dcrat | 0e9cb8a660b09dcd0a9c0c64c71a265b565398061eba6bd89599f2344d36e68e

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_0e9cb8a660b09dcd0a9c0c64c71a265b565398061eba6bd89599f2344d36e68e.exe
Size

1.3MB
MD5

7183fc2747e430f82cfdf0c321a27f20
SHA1

437a6155f6a5bd70ae666bfee64157978ec22c30
SHA256

0e9cb8a660b09dcd0a9c0c64c71a265b565398061eba6bd89599f2344d36e68e
SHA512

74fdc1c8655e2883f96906cee170a8f171509bb4f232ebf6f3b2fc6909ffda192e033ff3c54a519cf9a4e68b1f20b4215e060fd1f593ecff937785dab85f16ba
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2280	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2544	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2544	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cec-9.dat	dcrat
behavioral1/memory/2816-13-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/1580-86-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/2672-559-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/2924-619-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/1656-680-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2912	powershell.exe
2492	powershell.exe
2408	powershell.exe
2052	powershell.exe
408	powershell.exe
2264	powershell.exe
2640	powershell.exe
1956	powershell.exe
884	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2816	DllCommonsvc.exe
1580	explorer.exe
2400	explorer.exe
2792	explorer.exe
2828	explorer.exe
1472	explorer.exe
1324	explorer.exe
2648	explorer.exe
1844	explorer.exe
2672	explorer.exe
2924	explorer.exe
1656	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
3064	cmd.exe
3064	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
36	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\cmd.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\de-DE\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\6cb0b6c459d5d3	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\smss.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_0e9cb8a660b09dcd0a9c0c64c71a265b565398061eba6bd89599f2344d36e68e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe
2644	schtasks.exe
2120	schtasks.exe
780	schtasks.exe
2860	schtasks.exe
2344	schtasks.exe
1592	schtasks.exe
612	schtasks.exe
2404	schtasks.exe
2104	schtasks.exe
2440	schtasks.exe
288	schtasks.exe
1912	schtasks.exe
2604	schtasks.exe
2960	schtasks.exe
2232	schtasks.exe
1332	schtasks.exe
1324	schtasks.exe
2352	schtasks.exe
284	schtasks.exe
2368	schtasks.exe
2280	schtasks.exe
1512	schtasks.exe
1976	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2816	DllCommonsvc.exe
2816	DllCommonsvc.exe
2816	DllCommonsvc.exe
2816	DllCommonsvc.exe
2816	DllCommonsvc.exe
2408	powershell.exe
1956	powershell.exe
2264	powershell.exe
2640	powershell.exe
2912	powershell.exe
2052	powershell.exe
884	powershell.exe
2492	powershell.exe
408	powershell.exe
1580	explorer.exe
2400	explorer.exe
2792	explorer.exe
2828	explorer.exe
1472	explorer.exe
1324	explorer.exe
2648	explorer.exe
1844	explorer.exe
2672	explorer.exe
2924	explorer.exe
1656	explorer.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	DllCommonsvc.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	2052	powershell.exe
Token: SeDebugPrivilege	884	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	408	powershell.exe
Token: SeDebugPrivilege	1580	explorer.exe
Token: SeDebugPrivilege	2400	explorer.exe
Token: SeDebugPrivilege	2792	explorer.exe
Token: SeDebugPrivilege	2828	explorer.exe
Token: SeDebugPrivilege	1472	explorer.exe
Token: SeDebugPrivilege	1324	explorer.exe
Token: SeDebugPrivilege	2648	explorer.exe
Token: SeDebugPrivilege	1844	explorer.exe
Token: SeDebugPrivilege	2672	explorer.exe
Token: SeDebugPrivilege	2924	explorer.exe
Token: SeDebugPrivilege	1656	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3024 wrote to memory of 2884	3024	JaffaCakes118_0e9cb8a660b09dcd0a9c0c64c71a265b565398061eba6bd89599f2344d36e68e.exe	31
PID 3024 wrote to memory of 2884	3024	JaffaCakes118_0e9cb8a660b09dcd0a9c0c64c71a265b565398061eba6bd89599f2344d36e68e.exe	31
PID 3024 wrote to memory of 2884	3024	JaffaCakes118_0e9cb8a660b09dcd0a9c0c64c71a265b565398061eba6bd89599f2344d36e68e.exe	31
PID 3024 wrote to memory of 2884	3024	JaffaCakes118_0e9cb8a660b09dcd0a9c0c64c71a265b565398061eba6bd89599f2344d36e68e.exe	31
PID 2884 wrote to memory of 3064	2884	WScript.exe	32
PID 2884 wrote to memory of 3064	2884	WScript.exe	32
PID 2884 wrote to memory of 3064	2884	WScript.exe	32
PID 2884 wrote to memory of 3064	2884	WScript.exe	32
PID 3064 wrote to memory of 2816	3064	cmd.exe	34
PID 3064 wrote to memory of 2816	3064	cmd.exe	34
PID 3064 wrote to memory of 2816	3064	cmd.exe	34
PID 3064 wrote to memory of 2816	3064	cmd.exe	34
PID 2816 wrote to memory of 2492	2816	DllCommonsvc.exe	60
PID 2816 wrote to memory of 2492	2816	DllCommonsvc.exe	60
PID 2816 wrote to memory of 2492	2816	DllCommonsvc.exe	60
PID 2816 wrote to memory of 2408	2816	DllCommonsvc.exe	61
PID 2816 wrote to memory of 2408	2816	DllCommonsvc.exe	61
PID 2816 wrote to memory of 2408	2816	DllCommonsvc.exe	61
PID 2816 wrote to memory of 2640	2816	DllCommonsvc.exe	62
PID 2816 wrote to memory of 2640	2816	DllCommonsvc.exe	62
PID 2816 wrote to memory of 2640	2816	DllCommonsvc.exe	62
PID 2816 wrote to memory of 2912	2816	DllCommonsvc.exe	63
PID 2816 wrote to memory of 2912	2816	DllCommonsvc.exe	63
PID 2816 wrote to memory of 2912	2816	DllCommonsvc.exe	63
PID 2816 wrote to memory of 884	2816	DllCommonsvc.exe	65
PID 2816 wrote to memory of 884	2816	DllCommonsvc.exe	65
PID 2816 wrote to memory of 884	2816	DllCommonsvc.exe	65
PID 2816 wrote to memory of 2264	2816	DllCommonsvc.exe	68
PID 2816 wrote to memory of 2264	2816	DllCommonsvc.exe	68
PID 2816 wrote to memory of 2264	2816	DllCommonsvc.exe	68
PID 2816 wrote to memory of 2052	2816	DllCommonsvc.exe	69
PID 2816 wrote to memory of 2052	2816	DllCommonsvc.exe	69
PID 2816 wrote to memory of 2052	2816	DllCommonsvc.exe	69
PID 2816 wrote to memory of 408	2816	DllCommonsvc.exe	71
PID 2816 wrote to memory of 408	2816	DllCommonsvc.exe	71
PID 2816 wrote to memory of 408	2816	DllCommonsvc.exe	71
PID 2816 wrote to memory of 1956	2816	DllCommonsvc.exe	73
PID 2816 wrote to memory of 1956	2816	DllCommonsvc.exe	73
PID 2816 wrote to memory of 1956	2816	DllCommonsvc.exe	73
PID 2816 wrote to memory of 1580	2816	DllCommonsvc.exe	78
PID 2816 wrote to memory of 1580	2816	DllCommonsvc.exe	78
PID 2816 wrote to memory of 1580	2816	DllCommonsvc.exe	78
PID 1580 wrote to memory of 1644	1580	explorer.exe	79
PID 1580 wrote to memory of 1644	1580	explorer.exe	79
PID 1580 wrote to memory of 1644	1580	explorer.exe	79
PID 1644 wrote to memory of 2092	1644	cmd.exe	81
PID 1644 wrote to memory of 2092	1644	cmd.exe	81
PID 1644 wrote to memory of 2092	1644	cmd.exe	81
PID 1644 wrote to memory of 2400	1644	cmd.exe	82
PID 1644 wrote to memory of 2400	1644	cmd.exe	82
PID 1644 wrote to memory of 2400	1644	cmd.exe	82
PID 2400 wrote to memory of 2728	2400	explorer.exe	83
PID 2400 wrote to memory of 2728	2400	explorer.exe	83
PID 2400 wrote to memory of 2728	2400	explorer.exe	83
PID 2728 wrote to memory of 2568	2728	cmd.exe	85
PID 2728 wrote to memory of 2568	2728	cmd.exe	85
PID 2728 wrote to memory of 2568	2728	cmd.exe	85
PID 2728 wrote to memory of 2792	2728	cmd.exe	86
PID 2728 wrote to memory of 2792	2728	cmd.exe	86
PID 2728 wrote to memory of 2792	2728	cmd.exe	86
PID 2792 wrote to memory of 868	2792	explorer.exe	87
PID 2792 wrote to memory of 868	2792	explorer.exe	87
PID 2792 wrote to memory of 868	2792	explorer.exe	87
PID 868 wrote to memory of 2752	868	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e9cb8a660b09dcd0a9c0c64c71a265b565398061eba6bd89599f2344d36e68e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e9cb8a660b09dcd0a9c0c64c71a265b565398061eba6bd89599f2344d36e68e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3024
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2884
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2092
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2568
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2752
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat"
        12⤵
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1624
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
        14⤵
        
        PID:288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1152
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
        16⤵
        
        PID:1476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2020
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat"
        18⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:960
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat"
        20⤵
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:348
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat"
        22⤵
        
        PID:2472
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2492
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat"
        24⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2980
        
        C:\providercommon\explorer.exe
        
        "C:\providercommon\explorer.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Mail\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d61e54c2ff1334c99f7e6e4b32dda1e

SHA1
b7dfaa6129a01d563a661fe2773eb189d4a9cd00

SHA256
964eb76f13c7b285973d72fbe7f292588c0a1c2192dc3d907b635e2568e07cfc

SHA512
f76ccd60fbc977c88057ab6fc0fc424eb924d8163034712a4ba4a2a5aef8d6edba57b857bc376f157040e8ecf17ede613425d43834c61fe8a214ebb75abc2273

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3a1839becc8480b8d2592766c07474d

SHA1
52c48ab0945b0f2866d21d942c8bb48853f420d7

SHA256
04f8dbfa023d3a649c957b7b6a0fa3c8c0072418603ad99158700af5db551aca

SHA512
381a8befa4d5f8c45d5ddf2503aa1f113685824df7e17e47105f13abf89fdff9a8d7890473ec6b5d8459b768f484068845f0d9a61be233207be5de71d45a2d8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05683c076579b0e5ca99c38db3d83c81

SHA1
6300dcd2cd7d47c2ace688be2d2b07808bdbedb4

SHA256
66112b9aaa5fb8916a1b32ed1752f6a8ba6fd96f46c3cee116307a0ca08cd7fa

SHA512
02d13e302cb5d9c6657e24581f836c41ba10c686bd98b9044dc53860906cccfc5fdd7d5f5e4d945b547ade54da43aad9eae03668231ba0d516d7fef25ba64cef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dce635b88ade5e35a49079ea58a3bcdc

SHA1
a7082ed33557966d77e1a647f311c79f5362855d

SHA256
610bd6153dcea2c3344b641f2a60c4061d9b53cfb2144404a6d06e010022d6a3

SHA512
ec26eefd90c83921746bc5a6a81a22b4cc6bb6867d073cb9dbd1434ba4deb7b811a46cba8e976ca4e607a09b103065d2203b48e882f3cec391970acbc1b4a536

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a78c6a5f04fdcb6815ff838bb12f80bd

SHA1
908e50e898ae6e69152c070840dfa597aee79e54

SHA256
490d4094a8f382a7e3a006a87f11923e015a5da286fc17867f54ee4f24806ef4

SHA512
ca48ad4fb3f1e5b52eec4fc146ab7e6ae476c8a7fc4e8c55663534e3961b1a0b3a3909cd892e025e851b0ce092c2a09512bda843f13d85b548cd2f6590df5d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7e45ff8292846c82f3c306d8790b9a6

SHA1
6512766d81781213fe93eb0fe5d27b598d412a3b

SHA256
2eba18a5c28876fd6c8db0f6c6f8f3a138eaec5164207e9019757c64d1797d5e

SHA512
34e2232a2e4952e8011c1a6735ffa5c77ddbaedcdd3c8c8664578cb44d815bc1c0edc053e2edc9cf3dc44dd2ba6baf2e2038c03cc25407c815f3a4d0782a3fe7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
569a25d98ace82bcb73cd5397c47f191

SHA1
25eb4a44a79f6130903075714aaf93d8cdf440f8

SHA256
ca879623a1fb24c4da4a0e3519d285c0b4f6d4ec818f00f93131e5fc321efa1f

SHA512
26eef7daded4b79c953a3c9904f62adde93b2631422932db68c3e6743533fbaf2c150e9eb6f528f74325521b7f65917a8cc16ec2b171c701507d3712475d01ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6255c5783ec98db8f7ccaa83d6bf99b3

SHA1
39e8d4afab6e1e29f05a06a9624e71fe246b276e

SHA256
df04150c6cf80d1cd065eebd6a4843f76d5d3a75eedc1da29043e2d26c3505b5

SHA512
f4ab1433346f7882b6bdb8a97c53d7f2cbe4551e74f48732093756716177789ffa2965a6f3b273cc648aaec8296a1aafecced40742587eae28e61024f07ab94f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a76f9b83120e8ce95136e698138ea87c

SHA1
ee067bec6a64619931553e2d1c1f4d64e2ba3f82

SHA256
e54420b2afcc65cc669c547ae1ffffb1d9fa35b99df1423a428fdad5d94b9fd4

SHA512
08f97fb792f0e656dd63314c108e4d4243d3be178204e12ddf6e4975ebdd2b19e08c17d0b7e18ddda530f7a6d9d55d5b83c202cc3b1a7b70822d072f28c68397

Download Submit
C:\Users\Admin\AppData\Local\Temp\5AjNu1Vgdj.bat

Filesize
195B

MD5
a6e3d714aa9b26f60f623caf5adae55d

SHA1
33bfefed731b25ab0057f16eb8eee7f1736ab79e

SHA256
685545b1fd7a110f1087f59322037f692d4dde34baf4bc19f1a6a6748cdfd53f

SHA512
72cef092763c0fa8d2f9145a1f15f316d925cdd362edb96174b9f727798d9fe148e39af5d26287dde1cedd9c38061b2555e525e3bd96e18a9354023198277306

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2722.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

Filesize
195B

MD5
98680afba96c0263a41f44d80df4fe1d

SHA1
a92bf4b7a048c25dc59422e598edd19d3971ad99

SHA256
2e3b129b4900937152f02a87d10593f4fe8787b69a4ec98b3de3de368fbeaaf0

SHA512
64d1210c6aaed5ca687548cd28236e22a9313ad1082e23d0856aa64fbef6d983534b3f74921584f94249d4ef798daf0c87c4ea338252eb06cf274fe10bbb6751

Download Submit
C:\Users\Admin\AppData\Local\Temp\QRlBHoY6P9.bat

Filesize
195B

MD5
3cccb05f8efa254ec24d053178247c43

SHA1
45dfbe003967cca578a88c072cbbc83d57c4ed9b

SHA256
7a1cee123b60bd9ec4f277bb535bc11f9f0853289c32c0b7365f80ff2cb73df9

SHA512
7aec33d00e921d93bd7789cfce70c3ba2e89149b834d2c9b9f284b8f7cf1c569031c95a0a90c2b16bbb1f45cc318e8cb8f95e3749702910a3b4866639bff5bea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2735.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

Filesize
195B

MD5
505e3a6d9c9d67296e419d5f6247a674

SHA1
c166a8192949b74a660004ba6a5de6f4f709237e

SHA256
e4a535cea607525b1f4b23c3d095e544bcd913fc8904f68aec2301a33f9fb444

SHA512
babe4b4d02e58049c2b93dbaadacb88de9aaddb48408d86c85c7fbffe01c1220a2b90a3cca06a40105511920d4cd7deab146abefbc9e660a997ad95b7e016624

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0ZYbu3Enn.bat

Filesize
195B

MD5
97d9729c57c44a0926ad197caf206f24

SHA1
ad3eb3607e38bc56033d276cab06c1ee4b086ab5

SHA256
3a62503667ecf714a67fba9afd8e478201d42c08fbf427d1405f49e007bb1a74

SHA512
9bcd9e1c2a613ea32c856b51ecfb2b512f5a8e7635649182973b0a9bae519c1f4a26f0086fe4cfe5e1d31890cb84c846a30e11f2366cc91f9fffa27c37b38d47

Download Submit
C:\Users\Admin\AppData\Local\Temp\cOf3pucYXi.bat

Filesize
195B

MD5
b6c2ebfb5b6a8a1635f74cfc86848040

SHA1
c4ff0feae0bdd804ec3f33ac6678653b07751e3e

SHA256
868fc3777df5cfc127131db5fca1b797db20bc0828b4b14066a83ed6d2027529

SHA512
ee74e7c4f7f6c962d0a8b3be5aee548c36294bb23cf1a7615cd3b2de475ce15bc779ff0b4bdb827ff49d58014a4225aa37862f82a49981ae17fe3356d7e26c29

Download Submit
C:\Users\Admin\AppData\Local\Temp\onYrHPGvDe.bat

Filesize
195B

MD5
057365bc1358ab47cf39948a232e6b91

SHA1
3bb9b39aeceb77297e43d987212f6e9e9076e009

SHA256
4fc732383309596b5e1450fde74d9988e245601b3d72d1514bf16a18e66c5546

SHA512
cd36256cf14b0f4f6b488cc4536ffe17b67ed979fe50725c459fe90aba096ab1a3f37d9714362153b03304ec0bd4ce119087bc124b748af844d2a573703cbd0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat

Filesize
195B

MD5
857ee532b5ee86754e062f0fea704da4

SHA1
a16ef473f25cdaff5fd061728df85f28efe2aadc

SHA256
b0afed25643cca8964e18f606fc7e249b23dc0a4a0991d51285b3484263d883d

SHA512
70cfbb3ae2900d25343779fdea3d153836a7a5c2de4afbf3ba67d34fa1c52aadcfcb213003a5f233c31d6a0806fe7eabb64aa48ee71a20b1024875b67998b016

Download Submit
C:\Users\Admin\AppData\Local\Temp\vhtd8auDHa.bat

Filesize
195B

MD5
60f95b5815e9342532893d450b8e5cce

SHA1
31c1e35f92387d23d480e74e98c786b7249d3f54

SHA256
ac7c8163fd005579a0170732f46021bf7cef74575adcbccf4ff33d79f05998b8

SHA512
34db8dcdfb8e7b3667a8a7fb689eb045f36607a612489cf2733b47d5f046987f1a33ef4945453ac6152a7bc94200ec458c43e7511b9d39163f3955f57cc546ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

Filesize
195B

MD5
5bf26f3cdc426d3c6b41d39f2908e7a0

SHA1
39f3bb28976f65a4c09ece99f6f3b9f29c580b1d

SHA256
a500ac699762e40aec622f5660a20a0672f8d8e26c60f6d2d7ad50642d625d34

SHA512
439de057228a253487d4aba7536d44d7940b20c520807ee05be1f338ee2fbbe9e57ba465639c8569bb0101080d37e81c82166295b102ab0ebe571af75a944991

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6d0de08c3e131e41eaa37123d40fcd2c

SHA1
21c71bc9acaec03c7be837421049cf902b1e489c

SHA256
e376b88e792b8c593665317f7312447177649767d1a17574ee8aab2e0811447c

SHA512
3617ae1c8db106131b03aa6450e90c43f2d19d9f1005e8905a0d107a9a6404634090794ef5a9392c54fe232b8bdbf9e7949347ccc8d1068d7fac15de5b051614

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1472-322-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/1580-86-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/1656-680-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2408-40-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2408-44-0x00000000003C0000-0x00000000003C8000-memory.dmp

Filesize
32KB

Download
memory/2672-559-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2816-14-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2816-13-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/2816-17-0x0000000000B80000-0x0000000000B8C000-memory.dmp

Filesize
48KB

Download
memory/2816-15-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2816-16-0x0000000000A00000-0x0000000000A0C000-memory.dmp

Filesize
48KB

Download
memory/2924-619-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2924-620-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download