dcrat | 40603df340cee8c3d00939469470a28acbf64401ec12d32ba68fe54e7f04c6d4

Analysis

max time kernel
145s
max time network
142s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
31/01/2025, 16:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

HEUR.Trojan-Spy.MSIL.Stealer.exe
Size

1.3MB
MD5

20043020e5b82ce7e3d69c407a85e50c
SHA1

1502bdf6ccaa56c45716852cd1be8552d2cfa52c
SHA256

40603df340cee8c3d00939469470a28acbf64401ec12d32ba68fe54e7f04c6d4
SHA512

d62a363bcddd24bcb7d2e92f4fe5c1f6347560db439f83499973de59462605645c6b89d720eb768275da34bdecb715381471f14d0767e1e727684379535548d6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2572	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	628	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	344	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2968	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2968	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000017447-10.dat	dcrat
behavioral1/memory/2700-13-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/1744-73-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/784-152-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/2692-212-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1720-272-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2808-332-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/1340-392-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/2476-452-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/1684-571-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2416-631-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/2376-691-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2112	powershell.exe
2928	powershell.exe
2160	powershell.exe
1264	powershell.exe
1680	powershell.exe
568	powershell.exe
3004	powershell.exe
2940	powershell.exe
2748	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2700	DllCommonsvc.exe
1232	DllCommonsvc.exe
1744	System.exe
784	System.exe
2692	System.exe
1720	System.exe
2808	System.exe
1340	System.exe
2476	System.exe
980	System.exe
1684	System.exe
2416	System.exe
2376	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2300	cmd.exe
2300	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
20	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
24	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\lsm.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\tracing\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Windows\Media\Festival\smss.exe	DllCommonsvc.exe
File created	C:\Windows\Media\Festival\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HEUR.Trojan-Spy.MSIL.Stealer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1660	schtasks.exe
940	schtasks.exe
2752	schtasks.exe
628	schtasks.exe
2872	schtasks.exe
1620	schtasks.exe
2128	schtasks.exe
1536	schtasks.exe
344	schtasks.exe
3068	schtasks.exe
1764	schtasks.exe
1724	schtasks.exe
2584	schtasks.exe
2624	schtasks.exe
2068	schtasks.exe
1092	schtasks.exe
1676	schtasks.exe
2608	schtasks.exe
2572	schtasks.exe
1712	schtasks.exe
764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2700	DllCommonsvc.exe
2940	powershell.exe
1264	powershell.exe
2748	powershell.exe
2928	powershell.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
1232	DllCommonsvc.exe
3004	powershell.exe
568	powershell.exe
2112	powershell.exe
2160	powershell.exe
1680	powershell.exe
1744	System.exe
784	System.exe
2692	System.exe
1720	System.exe
2808	System.exe
1340	System.exe
2476	System.exe
980	System.exe
1684	System.exe
2416	System.exe
2376	System.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2700	DllCommonsvc.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1264	powershell.exe
Token: SeDebugPrivilege	2748	powershell.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	1232	DllCommonsvc.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	1744	System.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	784	System.exe
Token: SeDebugPrivilege	2692	System.exe
Token: SeDebugPrivilege	1720	System.exe
Token: SeDebugPrivilege	2808	System.exe
Token: SeDebugPrivilege	1340	System.exe
Token: SeDebugPrivilege	2476	System.exe
Token: SeDebugPrivilege	980	System.exe
Token: SeDebugPrivilege	1684	System.exe
Token: SeDebugPrivilege	2416	System.exe
Token: SeDebugPrivilege	2376	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2492 wrote to memory of 1716	2492	HEUR.Trojan-Spy.MSIL.Stealer.exe	30
PID 2492 wrote to memory of 1716	2492	HEUR.Trojan-Spy.MSIL.Stealer.exe	30
PID 2492 wrote to memory of 1716	2492	HEUR.Trojan-Spy.MSIL.Stealer.exe	30
PID 2492 wrote to memory of 1716	2492	HEUR.Trojan-Spy.MSIL.Stealer.exe	30
PID 1716 wrote to memory of 2300	1716	WScript.exe	31
PID 1716 wrote to memory of 2300	1716	WScript.exe	31
PID 1716 wrote to memory of 2300	1716	WScript.exe	31
PID 1716 wrote to memory of 2300	1716	WScript.exe	31
PID 2300 wrote to memory of 2700	2300	cmd.exe	33
PID 2300 wrote to memory of 2700	2300	cmd.exe	33
PID 2300 wrote to memory of 2700	2300	cmd.exe	33
PID 2300 wrote to memory of 2700	2300	cmd.exe	33
PID 2700 wrote to memory of 2940	2700	DllCommonsvc.exe	44
PID 2700 wrote to memory of 2940	2700	DllCommonsvc.exe	44
PID 2700 wrote to memory of 2940	2700	DllCommonsvc.exe	44
PID 2700 wrote to memory of 1264	2700	DllCommonsvc.exe	45
PID 2700 wrote to memory of 1264	2700	DllCommonsvc.exe	45
PID 2700 wrote to memory of 1264	2700	DllCommonsvc.exe	45
PID 2700 wrote to memory of 2928	2700	DllCommonsvc.exe	47
PID 2700 wrote to memory of 2928	2700	DllCommonsvc.exe	47
PID 2700 wrote to memory of 2928	2700	DllCommonsvc.exe	47
PID 2700 wrote to memory of 2748	2700	DllCommonsvc.exe	48
PID 2700 wrote to memory of 2748	2700	DllCommonsvc.exe	48
PID 2700 wrote to memory of 2748	2700	DllCommonsvc.exe	48
PID 2700 wrote to memory of 1236	2700	DllCommonsvc.exe	52
PID 2700 wrote to memory of 1236	2700	DllCommonsvc.exe	52
PID 2700 wrote to memory of 1236	2700	DllCommonsvc.exe	52
PID 1236 wrote to memory of 1784	1236	cmd.exe	54
PID 1236 wrote to memory of 1784	1236	cmd.exe	54
PID 1236 wrote to memory of 1784	1236	cmd.exe	54
PID 1236 wrote to memory of 1232	1236	cmd.exe	56
PID 1236 wrote to memory of 1232	1236	cmd.exe	56
PID 1236 wrote to memory of 1232	1236	cmd.exe	56
PID 1232 wrote to memory of 1680	1232	DllCommonsvc.exe	69
PID 1232 wrote to memory of 1680	1232	DllCommonsvc.exe	69
PID 1232 wrote to memory of 1680	1232	DllCommonsvc.exe	69
PID 1232 wrote to memory of 568	1232	DllCommonsvc.exe	70
PID 1232 wrote to memory of 568	1232	DllCommonsvc.exe	70
PID 1232 wrote to memory of 568	1232	DllCommonsvc.exe	70
PID 1232 wrote to memory of 2160	1232	DllCommonsvc.exe	71
PID 1232 wrote to memory of 2160	1232	DllCommonsvc.exe	71
PID 1232 wrote to memory of 2160	1232	DllCommonsvc.exe	71
PID 1232 wrote to memory of 2112	1232	DllCommonsvc.exe	72
PID 1232 wrote to memory of 2112	1232	DllCommonsvc.exe	72
PID 1232 wrote to memory of 2112	1232	DllCommonsvc.exe	72
PID 1232 wrote to memory of 3004	1232	DllCommonsvc.exe	73
PID 1232 wrote to memory of 3004	1232	DllCommonsvc.exe	73
PID 1232 wrote to memory of 3004	1232	DllCommonsvc.exe	73
PID 1232 wrote to memory of 1744	1232	DllCommonsvc.exe	79
PID 1232 wrote to memory of 1744	1232	DllCommonsvc.exe	79
PID 1232 wrote to memory of 1744	1232	DllCommonsvc.exe	79
PID 1744 wrote to memory of 3040	1744	System.exe	81
PID 1744 wrote to memory of 3040	1744	System.exe	81
PID 1744 wrote to memory of 3040	1744	System.exe	81
PID 3040 wrote to memory of 580	3040	cmd.exe	83
PID 3040 wrote to memory of 580	3040	cmd.exe	83
PID 3040 wrote to memory of 580	3040	cmd.exe	83
PID 3040 wrote to memory of 784	3040	cmd.exe	84
PID 3040 wrote to memory of 784	3040	cmd.exe	84
PID 3040 wrote to memory of 784	3040	cmd.exe	84
PID 784 wrote to memory of 1488	784	System.exe	85
PID 784 wrote to memory of 1488	784	System.exe	85
PID 784 wrote to memory of 1488	784	System.exe	85
PID 1488 wrote to memory of 1100	1488	cmd.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\HEUR.Trojan-Spy.MSIL.Stealer.exe
"C:\Users\Admin\AppData\Local\Temp\HEUR.Trojan-Spy.MSIL.Stealer.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2492
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2300
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mqKWPsdws2.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1236
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1784
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Media\Festival\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\OSPPSVC.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:580
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1488
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1100
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat"
        12⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:316
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        14⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1920
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat"
        16⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1588
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        18⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:940
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
        20⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2824
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat"
        22⤵
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1484
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
        24⤵
        
        PID:296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2880
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat"
        26⤵
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1864
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Windows\tracing\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Windows\tracing\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\Media\Festival\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\Media\Festival\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Windows\Media\Festival\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
891efb98e6cad8390812bd971f39ce80

SHA1
024a3e1fc5304965eded987717e5253bbe182798

SHA256
54b1a12b42ead778d49228ce9dd5430c5f37ec4053f79c2f43a161688aaae8e2

SHA512
7a2bf46376a5982ae61968917e51c842f194edd3b468895462a69bc9969eeaadbaad101927070bc227e020e4a9f5e4f5f7c8d6ed03f45b4c30e22c525bdf3e9f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5f9b84cda31ba432a07aa19532829b2e

SHA1
a66fed68ed06656d35e0b728f3157fb49b6c870f

SHA256
28b0cf21755695b33284c5cc7abbad2e51eb9a2275efa1d7a8720208895041b9

SHA512
5d86eb9a2ddb44a9e815bb12db248a0ac0798858524d2a3b9dbb9f4ff9fafcecf5734da18cf9a9209d9687dccba5485641f15f48adc954cef62f242e7fa20b2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b27e204f3bcfb4b55f12d2a9840ee50

SHA1
9fb847dcae31a8efd71365eef058b3241f47bd75

SHA256
4aa42a3e259c1d80743c693770ef13319db6b8ec63ac04dab32b2061dafc27a5

SHA512
fccc587cd3dd7ecbf360cc2af66010f7c1e7ede6793020d7bb20c1e789f4aa2823c10ccdb4f1394e3e96bbd103ab24a319f702667295037edc627c21ad2fcd47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
358c70c21e549d5aa5c7d46ff5cd568b

SHA1
313a4586e2a8ceef4600fc264ce8fabe2c15b082

SHA256
b38d99de6ad390c782e77748bdb5868d388fa9ad970138118b8e89d42625ce70

SHA512
2533547a6f40f673dd3f5a32e83fec9ad2e3bbc7494c78df2a32262d1bcd173d0ab29db37f96705ff1e7e197c36a058be222ce160b729365f2a38216cd6f37f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1a092399ab07ac16386c075d88350be

SHA1
dd7ce3e04b86df23a3515b88edcfdef730e576b3

SHA256
736606ddd8261e2a3e1f9cf330a0d1c2d645ab9d1c0581ca88282a4c94436497

SHA512
e19f2938d3a38d2d69101f3a9e5e4b59332ec5910ba2b52c59f661b06df560639ef0aa10ea70de2ae351287a2c3f9d3cc4f8eb51b3143a99d2a6cd8514d6ec04

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b0ebb78b4ddbeb2e7c03201a50c54bb8

SHA1
cc1e139afd0a60c7a807d40fbd6ed4f9ded3824a

SHA256
775e94f7ea36c0769d13a6c8d6f9d29e14455e277d25ae88b5a8f51fbda807db

SHA512
d0f6e030ac7bb935bb958c3ed53fb355169675f0d0a8f62b63cc241b2e85299001ae4878c368209101a6201769428b28c9fb84c6dee16cfd86564b16444cfec3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39bc5e753eb8a6dff1625279c6661800

SHA1
6ac3d47279e2a0b5f46bc81f6f3855255c169736

SHA256
627cc4105dc8577c38065004083753b5f54ad6abebd45471e04fc1fe1f241dfc

SHA512
7a8ab8b4d21a586d6fe15618d80ec1adc7106b2c3cd469b288432cd0b31b9ebbffea8e46caf0299d8fa3394fe8ace1b45f5d7aafe349270a8d199fdcdf82d277

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
594c3b7475666ab81ae1394ff3f83393

SHA1
df9633e7bf4b8f7b0210adc161fd2dd7fce7fbe4

SHA256
5a7974b81fea7707a8fb74d2dbac0a4c5c4d6f30d635e2b805fd76583aff841f

SHA512
990e52ef2a0620f45e820461e0c24c08de5137b79c14c188b39e4d970c4278b16693bbec5987360df2689a086fec5db41b021f1ab9940f889873f26470bf75b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb12ea364d267f5acbfcdeaa75b538cf

SHA1
0939265a7b91d2cd17c581602519eec0cc5e4819

SHA256
3997bf25a42be855417e273187bf53fcd61536d96fa372822090a20ee44a5f05

SHA512
e87f06cd17deb7dcbf87ddd940071e9843ff96b0610eb58a8a984e90c5416f0939e99b045edca53d0d20d0e80c7039700f6b104efcd0bc986c951d74a77f3aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

Filesize
238B

MD5
9ecef8fb51bd2540104af3638fb9a4e6

SHA1
d9a0b9560074da9c607b9b0acd7f02fce1af088f

SHA256
5382f4e6e8d03030b3560fd7e4cfe984ab0bcd5cd24175347ed7ea456cb941ec

SHA512
10e92b6ebebd5a76d865cad8c9861ad8a69d33543a439acfe964e7b41b10e6f310836b6dbcaf11f8eb07b75443f31fae7a4bc030dee71649f75a2814a2a563c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF71D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
238B

MD5
ec88ebaaa4b75dce4450de30330203bf

SHA1
ac6726cca20443020e4f4e9019e04c07f54be6be

SHA256
fabe7f70b2a0f1980ce22991261c7f14987633df8d3fef8e96ec62c9bd86cdb5

SHA512
438c234e33784fae06e4f9212bbe9dc6f3484c9beceeb48cf1aeb8e71ddf4a472565cc2dd8a3bab02c9b02f22b480536d2e4a898f12a3f4d5cbf35490d255db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat

Filesize
238B

MD5
d104b5c0489c426db51270c7a4b36b02

SHA1
233a8497e64fdc5becb3fb9407e057941e7ec399

SHA256
744423528d5135ee613440c53c6a93ef467aa2f6c79fc511f1d29747ab68476d

SHA512
9f8e97dd9a985f00f21bca66ec940e3a769e68e89f7bf9d8180b67c4f46b1ee63aed632b9bcd92120a57771e2e833841c2e571f370353c36b4b302bc0774a777

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
238B

MD5
ce85fb43e2fb764eb84b0f35bbf88821

SHA1
e25fc95ce3c154877e114e0bc3e057a2fbbd31f4

SHA256
3b9b53689c26f0a6689bfb305427a749ab21bc10d21cc7e40a6644e36ca36041

SHA512
85e60478ba6c6887563f41feb3130748814779d1e7265662cfdb7d21512f3c2e50f88e309a9ec23a2a3f4e9593ceb6631412373527b8e7db33b1d7a4c6d33abb

Download Submit
C:\Users\Admin\AppData\Local\Temp\TK13bru719.bat

Filesize
238B

MD5
3a02666c0ee30d2943e2a49391448576

SHA1
e49fd6dbe08c54538b9537d84b23f6e187bbddee

SHA256
9f20f5cca6884583b6ee32bffdcab5f9a36274f48ef8ebd967661161ac2453ab

SHA512
fb4ac3a359cc8474e0a2e2a7544c077ada574a5fb60b482fb70ee82abf4194cf74226041931c5bdecb9afd7c839c3c50ef47cf3ea8ca876840c4ad5b4d25ef09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF73F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V9nTU0UPEK.bat

Filesize
238B

MD5
c25e99dd31d24c1a560cd73589e3089a

SHA1
272ffb245e49f5042a5dc217f2617735f62ac920

SHA256
4adf6dc27e1b691012822917a10903ed37f8420cbf4616e523ed14ceef892098

SHA512
2c482645d1624d2b8c691ecdd5b33fc448fb331bee0256de82d7638fbf8127da952c329081d4d0f43998bddf6d65513d47e3894352622ab7cc1ae623f712f7dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YXbxSkVmu9.bat

Filesize
238B

MD5
48ef4dc581e23f3b63f39fbf2e56bd83

SHA1
f9fab83fa7697db3db7bad40d266de3fa5a58be6

SHA256
4b32c9a765d3c47170cf6a7cdbeabc30fb6176a05778542bb6753d1decd3469c

SHA512
0c3cc63994a116bfe562d9c300dbada7817ddc2a6ee73f757b89acbf8882ae9e4df078d3d821068ac570d6b0a5aa1a87b9a1605c468b98b240d2f4027c4aa3b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\bbT3NvUu3s.bat

Filesize
238B

MD5
a91651d268f136383a09a4fa8cb7fc02

SHA1
7e410e278878534843e838a87582decfd02e4acc

SHA256
d81348b8fc80159e263a1fffed4f351632391320912b1c45f0f14cc79f265d2a

SHA512
fd989a91dfadea2f30f4c4ea8192163892ac86515ba309bab9ef29ba50cfcd43bda4199b85c42b17860a59395d93ce30a727edeb41853144693513feac1dc1e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

Filesize
238B

MD5
139b02d02f3c1fd6b28f3e2d1d175689

SHA1
4f8390bc9d2acc8f6510c294f392949730607992

SHA256
bbd1c803ffa5f7170dbda2726f501524d2daacdc048d78384f098e6b2aa94354

SHA512
89249fcd265e6eb3b7ebea75b1dbdb8b9c9c184e6118002e8841211e026847241fb379eae86650bf763c2d5c177299083b8bf919ff8448ba3ba3565cd14fd9eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\mqKWPsdws2.bat

Filesize
199B

MD5
9bc80f842bdfdee5b63e1319a06a03d4

SHA1
c49bf9e1949fcc6c78e00c90c23842e8b000ca02

SHA256
a6d3ef08cc021e58bc857f3231a25806657034b45d8a6b7038bb6208278e9bba

SHA512
5fd168e8d98361c600e6c88cc614d851630adfca365fc8cb69a8369ae27c140a4428fd26130b2a2a176f1ffd164f3b486f0a0c43a3eb6ef94284931d8c07dd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat

Filesize
238B

MD5
023c5cd2c4a451184c2d1a90c5d5dc3c

SHA1
4f058bb9e508622255ba2efbe412362991c7604a

SHA256
b2edf7955ca6a537a50eea19978472bac2a58c76a06dd161e55afa95f8a5116e

SHA512
88a9caf4f8124d91063049511e031821cad48edf46573f896d84bf09a84d23774f4f27b169bd91ad7d3b1bde0d579f00a60808ad7caef0a46df6d1eb0f65bde1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\7829R39F75HFM5HEES9T.temp

Filesize
7KB

MD5
17b3b5ef0182f22aa1d40179a1bd12ad

SHA1
a4adb53df6a25d12c953e686f38f7237ab7f673a

SHA256
0a8577d349e09752dfab637a81b4baeb9695fddfbff33849a0b5740f0da749d2

SHA512
ed5f327bb48249cbac8f57d6c834741450a86cba357f990884768a3c98953bfa01a8bb5cebaebee390faeced10e7424cdd71f2229b6536b1a7c36146d353540f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/784-152-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/1232-51-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1340-392-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/1684-571-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1720-272-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/1744-73-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/2376-691-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/2416-631-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/2476-452-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2692-212-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2700-13-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/2700-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2700-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2700-16-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2700-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2808-332-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/2940-39-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/2940-38-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/3004-74-0x0000000002380000-0x0000000002388000-memory.dmp

Filesize
32KB

Download
memory/3004-72-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download