dcrat | e89ddc5d12f29630f697262264335478e76daf91257bf9fdc022781ce4e6ba7e

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 02:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e89ddc5d12f29630f697262264335478e76daf91257bf9fdc022781ce4e6ba7e.exe
Size

1.3MB
MD5

88d45541c8ef9fbf7a7d36d5bba6f14a
SHA1

dfa5b6b7b63e3efc76c44097537df30c9aa8c86e
SHA256

e89ddc5d12f29630f697262264335478e76daf91257bf9fdc022781ce4e6ba7e
SHA512

483a0b193fd1576ee8a72b7e3e51410026b6834c88d3f92c2938708c5f71d637bf898ced29742057db1be77b628d84a27d50fc8902721ae9b947f98f20bad56b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2652	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2652	schtasks.exe	32

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014bb1-9.dat	dcrat
behavioral1/memory/2464-13-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/2364-72-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/1480-128-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/2440-305-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2552-424-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/1772-484-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/2760-544-0x0000000000BE0000-0x0000000000CF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2332	powershell.exe
1872	powershell.exe
1296	powershell.exe
484	powershell.exe
1476	powershell.exe
2976	powershell.exe
2744	powershell.exe
1556	powershell.exe
1728	powershell.exe
1780	powershell.exe
2764	powershell.exe
712	powershell.exe
2776	powershell.exe
2808	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2464	DllCommonsvc.exe
2364	DllCommonsvc.exe
1480	dwm.exe
1880	dwm.exe
2616	dwm.exe
2440	dwm.exe
1932	dwm.exe
2552	dwm.exe
1772	dwm.exe
2760	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2564	cmd.exe
2564	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\DllCommonsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\de-DE\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\de-DE\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\de-DE\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e89ddc5d12f29630f697262264335478e76daf91257bf9fdc022781ce4e6ba7e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3036	schtasks.exe
2720	schtasks.exe
2980	schtasks.exe
1464	schtasks.exe
2008	schtasks.exe
1612	schtasks.exe
536	schtasks.exe
584	schtasks.exe
2936	schtasks.exe
576	schtasks.exe
1400	schtasks.exe
1940	schtasks.exe
1848	schtasks.exe
1900	schtasks.exe
2208	schtasks.exe
2016	schtasks.exe
2784	schtasks.exe
2024	schtasks.exe
484	schtasks.exe
2960	schtasks.exe
2724	schtasks.exe
2892	schtasks.exe
2516	schtasks.exe
284	schtasks.exe
2660	schtasks.exe
1996	schtasks.exe
1528	schtasks.exe
2672	schtasks.exe
2908	schtasks.exe
1628	schtasks.exe
1792	schtasks.exe
2732	schtasks.exe
2656	schtasks.exe
1916	schtasks.exe
1968	schtasks.exe
1896	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2464	DllCommonsvc.exe
2808	powershell.exe
2776	powershell.exe
2764	powershell.exe
2332	powershell.exe
1476	powershell.exe
1780	powershell.exe
712	powershell.exe
2364	DllCommonsvc.exe
1296	powershell.exe
1556	powershell.exe
1728	powershell.exe
2976	powershell.exe
1872	powershell.exe
2744	powershell.exe
484	powershell.exe
1480	dwm.exe
1880	dwm.exe
2616	dwm.exe
2440	dwm.exe
1932	dwm.exe
2552	dwm.exe
1772	dwm.exe
2760	dwm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2464	DllCommonsvc.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	712	powershell.exe
Token: SeDebugPrivilege	2364	DllCommonsvc.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	2744	powershell.exe
Token: SeDebugPrivilege	484	powershell.exe
Token: SeDebugPrivilege	1480	dwm.exe
Token: SeDebugPrivilege	1880	dwm.exe
Token: SeDebugPrivilege	2616	dwm.exe
Token: SeDebugPrivilege	2440	dwm.exe
Token: SeDebugPrivilege	1932	dwm.exe
Token: SeDebugPrivilege	2552	dwm.exe
Token: SeDebugPrivilege	1772	dwm.exe
Token: SeDebugPrivilege	2760	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2604	2132	JaffaCakes118_e89ddc5d12f29630f697262264335478e76daf91257bf9fdc022781ce4e6ba7e.exe	28
PID 2132 wrote to memory of 2604	2132	JaffaCakes118_e89ddc5d12f29630f697262264335478e76daf91257bf9fdc022781ce4e6ba7e.exe	28
PID 2132 wrote to memory of 2604	2132	JaffaCakes118_e89ddc5d12f29630f697262264335478e76daf91257bf9fdc022781ce4e6ba7e.exe	28
PID 2132 wrote to memory of 2604	2132	JaffaCakes118_e89ddc5d12f29630f697262264335478e76daf91257bf9fdc022781ce4e6ba7e.exe	28
PID 2604 wrote to memory of 2564	2604	WScript.exe	29
PID 2604 wrote to memory of 2564	2604	WScript.exe	29
PID 2604 wrote to memory of 2564	2604	WScript.exe	29
PID 2604 wrote to memory of 2564	2604	WScript.exe	29
PID 2564 wrote to memory of 2464	2564	cmd.exe	31
PID 2564 wrote to memory of 2464	2564	cmd.exe	31
PID 2564 wrote to memory of 2464	2564	cmd.exe	31
PID 2564 wrote to memory of 2464	2564	cmd.exe	31
PID 2464 wrote to memory of 1780	2464	DllCommonsvc.exe	51
PID 2464 wrote to memory of 1780	2464	DllCommonsvc.exe	51
PID 2464 wrote to memory of 1780	2464	DllCommonsvc.exe	51
PID 2464 wrote to memory of 2764	2464	DllCommonsvc.exe	52
PID 2464 wrote to memory of 2764	2464	DllCommonsvc.exe	52
PID 2464 wrote to memory of 2764	2464	DllCommonsvc.exe	52
PID 2464 wrote to memory of 2776	2464	DllCommonsvc.exe	54
PID 2464 wrote to memory of 2776	2464	DllCommonsvc.exe	54
PID 2464 wrote to memory of 2776	2464	DllCommonsvc.exe	54
PID 2464 wrote to memory of 2808	2464	DllCommonsvc.exe	55
PID 2464 wrote to memory of 2808	2464	DllCommonsvc.exe	55
PID 2464 wrote to memory of 2808	2464	DllCommonsvc.exe	55
PID 2464 wrote to memory of 1476	2464	DllCommonsvc.exe	57
PID 2464 wrote to memory of 1476	2464	DllCommonsvc.exe	57
PID 2464 wrote to memory of 1476	2464	DllCommonsvc.exe	57
PID 2464 wrote to memory of 712	2464	DllCommonsvc.exe	59
PID 2464 wrote to memory of 712	2464	DllCommonsvc.exe	59
PID 2464 wrote to memory of 712	2464	DllCommonsvc.exe	59
PID 2464 wrote to memory of 2332	2464	DllCommonsvc.exe	60
PID 2464 wrote to memory of 2332	2464	DllCommonsvc.exe	60
PID 2464 wrote to memory of 2332	2464	DllCommonsvc.exe	60
PID 2464 wrote to memory of 2556	2464	DllCommonsvc.exe	65
PID 2464 wrote to memory of 2556	2464	DllCommonsvc.exe	65
PID 2464 wrote to memory of 2556	2464	DllCommonsvc.exe	65
PID 2556 wrote to memory of 2768	2556	cmd.exe	67
PID 2556 wrote to memory of 2768	2556	cmd.exe	67
PID 2556 wrote to memory of 2768	2556	cmd.exe	67
PID 2556 wrote to memory of 2364	2556	cmd.exe	68
PID 2556 wrote to memory of 2364	2556	cmd.exe	68
PID 2556 wrote to memory of 2364	2556	cmd.exe	68
PID 2364 wrote to memory of 2976	2364	DllCommonsvc.exe	87
PID 2364 wrote to memory of 2976	2364	DllCommonsvc.exe	87
PID 2364 wrote to memory of 2976	2364	DllCommonsvc.exe	87
PID 2364 wrote to memory of 2744	2364	DllCommonsvc.exe	88
PID 2364 wrote to memory of 2744	2364	DllCommonsvc.exe	88
PID 2364 wrote to memory of 2744	2364	DllCommonsvc.exe	88
PID 2364 wrote to memory of 1872	2364	DllCommonsvc.exe	89
PID 2364 wrote to memory of 1872	2364	DllCommonsvc.exe	89
PID 2364 wrote to memory of 1872	2364	DllCommonsvc.exe	89
PID 2364 wrote to memory of 1296	2364	DllCommonsvc.exe	90
PID 2364 wrote to memory of 1296	2364	DllCommonsvc.exe	90
PID 2364 wrote to memory of 1296	2364	DllCommonsvc.exe	90
PID 2364 wrote to memory of 484	2364	DllCommonsvc.exe	91
PID 2364 wrote to memory of 484	2364	DllCommonsvc.exe	91
PID 2364 wrote to memory of 484	2364	DllCommonsvc.exe	91
PID 2364 wrote to memory of 1556	2364	DllCommonsvc.exe	92
PID 2364 wrote to memory of 1556	2364	DllCommonsvc.exe	92
PID 2364 wrote to memory of 1556	2364	DllCommonsvc.exe	92
PID 2364 wrote to memory of 1728	2364	DllCommonsvc.exe	93
PID 2364 wrote to memory of 1728	2364	DllCommonsvc.exe	93
PID 2364 wrote to memory of 1728	2364	DllCommonsvc.exe	93
PID 2364 wrote to memory of 1480	2364	DllCommonsvc.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e89ddc5d12f29630f697262264335478e76daf91257bf9fdc022781ce4e6ba7e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e89ddc5d12f29630f697262264335478e76daf91257bf9fdc022781ce4e6ba7e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2564
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\de-DE\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:712
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I9W3ww1GNp.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2556
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2768
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2744
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\ja-JP\dwm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Program Files\DVD Maker\ja-JP\dwm.exe
        
        "C:\Program Files\DVD Maker\ja-JP\dwm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
        8⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1624
        
        C:\Program Files\DVD Maker\ja-JP\dwm.exe
        
        "C:\Program Files\DVD Maker\ja-JP\dwm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat"
        10⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1696
        
        C:\Program Files\DVD Maker\ja-JP\dwm.exe
        
        "C:\Program Files\DVD Maker\ja-JP\dwm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
        12⤵
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2636
        
        C:\Program Files\DVD Maker\ja-JP\dwm.exe
        
        "C:\Program Files\DVD Maker\ja-JP\dwm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat"
        14⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1908
        
        C:\Program Files\DVD Maker\ja-JP\dwm.exe
        
        "C:\Program Files\DVD Maker\ja-JP\dwm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat"
        16⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1128
        
        C:\Program Files\DVD Maker\ja-JP\dwm.exe
        
        "C:\Program Files\DVD Maker\ja-JP\dwm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat"
        18⤵
        
        PID:2980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2516
        
        C:\Program Files\DVD Maker\ja-JP\dwm.exe
        
        "C:\Program Files\DVD Maker\ja-JP\dwm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        20⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2388
        
        C:\Program Files\DVD Maker\ja-JP\dwm.exe
        
        "C:\Program Files\DVD Maker\ja-JP\dwm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Windows\de-DE\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Office\Office14\1033\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\DVD Maker\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\DVD Maker\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc56f1622c754e2fa9856d04a20857fb

SHA1
e5da1ad1407072b24ed0b742dbc5ea6cef73f927

SHA256
2004f7b78b420832737f70398fb4882adda17d605b45d774559c8e58ed061299

SHA512
ad9a4be7c273d6a29dd80fe5a3dd154f28ed18119f975586579e5cf2772839d458296336aaf93dcd73b86092efc4dc24e1b031d16d58fdf135c64d813e8e2ca1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3fad414e5df53906000fe2edcb9b120

SHA1
e203bc0136fb388df6a5985eceb0fcfe3b57a5ec

SHA256
bd552a33b3dd1cebb2200482b6601a61db0e4acdbff29a3189adb1f321fc703f

SHA512
8b61aac64e283f20cdc95131da320a726a7a92cd0c1a48875cd03059911f59e4b0a53d9a0333db80ccc1c70664959e420ca90019ed1f0bb6d41258b25c060e35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
41126936d14f4c11ae8cb1b70e521ed9

SHA1
44b4ff6872f872440ab639b18b7ecb0c50c5be03

SHA256
e45febb0d034f9ebe6c42cb4b748ca460003ce3dfc39acd27f6acc7a889cde59

SHA512
4741912e027c1f144b304e1c0c849c0fdfa0e00ad9aa2e783f4290edc3e473880c67d1c3fff80a6162fa4fc4639a0ae605f1650f9f4fe4996cfee032d12cee19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
555f6ecb616eb25f0146ebf79eceb938

SHA1
b38b3ebeb81b3ba9ba50b7cb93f1f91854e89457

SHA256
339b9571f1d24081ab14ba993aecee9b07b838f288ac1ada20032debbf5330df

SHA512
c833271c773cc3ea65933ffefbbb5f0d6eed4978ad95d794bef2446d0dd83d20727c21e639e9173e45eaabc806216adf0190b5a7c59f46696ec1c639ae834997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14101c0cfe61fa44c91e1e7029c34505

SHA1
c7c9af77aac52e25d4a37e5eae446b35224d44a5

SHA256
a69ff21d89923ce5928500397ab1c77e801088b9c18525d818d50605fe69079e

SHA512
55d55b6ed045e7db42f68d9f9c4fc03a33e69888d8c55005b4e7302dbf57093caa101a776215e6f41e8db1e5927b075bb905aa3f23cee0112a611c7821fa3bf9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
97d547097a697174518f0ac0d5b41172

SHA1
a799a905b55796a47448c1ff44ff38bcf3e06b37

SHA256
7f95172e60eaa0e8d755bd9b6c4e41f848f2fc899065b514ddbff58193dd5013

SHA512
e54cee9c7524ec20410f255216b7f5756f625dd6f27baaa1d6a738790f95cb58eb74e92c6917f073e0e871d4d223bdc1e72a7123ea0ca39f94aa1887bd566574

Download Submit
C:\Users\Admin\AppData\Local\Temp\1e6qhBZ49x.bat

Filesize
205B

MD5
f97a381e517c6b60ddf685f200fd45d1

SHA1
e80303f0ad9392a769e495c5d49a1fb7d45d57c6

SHA256
fb2c08657a4d18698607e4bf63314881d93efd2e2971f514c674af8850883cd8

SHA512
c951b08798426cf13cd3113b963d23d5abf833c45bdeb15decd3a19b66df0b6ea2ab8116d0acfb5f9132a715adfce2e92ce5b93ae2d81b509f94cae969b03f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\6Zqs8041Oe.bat

Filesize
205B

MD5
8a35dd128ae683c4416464905b73bd21

SHA1
2031e8f61aa7904f1826bcda5b9d9e1175b51ecc

SHA256
ebd515799b069fa3f1cf343c4074618aede16927cab96e6d8a2d267a737e9630

SHA512
9b42058a14beb30140c16634cc06ab921ef807c4fa386d24630f81f0db220499007a4116d976c3c0abbfcee3edd34917c13908da03fb60672f7c151943483ce3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAC87.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\I9W3ww1GNp.bat

Filesize
199B

MD5
7b486e244fafe5c85884d48f3aa2ad06

SHA1
43353138a8889595a0d4ca05eee7b9073c27941b

SHA256
5d2cb6a40f421e4d7c0ba9c01b277b1a58718388d722fcd2d320218494cd0943

SHA512
dd2df86b935e50efdd909261145925ae9e9a422e1e57ee7ba9ee0e192bfa6eb034d3c77407aecd266a0e330057574ac5e6396056ebdc1b4ab209344b8780a293

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
205B

MD5
b654ff18ae659cb26452c6e3def397ed

SHA1
fcaaaf080d3ea2374f92a42ac92bfbcdc72584a7

SHA256
df633e32197a1b49ec5ceba92920de534a033f990f067eda567592191d68e352

SHA512
0cb1d0eb0c287467c593397055bac6649fa5c578f3bee28246a6bc4c23eac454246a99b121266607aa37b8b7134b4c5ee50a148b57fd769af5166370fccfe764

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat

Filesize
205B

MD5
0b1cb486a3bb39fb22710f5da24cc17e

SHA1
33ce1ba5f350c224aa55c75e7e5bdc76638a03a4

SHA256
4d670c966b18b4d0b8de29ccbd53163c074b5d5bcb9002db37f4b1abaace3c38

SHA512
ac8f0589944154f302db1457f4775e98c1a1c1ce597117b4471ac73af20f50e48af251878a7920c10d34c5696d771a1c90a08a185a87b44918ca27b64f2e5467

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAC99.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\l7tVtcAquU.bat

Filesize
205B

MD5
f68386c0f1c2bf1839a6eeb1dd354b07

SHA1
f0a96fe63c6f25bf90a37c80a40275b2c8e3b348

SHA256
5a64116d8ceb3bdf8d110282fc55fe33dce98fa3b89eaf53732af787f2ba9885

SHA512
13cc917953c0c5154b0ffcbb85af91e3417546124e5f56aabd2a9dcc819716f5a5e217cd7b7ad962b32e984a71f1c9ff23cef28f2d14317694852280e319c515

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
205B

MD5
7a865d9243b9a5faaf9b023e3d5542f6

SHA1
ca26cfd34c1b1a785eb4e964e4e697e8104f4ee7

SHA256
3bde6a253ca79185ef6e0ca2d7cb820a3ad4b1257f1ebdc29d0ae6950fc59326

SHA512
f4df2948b044e4d037806bb1d7220ee616ed8f8d622b245f9b5afbbda2584f1735ff75a1b8c33a6c551acd36033712619f55b96b6e4e3e0b2136bdc10df44515

Download Submit
C:\Users\Admin\AppData\Local\Temp\rE1HJofSUb.bat

Filesize
205B

MD5
042ad71bc6941dc9ff43636fcc04cea6

SHA1
2829b6dc763543e31b3294b3df6256c06c7a0ee3

SHA256
746718ba1728414ebaf0da72ccbe2a507d064910c192e137fd9bdd408eb743ed

SHA512
b91bb04962f6f6a1cf9b3ec20244419028a43993ab7ee7d45c6f266a313aa37975302d2dd35dbd1fc18663af218888fe28d5377a40d4ef51abccdcb74eaad658

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
389b61af74981aacab95254a71aa949e

SHA1
7481d3afa095d645a58c999496288c79b5a733b4

SHA256
0928e53016f866efcc8684003b6f52ff7c739ab9a54b1341022fa8d5db3b3e87

SHA512
9627e5bff895627b4c2999ce0fa6935cd24aea94910bfb0c406ec0b962ae2405113d948ebfb03c0c7ecad465e69952e4c8fe658e6e124dc4ebcd4d0bf8890e19

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1296-101-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/1296-102-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/1480-128-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/1772-484-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/2364-72-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/2440-305-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/2464-15-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2464-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2464-13-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2464-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2464-17-0x0000000000680000-0x000000000068C000-memory.dmp

Filesize
48KB

Download
memory/2552-424-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2760-544-0x0000000000BE0000-0x0000000000CF0000-memory.dmp

Filesize
1.1MB

Download
memory/2808-48-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/2808-50-0x00000000021E0000-0x00000000021E8000-memory.dmp

Filesize
32KB

Download