dcrat | 9dd9e319af00659f8ce25bed5b821ee8a981116fe85929f081758fafc87b68b0

Analysis

max time kernel
148s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9dd9e319af00659f8ce25bed5b821ee8a981116fe85929f081758fafc87b68b0.exe
Size

1.3MB
MD5

3c096f14d7dcbb38d35bc5e676639ed7
SHA1

ca9e4220a32eff4e88cb9805fa348121ec064dd9
SHA256

9dd9e319af00659f8ce25bed5b821ee8a981116fe85929f081758fafc87b68b0
SHA512

9e0279ecb9819277e085ad8c4b20391040de2d0eecb4415f4a375b73c108333ff7a8b49454fd9bb2f4627803cfd68824aa635dc9c1635055e4749f33bba87a55
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	276	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2756	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2756	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001932a-9.dat	dcrat
behavioral1/memory/1712-13-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/1480-101-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/memory/1656-160-0x0000000000DF0000-0x0000000000F00000-memory.dmp	dcrat
behavioral1/memory/264-280-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/2704-399-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2584-459-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/2568-519-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/1436-579-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/968-698-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1504	powershell.exe
2368	powershell.exe
1600	powershell.exe
1268	powershell.exe
2028	powershell.exe
1596	powershell.exe
1360	powershell.exe
1744	powershell.exe
616	powershell.exe
1800	powershell.exe
1976	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1712	DllCommonsvc.exe
1480	smss.exe
1656	smss.exe
1268	smss.exe
264	smss.exe
1776	smss.exe
2704	smss.exe
2584	smss.exe
2568	smss.exe
1436	smss.exe
808	smss.exe
968	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
1952	cmd.exe
1952	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\fr-FR\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\dwm.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Uninstall Information\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\fr-FR\dwm.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\smss.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9dd9e319af00659f8ce25bed5b821ee8a981116fe85929f081758fafc87b68b0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2080	schtasks.exe
1032	schtasks.exe
2940	schtasks.exe
2772	schtasks.exe
2248	schtasks.exe
2144	schtasks.exe
2304	schtasks.exe
2780	schtasks.exe
2644	schtasks.exe
1920	schtasks.exe
2664	schtasks.exe
2920	schtasks.exe
2668	schtasks.exe
1816	schtasks.exe
2656	schtasks.exe
276	schtasks.exe
1324	schtasks.exe
2908	schtasks.exe
2196	schtasks.exe
1420	schtasks.exe
1796	schtasks.exe
2968	schtasks.exe
404	schtasks.exe
2580	schtasks.exe
2612	schtasks.exe
808	schtasks.exe
552	schtasks.exe
1416	schtasks.exe
2056	schtasks.exe
2180	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1712	DllCommonsvc.exe
1712	DllCommonsvc.exe
1712	DllCommonsvc.exe
1976	powershell.exe
616	powershell.exe
1600	powershell.exe
1596	powershell.exe
1504	powershell.exe
1268	powershell.exe
2028	powershell.exe
1800	powershell.exe
2368	powershell.exe
1360	powershell.exe
1744	powershell.exe
1480	smss.exe
1656	smss.exe
1268	smss.exe
264	smss.exe
1776	smss.exe
2704	smss.exe
2584	smss.exe
2568	smss.exe
1436	smss.exe
808	smss.exe
968	smss.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1712	DllCommonsvc.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2368	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	1744	powershell.exe
Token: SeDebugPrivilege	1480	smss.exe
Token: SeDebugPrivilege	1656	smss.exe
Token: SeDebugPrivilege	1268	smss.exe
Token: SeDebugPrivilege	264	smss.exe
Token: SeDebugPrivilege	1776	smss.exe
Token: SeDebugPrivilege	2704	smss.exe
Token: SeDebugPrivilege	2584	smss.exe
Token: SeDebugPrivilege	2568	smss.exe
Token: SeDebugPrivilege	1436	smss.exe
Token: SeDebugPrivilege	808	smss.exe
Token: SeDebugPrivilege	968	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 2352	1036	JaffaCakes118_9dd9e319af00659f8ce25bed5b821ee8a981116fe85929f081758fafc87b68b0.exe	30
PID 1036 wrote to memory of 2352	1036	JaffaCakes118_9dd9e319af00659f8ce25bed5b821ee8a981116fe85929f081758fafc87b68b0.exe	30
PID 1036 wrote to memory of 2352	1036	JaffaCakes118_9dd9e319af00659f8ce25bed5b821ee8a981116fe85929f081758fafc87b68b0.exe	30
PID 1036 wrote to memory of 2352	1036	JaffaCakes118_9dd9e319af00659f8ce25bed5b821ee8a981116fe85929f081758fafc87b68b0.exe	30
PID 2352 wrote to memory of 1952	2352	WScript.exe	31
PID 2352 wrote to memory of 1952	2352	WScript.exe	31
PID 2352 wrote to memory of 1952	2352	WScript.exe	31
PID 2352 wrote to memory of 1952	2352	WScript.exe	31
PID 1952 wrote to memory of 1712	1952	cmd.exe	33
PID 1952 wrote to memory of 1712	1952	cmd.exe	33
PID 1952 wrote to memory of 1712	1952	cmd.exe	33
PID 1952 wrote to memory of 1712	1952	cmd.exe	33
PID 1712 wrote to memory of 1504	1712	DllCommonsvc.exe	65
PID 1712 wrote to memory of 1504	1712	DllCommonsvc.exe	65
PID 1712 wrote to memory of 1504	1712	DllCommonsvc.exe	65
PID 1712 wrote to memory of 2028	1712	DllCommonsvc.exe	66
PID 1712 wrote to memory of 2028	1712	DllCommonsvc.exe	66
PID 1712 wrote to memory of 2028	1712	DllCommonsvc.exe	66
PID 1712 wrote to memory of 616	1712	DllCommonsvc.exe	67
PID 1712 wrote to memory of 616	1712	DllCommonsvc.exe	67
PID 1712 wrote to memory of 616	1712	DllCommonsvc.exe	67
PID 1712 wrote to memory of 1360	1712	DllCommonsvc.exe	68
PID 1712 wrote to memory of 1360	1712	DllCommonsvc.exe	68
PID 1712 wrote to memory of 1360	1712	DllCommonsvc.exe	68
PID 1712 wrote to memory of 1600	1712	DllCommonsvc.exe	69
PID 1712 wrote to memory of 1600	1712	DllCommonsvc.exe	69
PID 1712 wrote to memory of 1600	1712	DllCommonsvc.exe	69
PID 1712 wrote to memory of 2368	1712	DllCommonsvc.exe	70
PID 1712 wrote to memory of 2368	1712	DllCommonsvc.exe	70
PID 1712 wrote to memory of 2368	1712	DllCommonsvc.exe	70
PID 1712 wrote to memory of 1596	1712	DllCommonsvc.exe	71
PID 1712 wrote to memory of 1596	1712	DllCommonsvc.exe	71
PID 1712 wrote to memory of 1596	1712	DllCommonsvc.exe	71
PID 1712 wrote to memory of 1744	1712	DllCommonsvc.exe	72
PID 1712 wrote to memory of 1744	1712	DllCommonsvc.exe	72
PID 1712 wrote to memory of 1744	1712	DllCommonsvc.exe	72
PID 1712 wrote to memory of 1268	1712	DllCommonsvc.exe	73
PID 1712 wrote to memory of 1268	1712	DllCommonsvc.exe	73
PID 1712 wrote to memory of 1268	1712	DllCommonsvc.exe	73
PID 1712 wrote to memory of 1800	1712	DllCommonsvc.exe	74
PID 1712 wrote to memory of 1800	1712	DllCommonsvc.exe	74
PID 1712 wrote to memory of 1800	1712	DllCommonsvc.exe	74
PID 1712 wrote to memory of 1976	1712	DllCommonsvc.exe	75
PID 1712 wrote to memory of 1976	1712	DllCommonsvc.exe	75
PID 1712 wrote to memory of 1976	1712	DllCommonsvc.exe	75
PID 1712 wrote to memory of 3048	1712	DllCommonsvc.exe	87
PID 1712 wrote to memory of 3048	1712	DllCommonsvc.exe	87
PID 1712 wrote to memory of 3048	1712	DllCommonsvc.exe	87
PID 3048 wrote to memory of 264	3048	cmd.exe	89
PID 3048 wrote to memory of 264	3048	cmd.exe	89
PID 3048 wrote to memory of 264	3048	cmd.exe	89
PID 3048 wrote to memory of 1480	3048	cmd.exe	91
PID 3048 wrote to memory of 1480	3048	cmd.exe	91
PID 3048 wrote to memory of 1480	3048	cmd.exe	91
PID 1480 wrote to memory of 2968	1480	smss.exe	92
PID 1480 wrote to memory of 2968	1480	smss.exe	92
PID 1480 wrote to memory of 2968	1480	smss.exe	92
PID 2968 wrote to memory of 1964	2968	cmd.exe	94
PID 2968 wrote to memory of 1964	2968	cmd.exe	94
PID 2968 wrote to memory of 1964	2968	cmd.exe	94
PID 2968 wrote to memory of 1656	2968	cmd.exe	95
PID 2968 wrote to memory of 1656	2968	cmd.exe	95
PID 2968 wrote to memory of 1656	2968	cmd.exe	95
PID 1656 wrote to memory of 1740	1656	smss.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9dd9e319af00659f8ce25bed5b821ee8a981116fe85929f081758fafc87b68b0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9dd9e319af00659f8ce25bed5b821ee8a981116fe85929f081758fafc87b68b0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\fr-FR\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DDzhwswFsH.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:264
      - C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1964
        
        C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat"
        9⤵
        
        PID:1740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2352
        
        C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
        11⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1744
        
        C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat"
        13⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:660
        
        C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
        15⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2324
        
        C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
        17⤵
        
        PID:1252
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:596
        
        C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        19⤵
        
        PID:1036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2372
        
        C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat"
        21⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2512
        
        C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        23⤵
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2420
        
        C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat"
        25⤵
        
        PID:2884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1688
        
        C:\Windows\de-DE\smss.exe
        
        "C:\Windows\de-DE\smss.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Mail\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Start Menu\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Music\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Music\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Music\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\SendTo\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e71e9cbf2d2cad646d2dcf06fb5c0ab

SHA1
753235ef7d390ad344e0e9fc4d17db885205a670

SHA256
b555ca307e8fc67abb718496dcb0f82b000bd6413d9d45484783a34617eb2533

SHA512
efde38d58e93d7b6869fbdb26809ffcdf8a5b4bfd35613452a86e070ea8d2102a0002af461202666d3c90a1619263db4385a3c5c58c923b904e8450e10d369a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75472e569fa91b8e20a59939513009cc

SHA1
a2ea6eae8da936cbae1c976cd55a31e5db3e6402

SHA256
b034a41ea48dce00c3cb9afd07cd972f8bcf1f7623091daca78d142037cafd95

SHA512
42818121995c96ad6f3e67879edcb7bf8a9d4c1ad730dd1ed4d57e558bfd04e1c9c977e320d0fc79273617043be8dabc9724c1c0c7a97f8b9e484a5ce65dafc8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
13bef5aa923b6371d21ad511b0ec5786

SHA1
db459300b4ceeee60e25c58318244f43dd12cad1

SHA256
4ec3cd02f3b29aaee7e042d7be0406460e817f20ca21df08f575bb617e6281c7

SHA512
cc0cbb0ff863c17648e4e9815b82a9447cd18fa534f5af48b092057ed683032ca9f975074ea1f678905eff2b63efa70b1baa7782e357a877d31b3b1a1aeb2988

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87c5e7240743d43e897b493103ff7a0f

SHA1
967c157f9b514c42a9d22b258b30cf4b75338e28

SHA256
3fad2850570973f428e69f1a7f9100f33887a57dba43130710f1be466d75ecda

SHA512
f9ffe8d02255b6139a73517eced03a5d64b513137826447ceb951459bb7238d64bb978543a73b5996eb3c50b35770e8c42d1dcbc5c71863c32b52a2b922638a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
551f3288efc8948b890dbe1643fac8cd

SHA1
5cae0a5c5ccbb298207cce8e23807f9b1224b78e

SHA256
0112bab414faf5c7dfdf1b9a06e2954fd28748b7e17d9aa3c8cad423b5c92dbe

SHA512
0fdab96b6eeda8e909cae1dc23e237eb16cb49ccfa127963693691fc91c95d659c0be83856ef80f93037cff56be4f7e2abe875b46e1e9b83abe03fbd1b2ee31f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9cc16de8a21b0419a63191ded51a44a

SHA1
35d00f0f7f37c861b76b979ee43e8e48b579f150

SHA256
9b51b4e72c014caabe627254990770f9bdae2b440b32d454b742502576f55ce3

SHA512
cfbb0b1c96de124f46ae1016148d8f062672c820430d9d74dad1409399c219399c5134ec59d11e3b222bb7e5770be413d81941a337c26e85b9c356787d4ae096

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2b2d3c9d667cd855c0ff64042d5e3bb

SHA1
1765c0661b7869e1c359b7f1e42749a39ba475b5

SHA256
588029aec052ba33ca57aa3eb10491db61af9c70a085a22f41930e25478fcddd

SHA512
05a091d15f9f4828b5d2d330c40443d4b6b4aa51133882b43061106d2b3240a89a802d281dfc928a9d5fe89b501d822909f81a69dc8947e3f4c994b57b6d3f43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bda885cf4b9b4f2fa50a1123f6392d8

SHA1
b14e3f0a909811ee3f6ece2e69e4d287f7f9f4e4

SHA256
c70a0374704f0a9731e3a43f3ccbde7121b9bc22d1c0cf2cd7ba966651e18daa

SHA512
fbc396296ca3c15c3b75c93deb49ab7ab676f022841f1c3628a2d512c6397f1ef62e1b9e85d6b22f53f42f623596489eaff8132048e1549ef24cf3df7e3d30cc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b57480e837a0abf27e42b7d4fb14545c

SHA1
683944d67733a61ff7d3430bdad7060f204fa10a

SHA256
074c63be0cd5bc2ca081151a7bf24b73d4babd659070b50c5dcafc3c5f60ffdd

SHA512
30e9f36bc397ea35f846d24338fc32ed2d9803a0440a8d93718c7233d89416d9140b429b462fbe31c06a112e4cdda6bb420bde161cd954163f5c26bd237bed77

Download Submit
C:\Users\Admin\AppData\Local\Temp\BYj1kG62r9.bat

Filesize
190B

MD5
be58c9f8283eb871acc39b18efa4c6b6

SHA1
4189b70e2aba656062c6199937f4017cde9e6988

SHA256
50cd29956c78312cf1dd94be85f8caba19032936406844435b37a2a488ef5d31

SHA512
e6aa53ec4dcba4023782fe34bff778afba2dfffe9f0cfd9a920ce8ccfc65286f60c638e1d91603c03e7d99a1c961884c948eb82a9a90ee06674ef4a4550b19d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

Filesize
190B

MD5
52b44c05701167cd7131e92de6c75556

SHA1
089032828aa7bbde02f62d3346a71c84f92b2318

SHA256
55b3f7b896c11347f5afd90db1dc97ed7364bdf548a056664d5e2cf8f25b963d

SHA512
e299a16e4515a2266dd4a783d1045f9ab9412eed6e8688514f138036b2b83c9439ca0551dc94e82c79f0bcc5e437d07c918d277cc7f90e4e8479adfd53127c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF6EE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DDzhwswFsH.bat

Filesize
190B

MD5
133843f1af9e49b1c12c7af70ff2ef6c

SHA1
c776ca2e293095184cd0142b443e8b318abe412a

SHA256
fd5e6d58167cd905e784db9ca962751b51dc5da800536cea443b818c683775a1

SHA512
b3266263f53189c17f5f764a2d691b32fd87eacccf5539baab18e090806e027e38578ac2b46ba7c25df55cadf13eb88ed7380b4d25e27baaf61b5a878235d249

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

Filesize
190B

MD5
29a4c25430551015d7140a6b47da16db

SHA1
85d33273e54617678ac52c2d43c61876277aef0e

SHA256
010482b47be09bc318866355fd30e586472d44bbfe6f55fcbe82d2f25f075a99

SHA512
d7db9a72a23de4cdbc3164ad81a4c0533c3c5461bcdf74b4456431bb8745d704b2d20e396557b2947c974c1557cd0ccefc3990ff398b84f58a16ced13bbede90

Download Submit
C:\Users\Admin\AppData\Local\Temp\QHkN6qNcbm.bat

Filesize
190B

MD5
594f2ac85cee7aeefc155facfaef0055

SHA1
2e74c716ca64fab788281e7983f42aa6307cd870

SHA256
981c973a3530f55fb2cbca2c21b3b8c53c478e680cf51a83becc1088c18ffc69

SHA512
d0f6ede8e948aff7c56fbce5d88d788fb76ae1f63bbf4ff035f4df3cc3302815a649b8da7e087c0ad509bd7642e4bd5c14f1ce28e5a0f371d5a92a2481b9230d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF711.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U4eMIZxK0W.bat

Filesize
190B

MD5
66b9de26ea03570aaedc20fd56d7764e

SHA1
67d40e9f407ca0d3bd54580b2dff2be0fe2d5fb7

SHA256
b009a38e98034c3881cecaf82b54a1126af9bf499aaf13c7b03f0fbae80f0049

SHA512
37e78381b9091db595c54164a5ee25f573d198dfe3304b11aee8bace746f785269b71e33895ee62302952caa5063f4bd9ee60bbe26b0bcf6a215f34eb145c3b7

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
190B

MD5
b467533a1dbf25ae516d3b6d89767bb3

SHA1
d179dd661b68423990fed91cde1e6db9aa869d0b

SHA256
b887082ee78eed851f8b7bf92e21529fe0fe5bf1ac1daf05be110285f9d56efe

SHA512
86a4ed7ca3ecc165793331ba43729ffe6a75abf0cc46e0b82782c788f4cd05696d9f16a8d8b97032a071fa3a410ee86da767492ac43bd4945f6086859f738921

Download Submit
C:\Users\Admin\AppData\Local\Temp\mTJ33xL03H.bat

Filesize
190B

MD5
4a95d63ceb1d0edd3c7a7221608683c5

SHA1
a3f0e26c1b66efeeaac6c61519fcd4e3abef6f82

SHA256
d62e6e1d6868907abe01fece57965616902cf67750b0d460cdf106a837358f10

SHA512
a1a2bb198e5a0308dc82152621855589af5872d57417ba9471f87746eb94c7af15dfa64fc6e33e92b7d220320a5fb6fe8a48ce68a41ceb2ccc9cd4f6bdd3566d

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
190B

MD5
66b65a0d89cfd1883c696178efaccfcf

SHA1
ba7316e40912714a7f49142fd5913abc0c76dbfa

SHA256
e8ae990baa1b085eb81c54bf91af9c8b991dfcb2c8bd677f43173b65c8bcfd9b

SHA512
d310b37ef82321ee13a4330ffb8b708c94bcb04b2dd596fff8cd27a3645549be40a469d32009ad1a561053e30e2546b7fc78f6aed34ff2abaf26807a9487a9be

Download Submit
C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat

Filesize
190B

MD5
823508fb0fc23572ce9fc7e0d5c4894c

SHA1
fa2ec701b860068ba8505abf7915d8d933e17ec1

SHA256
7c46eaaf63d4a596f09db8171964933d5edd1e7775abb334a66b89e13bb2fdf7

SHA512
ea266b30699b6f35057c77f08554dd973cde0a6c66f30b13b4eb7665d4a572f0a51906435831fd10c5ab6e079e3629de6e929f45cb4f8402093450b489ffdd3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
190B

MD5
f3d00d16af92ba3e1d8cb6cead2ed7af

SHA1
f48c8846b39d094b62e8de91acc4289e497c39b5

SHA256
738dc4c8ed0594f7b5ed660e50d888bc480a64a305d33e3487d5ba838699453f

SHA512
addb79effe2d9d020d4930daae2937f1e1c66fee039225055f764d4b21e6b2ae016c9601bc47b23785169bc61d913ea36546ef7299f7b4ab7de9542bbcc1dbd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\RQ8T0T09DAKKZW781YLM.temp

Filesize
7KB

MD5
547fd8beb12d5d8d28d7f0b370e553c1

SHA1
05ea530157205a6bbe2760952fcecf9aded1c2e7

SHA256
412604b31d1b903e6b780e893f5b44d2de8c2e4d50c469949dcdb717c818eb15

SHA512
f14d812541c6b46f1b18a7c0e8b2c0a3e5a4ffc9eafb8b142a9225ee7e020a4559bc0951efde0f037f658fb7a08a25ea5c0509a6cab25c7f165aef7c9818ac6e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/264-280-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/968-698-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/1268-220-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1436-579-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/1480-101-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/1656-160-0x0000000000DF0000-0x0000000000F00000-memory.dmp

Filesize
1.1MB

Download
memory/1712-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1712-13-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/1712-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/1712-16-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/1712-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/1976-59-0x0000000001F70000-0x0000000001F78000-memory.dmp

Filesize
32KB

Download
memory/1976-58-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2568-519-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/2584-459-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2704-399-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download