE.exe
Token: SeDebugPrivilege	984	WmiPrvSE.exe
Token: SeDebugPrivilege	3068	WmiPrvSE.exe
Token: SeDebugPrivilege	2340	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2268 wrote to memory of 2396	2268	JaffaCakes118_aea9c725549585e108d2eb303727b4ef650819a5f0e459f90f6747fcfaef40b2.exe	30
PID 2268 wrote to memory of 2396	2268	JaffaCakes118_aea9c725549585e108d2eb303727b4ef650819a5f0e459f90f6747fcfaef40b2.exe	30
PID 2268 wrote to memory of 2396	2268	JaffaCakes118_aea9c725549585e108d2eb303727b4ef650819a5f0e459f90f6747fcfaef40b2.exe	30
PID 2268 wrote to memory of 2396	2268	JaffaCakes118_aea9c725549585e108d2eb303727b4ef650819a5f0e459f90f6747fcfaef40b2.exe	30
PID 2396 wrote to memory of 1564	2396	WScript.exe	31
PID 2396 wrote to memory of 1564	2396	WScript.exe	31
PID 2396 wrote to memory of 1564	2396	WScript.exe	31
PID 2396 wrote to memory of 1564	2396	WScript.exe	31
PID 1564 wrote to memory of 2752	1564	cmd.exe	33
PID 1564 wrote to memory of 2752	1564	cmd.exe	33
PID 1564 wrote to memory of 2752	1564	cmd.exe	33
PID 1564 wrote to memory of 2752	1564	cmd.exe	33
PID 2752 wrote to memory of 1660	2752	DllCommonsvc.exe	59
PID 2752 wrote to memory of 1660	2752	DllCommonsvc.exe	59
PID 2752 wrote to memory of 1660	2752	DllCommonsvc.exe	59
PID 2752 wrote to memory of 2556	2752	DllCommonsvc.exe	60
PID 2752 wrote to memory of 2556	2752	DllCommonsvc.exe	60
PID 2752 wrote to memory of 2556	2752	DllCommonsvc.exe	60
PID 2752 wrote to memory of 2124	2752	DllCommonsvc.exe	61
PID 2752 wrote to memory of 2124	2752	DllCommonsvc.exe	61
PID 2752 wrote to memory of 2124	2752	DllCommonsvc.exe	61
PID 2752 wrote to memory of 2084	2752	DllCommonsvc.exe	62
PID 2752 wrote to memory of 2084	2752	DllCommonsvc.exe	62
PID 2752 wrote to memory of 2084	2752	DllCommonsvc.exe	62
PID 2752 wrote to memory of 2452	2752	DllCommonsvc.exe	63
PID 2752 wrote to memory of 2452	2752	DllCommonsvc.exe	63
PID 2752 wrote to memory of 2452	2752	DllCommonsvc.exe	63
PID 2752 wrote to memory of 2936	2752	DllCommonsvc.exe	64
PID 2752 wrote to memory of 2936	2752	DllCommonsvc.exe	64
PID 2752 wrote to memory of 2936	2752	DllCommonsvc.exe	64
PID 2752 wrote to memory of 1284	2752	DllCommonsvc.exe	65
PID 2752 wrote to memory of 1284	2752	DllCommonsvc.exe	65
PID 2752 wrote to memory of 1284	2752	DllCommonsvc.exe	65
PID 2752 wrote to memory of 2592	2752	DllCommonsvc.exe	66
PID 2752 wrote to memory of 2592	2752	DllCommonsvc.exe	66
PID 2752 wrote to memory of 2592	2752	DllCommonsvc.exe	66
PID 2752 wrote to memory of 1500	2752	DllCommonsvc.exe	67
PID 2752 wrote to memory of 1500	2752	DllCommonsvc.exe	67
PID 2752 wrote to memory of 1500	2752	DllCommonsvc.exe	67
PID 2752 wrote to memory of 560	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 560	2752	DllCommonsvc.exe	77
PID 2752 wrote to memory of 560	2752	DllCommonsvc.exe	77
PID 560 wrote to memory of 824	560	WmiPrvSE.exe	79
PID 560 wrote to memory of 824	560	WmiPrvSE.exe	79
PID 560 wrote to memory of 824	560	WmiPrvSE.exe	79
PID 824 wrote to memory of 1272	824	cmd.exe	81
PID 824 wrote to memory of 1272	824	cmd.exe	81
PID 824 wrote to memory of 1272	824	cmd.exe	81
PID 824 wrote to memory of 2852	824	cmd.exe	82
PID 824 wrote to memory of 2852	824	cmd.exe	82
PID 824 wrote to memory of 2852	824	cmd.exe	82
PID 2852 wrote to memory of 2360	2852	WmiPrvSE.exe	83
PID 2852 wrote to memory of 2360	2852	WmiPrvSE.exe	83
PID 2852 wrote to memory of 2360	2852	WmiPrvSE.exe	83
PID 2360 wrote to memory of 2908	2360	cmd.exe	85
PID 2360 wrote to memory of 2908	2360	cmd.exe	85
PID 2360 wrote to memory of 2908	2360	cmd.exe	85
PID 2360 wrote to memory of 2940	2360	cmd.exe	86
PID 2360 wrote to memory of 2940	2360	cmd.exe	86
PID 2360 wrote to memory of 2940	2360	cmd.exe	86
PID 2940 wrote to memory of 2952	2940	WmiPrvSE.exe	87
PID 2940 wrote to memory of 2952	2940	WmiPrvSE.exe	87
PID 2940 wrote to memory of 2952	2940	WmiPrvSE.exe	87
PID 2952 wrote to memory of 2336	2952	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aea9c725549585e108d2eb303727b4ef650819a5f0e459f90f6747fcfaef40b2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aea9c725549585e108d2eb303727b4ef650819a5f0e459f90f6747fcfaef40b2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2268
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1564
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\Basebrd\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\bin\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Documents\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1272
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2908
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2336
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
        12⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2984
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat"
        14⤵
        
        PID:296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2236
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
        16⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2684
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        18⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3060
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        20⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1688
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat"
        22⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2760
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        24⤵
        
        PID:1860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1644
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat"
        26⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2200
        
        C:\Users\Default User\WmiPrvSE.exe
        
        "C:\Users\Default User\WmiPrvSE.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Windows\Branding\Basebrd\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Branding\Basebrd\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Branding\Basebrd\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jdk1.7.0_80\bin\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Documents\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Documents\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\Documents\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c96ed659208e1ed54709678e75fe37d0

SHA1
b399c9e5f100ee7d2b0d9a20b272db3221523bde

SHA256
2e3b46a32c28fbb275de8a7840e5aad89b9300768f991c992ed107a347a686a3

SHA512
06993326af3e5dddac29278361fb722128382410265013d9db7d3e293998f7b8828b3774291ffbcebcce879d64eac54678ae47ff1168463623d179fbaf437d4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb7c1845ac4cf1a995bb2ddefa4f92a9

SHA1
c93d2a4facafd4ec9e2d086f64f602f3a636751c

SHA256
21c2bde73c49021ffa595d014c8aefb881c31cf0b571243b67285379d5b04131

SHA512
0ecd5fba1bbbbdd0f86282fa6635b35192443ee0877a71d4fd1bc89471cd10f823192c1062eecda249d11e8e8c9137a325525a349ecf9a1daf671c5634498136

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8aa11bb4a9bf49b3b2d6139a3a3652b

SHA1
0a608f306b11b2c8b205e0d3c64802952f207874

SHA256
7874f26943ebae4d55b5d6d9b4f7ed6dacdfa26908ea01dc01479bf1538595ee

SHA512
162c2f59ae96ae1da5c35a5f8b95ce4d4705c579fb053a1fce15b12f7c9f9a34805ae5cbf90235d67ad3957e09b523baae2914e58952f814bd4a4cbd24852780

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6998571dc348b0265ee08212bc02aede

SHA1
bc5eb783d6f0cbb084b7185f4c8a68553ab879bf

SHA256
46034f9a7a50242326bf00c9a212cd1cc47581e3c13a9da44747ab44d321dfb2

SHA512
dbd14b71293ee3edc19064125b78a390ce5db09e48d7c2641422840b8c0f4750407a72881fbcfbef49d87dab82359b5f5830858000f0bfd2c346b45d5e242366

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2adfea0cba43dda0c1b08958a3b720e

SHA1
117fd6179d108b8691b26718f9d92255bd5c2507

SHA256
f0bff30070502cd375aaf967f28e92358c18e59a344a812de133f7f014aad5aa

SHA512
a8e9403ad327902dcc5a82272987001382da70564a5c47717146f7618b035112b8e3009082f722bb19f78085d833bbfae2af98a43f8491f32b1144cdc78480a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87e4953c1676565832cee2ae61cd50da

SHA1
46b61cc19b7ca67516f0e5782379caaa3026c0e9

SHA256
6cd414615878219eaeb3aca417edf658b4b791628f45a3c7b2a17f40e61af42a

SHA512
ba1f2ad66244ae9345885f00ef70d93744d99ed0569a4302212d51c8512f5cb2c5134cf51bb9fca95eb1f0b45237cbf38f3ad5fd12063b8f99249286618cf5ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fae52989d310d3b2a2d95dd87d3c4ac

SHA1
35ed6561cabbd3e1852753a596161706c2d17883

SHA256
7dc9dfde64d4b19f0927dc266950a839791e4bbb12e6314d17eb2df21b33cdd2

SHA512
9cbe37c09ea2572d8aeae3b4fc4338426bcfc18e769e2ab1e5762109f0c304bc2f4c1cf2b398336dc4e1c4d662946a37a2f9f28727b6f4317d99a0c785c7623b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
70b55c3798e917f5594437039b06f99a

SHA1
48fb449a560fed0500216372441280ec4ae45378

SHA256
76d4bb4cb20c2e66e6faf624ff8b51e234da6a976e1bb2a9e02ed5e72c0694fe

SHA512
18c08d824718ca6b9bf104b4b151ef59b6c2dafdff35a650a69eb107fa2380803f862e5393e57f25dec409a025a6356ce19d7e6dbdade5209290daeb8903d3c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b924e8a339685709b5220b94d8b4d253

SHA1
f9a1a62bf8d4d5674e897a79f99ec69e63393670

SHA256
2476aa1910cc1b88d707c943058254d2dc2b2098bf03627be51ac307aed930ab

SHA512
fbef82c350950c5e4b93e423cd0de669021f567160ba9eadcd073b0a1b08a4128df532bdb166b78a0f6a13d2e9125e0fe99dcf894ef7deda4dbb1675354a2e7e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ecc56775ced0530193b9445ea2bbb50

SHA1
73aad5442a74f9c0cfc497d64d0bff171bc0b851

SHA256
bddf9d06f76e29412d90d88305424867a0119e160196d53a548bdf00f7c990e1

SHA512
33972002457218a52f0b771cd6960457fe17dca2d59926546b4de63014eb26d31c43aadecae5cec2d4e4baecf92f7ca2d107f0f38edee102af2feadb7821870c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
199B

MD5
4e2dd16dc03735cb2ddda87ba92f9387

SHA1
c3fcadbcca4d85a8260e74a7f09a6eb8e6e281bf

SHA256
a65a0b696c81b899d6a6c7088965ef344a9cced2be66868f0e7acc8348db18b3

SHA512
2da26df28ac166687abb1669fddf9a23d0b57e15ddfcee2907053b132bba6019d21de47017878338bd1ec6ae9cb2e440976f5fc8223fe5b14c27416a859191d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE78.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat

Filesize
199B

MD5
151cb96489c7410e5fefc8f1e5a9e2a4

SHA1
7309ae1433ff7de7a98a364b54aada65b3bb2f08

SHA256
cd946576261826c69b891447cff0729d28fcf91dd2d71e35458a9a7b3c262036

SHA512
4b5e355c91dfd83a3397d92f08f2f558780fce70893de1cff9107b4536d7fd4140d2434763e02c7a858525de6fccc38c2b67c25d76f5658b113c52de31ceeb5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EwXVi07PWy.bat

Filesize
199B

MD5
5f5ae5fc8260005a230c89755b12d601

SHA1
3f24f70ced561701595f615e49ac38b81a0b89d2

SHA256
72991d008c63312f6f9ec866df4849974e82db1841739f0f47bb940da6e9215c

SHA512
b223b71052f61ad091b2e294841633f82c24058102d660e15b5876a4aad80cf7568e978029c8e40cd76039c241e1b646a6a2545f779ba13fb90da666e961c677

Download Submit
C:\Users\Admin\AppData\Local\Temp\J2mXRZwkCj.bat

Filesize
199B

MD5
e894cae9d34966f1e6516b1b1c949f68

SHA1
e28aef199f9e294b0827c5c3f241cc83e782119b

SHA256
222db4f7fedcc46d70e3b6939a5455c061113d1c5834fb76017bf151821d6d5d

SHA512
6dd520b36802a1f2a8c76db234365500a13b0ab8b782bcb66c9ae3f9e077eaa2d6ba666f2f6ae146172ce450b8b5b6b110ab89c2cf1e219b149e1504f741c185

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat

Filesize
199B

MD5
b293ebdc738afbbb4ec51483a3817f6d

SHA1
4933fdafe5f62f6de96605bb4a5852e19bbe1464

SHA256
07b2a2be46be568a2a277282e932d802b7250e0c158e5cefab09c26b5a86c54c

SHA512
325b942c26f2d9cc585597865770887a4903a88fcd5fe2ffca37a6d7565721884a8f777002d566d9c4574d00d564596587081f8f7822f7d9d13ccb65ae044cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE9A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X8VSEkwS9E.bat

Filesize
199B

MD5
e732a88e5f30be21ec6069052c78b71b

SHA1
bed15f751e024017298a1103265f89f3fe05fa95

SHA256
25555b813f3aa2f8984eddb809f5080c1eca2c5a9ce0b34c8d1b09cab94543ee

SHA512
55dbdbd8a1634594b8889bfee268638e38673814a30e9dedfbc6c8425f4d4f0ae2aa95f96500cf31c6ce02fe34972e47726fc8779f58263c33568faa86a41372

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat

Filesize
199B

MD5
b2198f4d7994021c83670e0ba9c632f3

SHA1
6a1dfcebd7b7877a0dd361a955ead7376cc8fda3

SHA256
266b3d6c267258dd039c640c66b13ea144e9323ba81affd6db641d9c359d71da

SHA512
f373faa48bce0b8386f58241ba2deb1a623b2cf01e700c005137dca4288d939a17e88e3aa7a91005fdc3e3768b4c5819cb2db963227475431ff1d3f6b348daa9

Download Submit
C:\Users\Admin\AppData\Local\Temp\fcYyv3mAUp.bat

Filesize
199B

MD5
fff08489c0c9715fd60c7e88c9516274

SHA1
3bd1f770ae5207442038cefc9dfe9c36a350fcc9

SHA256
67ffcd791cd81b9779074ac9f30abbf91e6df14b747714a389b17096bed94c93

SHA512
50fd662e84350d187568e503904fefdc882a87749725d46ead906cb01ad2c15612094d484dba460de694dcd8b023b724c872094fcd66d2a88204fc304eec766b

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat

Filesize
199B

MD5
032b9d649aba519ba84ff4fee19b1641

SHA1
571bf4d06640ffeac6b18976b6664afb2e28e89f

SHA256
2dff7fd4e095935bd23348f5ba68fb2839e4a1850c70cc15038d3ed01cb3626f

SHA512
1865603c52f5de20b7de06e403d8ac96e67215d59c9fa22e735f1538a33d8da72902470aca283559ea284e82f56e15b29e24b2cdefc3ac97e96ce7d5d04c2fd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
199B

MD5
ec929c39299971ec13d13a89cba85f1b

SHA1
e6bfe8834489be772cd953aa37443db645e51035

SHA256
e8cf5407fb967c5578e72428bf78b5b14c5d0159008b5fc30867c9dfa147bf4b

SHA512
c23afa124e47ec405d7927ed86710464a9e31ffdb4cdbd87c5dfab6d05dd47f7b2573bf12ddcd0283e536817c3e0f8fbbfb23b95ef40baf7368a39cb544efd47

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

Filesize
199B

MD5
996038c5f48e432774773204a21b0fdd

SHA1
b260271da86f2cce033192ec9a6c0367a86827af

SHA256
dd9e4729d0adcedd31d4e4fe740f40cfcb2fce9c88eb273940fc97ae673b4869

SHA512
85a56834681ba70a552acf2d8ea463f8f597c8ad317ba3e9207c8c1316de61b032a490ccfc796d75bfc89153e2944f7fa3c22be84ffe707dcef69146199039e4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fc45108750855d157042c8ec98341dc2

SHA1
7e62891f90b7b9f5e698eb473b6e35c140819296

SHA256
efc27dff81dc74dd1fa4bbfcb6fc6ffab95488eaff1e5b07f787621266b060aa

SHA512
1ec1281e3377cc964c00ec1193500a55790f6e2623734ee61658a9d0efe1be58f4b9aefecb2bb343019ed5d986cf802bca9d14bb13af9e2360a6f0322f378310

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/560-40-0x0000000000C80000-0x0000000000D90000-memory.dmp

Filesize
1.1MB

Download
memory/888-265-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/904-445-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/1692-385-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2124-50-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2124-52-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2340-741-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2736-325-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2752-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2752-16-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2752-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2752-13-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2752-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2852-145-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/2940-205-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download