dcrat | 735ba29cfbb38de3e4ee0783b57f860b3f19d0c5541721e5ac077b3f7f2c122e

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_735ba29cfbb38de3e4ee0783b57f860b3f19d0c5541721e5ac077b3f7f2c122e.exe
Size

1.3MB
MD5

1119fffbe6fce8d4b6ba8967790f01d2
SHA1

00dae00708bd2b1adc40bc7cacadd5fab8fc102f
SHA256

735ba29cfbb38de3e4ee0783b57f860b3f19d0c5541721e5ac077b3f7f2c122e
SHA512

3e1b8a98c5e2722d7c2377af6df9dcd542be1c25e946801276eb58cbf6108353d98ac4683928360a070d36b23c60bcf3c087d668d7676f0838ea58c74ed4ff9f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	3028	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	680	3028	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001949d-9.dat	dcrat
behavioral1/memory/2188-13-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat
behavioral1/memory/1512-98-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/2836-157-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/540-217-0x0000000001180000-0x0000000001290000-memory.dmp	dcrat
behavioral1/memory/1920-336-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/2660-456-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2432-516-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1064	powershell.exe
1248	powershell.exe
1620	powershell.exe
1676	powershell.exe
1900	powershell.exe
1584	powershell.exe
2496	powershell.exe
352	powershell.exe
1688	powershell.exe
1636	powershell.exe
2224	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2188	DllCommonsvc.exe
1512	lsass.exe
2836	lsass.exe
540	lsass.exe
1764	lsass.exe
1920	lsass.exe
2104	lsass.exe
2660	lsass.exe
2432	lsass.exe
2260	lsass.exe
548	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	cmd.exe
2128	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\packetizer\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_735ba29cfbb38de3e4ee0783b57f860b3f19d0c5541721e5ac077b3f7f2c122e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2944	schtasks.exe
2684	schtasks.exe
2644	schtasks.exe
2972	schtasks.exe
2180	schtasks.exe
620	schtasks.exe
2948	schtasks.exe
1992	schtasks.exe
2912	schtasks.exe
264	schtasks.exe
2880	schtasks.exe
2004	schtasks.exe
2284	schtasks.exe
1084	schtasks.exe
704	schtasks.exe
1624	schtasks.exe
2976	schtasks.exe
1512	schtasks.exe
804	schtasks.exe
2544	schtasks.exe
2676	schtasks.exe
2776	schtasks.exe
1980	schtasks.exe
2932	schtasks.exe
1804	schtasks.exe
2148	schtasks.exe
408	schtasks.exe
680	schtasks.exe
2384	schtasks.exe
3008	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
2188	DllCommonsvc.exe
1676	powershell.exe
2224	powershell.exe
1064	powershell.exe
1620	powershell.exe
1584	powershell.exe
1636	powershell.exe
352	powershell.exe
1248	powershell.exe
2496	powershell.exe
1900	powershell.exe
1688	powershell.exe
1512	lsass.exe
2836	lsass.exe
540	lsass.exe
1764	lsass.exe
1920	lsass.exe
2104	lsass.exe
2660	lsass.exe
2432	lsass.exe
2260	lsass.exe
548	lsass.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2188	DllCommonsvc.exe
Token: SeDebugPrivilege	1676	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1636	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1248	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1512	lsass.exe
Token: SeDebugPrivilege	2836	lsass.exe
Token: SeDebugPrivilege	540	lsass.exe
Token: SeDebugPrivilege	1764	lsass.exe
Token: SeDebugPrivilege	1920	lsass.exe
Token: SeDebugPrivilege	2104	lsass.exe
Token: SeDebugPrivilege	2660	lsass.exe
Token: SeDebugPrivilege	2432	lsass.exe
Token: SeDebugPrivilege	2260	lsass.exe
Token: SeDebugPrivilege	548	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 684	2724	JaffaCakes118_735ba29cfbb38de3e4ee0783b57f860b3f19d0c5541721e5ac077b3f7f2c122e.exe	31
PID 2724 wrote to memory of 684	2724	JaffaCakes118_735ba29cfbb38de3e4ee0783b57f860b3f19d0c5541721e5ac077b3f7f2c122e.exe	31
PID 2724 wrote to memory of 684	2724	JaffaCakes118_735ba29cfbb38de3e4ee0783b57f860b3f19d0c5541721e5ac077b3f7f2c122e.exe	31
PID 2724 wrote to memory of 684	2724	JaffaCakes118_735ba29cfbb38de3e4ee0783b57f860b3f19d0c5541721e5ac077b3f7f2c122e.exe	31
PID 684 wrote to memory of 2128	684	WScript.exe	32
PID 684 wrote to memory of 2128	684	WScript.exe	32
PID 684 wrote to memory of 2128	684	WScript.exe	32
PID 684 wrote to memory of 2128	684	WScript.exe	32
PID 2128 wrote to memory of 2188	2128	cmd.exe	34
PID 2128 wrote to memory of 2188	2128	cmd.exe	34
PID 2128 wrote to memory of 2188	2128	cmd.exe	34
PID 2128 wrote to memory of 2188	2128	cmd.exe	34
PID 2188 wrote to memory of 1248	2188	DllCommonsvc.exe	66
PID 2188 wrote to memory of 1248	2188	DllCommonsvc.exe	66
PID 2188 wrote to memory of 1248	2188	DllCommonsvc.exe	66
PID 2188 wrote to memory of 2224	2188	DllCommonsvc.exe	67
PID 2188 wrote to memory of 2224	2188	DllCommonsvc.exe	67
PID 2188 wrote to memory of 2224	2188	DllCommonsvc.exe	67
PID 2188 wrote to memory of 1064	2188	DllCommonsvc.exe	69
PID 2188 wrote to memory of 1064	2188	DllCommonsvc.exe	69
PID 2188 wrote to memory of 1064	2188	DllCommonsvc.exe	69
PID 2188 wrote to memory of 1620	2188	DllCommonsvc.exe	71
PID 2188 wrote to memory of 1620	2188	DllCommonsvc.exe	71
PID 2188 wrote to memory of 1620	2188	DllCommonsvc.exe	71
PID 2188 wrote to memory of 2496	2188	DllCommonsvc.exe	72
PID 2188 wrote to memory of 2496	2188	DllCommonsvc.exe	72
PID 2188 wrote to memory of 2496	2188	DllCommonsvc.exe	72
PID 2188 wrote to memory of 1636	2188	DllCommonsvc.exe	74
PID 2188 wrote to memory of 1636	2188	DllCommonsvc.exe	74
PID 2188 wrote to memory of 1636	2188	DllCommonsvc.exe	74
PID 2188 wrote to memory of 1688	2188	DllCommonsvc.exe	76
PID 2188 wrote to memory of 1688	2188	DllCommonsvc.exe	76
PID 2188 wrote to memory of 1688	2188	DllCommonsvc.exe	76
PID 2188 wrote to memory of 1584	2188	DllCommonsvc.exe	77
PID 2188 wrote to memory of 1584	2188	DllCommonsvc.exe	77
PID 2188 wrote to memory of 1584	2188	DllCommonsvc.exe	77
PID 2188 wrote to memory of 1900	2188	DllCommonsvc.exe	78
PID 2188 wrote to memory of 1900	2188	DllCommonsvc.exe	78
PID 2188 wrote to memory of 1900	2188	DllCommonsvc.exe	78
PID 2188 wrote to memory of 1676	2188	DllCommonsvc.exe	79
PID 2188 wrote to memory of 1676	2188	DllCommonsvc.exe	79
PID 2188 wrote to memory of 1676	2188	DllCommonsvc.exe	79
PID 2188 wrote to memory of 352	2188	DllCommonsvc.exe	80
PID 2188 wrote to memory of 352	2188	DllCommonsvc.exe	80
PID 2188 wrote to memory of 352	2188	DllCommonsvc.exe	80
PID 2188 wrote to memory of 880	2188	DllCommonsvc.exe	88
PID 2188 wrote to memory of 880	2188	DllCommonsvc.exe	88
PID 2188 wrote to memory of 880	2188	DllCommonsvc.exe	88
PID 880 wrote to memory of 3040	880	cmd.exe	90
PID 880 wrote to memory of 3040	880	cmd.exe	90
PID 880 wrote to memory of 3040	880	cmd.exe	90
PID 880 wrote to memory of 1512	880	cmd.exe	91
PID 880 wrote to memory of 1512	880	cmd.exe	91
PID 880 wrote to memory of 1512	880	cmd.exe	91
PID 1512 wrote to memory of 2240	1512	lsass.exe	92
PID 1512 wrote to memory of 2240	1512	lsass.exe	92
PID 1512 wrote to memory of 2240	1512	lsass.exe	92
PID 2240 wrote to memory of 3000	2240	cmd.exe	94
PID 2240 wrote to memory of 3000	2240	cmd.exe	94
PID 2240 wrote to memory of 3000	2240	cmd.exe	94
PID 2240 wrote to memory of 2836	2240	cmd.exe	95
PID 2240 wrote to memory of 2836	2240	cmd.exe	95
PID 2240 wrote to memory of 2836	2240	cmd.exe	95
PID 2836 wrote to memory of 872	2836	lsass.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_735ba29cfbb38de3e4ee0783b57f860b3f19d0c5541721e5ac077b3f7f2c122e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_735ba29cfbb38de3e4ee0783b57f860b3f19d0c5541721e5ac077b3f7f2c122e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:684
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1248
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\VLC\plugins\packetizer\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IXUYbPgzm8.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:880
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3040
      - C:\Users\All Users\Templates\lsass.exe
        
        "C:\Users\All Users\Templates\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3000
        
        C:\Users\All Users\Templates\lsass.exe
        
        "C:\Users\All Users\Templates\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
        9⤵
        
        PID:872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1648
        
        C:\Users\All Users\Templates\lsass.exe
        
        "C:\Users\All Users\Templates\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
        11⤵
        
        PID:2660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2636
        
        C:\Users\All Users\Templates\lsass.exe
        
        "C:\Users\All Users\Templates\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        13⤵
        
        PID:2372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2368
        
        C:\Users\All Users\Templates\lsass.exe
        
        "C:\Users\All Users\Templates\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        15⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2412
        
        C:\Users\All Users\Templates\lsass.exe
        
        "C:\Users\All Users\Templates\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat"
        17⤵
        
        PID:1872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2224
        
        C:\Users\All Users\Templates\lsass.exe
        
        "C:\Users\All Users\Templates\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
        19⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1288
        
        C:\Users\All Users\Templates\lsass.exe
        
        "C:\Users\All Users\Templates\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        21⤵
        
        PID:784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2776
        
        C:\Users\All Users\Templates\lsass.exe
        
        "C:\Users\All Users\Templates\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        23⤵
        
        PID:1028
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2156
        
        C:\Users\All Users\Templates\lsass.exe
        
        "C:\Users\All Users\Templates\lsass.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat"
        25⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\VideoLAN\VLC\plugins\packetizer\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\VLC\plugins\packetizer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\VLC\plugins\packetizer\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
375948e95593e28c17074964af5aec91

SHA1
c194913ffaf7d129aa6a0b34b3562a30abd209fa

SHA256
4a3606dee5d6c21d414b0ed17cd97875b1d6699d0640c547fb595a85d28437dd

SHA512
e0cd2d247a89b8a905a380860d31507bdc58fb194cde74ade48e1923823b031bee2e86479db1400005e031fad084aa05156d3940c3570b2d1342b1aba4d6cd8f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b90dd3838034988d8d4f42d1b76576a

SHA1
23cb173b96328d09a5cc5ec1a730fad7869d312a

SHA256
ecf70f8647e7d1cfa583c35037cc54550f508b5b182611e5783e31e6390cb12a

SHA512
8c0a3d3edc8db0bb076e6a5bbb465c870ea4a626af713c03b036325ae11480573d5ced201cfc693e59938314d7fa29692bc69c4ea6abb5c6fee561775b1bc807

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a96e220237c1b337e39282248b542cf2

SHA1
1b675ecbb2796bde140a4d91fdc1e018b2eb3e4d

SHA256
d18893efbb558e29d6828baad6f8d7d6c48ffa14410da09e6ccb0c46e66d50ae

SHA512
ac9c308523eb9900785dfe60553d2dbc2dfee444d934db3dbb689e6791956fa8ff805f5d6a6eb06be0606caf514fdec8a3a94ab56f625b8f580ae7786642ec6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3acb273a96aba646adc2f66d7e02bfc8

SHA1
f738661a9d8a166dd24079cdc2645bf0d1ddc019

SHA256
c25d5e9405e767951d76221a6bbde662b32797da267d11bcb1f224ea64badec3

SHA512
38aa6a6ab88245cd627268375f61965c895b23844a0d5bbf5f20413cb5ae21ffe28e8fbe64f4f243ddf6cd154bdf4a42cc46c3cc110b58f2315120ee5f8cda7f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bd57c9b87bd12c56da7ab3f46150e6f

SHA1
97dc89d4093d1a0a87b13c04a97f78ade3f10b75

SHA256
80aab20e21a034b39a605129d0b1b90eefce7bc7aa6559e07f7c1aca3b100bdf

SHA512
4255d9959e49335831060f8507dbdac04ee765654ae96b9f386441953536ed75aec133ef84915313672affc58c8e3e0ccea69a6fa374b1b9a26ebfc51b0d835a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
48091e634eefdfd4ab29478edad46721

SHA1
4c25e9bfc897e326f46bae3db13c28b7768fa38b

SHA256
7b31cb68fd86ca12786cb397a7083223b6f23531f57f53abc1d2dde8ae730547

SHA512
fd588e72f40f79c80b06395dfedbb841f027d35444bcea5e614cdb9b3446837b962e0ad4c2302dba7ebf543fd43e285117b8c66e26b0065c4053d6dfa8369e7a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6328073b90946ae9ba61d64c0aa6b2c8

SHA1
69efab801ef8743837ae44aa28fd469699795ad7

SHA256
daacc1cde6db202bec0a906bd7e4977afb74d6ad6e698ee2d4b543ec150199eb

SHA512
32d380df86ffb0a3bec7e7a36d463b2069e0b02266bc9ae8fcdb3d482c83a9e5dca01d7a6cf875658de24357e5c620724529e0f95adbd378d31b6a6a66910f07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed8d2747384fcf6ff76950e92a38a100

SHA1
20ed2bc274d8f0fc8e010bfd961b55fe350fb6cc

SHA256
6b4829e180cfbca4ff5f7e64e05e0056766929bf797d417730c2346bb11e1354

SHA512
87dbed8f9128547e5ca496351d32034fbc8aa119032070657628fb30862d4c70dbed110554a8b5fd516a16f1a4094b2d989df1cbf7f04bea95313da29a61f7df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9edf1e21fb41cf7c21294a69fb0c91f

SHA1
faf64fbc083dcbb9839b87064e5538aea23e6335

SHA256
6a46ad6712a96a3e79806a24ef622dab51523133b60bb1c6dfdd1e7f8808a9c7

SHA512
8f958d3c0209ebf9087624aa3220da526912980608c4e4315346272c48b578d453b231b6cfd804de9fbe40be093e28f2bce2583439fd08944ca998ee559abbbe

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
203B

MD5
fd7c080b702c603ab6613007d0511c20

SHA1
834edc9d1a0afcc8a121dd084b4c23ace5cbee16

SHA256
183db9838f7489a2132ed4332a41c13a58726d8d5364de54749a4641be578bb8

SHA512
3d4c59e81674914cd1934ce0e5a705edd56c1c294baeb22b975f7e0524db48e9443675b0ec11506f40a983d962fef3617cd74f0ab2ed8be1cca9cea73a6fd46d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

Filesize
203B

MD5
cffd6c5d0e7ba05252fcb2f123b712fa

SHA1
2c151a9ea5adcc1ffdf7d85264536a1e7b83ce11

SHA256
f982f88b070af7d7224de6f9600146200a43c892b5fa940581cc65947adf933f

SHA512
33c9cfccee4523ed4c17deb3cac0b3cf4828038b4faa5b136fa5b646c4f8cbc68444c1f61f0fe818b27fe9924604a1439f3d6cfbd5b22fa1619ebd30b6b5e44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2129.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOJxze5tr1.bat

Filesize
203B

MD5
b54adc0dc57c31df26675071542e1f66

SHA1
6469d77cf1c5ac33e92066f143bfc00531e5ad30

SHA256
b6137170cedd385e5cbc919796d5c58adca187265157a8192fabbeb16a2be2df

SHA512
189cb8fab91456c45f0f5fb8bcaa8750229b1d0105402e19501c4e8827a704213a2158d6a2ce6730efccc818a289d1a5f22137beec779fa383393a4f9618a25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

Filesize
203B

MD5
fd5b2e55bd95e8255460421583273c90

SHA1
81b713500b850602fa570f0ac659d0864e52d79a

SHA256
b7f9ef35ff5486421f6c7e588fa6c5962e9fd5d910797dd8866f5886370252df

SHA512
74762f8fcc07c81b1ee553e33d1f43fc7a26eee5bbdafb847a100f74007fd5e0f046e337a0a282b61d6218bdc0a0b933436584efb36238b130d1dd9f1016eab6

Download Submit
C:\Users\Admin\AppData\Local\Temp\FdUsM3mSuD.bat

Filesize
203B

MD5
ae60d6522305990ecf6a0ca098ad2e44

SHA1
2ca6050a2786c30b3f810a92b0a9b3c2e62c420f

SHA256
e52ec944c73886fd006138fe8f292cd6dee80bf9dc4628b6208b01f50aa5d568

SHA512
485d74d13180f04819c4f73caa26231a1fdb707be60950ade20809ce0922ea366c0dc3e3184cb7742d7e3895cc365e836be692b45d092362cd05302eb0cb9c6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXUYbPgzm8.bat

Filesize
203B

MD5
541e27813493df2277fb36b46bac90cb

SHA1
487812869c0e490b0c2d14f2488ddd66caae6d25

SHA256
4b034684e0920687f46327190ddd98e015e11b52ad594e517a82bd9b19ef7865

SHA512
29fe62108ef4a13329c02ec4a4366a51305b5ac20cf5ab643a277fd625e065044e57565e96f60d1375ef6dd7acb01a38f9a9311395cebdb004c80b254e207188

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
203B

MD5
5a0ae71a2567ec64c68e5b23833e78bf

SHA1
db7bb025c25f0ecdf46aad90271f2f1418558012

SHA256
ac96c66dd21da3f1d9308460505596ba6fb78c696bff9b4c65c064283cb7d4dc

SHA512
f8d7b05d24cad5c7a3010b8723537747d0bac481a7e52c3d6a90968a01afa0ee7938ce4acd1c78ac42c60ef5ec13237d559ac6d64cb545e15f3532e8db8f7b59

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
203B

MD5
65bc64712f2c4f3e9bc895bee09ef95a

SHA1
5809b8658f0fe9a29fb4bf6f26db78c3fa992b9b

SHA256
54f4d44305c512f63ed94900049ebd8fee37b43792970702e2bcd9f667130621

SHA512
5addba41f3c7b5653f89d2b16cef0266ca1eedb15021cf06acd8511ee0a5a80cf368c967e0a431f047988a5c9c5e17ff67b02c118132593af367efd576681f58

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar214B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

Filesize
203B

MD5
ee657c6264f66243c7d41af430276ba3

SHA1
2da4c833f6b4bfed875f0602414dc6e5c74f5caa

SHA256
580befff6a57e051c240559e23b8d9d0e01ff8a2f03a2e0434b3b02c659bf68d

SHA512
ce69d27e88fb5ce14a4daaa9f815dcfbb3d4db71ebb63526b2f5960342c0dee7c59f85b6f100ad08616c6b73454c3f05c2717e4fd5452d5541260f77c085b179

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat

Filesize
203B

MD5
96e161c202cc94230594174295d7d2fa

SHA1
85f909b88bf73ea76a2a92238791a39580a20ea0

SHA256
57568994a65a7c6fd26144161ad9209ece7a42fd5f1ad665113a973ee46630ad

SHA512
bca2daac0eb868d6263bef9aa83a20bac6df05c9c1fce8144759fe75f15ef1a5d38f2f7410d4cb2020f2245f7b7117fd1ea3a5c07fb949cedf5a9774e35d2235

Download Submit
C:\Users\Admin\AppData\Local\Temp\wUI7DLfHyj.bat

Filesize
203B

MD5
5574a4263e0a87afd82087630f0226d2

SHA1
95dc5e0fa7e218c2ee9c37099145e62d385654ae

SHA256
c68badcee68c400d2c81f684331233b365c5c5a5b745da6330aadba484e4004e

SHA512
0494f05873029446bfcfc5e59b23f0c891f64e5fdf120b03a4502de66d4c4b51aa3cfee1ee9e94629fb6640ff93c8c96e2c9d589de9526feee0192585a32aa3f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\2WSEHAKL3YIJFQA7S4SX.temp

Filesize
7KB

MD5
62be9a071bdd681b17318820b85bab76

SHA1
38d15e8e7e954d2e917ced0ea57ca9908e9c8562

SHA256
ca637cc96883530ffdcb24c5bc1f080e905edf93b91346eda11768ad83b9c285

SHA512
2a763862c734cb957730977b6db5d8f7e45432f82dcc8df1bf7be7476bdc8d53c250627b188d160291f43a6949315e5c833d5a10f18081183b3d7588ea695164

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/540-217-0x0000000001180000-0x0000000001290000-memory.dmp

Filesize
1.1MB

Download
memory/548-635-0x0000000000B40000-0x0000000000B52000-memory.dmp

Filesize
72KB

Download
memory/1512-98-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/1676-47-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/1676-48-0x0000000002390000-0x0000000002398000-memory.dmp

Filesize
32KB

Download
memory/1920-337-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1920-336-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/2188-17-0x0000000000490000-0x000000000049C000-memory.dmp

Filesize
48KB

Download
memory/2188-16-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2188-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2188-14-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/2188-13-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/2432-516-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2660-456-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2836-157-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download