dcrat | d9514f67a362034e3a338508452070a0b998110da2bcba77b6c496c0c09883c1

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d9514f67a362034e3a338508452070a0b998110da2bcba77b6c496c0c09883c1.exe
Size

1.3MB
MD5

95ba0188222051191746a13264ca210e
SHA1

d8d52d2cf500d79a8ceed39937d933124c413ab6
SHA256

d9514f67a362034e3a338508452070a0b998110da2bcba77b6c496c0c09883c1
SHA512

ed92e1a13fefcfd0559231b50e8ff14eb032fe07aeba2de6d60e92dbaaed1c68e9f0bdc212a8c88091afaf79af4d1830767e78e2b0772c3ace429c6d23d133ef
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2556	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2556	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016e1d-12.dat	dcrat
behavioral1/memory/2432-13-0x0000000000850000-0x0000000000960000-memory.dmp	dcrat
behavioral1/memory/1716-50-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2188-143-0x0000000000840000-0x0000000000950000-memory.dmp	dcrat
behavioral1/memory/2808-204-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/2636-324-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/1660-384-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/3056-504-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/1308-683-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2124	powershell.exe
2116	powershell.exe
2056	powershell.exe
264	powershell.exe
2120	powershell.exe
1876	powershell.exe
2092	powershell.exe
2396	powershell.exe
548	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2432	DllCommonsvc.exe
1716	conhost.exe
2188	conhost.exe
2808	conhost.exe
2776	conhost.exe
2636	conhost.exe
1660	conhost.exe
1316	conhost.exe
3056	conhost.exe
2320	conhost.exe
1048	conhost.exe
1308	conhost.exe
1584	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	cmd.exe
2844	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
39	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\en-US\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\Idle.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\LiveKernelReports\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d9514f67a362034e3a338508452070a0b998110da2bcba77b6c496c0c09883c1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2504	schtasks.exe
2672	schtasks.exe
2948	schtasks.exe
1568	schtasks.exe
444	schtasks.exe
1488	schtasks.exe
2348	schtasks.exe
1512	schtasks.exe
672	schtasks.exe
2532	schtasks.exe
3020	schtasks.exe
2900	schtasks.exe
2156	schtasks.exe
2316	schtasks.exe
1208	schtasks.exe
2232	schtasks.exe
1932	schtasks.exe
2740	schtasks.exe
2808	schtasks.exe
2016	schtasks.exe
2324	schtasks.exe
2424	schtasks.exe
556	schtasks.exe
2332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2432	DllCommonsvc.exe
2432	DllCommonsvc.exe
2432	DllCommonsvc.exe
2120	powershell.exe
548	powershell.exe
2056	powershell.exe
2092	powershell.exe
2396	powershell.exe
1876	powershell.exe
264	powershell.exe
2116	powershell.exe
2124	powershell.exe
1716	conhost.exe
2188	conhost.exe
2808	conhost.exe
2776	conhost.exe
2636	conhost.exe
1660	conhost.exe
1316	conhost.exe
3056	conhost.exe
2320	conhost.exe
1048	conhost.exe
1308	conhost.exe
1584	conhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2432	DllCommonsvc.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	264	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	1716	conhost.exe
Token: SeDebugPrivilege	2188	conhost.exe
Token: SeDebugPrivilege	2808	conhost.exe
Token: SeDebugPrivilege	2776	conhost.exe
Token: SeDebugPrivilege	2636	conhost.exe
Token: SeDebugPrivilege	1660	conhost.exe
Token: SeDebugPrivilege	1316	conhost.exe
Token: SeDebugPrivilege	3056	conhost.exe
Token: SeDebugPrivilege	2320	conhost.exe
Token: SeDebugPrivilege	1048	conhost.exe
Token: SeDebugPrivilege	1308	conhost.exe
Token: SeDebugPrivilege	1584	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2700	1960	JaffaCakes118_d9514f67a362034e3a338508452070a0b998110da2bcba77b6c496c0c09883c1.exe	30
PID 1960 wrote to memory of 2700	1960	JaffaCakes118_d9514f67a362034e3a338508452070a0b998110da2bcba77b6c496c0c09883c1.exe	30
PID 1960 wrote to memory of 2700	1960	JaffaCakes118_d9514f67a362034e3a338508452070a0b998110da2bcba77b6c496c0c09883c1.exe	30
PID 1960 wrote to memory of 2700	1960	JaffaCakes118_d9514f67a362034e3a338508452070a0b998110da2bcba77b6c496c0c09883c1.exe	30
PID 2700 wrote to memory of 2844	2700	WScript.exe	31
PID 2700 wrote to memory of 2844	2700	WScript.exe	31
PID 2700 wrote to memory of 2844	2700	WScript.exe	31
PID 2700 wrote to memory of 2844	2700	WScript.exe	31
PID 2844 wrote to memory of 2432	2844	cmd.exe	33
PID 2844 wrote to memory of 2432	2844	cmd.exe	33
PID 2844 wrote to memory of 2432	2844	cmd.exe	33
PID 2844 wrote to memory of 2432	2844	cmd.exe	33
PID 2432 wrote to memory of 548	2432	DllCommonsvc.exe	59
PID 2432 wrote to memory of 548	2432	DllCommonsvc.exe	59
PID 2432 wrote to memory of 548	2432	DllCommonsvc.exe	59
PID 2432 wrote to memory of 2120	2432	DllCommonsvc.exe	60
PID 2432 wrote to memory of 2120	2432	DllCommonsvc.exe	60
PID 2432 wrote to memory of 2120	2432	DllCommonsvc.exe	60
PID 2432 wrote to memory of 1876	2432	DllCommonsvc.exe	61
PID 2432 wrote to memory of 1876	2432	DllCommonsvc.exe	61
PID 2432 wrote to memory of 1876	2432	DllCommonsvc.exe	61
PID 2432 wrote to memory of 2092	2432	DllCommonsvc.exe	62
PID 2432 wrote to memory of 2092	2432	DllCommonsvc.exe	62
PID 2432 wrote to memory of 2092	2432	DllCommonsvc.exe	62
PID 2432 wrote to memory of 2124	2432	DllCommonsvc.exe	63
PID 2432 wrote to memory of 2124	2432	DllCommonsvc.exe	63
PID 2432 wrote to memory of 2124	2432	DllCommonsvc.exe	63
PID 2432 wrote to memory of 2116	2432	DllCommonsvc.exe	64
PID 2432 wrote to memory of 2116	2432	DllCommonsvc.exe	64
PID 2432 wrote to memory of 2116	2432	DllCommonsvc.exe	64
PID 2432 wrote to memory of 2056	2432	DllCommonsvc.exe	66
PID 2432 wrote to memory of 2056	2432	DllCommonsvc.exe	66
PID 2432 wrote to memory of 2056	2432	DllCommonsvc.exe	66
PID 2432 wrote to memory of 264	2432	DllCommonsvc.exe	67
PID 2432 wrote to memory of 264	2432	DllCommonsvc.exe	67
PID 2432 wrote to memory of 264	2432	DllCommonsvc.exe	67
PID 2432 wrote to memory of 2396	2432	DllCommonsvc.exe	68
PID 2432 wrote to memory of 2396	2432	DllCommonsvc.exe	68
PID 2432 wrote to memory of 2396	2432	DllCommonsvc.exe	68
PID 2432 wrote to memory of 1716	2432	DllCommonsvc.exe	77
PID 2432 wrote to memory of 1716	2432	DllCommonsvc.exe	77
PID 2432 wrote to memory of 1716	2432	DllCommonsvc.exe	77
PID 1716 wrote to memory of 2532	1716	conhost.exe	78
PID 1716 wrote to memory of 2532	1716	conhost.exe	78
PID 1716 wrote to memory of 2532	1716	conhost.exe	78
PID 2532 wrote to memory of 1920	2532	cmd.exe	80
PID 2532 wrote to memory of 1920	2532	cmd.exe	80
PID 2532 wrote to memory of 1920	2532	cmd.exe	80
PID 2532 wrote to memory of 2188	2532	cmd.exe	81
PID 2532 wrote to memory of 2188	2532	cmd.exe	81
PID 2532 wrote to memory of 2188	2532	cmd.exe	81
PID 2188 wrote to memory of 2936	2188	conhost.exe	82
PID 2188 wrote to memory of 2936	2188	conhost.exe	82
PID 2188 wrote to memory of 2936	2188	conhost.exe	82
PID 2936 wrote to memory of 1600	2936	cmd.exe	84
PID 2936 wrote to memory of 1600	2936	cmd.exe	84
PID 2936 wrote to memory of 1600	2936	cmd.exe	84
PID 2936 wrote to memory of 2808	2936	cmd.exe	85
PID 2936 wrote to memory of 2808	2936	cmd.exe	85
PID 2936 wrote to memory of 2808	2936	cmd.exe	85
PID 2808 wrote to memory of 2196	2808	conhost.exe	86
PID 2808 wrote to memory of 2196	2808	conhost.exe	86
PID 2808 wrote to memory of 2196	2808	conhost.exe	86
PID 2196 wrote to memory of 1808	2196	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9514f67a362034e3a338508452070a0b998110da2bcba77b6c496c0c09883c1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d9514f67a362034e3a338508452070a0b998110da2bcba77b6c496c0c09883c1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\en-US\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1716
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1920
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1600
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1808
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat"
        12⤵
        
        PID:2732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1560
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"
        14⤵
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1208
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat"
        16⤵
        
        PID:2608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2392
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        18⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2376
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
        20⤵
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1512
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat"
        22⤵
        
        PID:1956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:264
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1048
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat"
        24⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1924
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
        26⤵
        
        PID:1060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1560
        
        C:\Windows\en-US\conhost.exe
        
        "C:\Windows\en-US\conhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\LiveKernelReports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Windows\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Defender\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27cf77415fc37c145cc03442a12ddb5f

SHA1
7dae665caedaaade434d50d601ccb8abf285deb6

SHA256
69cc9381feeefab56910e35fcb3ba8068ce2daf685bc60276cd830e93e604fe3

SHA512
b0cd0fec0de2e7ea0f090f12880e808e8190e4e6343037b1ad08a014900b7a9b21cc0ac4eda8390a0028c54fbd0697026d3eb02802d3109f2fd436f000fd6ae9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
900747bbeea2ac20d5680f768b40dc88

SHA1
bd76abcd2eba236d693cdfe3edd310e8fef2e655

SHA256
b9d4812bda35861631d7e739aff6b0643ed6fb697541afd0bdcffe6f7e08f8e2

SHA512
e660377400b6504bde41ee0adfa5270f2632558f4eb9032e2fda051f52fa7df92d2cee7f4feb84326553333901d213eabd476aac14dd9a2a553596c19d9237b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4d3927fcfbb4bc5b38df60be5c120e3

SHA1
1d117e193a9f75cecdeec7e87d674d63e900872c

SHA256
3c94919c99d0651276747cb486eab9f49723b97d418baf46b46a9a6521ee5a58

SHA512
989624197733614ae1f03e246808717714ce88c64908b94e6a3d9e00a2ce71c4a1c7d54819712700335af79620b01d2e43168ba54ffbc16a7e5c12a339dc3db4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3655925e78551e3cbf7cd56b4ad61342

SHA1
8d659cc443fc0224cd2050c0e77c7b659fd12ce0

SHA256
070db2c5d33841f96878a980205cca6a394c902d88f2a5e2d25c66598ded263b

SHA512
866a284fad68bf0cdeb572e9dac4cf5d4d0d491e09ae95b7e09ad22e37ae2b9bc5e3ec47eedb228e1695d9bb3b3e5db1f096a558b6a440dac9b6952534809d77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f040aab50170fa20d9bcf44d0ecda2ca

SHA1
751d2c7d976950117767a42bce0e515e55029dda

SHA256
12ed48dcf55dc7b5ec9004671c5b11f79c1890a064db3d866b3ac61f04f68f0b

SHA512
6ed9497382bb1e3caa18c361b687ef546ce3a996117a262b0307885c4b2c45e6e67fad856889013b3bbc876144f306d1d08c0f6f96c8d7a52aa2915bc6d99e6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
524ea73dc54851d66cd7be0b6bb86228

SHA1
630593e438200f933c94849ceae66f234d5b37f8

SHA256
13281f84f57a2949bcca3305532c3e7085380f179e73ea4de5c389897d44c647

SHA512
7bb45d83ae458b67269f38e9d68b8d65667a2b7f807128e87d8265cbe49e3bcdbe7415d6757dc3cc7f7d5cb201978b535fac8f0b064dbc0afb7b934dab35a0ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b0cf5962eb546b29cd078bceb9ae622

SHA1
10310d2561e9b808b6ec31fa2aa80524d6ab269e

SHA256
15e736748e7ff06aa6bce29b0ccd8dfde026e0f74935e3d4728bf4d603d75faa

SHA512
17b7ec0074874ec81bac15ef54610e65035bb344138935bc60cc1cb696e9b6a011c0c529afa2327944c7a6648d4f8a1b74ed005f4d96ca4dfbb8d857b9264487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b053fcfcf4d2be5a59cbdca986158cb

SHA1
0b6973a1fa89e046e7b2da95b305e2d0eb506313

SHA256
78d57526ab600f124bf86b3ec5f84417850b537e76c669080015186f5855d5d4

SHA512
baa044ff5daf85152f53805ddebc229d5855d73234dd39c26f5f18ff8b1d067340c01f68e44bb5c1a7553d42f4c7e4a3568333d800874c6562ac3d2b2bd337c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c51786bd8d0f0705dc6870ea6853946

SHA1
ecde9b7266b0ee45bcabcd59f0e26b871967340a

SHA256
cd0404179ec5b1ba0f09adee8809bc123e3e6d17a9ac599a1c3ca5b989214a18

SHA512
eb91eee2877d0c4d691dff3a08f18d770ed0a947f800b745a00e5246b0404ade05e54e65173149f0c8f5b8e588749fb5c3cd8d9ee0fa5c0255274ca4e20d633e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76605ccc64c4d5d15d01237245bc3f43

SHA1
9df17865cad1d2a4175bc372cbde87cb83e059bf

SHA256
bd579068cb41bfda4c364e3245c097246a80cab0fc30e318fa0b946d8ed05667

SHA512
8ecedc4b83e73688bb26bd935381dcbe42f66906322ee0c00a18e596805eca11d5dd24b401cb424359ef1037c1b1f9f953300795a22be354895b9f1d468c5167

Download Submit
C:\Users\Admin\AppData\Local\Temp\1kSioVLOLD.bat

Filesize
193B

MD5
6fcd922437b8b7d55704e0061b7f8446

SHA1
c0705b44a80c76f49efd3c6edcb4874bba42d5dd

SHA256
1b89e9ff8ad37bde6e47c202c0fee706dd15143eb3ed3bb4d915265554b8a599

SHA512
c14cd860d06ac093a3803350e5bfec629514e445008720e2b5f9ccd3e86b4ff50d7b0fffda0256c67b09a13c99e5a1f03f709092765c29d7a69e4659db1bf2fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\23CLvB8Ots.bat

Filesize
193B

MD5
ac706c35dad28832d4c6489ae1922e4a

SHA1
fc576b2a90a96875341ef0646dc662467bad36ef

SHA256
be8881f4351a2835e70c44ef1d9a2b2392fe4d181c488c0e322d91bf8cc1b15b

SHA512
a21bb63d5b29fd5c6233d3550b50bc326ad37249774d0d442b17ec707e8aa4de7d376e0c6fb829a1e76fca8c44dc57508adc74bb71bd6e76a60d7ef283fafe4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ezzJRb6cS.bat

Filesize
193B

MD5
74c511af71a12c206e4a3d3dde831717

SHA1
2be586c582f08d70eba950a726e944f75c2fd366

SHA256
d41ffb83e5036cf60fcf77ccdf50df4016eae50007c4a9fd1be00e5c9f1826af

SHA512
5f2d010a581b1e8d304070c72bd50f5b5ce6d6490fbdf20a0b8807c7d403fa239d7221eaa31a6e55696562c006c4fccea53b351eb3a4758b26539d382aa969b6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab820D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MpmmxgpAh8.bat

Filesize
193B

MD5
3b70701ca8cd9c32b7c086ff5f56e0c2

SHA1
de39b5894694e03169ae86350d4658847d43f99f

SHA256
54d186354f4e3ae6e67222d814074ed9e2b4ea563d21fbebf6860ee2c23cad3f

SHA512
b7e43add7a155dccf69c00ba51b2725c91d35da21acb279d3fe70922fa17ec01b6de79848f89ab1f09025bfd4e4ad96d1033901872342bf8be77d151eb7d1e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
193B

MD5
c4f7d1f114af4db3a55b56da2ecc95f3

SHA1
6a11a663a1958d93e89ae1f30b3798f3928047f2

SHA256
336aefa800e04b2ae5b4a60151fa20ebbe3ab9aec2113cb7ad652a141032ac97

SHA512
8d304e7efda0b5ca7f157ea10dab5583e53d35fdcda9e6ffa20345e2246cf1f2d8f46ddd185caa55c9baa6146768d9cc94ca122641351c8d4a0ecbdb03df57d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8220.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat

Filesize
193B

MD5
d8c211b2ff19ecfedbe08d4f08d9034a

SHA1
1cc58eaa6552c19b89062c849d8c08a4d0142072

SHA256
506c4f78bc38fc2aba92f09a84f85db811dfe33e23da5ab05495e532b4997c82

SHA512
54cb84906eb60ed2da0a3fdc86311c139583334715cb2fd266963f3d349facd60f7992bb0b97e77640d73e0cef6539383a0427ba9530e06dbfd16a04981c6762

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
193B

MD5
e13cf25eafd4cb07639c49246eda8242

SHA1
cb557d6e40fcf0d0f1d9190a4dcc8aee9dcbd465

SHA256
250e251923a9af0031ee0cc9f315d4bd5269d3b927d7b04f1a4d4518a247ea13

SHA512
de201edc043ad478b05dbc6d5d4f7034f0ba01e7f067c2f033f50da90a988aa1f995b8ca0b82bc6fbf4cd45cc533afc1dd01b70ee778e7c931af8de582e63fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\daA37ewxym.bat

Filesize
193B

MD5
9c8811d1750f8a70022d7ca1bfc3b7d9

SHA1
711f92a4e48bad7b71b0af10b9a9db1b329512c9

SHA256
b90b058cd4741c747fcfcfe5d61a00cc111816a54213b73ac40c2e38be0eae43

SHA512
b239c4c322cf9cf719a8d2622cc3cc43b37a63be71043731303873bd8b83154fe484575956420ecff897d80c66947e424e952af5669c1ec94cecd7f984c8643a

Download Submit
C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

Filesize
193B

MD5
b940532056e80d2adedf34ecf9587ccd

SHA1
4da157ebf43749e7927db1f170e4d6fc27630eac

SHA256
b84bb9655f650cd102b0085952338959f784dcdeda9b6d96ac1b79a94d94d8e1

SHA512
92bcbf5ad8718f249045dc5096318be0a202f3fcc1f949ea245ee83028a886829a1551a5387118afa980c3c33cf3b93c846a9a47d87f744a707d60794c57fed3

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
193B

MD5
7d3c8888b79352f67fd25dcc2ff0babe

SHA1
ab7931ea5d77e41a76a90a50bbfcd52782316893

SHA256
cf654ee87a3b22d66835028bb611a16fb8b36f2a81bf392b050110128956c5f5

SHA512
0675c23560e355ef7f518a06c9dabc468e166c403151844560713f796924297a1ab7d83d3492dc8ba0a4d7e1fcac68c2ce03c031e2225f500d3fab07c42f83da

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat

Filesize
193B

MD5
9e86582e16263be6a8cda51effbe3da3

SHA1
18817e7e3ba2aefd4f2fb5b61f7f3ca7a0043dd3

SHA256
7eabdf4e09975b7eb590ddbaeaa53a7fa22cdc7d2d464c2f24d3579b42f0abc9

SHA512
5fbce37873deaf25301f9ad33c9c1740f221f6aae09d77f3d07c06fcb9fdd1da926cafda9664f5f3a04765b36902601ee8a7fecbde628a768b1fbff67e86eff8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\1WU2VRO621QDW6CJFAD8.temp

Filesize
7KB

MD5
c131e222aaad4db86373bea2b0412570

SHA1
691dbb220fe21f3149256719ccca4ade843989b1

SHA256
1f0808983e21d7c74c555d14cb3f5157742eb40bbe41bcd22d13337883936750

SHA512
ed74739be633c754a7867b4e3895495aeccf2051249959c82d8b8bf188ace10530f7308c11bdb3249ddd773bd5314597c1142663ab07768c2ca8624e53da13de

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/548-49-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/1048-623-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1308-683-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/1660-385-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1660-384-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/1716-50-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/1716-84-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2120-52-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/2188-143-0x0000000000840000-0x0000000000950000-memory.dmp

Filesize
1.1MB

Download
memory/2188-144-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2432-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2432-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2432-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2432-13-0x0000000000850000-0x0000000000960000-memory.dmp

Filesize
1.1MB

Download
memory/2432-16-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2636-324-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2776-264-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2808-204-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/3056-504-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download