dcrat | ddabab58595d93a3defd6d065ebe6e4dcf870d1d32dd0bb8ea11d30bb4bdd902

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ddabab58595d93a3defd6d065ebe6e4dcf870d1d32dd0bb8ea11d30bb4bdd902.exe
Size

1.3MB
MD5

4c1c3ff3d9b065d0bd43ae34c4e00378
SHA1

2293feb138ad72454f6e5f61a33456273aca7f4b
SHA256

ddabab58595d93a3defd6d065ebe6e4dcf870d1d32dd0bb8ea11d30bb4bdd902
SHA512

5208f29d3c466d06907e3f6125f7b7534bfb06d0a17bf7ef43266e6dcd52c9588bb690906868181026bf3057164363fb087d530d5ecfbc9683828b39db3e7838
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2560	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015e25-9.dat	dcrat
behavioral1/memory/2632-13-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/memory/1668-47-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/2664-152-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/568-333-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/1596-393-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2204	powershell.exe
1608	powershell.exe
1076	powershell.exe
864	powershell.exe
444	powershell.exe
1532	powershell.exe
1376	powershell.exe
2372	powershell.exe
1364	powershell.exe
2344	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2632	DllCommonsvc.exe
1668	smss.exe
2664	smss.exe
2808	smss.exe
892	smss.exe
568	smss.exe
1596	smss.exe
2512	smss.exe
2780	smss.exe
1552	smss.exe
616	smss.exe
3040	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
1272	cmd.exe
1272	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
40	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\de-DE\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\de-DE\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Landscapes\System.exe	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Landscapes\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ddabab58595d93a3defd6d065ebe6e4dcf870d1d32dd0bb8ea11d30bb4bdd902.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2876	schtasks.exe
1980	schtasks.exe
768	schtasks.exe
804	schtasks.exe
2540	schtasks.exe
2944	schtasks.exe
2104	schtasks.exe
2864	schtasks.exe
2936	schtasks.exe
1496	schtasks.exe
2036	schtasks.exe
2084	schtasks.exe
1968	schtasks.exe
2060	schtasks.exe
2424	schtasks.exe
580	schtasks.exe
2964	schtasks.exe
1424	schtasks.exe
2768	schtasks.exe
1676	schtasks.exe
2168	schtasks.exe
1936	schtasks.exe
2260	schtasks.exe
1444	schtasks.exe
884	schtasks.exe
3000	schtasks.exe
2992	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2632	DllCommonsvc.exe
1608	powershell.exe
1532	powershell.exe
864	powershell.exe
1376	powershell.exe
1076	powershell.exe
2344	powershell.exe
444	powershell.exe
1364	powershell.exe
2372	powershell.exe
2204	powershell.exe
1668	smss.exe
2664	smss.exe
2808	smss.exe
892	smss.exe
568	smss.exe
1596	smss.exe
2512	smss.exe
2780	smss.exe
1552	smss.exe
616	smss.exe
3040	smss.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2632	DllCommonsvc.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	1376	powershell.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	1668	smss.exe
Token: SeDebugPrivilege	2344	powershell.exe
Token: SeDebugPrivilege	444	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2664	smss.exe
Token: SeDebugPrivilege	2808	smss.exe
Token: SeDebugPrivilege	892	smss.exe
Token: SeDebugPrivilege	568	smss.exe
Token: SeDebugPrivilege	1596	smss.exe
Token: SeDebugPrivilege	2512	smss.exe
Token: SeDebugPrivilege	2780	smss.exe
Token: SeDebugPrivilege	1552	smss.exe
Token: SeDebugPrivilege	616	smss.exe
Token: SeDebugPrivilege	3040	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2840 wrote to memory of 2808	2840	JaffaCakes118_ddabab58595d93a3defd6d065ebe6e4dcf870d1d32dd0bb8ea11d30bb4bdd902.exe	30
PID 2840 wrote to memory of 2808	2840	JaffaCakes118_ddabab58595d93a3defd6d065ebe6e4dcf870d1d32dd0bb8ea11d30bb4bdd902.exe	30
PID 2840 wrote to memory of 2808	2840	JaffaCakes118_ddabab58595d93a3defd6d065ebe6e4dcf870d1d32dd0bb8ea11d30bb4bdd902.exe	30
PID 2840 wrote to memory of 2808	2840	JaffaCakes118_ddabab58595d93a3defd6d065ebe6e4dcf870d1d32dd0bb8ea11d30bb4bdd902.exe	30
PID 2808 wrote to memory of 1272	2808	WScript.exe	31
PID 2808 wrote to memory of 1272	2808	WScript.exe	31
PID 2808 wrote to memory of 1272	2808	WScript.exe	31
PID 2808 wrote to memory of 1272	2808	WScript.exe	31
PID 1272 wrote to memory of 2632	1272	cmd.exe	33
PID 1272 wrote to memory of 2632	1272	cmd.exe	33
PID 1272 wrote to memory of 2632	1272	cmd.exe	33
PID 1272 wrote to memory of 2632	1272	cmd.exe	33
PID 2632 wrote to memory of 864	2632	DllCommonsvc.exe	62
PID 2632 wrote to memory of 864	2632	DllCommonsvc.exe	62
PID 2632 wrote to memory of 864	2632	DllCommonsvc.exe	62
PID 2632 wrote to memory of 2204	2632	DllCommonsvc.exe	63
PID 2632 wrote to memory of 2204	2632	DllCommonsvc.exe	63
PID 2632 wrote to memory of 2204	2632	DllCommonsvc.exe	63
PID 2632 wrote to memory of 1608	2632	DllCommonsvc.exe	64
PID 2632 wrote to memory of 1608	2632	DllCommonsvc.exe	64
PID 2632 wrote to memory of 1608	2632	DllCommonsvc.exe	64
PID 2632 wrote to memory of 1076	2632	DllCommonsvc.exe	66
PID 2632 wrote to memory of 1076	2632	DllCommonsvc.exe	66
PID 2632 wrote to memory of 1076	2632	DllCommonsvc.exe	66
PID 2632 wrote to memory of 444	2632	DllCommonsvc.exe	67
PID 2632 wrote to memory of 444	2632	DllCommonsvc.exe	67
PID 2632 wrote to memory of 444	2632	DllCommonsvc.exe	67
PID 2632 wrote to memory of 2344	2632	DllCommonsvc.exe	70
PID 2632 wrote to memory of 2344	2632	DllCommonsvc.exe	70
PID 2632 wrote to memory of 2344	2632	DllCommonsvc.exe	70
PID 2632 wrote to memory of 1364	2632	DllCommonsvc.exe	71
PID 2632 wrote to memory of 1364	2632	DllCommonsvc.exe	71
PID 2632 wrote to memory of 1364	2632	DllCommonsvc.exe	71
PID 2632 wrote to memory of 2372	2632	DllCommonsvc.exe	72
PID 2632 wrote to memory of 2372	2632	DllCommonsvc.exe	72
PID 2632 wrote to memory of 2372	2632	DllCommonsvc.exe	72
PID 2632 wrote to memory of 1376	2632	DllCommonsvc.exe	73
PID 2632 wrote to memory of 1376	2632	DllCommonsvc.exe	73
PID 2632 wrote to memory of 1376	2632	DllCommonsvc.exe	73
PID 2632 wrote to memory of 1532	2632	DllCommonsvc.exe	74
PID 2632 wrote to memory of 1532	2632	DllCommonsvc.exe	74
PID 2632 wrote to memory of 1532	2632	DllCommonsvc.exe	74
PID 2632 wrote to memory of 1668	2632	DllCommonsvc.exe	82
PID 2632 wrote to memory of 1668	2632	DllCommonsvc.exe	82
PID 2632 wrote to memory of 1668	2632	DllCommonsvc.exe	82
PID 1668 wrote to memory of 2992	1668	smss.exe	83
PID 1668 wrote to memory of 2992	1668	smss.exe	83
PID 1668 wrote to memory of 2992	1668	smss.exe	83
PID 2992 wrote to memory of 2144	2992	cmd.exe	85
PID 2992 wrote to memory of 2144	2992	cmd.exe	85
PID 2992 wrote to memory of 2144	2992	cmd.exe	85
PID 2992 wrote to memory of 2664	2992	cmd.exe	86
PID 2992 wrote to memory of 2664	2992	cmd.exe	86
PID 2992 wrote to memory of 2664	2992	cmd.exe	86
PID 2664 wrote to memory of 768	2664	smss.exe	88
PID 2664 wrote to memory of 768	2664	smss.exe	88
PID 2664 wrote to memory of 768	2664	smss.exe	88
PID 768 wrote to memory of 800	768	cmd.exe	90
PID 768 wrote to memory of 800	768	cmd.exe	90
PID 768 wrote to memory of 800	768	cmd.exe	90
PID 768 wrote to memory of 2808	768	cmd.exe	91
PID 768 wrote to memory of 2808	768	cmd.exe	91
PID 768 wrote to memory of 2808	768	cmd.exe	91
PID 2808 wrote to memory of 2872	2808	smss.exe	92

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddabab58595d93a3defd6d065ebe6e4dcf870d1d32dd0bb8ea11d30bb4bdd902.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ddabab58595d93a3defd6d065ebe6e4dcf870d1d32dd0bb8ea11d30bb4bdd902.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1272
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\de-DE\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Landscapes\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1668
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2144
        
        C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:800
        
        C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat"
        10⤵
        
        PID:2872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2772
        
        C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat"
        12⤵
        
        PID:1312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2248
        
        C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat"
        14⤵
        
        PID:2812
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1804
        
        C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat"
        16⤵
        
        PID:2980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2968
        
        C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"
        18⤵
        
        PID:2192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:556
        
        C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
        20⤵
        
        PID:612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2172
        
        C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
        22⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:444
        
        C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat"
        24⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1476
        
        C:\Program Files\Windows Mail\de-DE\smss.exe
        
        "C:\Program Files\Windows Mail\de-DE\smss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat"
        26⤵
        
        PID:584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\de-DE\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\de-DE\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Windows\Web\Wallpaper\Landscapes\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Landscapes\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Windows\Web\Wallpaper\Landscapes\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\CrashReports\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc026b6a27cd29f0375bd02889437719

SHA1
7c78abbe92c6c03820938b6b245591e40825a309

SHA256
46dbb3ec1afd6e5a83834e4e560a67b3f24a926827933d3440a9d9bb5980a91a

SHA512
e31c7d09b9b6d0a564a50030bb4e01c7b22389bf7933d65f3b1d829bf7e334d82ffea3f9c1c5309631d684f2bed2d8d3eb94f999f5da1a5a181ee12479dd011d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fa4dc598ff65a6b27774522c7c6bef8

SHA1
adcbe9b130117f87c403982f2baf4c9ad3d898b2

SHA256
41346f113bd41f5783dc768a2d8f27b26ff541bd64840b79d03ab04d8806c9e4

SHA512
f739f95400473981f033f364a1ee1c748f38e3a8633944bf8125750e47ab67578c4ed24d6b3f6cfddbb4f957af00c0edb2bb049e0d89121c0981daa04289c984

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2fffb3e2ce1f257fc8c5fc10e46f83e

SHA1
ad2a6bb0a9f9d1ba4c5f4ca037e2beda91bf6fdd

SHA256
5de19db71957eac3de6b22df07da65738d52d9de6747af08919681fff5718f15

SHA512
79850996215da76d49bb305fa78bcd79c59a664da20221bb4210faa446bfa8921eb859df9b0294fd5fd64ec35d0d204fe99a9f8ebd5067b48f0ceff69f2fa0fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c92cf73b089cf189b6575a822885e1d

SHA1
50e2133c1a2ee6edb993c4d5d3d2ea0c4534f31d

SHA256
d4230db35dc51dec39c914ac1375a147a88f9e6ef4502aa087d9d5d58a280245

SHA512
ada5d68a5a075d4ae1d0ee252bd69b2761ebb7ee63c6f06622d0af8526fd91eccb9c03c15c5963c94aae86fba4f9f5e9811d2d8517546883f5a1c9e59834bddd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ae00717db054695c5f8958f1b6f95d8e

SHA1
5e3a9eaceb8e71a917601f872b40a07b587a6308

SHA256
6d1bf815829c2267dcc16634e3c076a96d4ecd07bc2d3d48305359845cb24879

SHA512
ede5ef862542dd1fefdfb3ae19b6256768453fea21eb4d32b4bae35d417f938bbcf8b10cd3e383923790ee2c600c3189a32eae232c193f15989baa938c3bfb20

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
36b807754cb77305f82650af8802bf71

SHA1
81df9596f34952e6a47dba7aa53e284ac7f3ea68

SHA256
903b61e619aa5b64179f38bb5b9021cf32fdad4c1cfb4edadc4b9835be80d222

SHA512
b2bba24dc92ecfd3599fcc2944aba4dff2961406afdaea3e28d78b33303a647bd32774ba318d1ccfeb9658ba7b08915a339d03a11f36d61249d64762d7fc7bb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
859edc8d4a350e3da3824fd40624e591

SHA1
a86db56760dbdcd8d71b1adb71c9a53526806011

SHA256
94e26e0207353cad50fa8f07a611425f1dd2628f24a4efa87a434a99f5dc3a31

SHA512
ccd14ca856fbcb05f58b0110dffcec0097622c007b30653aae5a6c49810e9ba8dc8b9e1e140c6606d0855164fe361075005c6f4881dadc96f2a65b5846f6c8de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8742c61dbf94b8cc106feccaf128f2c2

SHA1
5ebf5fbc759b51496f08f19142b80d3d6736603d

SHA256
7333f8a7d6ca82fcce628b8e00b2ea3fdfbf99f3ced213bed860a4c0b89477c9

SHA512
9232e9b5e91ca5286960e0f9b60e88d87b83d3b0f4785231e76a6c1db44ee520ce6686452dcba95e80225bd33c6ca28f9a23a0821afe0f216b7b60c80865c55d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8e485cad643d4b8433822127c154cdd

SHA1
c4148b3a89abddcdf2cf16bce14cf3814655ee37

SHA256
372844a42840c069fb70f6180e8598489da4347985a6a7f22608d3643f655c58

SHA512
0be93c2069e5b484f58931d90ab82236b7000fe90b2f23121c7bf97e942a454c3a9c3e645d6e672a9e49043e70d44704a24c2ef344d5c1ca4c8f807e42df378e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
948903bf7f44922f17b29b905e8fa8e6

SHA1
65dd54863c5f364dfb8f9423bac41350ddccca84

SHA256
e21bd65bdd2b97c3a34b1473b1e87e54e7bdea692d4cb3549352e92be5e1acd0

SHA512
cd3ef0af7e1e293aecc92d7addad265abe7d49cc76bf6d01d32125d2da8cabf75ede6c1d14d0306355c6879944d4427193ff56bd675c4cb450cb22f72dd458d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat

Filesize
209B

MD5
6ff91e2e9fce5eb9ae25fa95f388c2f5

SHA1
94139263cf9e3626878366ca4c809c2f5637f34e

SHA256
9893da63dfdb51f4144b9cb464cbbc956bafafa1fd95dc0c4bb7a8125208fcf9

SHA512
34d79548964bcf9a30808e36e24d4758fea52a8de7d3fefa504aef8b1f360adee2f3a82e5803d5d94a324b76d4c8fe9baabfc79313f37207c1df4e3481ea75a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA556.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
209B

MD5
3fe9262da3c6ac610cfca692f27076de

SHA1
bd3f4d8c95a86149a51a957fab862179469705d9

SHA256
87bc4698fa2a8f926e0bff93f8b8f9007c4bec625ea2ece9244b66d8954887a9

SHA512
4ccff382d1904474773b1d9071d6dc02abe8e1b3477dd8f2befc3bbb7c9e629bc212aff52e7cbb992e6727a07ce2788db713e749dc5a0ba4d771f42706156482

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat

Filesize
209B

MD5
a2b8d49742c24b775fafe98b3c86339a

SHA1
08ff3ef428378e4252551a1e4d874c7fd9bee9b0

SHA256
956be3374c306ac5af950155a67872281d4347c5dfc6c608e7b0908b684d225e

SHA512
eccadc17d2a4567f569f8f1fc4eb65e31c27917175f033f3cb54d6fae81134b29ccd2523f93e33f9de0cedef3a3d8004a0959ac87591bf4448c6ce96acda4cad

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

Filesize
209B

MD5
969237c82e513326e002c2b47eb12b58

SHA1
f260731eb0b94e7af36971f30a02c433722f0e0f

SHA256
f2efe0a24c3f89fcf233d9d9b96d4af811df8094e17e9954e37a33db337f4d6e

SHA512
c6b1640de37f39bf6b8d43688c80f45904373c6c9393b183fdb1c6be6ec7329e602f285c4a58017a2b68d83a51968756a0f8f7e7d410972b3374faecc3865f64

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA568.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\U04fYIssV3.bat

Filesize
209B

MD5
88670bbbeb1732384a1302db96923074

SHA1
c17f8d55bceea61fd1edd75608bee7cbccc14e4c

SHA256
8b2f8bbbdc1e868f1ff613ef877aef8420649da705fadfd0761894039c7cab0e

SHA512
df3ec046d1844d1bb60176f4110fdbc537e25b4e49e2f29eab27149a70e3d92ecbb8f266d25abdcb12dc4ba17be99369dd0b5cda5091e02a2333951a9220d560

Download Submit
C:\Users\Admin\AppData\Local\Temp\WOs9W2tFAs.bat

Filesize
209B

MD5
fbca80f7608e1335fc3a90e16c7bab47

SHA1
6f409243aee140b7da4f432b25b3d10935cff103

SHA256
06254f9824883bfb277d2228b6b168aaaea458d12a576bba35d2ca1f5ea1d947

SHA512
088f655cf45a085fa8c58cb7fd2375c7ac851ab4746a8c7604435b012cfdbdd3d33384758baaeb4bf04d6f83a3ee930a195b05a54c8f9cf3e971db410eeb4ad1

Download Submit
C:\Users\Admin\AppData\Local\Temp\YzNOjOTGFC.bat

Filesize
209B

MD5
c8e886fa50ca88fdc9a826af6f1c4ece

SHA1
c89408b9d80b58d0d07eb6aa511c6c0f783b3567

SHA256
fc0fbea6eb70b80e7c583678532aa54d367cb3e1ba63486bc7742d837730dbf7

SHA512
47d7886712ed454e9c3199eef6aaa912ab0eeaecd8238d6879419b09ccbbde2d08b6db8145e5afd91f66fd37c035521a03c2be4468214f4c247c8d85796a2b66

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
209B

MD5
5e7c195b00c08aaa5a94a5f4cb96c2e8

SHA1
0ffe0fffe88e68519532cd70f993d98629d1217b

SHA256
150d26bc157e50d5fa6ad07dd97d39a458d1fd2aee9e7ec059850cf280d2c44f

SHA512
4b211155ce253380230c0c6fcf6512447b959e5fc0b1821f9e9352cb1ac8f16600765afb7e6f75cceb9bd13ecd15b4719a6e7b8d5f11bb28eef711a930fc5e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat

Filesize
209B

MD5
d70b9bea3ab3a947eb93e06e6f4e31f6

SHA1
6991c92d19daf51cb42a8422b6a4c1021d191b2c

SHA256
3517814e1fdb630871ce4678ac25b5f65835a6cf6beb213a6f40b71207e7d297

SHA512
0ee298c6ea2f7c54610bc7a5cb36ea3118e519db9a91f8c26eefc9dad7742ba5eb420a2a77692a81c416019076a9be4a9a9fcf1df47ed6f612fe1a8d555b56c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\unLkZH0FaU.bat

Filesize
209B

MD5
f706030d90a4645d20e3a475291a0d4c

SHA1
3d92b7c2cdca95e4d3301fa1f9a7eef5070a6424

SHA256
0e1446cecced9b7a3c37af26fc682c6a7ccf045d7e3924dc6bae857988596070

SHA512
bf7f0e4a7350edb38b95b2ac4585705af98b3a6981b794d1e0f01152293589e92888d96366b06030cfa28b2316cdaea3eb1bb31d5ae91b7163a2400ea93a2edb

Download Submit
C:\Users\Admin\AppData\Local\Temp\xm2kK1SIVO.bat

Filesize
209B

MD5
b49f3250b02ee949de795417d7344dbe

SHA1
ce87ba02f93d3eabcf608bc0a2f381b808c3c0d4

SHA256
58a90527e9eebe0de9cb2fdf3b1715f640cfcd7089c0f2b79b00347747786701

SHA512
358b33d144f856344df2d4902f6bf96aff36605ad0803135cae95fb2eae4af6140ad8732f9627e1a695307288687067220f2fb42eb1070351fe6890aee726801

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3e1877aa0fd2726d9820b18d4d4098a8

SHA1
a3afc90158a52a7f563d619b57b1202f9620953a

SHA256
bd304ad0439eb2a809c17126bf6620e76c153c3af7c4889b224ec6cd3927d894

SHA512
a45b48e13b8cfe374e84b224337979d660b7953f6a012548ae1f0346dbe132a75d19e271edd63c6744c3355310defc80f49b6a582b49385e21eff3502802418d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/568-333-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/892-273-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1596-394-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1596-393-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/1608-46-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1608-49-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

Filesize
32KB

Download
memory/1668-47-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/2632-15-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2632-17-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2632-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2632-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2632-13-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/2664-152-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2664-153-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2808-213-0x0000000000760000-0x0000000000772000-memory.dmp

Filesize
72KB

Download
memory/3040-690-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download