dcrat | acf103c7f92a768be5d3630595a862d5cc622e02815af5f0456abcd04cdf0365

Analysis

max time kernel
145s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 17:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

acf103c7f92a768be5d3630595a862d5cc622e02815af5f0456abcd04cdf0365.exe
Size

1.3MB
MD5

d6e3101e99d7a899c4b85fca6f08159e
SHA1

88863d9fa6a400ace70e4c3a6d397642f1e6243e
SHA256

acf103c7f92a768be5d3630595a862d5cc622e02815af5f0456abcd04cdf0365
SHA512

c99353db213f3d588c0c1c718c8be15459a93b94b6035fe14d47ec818a8e07b5e979f2763302f05d2d07536530d083a52cc62cd5fa7b0a2a7fc37f85e47137b7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1200	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2396	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2396	schtasks.exe	32

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016689-10.dat	dcrat
behavioral1/memory/328-13-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat
behavioral1/memory/2080-40-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/1336-204-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/2852-265-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/2576-325-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2900-385-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/1508-445-0x0000000000B60000-0x0000000000C70000-memory.dmp	dcrat
behavioral1/memory/1680-505-0x0000000000CC0000-0x0000000000DD0000-memory.dmp	dcrat
behavioral1/memory/2068-565-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/2336-625-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2688-685-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2772	powershell.exe
2788	powershell.exe
2632	powershell.exe
2852	powershell.exe
2812	powershell.exe
324	powershell.exe
2872	powershell.exe
2804	powershell.exe
1232	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
328	DllCommonsvc.exe
2080	Idle.exe
2900	Idle.exe
1336	Idle.exe
2852	Idle.exe
2576	Idle.exe
2900	Idle.exe
1508	Idle.exe
1680	Idle.exe
2068	Idle.exe
2336	Idle.exe
2688	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2924	cmd.exe
2924	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\de-DE\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	acf103c7f92a768be5d3630595a862d5cc622e02815af5f0456abcd04cdf0365.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2716	schtasks.exe
2816	schtasks.exe
2592	schtasks.exe
1612	schtasks.exe
3040	schtasks.exe
1200	schtasks.exe
1044	schtasks.exe
660	schtasks.exe
2600	schtasks.exe
2684	schtasks.exe
2560	schtasks.exe
2228	schtasks.exe
1940	schtasks.exe
1836	schtasks.exe
532	schtasks.exe
2728	schtasks.exe
2456	schtasks.exe
2476	schtasks.exe
2532	schtasks.exe
1676	schtasks.exe
2732	schtasks.exe
2648	schtasks.exe
800	schtasks.exe
1500	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
328	DllCommonsvc.exe
2872	powershell.exe
2632	powershell.exe
2804	powershell.exe
324	powershell.exe
2772	powershell.exe
2788	powershell.exe
2852	powershell.exe
1232	powershell.exe
2812	powershell.exe
2080	Idle.exe
2900	Idle.exe
1336	Idle.exe
2852	Idle.exe
2576	Idle.exe
2900	Idle.exe
1508	Idle.exe
1680	Idle.exe
2068	Idle.exe
2336	Idle.exe
2688	Idle.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	DllCommonsvc.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2080	Idle.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	2852	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2812	powershell.exe
Token: SeDebugPrivilege	2900	Idle.exe
Token: SeDebugPrivilege	1336	Idle.exe
Token: SeDebugPrivilege	2852	Idle.exe
Token: SeDebugPrivilege	2576	Idle.exe
Token: SeDebugPrivilege	2900	Idle.exe
Token: SeDebugPrivilege	1508	Idle.exe
Token: SeDebugPrivilege	1680	Idle.exe
Token: SeDebugPrivilege	2068	Idle.exe
Token: SeDebugPrivilege	2336	Idle.exe
Token: SeDebugPrivilege	2688	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2432 wrote to memory of 1540	2432	acf103c7f92a768be5d3630595a862d5cc622e02815af5f0456abcd04cdf0365.exe	28
PID 2432 wrote to memory of 1540	2432	acf103c7f92a768be5d3630595a862d5cc622e02815af5f0456abcd04cdf0365.exe	28
PID 2432 wrote to memory of 1540	2432	acf103c7f92a768be5d3630595a862d5cc622e02815af5f0456abcd04cdf0365.exe	28
PID 2432 wrote to memory of 1540	2432	acf103c7f92a768be5d3630595a862d5cc622e02815af5f0456abcd04cdf0365.exe	28
PID 1540 wrote to memory of 2924	1540	WScript.exe	29
PID 1540 wrote to memory of 2924	1540	WScript.exe	29
PID 1540 wrote to memory of 2924	1540	WScript.exe	29
PID 1540 wrote to memory of 2924	1540	WScript.exe	29
PID 2924 wrote to memory of 328	2924	cmd.exe	31
PID 2924 wrote to memory of 328	2924	cmd.exe	31
PID 2924 wrote to memory of 328	2924	cmd.exe	31
PID 2924 wrote to memory of 328	2924	cmd.exe	31
PID 328 wrote to memory of 324	328	DllCommonsvc.exe	57
PID 328 wrote to memory of 324	328	DllCommonsvc.exe	57
PID 328 wrote to memory of 324	328	DllCommonsvc.exe	57
PID 328 wrote to memory of 1232	328	DllCommonsvc.exe	58
PID 328 wrote to memory of 1232	328	DllCommonsvc.exe	58
PID 328 wrote to memory of 1232	328	DllCommonsvc.exe	58
PID 328 wrote to memory of 2788	328	DllCommonsvc.exe	59
PID 328 wrote to memory of 2788	328	DllCommonsvc.exe	59
PID 328 wrote to memory of 2788	328	DllCommonsvc.exe	59
PID 328 wrote to memory of 2852	328	DllCommonsvc.exe	60
PID 328 wrote to memory of 2852	328	DllCommonsvc.exe	60
PID 328 wrote to memory of 2852	328	DllCommonsvc.exe	60
PID 328 wrote to memory of 2872	328	DllCommonsvc.exe	61
PID 328 wrote to memory of 2872	328	DllCommonsvc.exe	61
PID 328 wrote to memory of 2872	328	DllCommonsvc.exe	61
PID 328 wrote to memory of 2632	328	DllCommonsvc.exe	62
PID 328 wrote to memory of 2632	328	DllCommonsvc.exe	62
PID 328 wrote to memory of 2632	328	DllCommonsvc.exe	62
PID 328 wrote to memory of 2812	328	DllCommonsvc.exe	63
PID 328 wrote to memory of 2812	328	DllCommonsvc.exe	63
PID 328 wrote to memory of 2812	328	DllCommonsvc.exe	63
PID 328 wrote to memory of 2772	328	DllCommonsvc.exe	64
PID 328 wrote to memory of 2772	328	DllCommonsvc.exe	64
PID 328 wrote to memory of 2772	328	DllCommonsvc.exe	64
PID 328 wrote to memory of 2804	328	DllCommonsvc.exe	65
PID 328 wrote to memory of 2804	328	DllCommonsvc.exe	65
PID 328 wrote to memory of 2804	328	DllCommonsvc.exe	65
PID 328 wrote to memory of 2080	328	DllCommonsvc.exe	71
PID 328 wrote to memory of 2080	328	DllCommonsvc.exe	71
PID 328 wrote to memory of 2080	328	DllCommonsvc.exe	71
PID 2080 wrote to memory of 1644	2080	Idle.exe	76
PID 2080 wrote to memory of 1644	2080	Idle.exe	76
PID 2080 wrote to memory of 1644	2080	Idle.exe	76
PID 1644 wrote to memory of 2020	1644	cmd.exe	78
PID 1644 wrote to memory of 2020	1644	cmd.exe	78
PID 1644 wrote to memory of 2020	1644	cmd.exe	78
PID 1644 wrote to memory of 2900	1644	cmd.exe	81
PID 1644 wrote to memory of 2900	1644	cmd.exe	81
PID 1644 wrote to memory of 2900	1644	cmd.exe	81
PID 2900 wrote to memory of 2404	2900	Idle.exe	82
PID 2900 wrote to memory of 2404	2900	Idle.exe	82
PID 2900 wrote to memory of 2404	2900	Idle.exe	82
PID 2404 wrote to memory of 296	2404	cmd.exe	84
PID 2404 wrote to memory of 296	2404	cmd.exe	84
PID 2404 wrote to memory of 296	2404	cmd.exe	84
PID 2404 wrote to memory of 1336	2404	cmd.exe	85
PID 2404 wrote to memory of 1336	2404	cmd.exe	85
PID 2404 wrote to memory of 1336	2404	cmd.exe	85
PID 1336 wrote to memory of 980	1336	Idle.exe	86
PID 1336 wrote to memory of 980	1336	Idle.exe	86
PID 1336 wrote to memory of 980	1336	Idle.exe	86
PID 980 wrote to memory of 1692	980	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\acf103c7f92a768be5d3630595a862d5cc622e02815af5f0456abcd04cdf0365.exe
"C:\Users\Admin\AppData\Local\Temp\acf103c7f92a768be5d3630595a862d5cc622e02815af5f0456abcd04cdf0365.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2432
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2020
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:296
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vXy3H03RZr.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1692
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        12⤵
        
        PID:1904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2868
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat"
        14⤵
        
        PID:924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1948
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat"
        16⤵
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2216
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat"
        18⤵
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:344
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
        20⤵
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2128
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        22⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:404
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat"
        24⤵
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2644
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Speech\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82488afa45331804224f5aa1daabebfb

SHA1
936cb2e433e9b440514ffcfe85fb45e574419e67

SHA256
201c8d6dfe61cf4bc354a0829a362db6c607b0ebbd8e34b200d05aaa317627bc

SHA512
e502a0439e537f3f296248455b2d44993b658f84cd840b97a2cec0a188b604df438aaab5e919c10a4c2e6770245780a10c4570ab81624dd784172cfc3e558ec1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6de0d7d6b8054dda8173948839376ef5

SHA1
d77067b79a79b942ec643aa94d4b8395d9bd6a88

SHA256
2814c21107b9348b4e1e3d7e119e0b9d670b9f588f974273beb30f3d44c447cc

SHA512
5871b9ab65a846dfccc7b70ed6a984aa6ed8e6487edb146ce5c37556d58ec13d08abe1b65c9662d83ca7f867326549f6f0d045d48bc426ab9668074ab8ea47b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51f5919071d055093e853aaa7850c07e

SHA1
245333eae2b4c6ed095e06fc81091283265244fd

SHA256
35d011b39c4f2c461034de338ea27b444ed7ca78e450f920e2b3b8743a9ad97b

SHA512
92a2c9f90b9341b1ab2788bcaef481e93770edcf1f80c42824c96385ca361dca9e2140dad455dad33e376c4baf2446c0983a3d89f468764c4a302b2b819a29d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6c342c982ed5c1f20f48e6f34a02839

SHA1
6512f8306e4d7f4852ca9dc224ba0eb0167a9af3

SHA256
05791c344b82288779bebb486fbe21f36c2a8396a560266eaa91b5363c8eb932

SHA512
2c39e5bccf6d8b8e79a3a0fae1a20c1b07e3c635595a49ec1007803e26c00b2641432980d98975e883d18d386f062f0cf7c5c7b4940facd28485678f2597dbcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5022cb0595fd4a81a60df72046821ff0

SHA1
8686ccf2eb3afaaeb4887de16d74981780468522

SHA256
915caeeaef8c0695c6c94807c529f074211b8586b3fee2b9ef9a2a5e7e2af7ff

SHA512
a61ffb4c7d368d7d37c91b6a13c2ab8eb4e20aa98b2650effbc3d1ad80a9312ded9c50eadcc10c25955eb0d5063ba4eba220da316ab78f5e65c975277ad00509

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
028d6e2c11d3ca6fc47bea3d8146e3f3

SHA1
b774964e065ec22f25266f5fb6c7ec6aed6b4393

SHA256
c3ddca93e9b5aac229d6b35cc5a1c87cf639d6eeb5c666a2c3bbd258b01f3f15

SHA512
bface23baa359a80b47f3f3f069574940eeb648344c2963d5ef198adcf0a41f1d81b628df4399f68622a55ce4adc5d5c3937a777e3072bd336f010c30b9a609d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2df996958ec6a1c9c283011427de05c

SHA1
2ffd2e02b099ccf7553d052216e9284c2ba13452

SHA256
0feb4925a565edd50e7a19c03c89ea31c49a994c5140743309f872c5d175503a

SHA512
1a2093d770d3f8fd4a8d362944392a3290dad8b022e73a096ba26cec5702c0cff5fbfe50717e50888d84d18f4c572da78f6f9880766569e2183184a8393cd682

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e365ffcadfd09302f9155a290154e757

SHA1
d14e602d41ee453641a2988d50092696427f6c9c

SHA256
40abf048bd659f6227ba2229c55660c0788974e2ca23496be5c254e9aaef1578

SHA512
534b6e7f5943452b0cb861c21448ca3d8a3236f5ef4c7136c72d975a7e51958d6627800dfce54c486cdb207ded48f8f426f4c0e908d400d91e30aa1fb2043e50

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9189ab7d4530fc1c0868bdd62abd4161

SHA1
aa2a4a64742fe8f4d7a0b644aaf4c87d01af618c

SHA256
9b5349e25e046c5496d3f0b8925a27e70fae3e56dc95137bd39ae3e81e54c1fa

SHA512
cb1800868bea50407409c2e5ee4154a0d7523fd5e68b5f5352e5d517f07a078720f537edff8f578b1914c3a0a162afff8bf69cb9b50e40616e1fcad7ecd0dd67

Download Submit
C:\Users\Admin\AppData\Local\Temp\4oJokgKWVw.bat

Filesize
219B

MD5
789dd7f55449956c250e23c0772efa6e

SHA1
964d6d19d07882fbf24ebfe9153d5f2276bdacf7

SHA256
d5a3565b2ae5ba11b405832ae5cab96ce2307d549c4d7605b6df8d68de8e3b90

SHA512
36aa87224bb1d71a3cb92d1ba0b25de25d07e2dede608fec56520ce07742da56de4356aa5cacdaa4869cc6f199766b12729d4f341605cf97d4946e1df8634711

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC65D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DC0SKfNvdG.bat

Filesize
219B

MD5
bb9e19f62a9ac55d33153ca2aa3ef516

SHA1
5306f86163fd45d445f61af39b2855562e8918c0

SHA256
92679d96d7faca9483d61d25bb1ba0a2afbb328ef80a07d88fbabdbc711e92e8

SHA512
f6f3d80584ffc2c575cfd8db8010faa43b42cb2a987f9a007ca6393ee4b3ea8da0db68c9d15fd9a2aba8724b8e6d29d8ee20f2dbc2306fc74574d040e684dd22

Download Submit
C:\Users\Admin\AppData\Local\Temp\J91AFVPMIK.bat

Filesize
219B

MD5
5d4f008d6beff69b1323cd2cf18e2839

SHA1
e2f7cf80ae27bfb7a8d9405cd41c1fde7fe92d43

SHA256
7e36c7b7b789e1624966d7dc7642de5a0705f434d3ad531ae20c2af0bed9465c

SHA512
3b3c71f39e0e1478249bf31e75e962213a5f708087d22ef87488d88c8976741ed1356cfe1d1860331c7199e51b97b5dd1a37cf9f70357e99906813353d9a6bab

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC670.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XIXHPi7vyc.bat

Filesize
219B

MD5
669a6df1bcc2fba8576862004a304e43

SHA1
cd05c630aee036986879b439d8ecbe051a666ff1

SHA256
57f448fafb95a9b5d50acda9138cb785cb482ac58a9aec842337e2f6a9633d1b

SHA512
5c69dc24ca8faaabf9e8ea8826f39b7fd492fcc88b35c8e679d39279c2cecd7897e733b7966f0c93430f823c5768522338ca10e033c27a04be79ff9fe895033c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
219B

MD5
a809e437521df901790f102c46866066

SHA1
70172cb1ace124cb2d34d1aaf702f3e6cc06064e

SHA256
b3f2e9ce38508cd4abeba28c80361c343135ff43774ea36c545c812013a5ef51

SHA512
6baefd4e1812ebd1f7fc145686db470414f925260abe36d63ebaa6acacbddc9d70130b37fff11176eeabc4cb19352fc948d5ff8a7346aa995b58b0c41c3f4ce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat

Filesize
219B

MD5
3cd5e2462589f6bc816d9adb8a7d3167

SHA1
3b61a097c35af4fc9f9ce67607b550067a8af32e

SHA256
a83713a3404fa386ca4a18180da130730b46f6c29636fcc0d704d0e307d92d07

SHA512
67671261586164b97edffcfd9b0782c2c696e95d17194104aec481abbb48b60bdf4ce7f70f3c3000928bd6281c5203291973e89160425a81644d95a8f3238b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\vXy3H03RZr.bat

Filesize
219B

MD5
77b8bd0844c999123b951a1bb84dda6c

SHA1
4c333a10d711dba5461cee9de37235ebe77b2ae6

SHA256
980f2546b9e0117050f36a82322e65b66a4fcbc6183c95b312a520b6dd76359f

SHA512
256d985b17145f0636bbcce8ba7d0b817226a3e337d32710dfa34166946ce6e7b7dafb870b20af3dc8098e3b59dd61cd2da804b05b6c5bbde45c4f91c6f3c72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
219B

MD5
ede38628f6ed384631f67d528f1d1926

SHA1
4ea05645da1f639b528795d6f7c65e22936dac23

SHA256
ec0ca5450f6f218277bb34c98ec25b68856b4413998d390ca304e11d0df0531f

SHA512
cafcda046fa2cf2b4f4dcdbbd36f004533f9f7e170ab4e88eab2887e85f1288da467187eb2a1e3663dcb2aba2a9bcc3aeef309b7691fe634455f01799806f083

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
219B

MD5
b2c10fec8a5c92444f6730e1920849a0

SHA1
ad0686f1bf6106c7409f6b68b5904b8619470cd8

SHA256
17af35913be5d704525fe7e69f974a394a07e3b7b6a41100e99270fb3012035d

SHA512
978818d21896d309e257446bb09326f983422dea124a1fa11c18d374d96474e6e8b6544e2e44c3901f6cdda839e5bedaa3ee07cee1ab985c1a4078267c49625d

Download Submit
C:\Users\Admin\AppData\Local\Temp\z7AIE64VZ5.bat

Filesize
219B

MD5
8289f4460c1724d10845df4746eea68d

SHA1
383cfc9f884ed1442d830c2a70f8157f0b3b5ca0

SHA256
9afb5b074dd86303c97703e382255f768e79f26fab31ed2be7043f889f4437b8

SHA512
f657e508df994fd30641eedfd771896bfe72fe51289cddeaf902dcd361a05f3b78507a1be1dacc71260569f6f5448c92d47576f4539fa175c553e77b11955a13

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\BAYVI4BCXUTKYGD2T31U.temp

Filesize
7KB

MD5
666351cf523af15dda306ee33b7f0018

SHA1
1bae194a59a8e9dc2b73e7c1d0f93ae5aa47f866

SHA256
9c02e925eea48545aa8e956dbbb2e1d4673ee79191e529994fa7798179cbfbfe

SHA512
368f8a1adee40a5200e03d05882b2e372568f2ebef4467a127181beb63ba08396f9a680d0f082adcf9930e00a2bdeb6079e0ca0ed24fe6efee926f9350b2c941

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/328-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/328-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/328-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/328-13-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download
memory/328-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1336-204-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/1336-205-0x0000000000AD0000-0x0000000000AE2000-memory.dmp

Filesize
72KB

Download
memory/1508-445-0x0000000000B60000-0x0000000000C70000-memory.dmp

Filesize
1.1MB

Download
memory/1680-505-0x0000000000CC0000-0x0000000000DD0000-memory.dmp

Filesize
1.1MB

Download
memory/2068-565-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2080-40-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/2080-67-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2336-625-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2576-325-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2688-685-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/2852-265-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/2872-64-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/2872-65-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2900-385-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download