dcrat | 953aacd9a29d2fcde8161d65a0279453072f1f13a1c4d776dac127a9d10dbb72

Analysis

max time kernel
150s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_953aacd9a29d2fcde8161d65a0279453072f1f13a1c4d776dac127a9d10dbb72.exe
Size

1.3MB
MD5

7e0bc3dca926a7b5294b8c30e575c275
SHA1

ec929ef0ec7348699cd343f351409a44847f790b
SHA256

953aacd9a29d2fcde8161d65a0279453072f1f13a1c4d776dac127a9d10dbb72
SHA512

5a2244d43ee41f0c06bd03924ac4b58f113d60784e06f412eb7bdf7d6f5e87add997a5c4322f872a94c77ffb6a5e115c4783454e04ec578f2f887552211819c0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	516	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1132	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2080	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2080	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0002000000018334-10.dat	dcrat
behavioral1/memory/2932-13-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/1308-91-0x0000000000BB0000-0x0000000000CC0000-memory.dmp	dcrat
behavioral1/memory/1940-211-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/1332-271-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/memory/1824-332-0x0000000000890000-0x00000000009A0000-memory.dmp	dcrat
behavioral1/memory/2508-393-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2768-453-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/520-631-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2504	powershell.exe
1336	powershell.exe
1980	powershell.exe
976	powershell.exe
1768	powershell.exe
1844	powershell.exe
1864	powershell.exe
2460	powershell.exe
1384	powershell.exe
1676	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2932	DllCommonsvc.exe
1308	csrss.exe
2748	csrss.exe
1940	csrss.exe
1332	csrss.exe
1824	csrss.exe
2508	csrss.exe
2768	csrss.exe
2088	csrss.exe
1784	csrss.exe
520	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2812	cmd.exe
2812	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\pt-BR\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\System32\pt-BR\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\inf\SMSvcHost 3.0.0.0\taskhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\inf\SMSvcHost 3.0.0.0\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\inf\SMSvcHost 3.0.0.0\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_953aacd9a29d2fcde8161d65a0279453072f1f13a1c4d776dac127a9d10dbb72.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1152	schtasks.exe
2512	schtasks.exe
1380	schtasks.exe
1960	schtasks.exe
2020	schtasks.exe
2096	schtasks.exe
2840	schtasks.exe
2904	schtasks.exe
2244	schtasks.exe
2464	schtasks.exe
516	schtasks.exe
2188	schtasks.exe
760	schtasks.exe
2144	schtasks.exe
1912	schtasks.exe
1416	schtasks.exe
2948	schtasks.exe
2720	schtasks.exe
2100	schtasks.exe
1132	schtasks.exe
1780	schtasks.exe
2668	schtasks.exe
604	schtasks.exe
1800	schtasks.exe
2912	schtasks.exe
1632	schtasks.exe
2332	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2932	DllCommonsvc.exe
2932	DllCommonsvc.exe
2932	DllCommonsvc.exe
1676	powershell.exe
1384	powershell.exe
1768	powershell.exe
1844	powershell.exe
976	powershell.exe
2504	powershell.exe
1980	powershell.exe
1864	powershell.exe
2460	powershell.exe
1336	powershell.exe
1308	csrss.exe
2748	csrss.exe
1940	csrss.exe
1332	csrss.exe
1824	csrss.exe
2508	csrss.exe
2768	csrss.exe
2088	csrss.exe
1784	csrss.exe
520	csrss.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2932	DllCommonsvc.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	1384	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	2504	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	1336	powershell.exe
Token: SeDebugPrivilege	1308	csrss.exe
Token: SeDebugPrivilege	2748	csrss.exe
Token: SeDebugPrivilege	1940	csrss.exe
Token: SeDebugPrivilege	1332	csrss.exe
Token: SeDebugPrivilege	1824	csrss.exe
Token: SeDebugPrivilege	2508	csrss.exe
Token: SeDebugPrivilege	2768	csrss.exe
Token: SeDebugPrivilege	2088	csrss.exe
Token: SeDebugPrivilege	1784	csrss.exe
Token: SeDebugPrivilege	520	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 3020	2484	JaffaCakes118_953aacd9a29d2fcde8161d65a0279453072f1f13a1c4d776dac127a9d10dbb72.exe	30
PID 2484 wrote to memory of 3020	2484	JaffaCakes118_953aacd9a29d2fcde8161d65a0279453072f1f13a1c4d776dac127a9d10dbb72.exe	30
PID 2484 wrote to memory of 3020	2484	JaffaCakes118_953aacd9a29d2fcde8161d65a0279453072f1f13a1c4d776dac127a9d10dbb72.exe	30
PID 2484 wrote to memory of 3020	2484	JaffaCakes118_953aacd9a29d2fcde8161d65a0279453072f1f13a1c4d776dac127a9d10dbb72.exe	30
PID 3020 wrote to memory of 2812	3020	WScript.exe	31
PID 3020 wrote to memory of 2812	3020	WScript.exe	31
PID 3020 wrote to memory of 2812	3020	WScript.exe	31
PID 3020 wrote to memory of 2812	3020	WScript.exe	31
PID 2812 wrote to memory of 2932	2812	cmd.exe	33
PID 2812 wrote to memory of 2932	2812	cmd.exe	33
PID 2812 wrote to memory of 2932	2812	cmd.exe	33
PID 2812 wrote to memory of 2932	2812	cmd.exe	33
PID 2932 wrote to memory of 976	2932	DllCommonsvc.exe	62
PID 2932 wrote to memory of 976	2932	DllCommonsvc.exe	62
PID 2932 wrote to memory of 976	2932	DllCommonsvc.exe	62
PID 2932 wrote to memory of 1384	2932	DllCommonsvc.exe	63
PID 2932 wrote to memory of 1384	2932	DllCommonsvc.exe	63
PID 2932 wrote to memory of 1384	2932	DllCommonsvc.exe	63
PID 2932 wrote to memory of 1676	2932	DllCommonsvc.exe	64
PID 2932 wrote to memory of 1676	2932	DllCommonsvc.exe	64
PID 2932 wrote to memory of 1676	2932	DllCommonsvc.exe	64
PID 2932 wrote to memory of 1864	2932	DllCommonsvc.exe	65
PID 2932 wrote to memory of 1864	2932	DllCommonsvc.exe	65
PID 2932 wrote to memory of 1864	2932	DllCommonsvc.exe	65
PID 2932 wrote to memory of 1844	2932	DllCommonsvc.exe	66
PID 2932 wrote to memory of 1844	2932	DllCommonsvc.exe	66
PID 2932 wrote to memory of 1844	2932	DllCommonsvc.exe	66
PID 2932 wrote to memory of 2504	2932	DllCommonsvc.exe	67
PID 2932 wrote to memory of 2504	2932	DllCommonsvc.exe	67
PID 2932 wrote to memory of 2504	2932	DllCommonsvc.exe	67
PID 2932 wrote to memory of 1768	2932	DllCommonsvc.exe	69
PID 2932 wrote to memory of 1768	2932	DllCommonsvc.exe	69
PID 2932 wrote to memory of 1768	2932	DllCommonsvc.exe	69
PID 2932 wrote to memory of 1980	2932	DllCommonsvc.exe	76
PID 2932 wrote to memory of 1980	2932	DllCommonsvc.exe	76
PID 2932 wrote to memory of 1980	2932	DllCommonsvc.exe	76
PID 2932 wrote to memory of 2460	2932	DllCommonsvc.exe	77
PID 2932 wrote to memory of 2460	2932	DllCommonsvc.exe	77
PID 2932 wrote to memory of 2460	2932	DllCommonsvc.exe	77
PID 2932 wrote to memory of 1336	2932	DllCommonsvc.exe	78
PID 2932 wrote to memory of 1336	2932	DllCommonsvc.exe	78
PID 2932 wrote to memory of 1336	2932	DllCommonsvc.exe	78
PID 2932 wrote to memory of 2724	2932	DllCommonsvc.exe	82
PID 2932 wrote to memory of 2724	2932	DllCommonsvc.exe	82
PID 2932 wrote to memory of 2724	2932	DllCommonsvc.exe	82
PID 2724 wrote to memory of 2740	2724	cmd.exe	84
PID 2724 wrote to memory of 2740	2724	cmd.exe	84
PID 2724 wrote to memory of 2740	2724	cmd.exe	84
PID 2724 wrote to memory of 1308	2724	cmd.exe	85
PID 2724 wrote to memory of 1308	2724	cmd.exe	85
PID 2724 wrote to memory of 1308	2724	cmd.exe	85
PID 1308 wrote to memory of 2388	1308	csrss.exe	86
PID 1308 wrote to memory of 2388	1308	csrss.exe	86
PID 1308 wrote to memory of 2388	1308	csrss.exe	86
PID 2388 wrote to memory of 2252	2388	cmd.exe	88
PID 2388 wrote to memory of 2252	2388	cmd.exe	88
PID 2388 wrote to memory of 2252	2388	cmd.exe	88
PID 2388 wrote to memory of 2748	2388	cmd.exe	89
PID 2388 wrote to memory of 2748	2388	cmd.exe	89
PID 2388 wrote to memory of 2748	2388	cmd.exe	89
PID 2748 wrote to memory of 1976	2748	csrss.exe	90
PID 2748 wrote to memory of 1976	2748	csrss.exe	90
PID 2748 wrote to memory of 1976	2748	csrss.exe	90
PID 1976 wrote to memory of 1636	1976	cmd.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_953aacd9a29d2fcde8161d65a0279453072f1f13a1c4d776dac127a9d10dbb72.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_953aacd9a29d2fcde8161d65a0279453072f1f13a1c4d776dac127a9d10dbb72.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\inf\SMSvcHost 3.0.0.0\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Saved Games\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\pt-BR\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Favorites\Links\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1336
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xQtK96VToy.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2740
      - C:\Program Files\DVD Maker\csrss.exe
        
        "C:\Program Files\DVD Maker\csrss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2252
        
        C:\Program Files\DVD Maker\csrss.exe
        
        "C:\Program Files\DVD Maker\csrss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1636
        
        C:\Program Files\DVD Maker\csrss.exe
        
        "C:\Program Files\DVD Maker\csrss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
        11⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2292
        
        C:\Program Files\DVD Maker\csrss.exe
        
        "C:\Program Files\DVD Maker\csrss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat"
        13⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2936
        
        C:\Program Files\DVD Maker\csrss.exe
        
        "C:\Program Files\DVD Maker\csrss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat"
        15⤵
        
        PID:956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1636
        
        C:\Program Files\DVD Maker\csrss.exe
        
        "C:\Program Files\DVD Maker\csrss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"
        17⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3008
        
        C:\Program Files\DVD Maker\csrss.exe
        
        "C:\Program Files\DVD Maker\csrss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        19⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2108
        
        C:\Program Files\DVD Maker\csrss.exe
        
        "C:\Program Files\DVD Maker\csrss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
        21⤵
        
        PID:1852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1364
        
        C:\Program Files\DVD Maker\csrss.exe
        
        "C:\Program Files\DVD Maker\csrss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat"
        23⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2604
        
        C:\Program Files\DVD Maker\csrss.exe
        
        "C:\Program Files\DVD Maker\csrss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
        25⤵
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\inf\SMSvcHost 3.0.0.0\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\inf\SMSvcHost 3.0.0.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Windows\inf\SMSvcHost 3.0.0.0\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\providercommon\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\providercommon\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Links\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Links\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Saved Games\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\Saved Games\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Saved Games\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\WidevineCdm\_platform_specific\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\DVD Maker\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files\DVD Maker\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\pt-BR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\System32\pt-BR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\System32\pt-BR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Favorites\Links\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\Favorites\Links\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Favorites\Links\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3949554b8d7c60e96c99ee2a44dc1b02

SHA1
e7256f50acd21ab6492f8859014d7b2add964541

SHA256
728e86c36f50b06ab475ce1a151437e71f15ea2bb29dc15cfdf2a067b6e31a08

SHA512
feccc11b5f393bf421696ad03575884c3469c2910b5086b2893f6f2d6f89a52b24bb7aabcac241ac22903d8fe817803c35f67c44553ec3bbf057a17c46683d7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13fc96e5ef2d44c3006e40a7704f21f8

SHA1
3efd5c56970fe0dfd317f4488cd5eb7d0712c7ea

SHA256
7e1c144e34207d7a3dc83e680bde7663fd0a5f9c9dbd7f7a69ecf1e8ef4a2a68

SHA512
66e6a36051bd834faabbe46d5849735c88d7bfd2a3d2f419489759c8878f4f3d97405ee2399e39f81359c7c3b5e7952f0f300591cea23d2a66b53170a5be5be1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1121f25de6144f0ff226c60e22133788

SHA1
62501ed90a2bc0fe1841c3881576a34a184dcae7

SHA256
5581f7be2da9bc3f19f5370aad2c4aec2df0bdbbcd56b2e55db6ec37c3447378

SHA512
e7a3d8beb1013f74ddb151daa87cf063b193c99f175e694ed8de8c1b6ec1863c4a55b139b2ce622e062029169b9eebf21d518051b85c389a8db47672eba14f8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0141f052a85a7fb7437c27869ea6bfea

SHA1
370e6eeb6e998673eb4024313d7aeb51de7ba813

SHA256
1a7b1d9c263ce364c4ed3bc87cd1a86b7cf09e3ead36f5a3a4eb19bc36d4b7e7

SHA512
86ed6df779befbe7c1893f5c8f7bd0001bf2b6b1632f4a9c265b5fab97250461da679c4e4fafdd3b5fc0b990f8e6e17fccfc7d73eae2239b0a189d8492f7651d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d80c7a238f13d2e896caf7314f431000

SHA1
15fdf1047a99e97ab8fda57d0c610b0dc2a584ae

SHA256
5e445f466b5be7abebd5a309e8c30048a78a33ecdcfeadc3d29b034f08182404

SHA512
436d5c683abf1997dd1df728d3501137ac31bf231e8a148547de485ac386fd9bacdc1bee99de7d9188832447d1d465d6b8e499efb3bf112ee1c975054ee61047

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
192b8c7e56268d6587e970f458a7c049

SHA1
89c99600017afcd534cfd2fe959195a06124a35f

SHA256
fb536a3a213d6edcd983f16d8984d3098b2ee646ec9ada5802720ac65d37f398

SHA512
4b0b87f0623aaf86bf95d3ac4cdebd2f6ad45d5b904d171d0f1d1492f994f9b4e6af44a2e5a05dd2fbd4b59146e37298831655c7e5bd3ee19f80a3bd5532ff59

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d65a4a9775122dae5514a19ec9fea93

SHA1
a77a3986a71970fafb5591621dd752f3b80f590f

SHA256
9345b779837a32e269a5b5eaf6110c1140f802f93c6e48ec63af0d522936af8f

SHA512
55eb9fadf1807c6139c9c98d0a5cec1955d02ec0e2a234bbbbb349650328fedc63a17b17c628f55c19019d307b6809ee508deabecc1f06dbfae2eb8095f1ba67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93d33f9b4a28756faf07b775a4951846

SHA1
78527424b47a5e42b0ad7793130b9af9a9e18f31

SHA256
518d43dc05e85f4a1ceff9287f044e91d0582edc08f50a7b12e96213498ad3b5

SHA512
9041489113796240118fbda56ee24e0de264bf0281e3bb0fca822105079542461d954cc8ebb65cb7d97161414fe4e00b7b2057b92510fa9c3a13f6b406de0021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bc01d9d2e5fde6e9947224e14393e7a

SHA1
60c5645ba451986ddb3d33683c6b8c6c0daeeaf3

SHA256
a015b044693528c12a484ba25337d8df23c8f2b1f7d8752ef7ec579280ee33e4

SHA512
60b941617417028bee98970a71c7e03115a67f3c5c2f1f9006516fdc271fc1af5f3418d171e1daf043e710910e34a086c43477515120938278b9d52618f295da

Download Submit
C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat

Filesize
201B

MD5
3f2bf8472e4e5e939c3357184f45ec44

SHA1
3b6256058046ab4b799ad3a681ab4dc46bf39f99

SHA256
cdf152f4e5a60398a7683f5412b74a982a969119644efb1fccbff17f7002f9d1

SHA512
6784bf1568ecc87872206afe4577156906f553ba7c776b9f8c32e904e84f83cd8b04b694f7dd1786de1730b8697dfd3b40fb5cc39c38ea24a534897a8a819c46

Download Submit
C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat

Filesize
201B

MD5
f850657c330a89d3b125ff00b89ea410

SHA1
eb721796249bf0f3ba6708cd96cb7ac78955cc73

SHA256
0cb88f2ba75542b6837c05cc596bb4629db225139d422d94ebef13b4d13adf01

SHA512
30670460f4bce25de0e1d4785b30ba56a3a41acb66e3fe3193bd6db74100317e372aeb168257d3937bfeb15e44e02bb38dc059709c1a171e32a6d82f972ff401

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
201B

MD5
9a3ccceee4bc4ee367a64d115d1fae50

SHA1
b673e1261a8be349b622d140f814b813573c1386

SHA256
fbdf0ebfb7f448379ecfbbf6fcefcd9c1986f7f45e137bb07d22336de0b887c5

SHA512
ba5df93e6dac726512beac861961570f376af345b4c10acb4447c4a6613da84b635a9314fdf8c4f1c20ebbc9607e4c05e6b6587391ccde61785ecfd97f27fe78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9B96.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9BE7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zlmto9DLwM.bat

Filesize
201B

MD5
e3ec1a29415721d68a4de6a40f3ea9db

SHA1
c75aa640a8b9f723d30ac2df58035ff739e8a438

SHA256
7aed057a2395bf68b31ffc266fca11ec1d85a085081e3c5c82796f5a94822db0

SHA512
027b5146c8c1fed5186e262a4643e95d8c5c3a063f605fb9735ef919e7f5fc2dc212fe7e5f128ffa30d3097bfe60c6393929ddf2de184f6ad89ec627e728913f

Download Submit
C:\Users\Admin\AppData\Local\Temp\bYn7JG6kRk.bat

Filesize
201B

MD5
7d96b09083a7b91be1dd5114ec938456

SHA1
f05a2474ae0f39af6a26ea6a832f725789e91422

SHA256
26f167b45d3eedaaa3aff1347ccc188a2f76af1905f934be65756a37ecf69f16

SHA512
ccffc2d8b83ae06b5315dd69b67549a4f09f151d26d6829b67fc3bb1128303ed1af247da19ca743f5331ace3cb3ed3eb5d11683cd060d7e2625f7e44ad1e6226

Download Submit
C:\Users\Admin\AppData\Local\Temp\cYhs0sn2L6.bat

Filesize
201B

MD5
ae10297ea249b8113234915a69c17a3b

SHA1
e12b5286af60c3a49a4b9626e4a9aea50132a1c7

SHA256
62192c67522de9b71f7e0ae154d5eb5ba610584356d33ed90f55a286f68ddc26

SHA512
dad299c28fcc22683a70770ad1ce72dcbbd556d2d4d48bcdb776bf6a7d325064c9e3a6035d2d3cc76ca0223be14c38d3c0920f0fb42bee59a3de9e97eb341bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat

Filesize
201B

MD5
c4f7ce39fbc9aceaa803c8aa0ea3d00e

SHA1
f2e02509d93a5d7d07338edde6503251e8425435

SHA256
056b5e8a093aae2b847a2135fa9440f0368b9d1467a328b2dcf9542530f9b701

SHA512
41a073846b52cd3458bcd708e88a8be1b584a33c7733969794f2f56269734c8d56849cf623d69ac9e899e7eff2ff5b1e3de5d96d828366258548f13c5d68991b

Download Submit
C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat

Filesize
201B

MD5
17821da77be4d78f81806da295a88f5d

SHA1
cd43f6e63e6c18b423bbcfebdd59923ae295a868

SHA256
9e9f1d38c2b073f8e5ee6f9b84521fded3b0cc9e26efe744d6ce0a5389a0df71

SHA512
a0eede36c7d488c1d1382b1332ece5f59f324bfa2048cf84c229c09b0ab4af39e07c9fca8644950cbd10647156e9ff1804ce8f50b0bd5d3392dc08378bc60497

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

Filesize
201B

MD5
f47481da1e01771f88ca2f1bf7cfafac

SHA1
06847290ad413c1ff611b9625e7acf27a286ed57

SHA256
6c525123bf3db219a0e671a7b1e0ec19d6749901745c3cc81f9406075e48aaba

SHA512
465a2590e5adb8ab53882f6751e71a2aa8e1f1468bfb42d1380f737bf4ec1f46d9aca4a34833786e4b87e3c2864cf5a867d627062501221c2a10046245267bfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat

Filesize
201B

MD5
fb7d0295712ea8dad572929527da0170

SHA1
f59986dc15351b7aa6699f32895c63f56182bac0

SHA256
0bc1561884d261e70630b01d05f7ea69a18c251d2405649be62fedf79184aa2b

SHA512
aac8b8cc8187732bbb1b782f23e6c3b338a9322e2ceca1ac8173d189d4af22e73b2c7f69acf5a21e759e25b07583c7a7ab550b8eea9af6d08e353f79d35c5601

Download Submit
C:\Users\Admin\AppData\Local\Temp\xQtK96VToy.bat

Filesize
201B

MD5
e782e189d9f94e96727948b6bbb90acb

SHA1
a211fa3dbd1d93fc5b1f6f7cced2606bc5decafe

SHA256
b060e88decde5bf05622b47099c2628557323e7493cd9c1f56e69edd52e26ffc

SHA512
6e41230d839ee373e20fffbc00e423794e59ba9c899d2c80aa9f55900f49beaf539a43e2efadaf37bd8e4733e22e91d611da9d143bdbd9be2247b98620c255d6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FYC44JBSN808FHC2A9CA.temp

Filesize
7KB

MD5
432409dffda0f8a61456b20faa723613

SHA1
2cd54c67c9059f7cab024b62a3af433e61383be7

SHA256
b9fcbd9eaffd8f7268dc4de6da29eb333a5ef25f12a3030fcad96751c511257d

SHA512
09d5129d840f91067bebcc3bd3e3528f130e4eef4baa18cbe288b5ced7f7e77793195043951eb24c8c12c8dede5c8dad44cca159b364c5243cb69028e5e6d666

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/520-631-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/1308-92-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1308-91-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/1332-272-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1332-271-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/1676-62-0x0000000002280000-0x0000000002288000-memory.dmp

Filesize
32KB

Download
memory/1676-60-0x000000001B270000-0x000000001B552000-memory.dmp

Filesize
2.9MB

Download
memory/1824-333-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1824-332-0x0000000000890000-0x00000000009A0000-memory.dmp

Filesize
1.1MB

Download
memory/1940-211-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2508-393-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/2748-151-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2768-453-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/2932-17-0x0000000002120000-0x000000000212C000-memory.dmp

Filesize
48KB

Download
memory/2932-16-0x0000000002110000-0x000000000211C000-memory.dmp

Filesize
48KB

Download
memory/2932-15-0x0000000000640000-0x000000000064C000-memory.dmp

Filesize
48KB

Download
memory/2932-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2932-13-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download