dcrat | 7386643d99fbe783380f85fa364cce332c31ff0bdf023b78de58d329990842ad

Analysis

max time kernel
149s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 11:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proverka by xdwd.exe
Size

1.5MB
MD5

b6d84083a9a6d904f8fce712472503db
SHA1

be3cea644584be972eed12578bdcf3cd6ff4ecbb
SHA256

7386643d99fbe783380f85fa364cce332c31ff0bdf023b78de58d329990842ad
SHA512

0cca303cc79bd20a593e1d5a01cce8783c7daffa4c99cf1694dfdaa5c14b7e7be64a35f73e9b8f7063948a94b492c830d32870965ba7fd0f0d067d06b9806539
SSDEEP

24576:U2G/nvxW3Ww0tNAo6ME182LavUt3U27dLqYTZb0yJSogzbKRYSDxtXbkP0hNZnB:UbA30NAF8MIGfQ/Km6XoP05B

Score

10^/10

dcrat discovery infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 57 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2300	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1340	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2336	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2336	schtasks.exe	34

DCRat payload 20 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d7e-9.dat	dcrat
behavioral1/memory/2548-13-0x0000000001210000-0x0000000001342000-memory.dmp	dcrat
behavioral1/memory/2340-62-0x0000000001310000-0x0000000001442000-memory.dmp	dcrat
behavioral1/memory/1488-69-0x0000000001340000-0x0000000001472000-memory.dmp	dcrat
behavioral1/memory/2188-76-0x00000000003D0000-0x0000000000502000-memory.dmp	dcrat
behavioral1/memory/1832-83-0x0000000000E00000-0x0000000000F32000-memory.dmp	dcrat
behavioral1/memory/1600-96-0x00000000000B0000-0x00000000001E2000-memory.dmp	dcrat
behavioral1/memory/2496-103-0x0000000000340000-0x0000000000472000-memory.dmp	dcrat
behavioral1/memory/2548-110-0x0000000000960000-0x0000000000A92000-memory.dmp	dcrat
behavioral1/memory/2012-123-0x0000000000DF0000-0x0000000000F22000-memory.dmp	dcrat
behavioral1/memory/1672-130-0x0000000000050000-0x0000000000182000-memory.dmp	dcrat
behavioral1/memory/2952-137-0x0000000000270000-0x00000000003A2000-memory.dmp	dcrat
behavioral1/memory/664-144-0x0000000000AA0000-0x0000000000BD2000-memory.dmp	dcrat
behavioral1/memory/1936-151-0x0000000000130000-0x0000000000262000-memory.dmp	dcrat
behavioral1/memory/944-158-0x0000000000E90000-0x0000000000FC2000-memory.dmp	dcrat
behavioral1/memory/2760-165-0x00000000000D0000-0x0000000000202000-memory.dmp	dcrat
behavioral1/memory/1396-172-0x0000000001170000-0x00000000012A2000-memory.dmp	dcrat
behavioral1/memory/1844-197-0x0000000000150000-0x0000000000282000-memory.dmp	dcrat
behavioral1/memory/2504-204-0x0000000001290000-0x00000000013C2000-memory.dmp	dcrat
behavioral1/memory/2432-235-0x00000000002C0000-0x00000000003F2000-memory.dmp	dcrat

Executes dropped EXE 28 IoCs

pid	Process
2548	driverSessionRuntime.exe
2340	csrss.exe
1488	csrss.exe
2188	csrss.exe
1832	csrss.exe
1816	csrss.exe
1600	csrss.exe
2496	csrss.exe
2548	csrss.exe
2648	csrss.exe
2012	csrss.exe
1672	csrss.exe
2952	csrss.exe
664	csrss.exe
1936	csrss.exe
944	csrss.exe
2760	csrss.exe
1396	csrss.exe
2560	csrss.exe
2652	csrss.exe
2592	csrss.exe
1844	csrss.exe
2504	csrss.exe
1636	csrss.exe
2264	csrss.exe
1992	csrss.exe
2896	csrss.exe
2432	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2560	cmd.exe
2560	cmd.exe

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\defaults\pref\1610b97d3ab4a7	driverSessionRuntime.exe
File created	C:\Program Files\Internet Explorer\fr-FR\taskhost.exe	driverSessionRuntime.exe
File created	C:\Program Files\Windows Portable Devices\cmd.exe	driverSessionRuntime.exe
File created	C:\Program Files\Windows Portable Devices\ebf1f9fa8afd6d	driverSessionRuntime.exe
File created	C:\Program Files\VideoLAN\VLC\b75386f1303e64	driverSessionRuntime.exe
File created	C:\Program Files (x86)\Windows Portable Devices\csrss.exe	driverSessionRuntime.exe
File created	C:\Program Files (x86)\Windows Portable Devices\886983d96e3d3e	driverSessionRuntime.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\OSPPSVC.exe	driverSessionRuntime.exe
File created	C:\Program Files\Windows Defender\it-IT\dwm.exe	driverSessionRuntime.exe
File created	C:\Program Files\Windows Defender\it-IT\6cb0b6c459d5d3	driverSessionRuntime.exe
File created	C:\Program Files\Internet Explorer\fr-FR\b75386f1303e64	driverSessionRuntime.exe
File created	C:\Program Files\VideoLAN\VLC\taskhost.exe	driverSessionRuntime.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\6203df4a6bafc7	driverSessionRuntime.exe
File created	C:\Windows\Installer\lsass.exe	driverSessionRuntime.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proverka by xdwd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1736	schtasks.exe
2468	schtasks.exe
2180	schtasks.exe
1552	schtasks.exe
1008	schtasks.exe
2736	schtasks.exe
1192	schtasks.exe
1816	schtasks.exe
1716	schtasks.exe
1564	schtasks.exe
2656	schtasks.exe
2688	schtasks.exe
1488	schtasks.exe
2500	schtasks.exe
1916	schtasks.exe
2652	schtasks.exe
580	schtasks.exe
1928	schtasks.exe
2212	schtasks.exe
2300	schtasks.exe
2764	schtasks.exe
1372	schtasks.exe
2144	schtasks.exe
2124	schtasks.exe
2116	schtasks.exe
1200	schtasks.exe
988	schtasks.exe
2120	schtasks.exe
2152	schtasks.exe
2384	schtasks.exe
316	schtasks.exe
1396	schtasks.exe
2480	schtasks.exe
288	schtasks.exe
828	schtasks.exe
2952	schtasks.exe
1956	schtasks.exe
1584	schtasks.exe
1676	schtasks.exe
1660	schtasks.exe
2648	schtasks.exe
2092	schtasks.exe
1540	schtasks.exe
3020	schtasks.exe
2816	schtasks.exe
1244	schtasks.exe
3016	schtasks.exe
496	schtasks.exe
1776	schtasks.exe
1340	schtasks.exe
1164	schtasks.exe
2840	schtasks.exe
2400	schtasks.exe
1056	schtasks.exe
1076	schtasks.exe
2008	schtasks.exe
1028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2548	driverSessionRuntime.exe
2548	driverSessionRuntime.exe
2548	driverSessionRuntime.exe
2340	csrss.exe
1488	csrss.exe
2188	csrss.exe
1832	csrss.exe
1816	csrss.exe
1600	csrss.exe
2496	csrss.exe
2548	csrss.exe
2648	csrss.exe
2012	csrss.exe
1672	csrss.exe
2952	csrss.exe
664	csrss.exe
1936	csrss.exe
944	csrss.exe
2760	csrss.exe
1396	csrss.exe
2560	csrss.exe
2652	csrss.exe
2592	csrss.exe
1844	csrss.exe
2504	csrss.exe
1636	csrss.exe
2264	csrss.exe
1992	csrss.exe
2896	csrss.exe
2432	csrss.exe

Suspicious use of AdjustPrivilegeToken 28 IoCs

description	pid	Process
Token: SeDebugPrivilege	2548	driverSessionRuntime.exe
Token: SeDebugPrivilege	2340	csrss.exe
Token: SeDebugPrivilege	1488	csrss.exe
Token: SeDebugPrivilege	2188	csrss.exe
Token: SeDebugPrivilege	1832	csrss.exe
Token: SeDebugPrivilege	1816	csrss.exe
Token: SeDebugPrivilege	1600	csrss.exe
Token: SeDebugPrivilege	2496	csrss.exe
Token: SeDebugPrivilege	2548	csrss.exe
Token: SeDebugPrivilege	2648	csrss.exe
Token: SeDebugPrivilege	2012	csrss.exe
Token: SeDebugPrivilege	1672	csrss.exe
Token: SeDebugPrivilege	2952	csrss.exe
Token: SeDebugPrivilege	664	csrss.exe
Token: SeDebugPrivilege	1936	csrss.exe
Token: SeDebugPrivilege	944	csrss.exe
Token: SeDebugPrivilege	2760	csrss.exe
Token: SeDebugPrivilege	1396	csrss.exe
Token: SeDebugPrivilege	2560	csrss.exe
Token: SeDebugPrivilege	2652	csrss.exe
Token: SeDebugPrivilege	2592	csrss.exe
Token: SeDebugPrivilege	1844	csrss.exe
Token: SeDebugPrivilege	2504	csrss.exe
Token: SeDebugPrivilege	1636	csrss.exe
Token: SeDebugPrivilege	2264	csrss.exe
Token: SeDebugPrivilege	1992	csrss.exe
Token: SeDebugPrivilege	2896	csrss.exe
Token: SeDebugPrivilege	2432	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1164	2668	Proverka by xdwd.exe	30
PID 2668 wrote to memory of 1164	2668	Proverka by xdwd.exe	30
PID 2668 wrote to memory of 1164	2668	Proverka by xdwd.exe	30
PID 2668 wrote to memory of 1164	2668	Proverka by xdwd.exe	30
PID 1164 wrote to memory of 2560	1164	WScript.exe	31
PID 1164 wrote to memory of 2560	1164	WScript.exe	31
PID 1164 wrote to memory of 2560	1164	WScript.exe	31
PID 1164 wrote to memory of 2560	1164	WScript.exe	31
PID 2560 wrote to memory of 2548	2560	cmd.exe	33
PID 2560 wrote to memory of 2548	2560	cmd.exe	33
PID 2560 wrote to memory of 2548	2560	cmd.exe	33
PID 2560 wrote to memory of 2548	2560	cmd.exe	33
PID 2548 wrote to memory of 1680	2548	driverSessionRuntime.exe	92
PID 2548 wrote to memory of 1680	2548	driverSessionRuntime.exe	92
PID 2548 wrote to memory of 1680	2548	driverSessionRuntime.exe	92
PID 1680 wrote to memory of 1812	1680	cmd.exe	94
PID 1680 wrote to memory of 1812	1680	cmd.exe	94
PID 1680 wrote to memory of 1812	1680	cmd.exe	94
PID 1680 wrote to memory of 2340	1680	cmd.exe	96
PID 1680 wrote to memory of 2340	1680	cmd.exe	96
PID 1680 wrote to memory of 2340	1680	cmd.exe	96
PID 2340 wrote to memory of 580	2340	csrss.exe	97
PID 2340 wrote to memory of 580	2340	csrss.exe	97
PID 2340 wrote to memory of 580	2340	csrss.exe	97
PID 580 wrote to memory of 1956	580	cmd.exe	99
PID 580 wrote to memory of 1956	580	cmd.exe	99
PID 580 wrote to memory of 1956	580	cmd.exe	99
PID 580 wrote to memory of 1488	580	cmd.exe	100
PID 580 wrote to memory of 1488	580	cmd.exe	100
PID 580 wrote to memory of 1488	580	cmd.exe	100
PID 1488 wrote to memory of 3064	1488	csrss.exe	101
PID 1488 wrote to memory of 3064	1488	csrss.exe	101
PID 1488 wrote to memory of 3064	1488	csrss.exe	101
PID 3064 wrote to memory of 1712	3064	cmd.exe	103
PID 3064 wrote to memory of 1712	3064	cmd.exe	103
PID 3064 wrote to memory of 1712	3064	cmd.exe	103
PID 3064 wrote to memory of 2188	3064	cmd.exe	104
PID 3064 wrote to memory of 2188	3064	cmd.exe	104
PID 3064 wrote to memory of 2188	3064	cmd.exe	104
PID 2188 wrote to memory of 1112	2188	csrss.exe	105
PID 2188 wrote to memory of 1112	2188	csrss.exe	105
PID 2188 wrote to memory of 1112	2188	csrss.exe	105
PID 1112 wrote to memory of 2264	1112	cmd.exe	107
PID 1112 wrote to memory of 2264	1112	cmd.exe	107
PID 1112 wrote to memory of 2264	1112	cmd.exe	107
PID 1112 wrote to memory of 1832	1112	cmd.exe	108
PID 1112 wrote to memory of 1832	1112	cmd.exe	108
PID 1112 wrote to memory of 1832	1112	cmd.exe	108
PID 1832 wrote to memory of 1788	1832	csrss.exe	109
PID 1832 wrote to memory of 1788	1832	csrss.exe	109
PID 1832 wrote to memory of 1788	1832	csrss.exe	109
PID 1788 wrote to memory of 1996	1788	cmd.exe	111
PID 1788 wrote to memory of 1996	1788	cmd.exe	111
PID 1788 wrote to memory of 1996	1788	cmd.exe	111
PID 1788 wrote to memory of 1816	1788	cmd.exe	112
PID 1788 wrote to memory of 1816	1788	cmd.exe	112
PID 1788 wrote to memory of 1816	1788	cmd.exe	112
PID 1816 wrote to memory of 308	1816	csrss.exe	113
PID 1816 wrote to memory of 308	1816	csrss.exe	113
PID 1816 wrote to memory of 308	1816	csrss.exe	113
PID 308 wrote to memory of 3048	308	cmd.exe	115
PID 308 wrote to memory of 3048	308	cmd.exe	115
PID 308 wrote to memory of 3048	308	cmd.exe	115
PID 308 wrote to memory of 1600	308	cmd.exe	117

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\Proverka by xdwd.exe
"C:\Users\Admin\AppData\Local\Temp\Proverka by xdwd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\chainWebIntoSession\qD91Bf2FR629.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1164
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\chainWebIntoSession\mutZScugJ38QpfoGeguI2l.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2560
  - - C:\chainWebIntoSession\driverSessionRuntime.exe
      "C:\chainWebIntoSession\driverSessionRuntime.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2548
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cr6nEVp7M3.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1680
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1812
      - C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1956
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1712
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2264
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
        13⤵
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1996
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat"
        15⤵
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:3048
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        17⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1028
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat"
        19⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2452
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat"
        21⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2300
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat"
        23⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2544
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        25⤵
        
        PID:1424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2364
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat"
        27⤵
        
        PID:2876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2288
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        29⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        30⤵
        
        PID:2092
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        30⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"
        31⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        32⤵
        
        PID:2424
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        32⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        33⤵
        
        PID:2128
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        34⤵
        
        PID:1408
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        34⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
        35⤵
        
        PID:604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        36⤵
        
        PID:2724
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        36⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
        37⤵
        
        PID:832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        38⤵
        
        PID:1276
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        38⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        39⤵
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        40⤵
        
        PID:288
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        40⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        41⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        42⤵
        
        PID:828
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        42⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat"
        43⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        44⤵
        
        PID:692
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        44⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat"
        45⤵
        
        PID:1864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        46⤵
        
        PID:2460
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        46⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat"
        47⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        48⤵
        
        PID:2704
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        48⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
        49⤵
        
        PID:1192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        50⤵
        
        PID:956
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        50⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat"
        51⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        52⤵
        
        PID:1244
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        52⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        53⤵
        
        PID:1068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        54⤵
        
        PID:2000
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        54⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
        55⤵
        
        PID:1372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        56⤵
        
        PID:2128
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        56⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
        57⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        58⤵
        
        PID:2684
        
        C:\Program Files (x86)\Windows Portable Devices\csrss.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\csrss.exe"
        58⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat"
        59⤵
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        60⤵
        
        PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.es\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\chainWebIntoSession\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\chainWebIntoSession\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\chainWebIntoSession\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\chainWebIntoSession\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\chainWebIntoSession\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\chainWebIntoSession\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Defender\it-IT\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\it-IT\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Mozilla-1de4eec8-1241-4177-a864-e594e8d1fb38\updates\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\Installer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\Installer\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Documents\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\Documents\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Documents\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Program Files\VideoLAN\VLC\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\0PvuKmrV6l.bat

Filesize
222B

MD5
4da91a5648964c4036c903ef7e5a6f6b

SHA1
e296662fa11ffbe7de39e42318b9aff5f02f1916

SHA256
35fed8d813d31c3f48a2c6677e7d88bf388d3f1c5f8ad1c3f306bfc321cfc1a5

SHA512
a5702b326d65e536e06f6946a4704027a8bf65c3bbb5cff32c1cd6e35ba3ac4e1c70a637b365f1e2b87b50ee5fed53d1d96a13474b22a136bd5b50d32c85258f

Download Submit
C:\Users\Admin\AppData\Local\Temp\45aGjaybPu.bat

Filesize
222B

MD5
b33d8041ed1b0fd990fc2892cdf63bd2

SHA1
237ff80507b53f2d31873abfc165f6e53f603ee1

SHA256
e3e6abba53595da912d04351703afec82ea0b0a4d72a9b44162dce38b7a74ab1

SHA512
932788e2d33f3e7a13776870dbd89941ae1b0d7ac3c4bc0e54df3c244d7643494980ce296b8a85f918fafeeba8980cc2b9d4b47d0e8395aeef45c47d9cd3741b

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
222B

MD5
5b086118808d297317d4e77a9a3da490

SHA1
7d5d152c8b39c79ca71da10a8b6afdaadba67afe

SHA256
aee7c91335384af661f07a199e6874ef8e351312f45c517267a5802eeb636a1d

SHA512
ca8662768cd0c98dc7810674e52a4b4464c2c0b5896e3f582b672f47577a38a72284d5a49161f3654e52245fe54f003cb59467aac2bc7fd2a4df4779cc24708b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
222B

MD5
64b0ba6522397ded15b9d09f2312193c

SHA1
74004de80cb038f6e6ae957e0e8f7c906697be77

SHA256
1491fd5f35c39d2bafdb9a5cb4ed05b42c56539fdaa1a05e7731133e703c1a96

SHA512
753f5cff414a162b868e31660a1834bda7a3c5cedec06aa20375ad1a420965d2615fcad9310ebe711633468b31a75f22a6b3173ac355127055c3c1a5180b31af

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
222B

MD5
4092674b86052d28949759d6354583ab

SHA1
0f15eb0a4b62aa480045234f47c0bb41fd129e89

SHA256
689738fbd778915577915ee0501d101cd54a6f02a7fc50eb8806bbe19d6c49bb

SHA512
100afbdbae5072849c9a60496a95a526d41ce73037956e2dfc74b28ac2aa98888db2f68dda07193ecbefc7b1c33cf592957556ba2e5665c60307d5582f65e479

Download Submit
C:\Users\Admin\AppData\Local\Temp\BDITavvsiM.bat

Filesize
222B

MD5
747549afd6247d18bb8191281a90d040

SHA1
26aef1d760898e01ad14260040a449d7e3b24d1f

SHA256
1cf905746cdaedbca60aac27927ff3b0bf076ffc42ca56c6a7da2a8fb1a59579

SHA512
536963e66194079da2557f254a3a322459390b7fbb4a68b6594751dff75d5e7ca9d8531a61ec6a6017dd3575b755634aa203d711609d17fee5c2e0123a6ab396

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cr6nEVp7M3.bat

Filesize
222B

MD5
cda1dc536183de1273686a349a24ff5a

SHA1
a47db2c16566a4ee7db0b225aeda50b45be6ddbc

SHA256
48cd8629aab0b88c43ee8cd5adf8c5cbf9cb011b6f5830d2a7375850917411d3

SHA512
cedf882142eb276dbbab5b961a07191dbb267c393620cfb47e836b82e9cb096564a91ffb99175eab3598f1f297f21586c54de9c3f904efd61b9ca6121424382d

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat

Filesize
222B

MD5
801bcc305c02ab2cadf4eb1775b09653

SHA1
53a85748eed748c2fae000e1b723af583646c0fb

SHA256
5a65a52badccf15682e5833abbb8d367d8159ac2c0d896f3d72d68bea380046c

SHA512
c61654e94a7368d4a5b3a8762217169d2eaf64ebc5b85f984b880cdc649608b84ce43b181b297429a99e7b149613018335ce69b9f560cb35706af70a202b7706

Download Submit
C:\Users\Admin\AppData\Local\Temp\K00M4WFsUw.bat

Filesize
222B

MD5
584c4953352f851c79a2b53d087fcfe0

SHA1
49d53b187ebea7828e76d8f82bb2ba1a9ef0281b

SHA256
b78944b4cc082e6cc5173db15d23e20a688cbfe95d5074088b3bd0b7352b2fb8

SHA512
5fdb17d8344bb0abcaa254219f39b9c8da8fe714998266763bad61ec20e8f86444f02a193f17547c4d376d619e1a9a8c7693502001e556e3c1f090b0e313e153

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdN2yJpTNi.bat

Filesize
222B

MD5
6cc87ee0c6372521623441ea82755f50

SHA1
a18f6d08e906f7f36859b722b225d9e69d6db7a4

SHA256
c864be056c629f5004848bec0db4b5f1a23a96b13b3098f351523b2e84cb1332

SHA512
c131d272975daf3fbf6c49aa43f674f031d98bb3cde6e53a856ef348731ba96b97cf88f00961eba6915b723ba71162b9b092e66a3cf8af8d82a3406d6328dfcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
222B

MD5
cdbe2f1181c40746f954b848163cb0f4

SHA1
f7dbdc3dc286c4f5fb517ebc33d741228a8ca95d

SHA256
67b503dbb7a6a26e246043dbfb25b58161e9b738f82edb1fb6d8f3d6d671789d

SHA512
9c54356f6e7276eea1839d9c3cc96b96daedee9ab7fd6b1630b2957a7c199273a185301abf1e436d59b67214bc4fc5632d4a139dbb700450131aa13de23b29d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat

Filesize
222B

MD5
62f16f620abe2210ac89867b32809364

SHA1
045eb9359ae7a23bee4d469f7d8bf5d4f3881c29

SHA256
04637f1af4eace67e5f76fa4c0184730883678dc4f26ab1c5a153051005b2141

SHA512
a125ff74740a1f4b7c9e9e27eeb5c2781fac83cc24a34627b1a7f6a7d6d360b6024f9d28bd07bf583187870f6a5c945c88226814f105f2a578126e95482c02cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat

Filesize
222B

MD5
0efbdd240e8066ea80f7570f5f6003d5

SHA1
1b05ab6477816419530792ebb21852ab132343a1

SHA256
df80e0997f293573ef083a1598c7fe05ea2a42722e84a313c4484a3fd5a39444

SHA512
218ea4a38ff98fea615acd2e2660c103fdcd19fc182a2d698145831c3580ef9a696eb629bdbda1eb4ad7e94f301a07922818d00d1862ed089e28ef94a966e47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
222B

MD5
11c9b0da4a2c0288e78ac4f745291043

SHA1
bbd8aa3a9ea8076a47758eaad14582a03deea290

SHA256
e6fb3208bf10812d5283cb32a522314f34ab77a1a7cf72303f0413046f085750

SHA512
a12a90450e0abc372977a2b1ea1b4c48bd3dcc528157dee2dcd11a15a9b426280a6a9372f43333b4d526cc425b41055ac4e2aa9f61fe8ecd27efce36a3c4d7e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\aoAocY3YSO.bat

Filesize
222B

MD5
127faf34cdf8c65bd6cd773a47ff36b8

SHA1
b2b00013225eeb8a223c07c726f5e5b943637e24

SHA256
1ed82d71f363b9759ac108daa21400779dbe37b66366cc7f5b696c5a0e4de87c

SHA512
e083be642bcf834eb6512613bbfcb206e8f84016460f78e35c2b5b231cabfc37eccb6f383fcac8de59c8c32d5e1818340d9a421a286b4ddf9b3c329a32a8cc37

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
222B

MD5
e278e8db486e3037a9d06892b86bf81c

SHA1
301611b62a9cf109618481fbc24dc649fa86a16a

SHA256
1f121ebd6b4bc938161907bffd5895320bb769deaaeaca86d6924390a819ebaf

SHA512
f43953d8b4dad9574a37656c75192e1ac7ee0719b19de9ac0c9fc2f627c86f61a84ff1d5685a5ac8395090a90d3f698e1d543e38b9708b8342a5fc76618b5b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat

Filesize
222B

MD5
0bd5a9abd5088e616c28907d0b47decd

SHA1
75991dd1223e81c479fad5097e3c2fc8365a2aa4

SHA256
88fe3da0b89d48a6938de742e76163280d79a98bb3805c2006831b83f71ec07a

SHA512
3d3c5e28d5aeacf0e8438f6decc36a6d037dfe0b2a2d32afc2e62066619d708183f65a1b3b11040bffc21e23b212562bdd3609530537ffca79e7bd4238abe9a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\eON2Ze4cSc.bat

Filesize
222B

MD5
54b770c24a150122395c55c4b6c54aa7

SHA1
6e633b68adb298d1ffc10d13d40658dccbf00e39

SHA256
eada987c5df87ad47ec6071022723d829c4f6009c9f3c56b0a06ce1753346bd8

SHA512
310ecb5ff9b205607109c74170628999b8085bd64cc17e14240360f5669e1999317496ea3a6b5baaa13c0a47d6ff5a2864226b6e454472029a9f4cf095a9e378

Download Submit
C:\Users\Admin\AppData\Local\Temp\f70LHM7oRz.bat

Filesize
222B

MD5
8bd386e520103e7ed69bc78c401cb5e1

SHA1
b747bd3cffaaa290a115f0a7ca908c7b9f0c9062

SHA256
575f42746bd3792b76340c47ed9b647c9235d5d69970375c815fb890d66cf366

SHA512
a65703c16ce9a06da8155bc27a8420a10da6d5553e50357c508e11e897c8ae82304dcb03fb585179e904187af1be78298812c46bc1b1f704554eb462b24c1203

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

Filesize
222B

MD5
cb7f6dd040424d83ac9829de936272c0

SHA1
03a4cb8b9e8160eea7e701b3610f3edc9a45ada9

SHA256
b0447f7c32f660ccfec30e1c9a495c89f85393de1bd8587eb70359d5ac13ef43

SHA512
fab10bddad1820a3dfa6ef213420a4bda30c2c88eeb2c0ff401e1ac80259fa168a2841cf7a12a44b45c02fcd678a63b7d10e775c054201000bb549486ade61b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

Filesize
222B

MD5
0f86bf9fc153e3a81dc66bea1fbfe3ab

SHA1
a13e7d6603b610fcccb10d7b3f3853aa9eb070ac

SHA256
146b10a07c81e2245b0d7cf01cddd6802d7f7fa5d34bae114f7e352694be29e3

SHA512
f358552869ae05194c94e727f78dfcd7788324d164cd18f7fbc5c01f6b0abc193d27ee2447ad5378b9b2dea4f6b975633908142160a257daa83ae776ece06176

Download Submit
C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat

Filesize
222B

MD5
04df9fe931cc05cd7c3e7ab32ec7378b

SHA1
88fb6c03921f34b4aabd902a87f24124fd31ffd1

SHA256
3b88e3a9170bbf03890ef7278f1ded277cdc0d7d02ba446bfce84b5f752a2cc9

SHA512
159547d4d95dac7d9147e03d016889410257b454889561a8c1ab5ffb131c479b1c6288086908bffddceff50f81733d5c7fe18df89bcf73c2c41dddc3fd8c6fab

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat

Filesize
222B

MD5
200cb9eb178d91ae5ed8e4c5e27e5a5f

SHA1
a74a8677acfa85558bb8c9a52c4c4fd1add991de

SHA256
c3deb6d7b7011406f1ff1b0987eac2044e475150ba4a98b08fd665f098f36bd5

SHA512
e956fa536e847648cc5f5cdec756fe6732d0d362f31aef2deb93139cc88826130090f52a080203d44aa7649101598e194ff7ca0e56197a35e57de3da88dcccf6

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat

Filesize
222B

MD5
7d4999ce157068abe72a16bfbe5ee7d4

SHA1
4257d05f01158eea0fa2e1350ac775ea2241e911

SHA256
f413ecd859be294c3052f87bb55d54f1000dc13b3a4d79236568d444bb4ef64d

SHA512
f15a7695e7c23eec10bfd5afdcc27caea16ee976384709019b60cf424a0c8d949945eb939ac4dc0907fd4ade940feea990600bac858f715efafb8718ab2a89d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDwMkfOC2e.bat

Filesize
222B

MD5
ae3eacfabc8f8d38b9dc44144fefe0f6

SHA1
d54e09c32b761640bad2aed44fe83be52675009d

SHA256
7ab83f5a823801418e07d385927a9ba5ac71b916a740fc988222d515f1d35b8e

SHA512
abb5f859f6c1d93d01b37d2b1f2880526c6f94cd94152273ef09610bc4409f32978b489ec2c73d404d9a9ef5784db4bb03d633c0559d08fd0cdf5d20c4e62df9

Download Submit
C:\Users\Admin\AppData\Local\Temp\qKN9Q7Smhq.bat

Filesize
222B

MD5
0a4a1c545f4ce5e878555d7deb9133cf

SHA1
4f26d912b81eee9e0a572943512850b1724bfa1b

SHA256
38c915f814ec3b880a2042b851950aae427ad90b0db0c6ac63dfae71f54c658d

SHA512
ee63608c737e719deae3305c2f4d452521ed89e7561f8f6a54347c25f69f45657353a5b0c96471eec085d5b313bf7c016d567c5888732a2082455bba9b649e94

Download Submit
C:\Users\Admin\AppData\Local\Temp\raSqT8qddO.bat

Filesize
222B

MD5
9339d04bf101f8f6c4df37f1f46da3a7

SHA1
9e1073c60896fe8bef2a9f1627bf9789ea9b6903

SHA256
56d6485fa58fd72e379eb1e9cff1b53ce5e49d9fd123bac1edc4c68cf18f3cc3

SHA512
511c539b3fd7949a2754332dd28360076a716a981235d0a96b57dc50228abdda5e6322e5c7efd22974683bcfd55dc70e3480a604716a11be781b9d01d1db6714

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
222B

MD5
ca12e50d3fdb237ef0b01cef8ddaab71

SHA1
271681e9871482dcd59b2c039be4dad75207992f

SHA256
f24e6c74c67c2fe0203a743267bb60eb17bc254b8d677dcd040f3007f78e830e

SHA512
eb7bc29a8d806bbf20d5cef7f1d89b76ff19068257a0744f32a1823ce4404821a67281001e5d1c93c6afb704b574205047804360cbdd9fb89996033a075971da

Download Submit
C:\chainWebIntoSession\mutZScugJ38QpfoGeguI2l.bat

Filesize
49B

MD5
6000af83a4ec5ba337a3199e02ef3adc

SHA1
6d3e75d8513f156d5a0cdaca7c04754207897763

SHA256
cff888ba6c207a854350f2a5bfa943e933229e0f4b577c57e5e8d9c73fa678d6

SHA512
8181a8fa8d67c7aabc5d439c4338d7a5b92023992f148b498dbf6937bdcfe8c91b5961b06a1d745b46fe8a23aac857e3b5f88d19b6d10f2ade791b889185e4c3

Download Submit
C:\chainWebIntoSession\qD91Bf2FR629.vbe

Filesize
218B

MD5
e376bec17fcd43091d7e796e1990822e

SHA1
905ea05ef90ac3f2686443c8bc44e1b81c061a6a

SHA256
cb1d5eab7477bb30819023038a740abd7c5366f8ebe57b14e8339d4f79cfab3d

SHA512
c7e36f65a1da9681355a77e200a5d06fe2a6270d20a00b191f5c3b484ca52b16574058134a97f5008826f4b4e1f2153936e50d93f125a18c1019c306a97bb4ce

Download Submit
\chainWebIntoSession\driverSessionRuntime.exe

Filesize
1.2MB

MD5
6fa9d3afd6e7a33f230d630effcdcd68

SHA1
e36e510d35918147c19da9c2e4d153dd16acda56

SHA256
34067e70cf580aa3b0503f80c0944cc261f7b511988bb37cbc8d810a16e27229

SHA512
5466923061a3c3799a88a6947839c8d3e47f4aa08abe396adf4137bf9b2db38e9285f2a62d7c2ccd3c942f6199525cf47d33a2dd277a840bed0ed951a4ad50fc

Download Submit
memory/664-144-0x0000000000AA0000-0x0000000000BD2000-memory.dmp

Filesize
1.2MB

Download
memory/944-158-0x0000000000E90000-0x0000000000FC2000-memory.dmp

Filesize
1.2MB

Download
memory/1396-172-0x0000000001170000-0x00000000012A2000-memory.dmp

Filesize
1.2MB

Download
memory/1488-69-0x0000000001340000-0x0000000001472000-memory.dmp

Filesize
1.2MB

Download
memory/1600-96-0x00000000000B0000-0x00000000001E2000-memory.dmp

Filesize
1.2MB

Download
memory/1672-130-0x0000000000050000-0x0000000000182000-memory.dmp

Filesize
1.2MB

Download
memory/1832-83-0x0000000000E00000-0x0000000000F32000-memory.dmp

Filesize
1.2MB

Download
memory/1844-197-0x0000000000150000-0x0000000000282000-memory.dmp

Filesize
1.2MB

Download
memory/1936-151-0x0000000000130000-0x0000000000262000-memory.dmp

Filesize
1.2MB

Download
memory/2012-123-0x0000000000DF0000-0x0000000000F22000-memory.dmp

Filesize
1.2MB

Download
memory/2188-76-0x00000000003D0000-0x0000000000502000-memory.dmp

Filesize
1.2MB

Download
memory/2340-62-0x0000000001310000-0x0000000001442000-memory.dmp

Filesize
1.2MB

Download
memory/2432-235-0x00000000002C0000-0x00000000003F2000-memory.dmp

Filesize
1.2MB

Download
memory/2496-103-0x0000000000340000-0x0000000000472000-memory.dmp

Filesize
1.2MB

Download
memory/2504-204-0x0000000001290000-0x00000000013C2000-memory.dmp

Filesize
1.2MB

Download
memory/2548-16-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2548-15-0x0000000000640000-0x0000000000656000-memory.dmp

Filesize
88KB

Download
memory/2548-14-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/2548-13-0x0000000001210000-0x0000000001342000-memory.dmp

Filesize
1.2MB

Download
memory/2548-110-0x0000000000960000-0x0000000000A92000-memory.dmp

Filesize
1.2MB

Download
memory/2760-165-0x00000000000D0000-0x0000000000202000-memory.dmp

Filesize
1.2MB

Download
memory/2952-137-0x0000000000270000-0x00000000003A2000-memory.dmp

Filesize
1.2MB

Download