dcrat | 56f1a8b6d17ff75c29037f696b32ba4058f87b5a0c6576a537935bec5986f2b3

Analysis

max time kernel
148s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_56f1a8b6d17ff75c29037f696b32ba4058f87b5a0c6576a537935bec5986f2b3.exe
Size

1.3MB
MD5

46ef3a91d20590c8df995269ab5695cb
SHA1

575fd31124332c2ec3b05bde93e8f081c5bf574b
SHA256

56f1a8b6d17ff75c29037f696b32ba4058f87b5a0c6576a537935bec5986f2b3
SHA512

ddfdfa4a86f2c76baeb88e1d5e643979d0caa5b7fd60d67822650dcea33987cd105379c82a72a096bd97cb6b8c24457dd46870c5a1821482d8e963d2603b2dad
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2584	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d0b-9.dat	dcrat
behavioral1/memory/1488-13-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2936-80-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/536-140-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/2352-318-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1388-378-0x0000000000DC0000-0x0000000000ED0000-memory.dmp	dcrat
behavioral1/memory/2376-438-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2372-498-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/988-617-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/1384-677-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/1564-737-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2116	powershell.exe
2224	powershell.exe
1684	powershell.exe
772	powershell.exe
2220	powershell.exe
2388	powershell.exe
2152	powershell.exe
2172	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1488	DllCommonsvc.exe
2936	System.exe
536	System.exe
1676	System.exe
1768	System.exe
2352	System.exe
1388	System.exe
2376	System.exe
2372	System.exe
2896	System.exe
988	System.exe
1384	System.exe
1564	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	cmd.exe
2668	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
39	raw.githubusercontent.com
9	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\cs-CZ\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\System32\cs-CZ\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_56f1a8b6d17ff75c29037f696b32ba4058f87b5a0c6576a537935bec5986f2b3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2608	schtasks.exe
1764	schtasks.exe
1648	schtasks.exe
844	schtasks.exe
1844	schtasks.exe
2504	schtasks.exe
2844	schtasks.exe
2768	schtasks.exe
1020	schtasks.exe
804	schtasks.exe
2712	schtasks.exe
2688	schtasks.exe
2652	schtasks.exe
1240	schtasks.exe
2644	schtasks.exe
2292	schtasks.exe
2024	schtasks.exe
1700	schtasks.exe
1720	schtasks.exe
2480	schtasks.exe
1580	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
1488	DllCommonsvc.exe
1684	powershell.exe
2116	powershell.exe
772	powershell.exe
2172	powershell.exe
2224	powershell.exe
2388	powershell.exe
2152	powershell.exe
2220	powershell.exe
2936	System.exe
536	System.exe
1676	System.exe
1768	System.exe
2352	System.exe
1388	System.exe
2376	System.exe
2372	System.exe
2896	System.exe
988	System.exe
1384	System.exe
1564	System.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	DllCommonsvc.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	772	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	2936	System.exe
Token: SeDebugPrivilege	536	System.exe
Token: SeDebugPrivilege	1676	System.exe
Token: SeDebugPrivilege	1768	System.exe
Token: SeDebugPrivilege	2352	System.exe
Token: SeDebugPrivilege	1388	System.exe
Token: SeDebugPrivilege	2376	System.exe
Token: SeDebugPrivilege	2372	System.exe
Token: SeDebugPrivilege	2896	System.exe
Token: SeDebugPrivilege	988	System.exe
Token: SeDebugPrivilege	1384	System.exe
Token: SeDebugPrivilege	1564	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2956	2496	JaffaCakes118_56f1a8b6d17ff75c29037f696b32ba4058f87b5a0c6576a537935bec5986f2b3.exe	30
PID 2496 wrote to memory of 2956	2496	JaffaCakes118_56f1a8b6d17ff75c29037f696b32ba4058f87b5a0c6576a537935bec5986f2b3.exe	30
PID 2496 wrote to memory of 2956	2496	JaffaCakes118_56f1a8b6d17ff75c29037f696b32ba4058f87b5a0c6576a537935bec5986f2b3.exe	30
PID 2496 wrote to memory of 2956	2496	JaffaCakes118_56f1a8b6d17ff75c29037f696b32ba4058f87b5a0c6576a537935bec5986f2b3.exe	30
PID 2956 wrote to memory of 2668	2956	WScript.exe	31
PID 2956 wrote to memory of 2668	2956	WScript.exe	31
PID 2956 wrote to memory of 2668	2956	WScript.exe	31
PID 2956 wrote to memory of 2668	2956	WScript.exe	31
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 1488 wrote to memory of 1684	1488	DllCommonsvc.exe	56
PID 1488 wrote to memory of 1684	1488	DllCommonsvc.exe	56
PID 1488 wrote to memory of 1684	1488	DllCommonsvc.exe	56
PID 1488 wrote to memory of 2224	1488	DllCommonsvc.exe	57
PID 1488 wrote to memory of 2224	1488	DllCommonsvc.exe	57
PID 1488 wrote to memory of 2224	1488	DllCommonsvc.exe	57
PID 1488 wrote to memory of 2116	1488	DllCommonsvc.exe	59
PID 1488 wrote to memory of 2116	1488	DllCommonsvc.exe	59
PID 1488 wrote to memory of 2116	1488	DllCommonsvc.exe	59
PID 1488 wrote to memory of 2172	1488	DllCommonsvc.exe	60
PID 1488 wrote to memory of 2172	1488	DllCommonsvc.exe	60
PID 1488 wrote to memory of 2172	1488	DllCommonsvc.exe	60
PID 1488 wrote to memory of 2152	1488	DllCommonsvc.exe	61
PID 1488 wrote to memory of 2152	1488	DllCommonsvc.exe	61
PID 1488 wrote to memory of 2152	1488	DllCommonsvc.exe	61
PID 1488 wrote to memory of 2388	1488	DllCommonsvc.exe	64
PID 1488 wrote to memory of 2388	1488	DllCommonsvc.exe	64
PID 1488 wrote to memory of 2388	1488	DllCommonsvc.exe	64
PID 1488 wrote to memory of 2220	1488	DllCommonsvc.exe	65
PID 1488 wrote to memory of 2220	1488	DllCommonsvc.exe	65
PID 1488 wrote to memory of 2220	1488	DllCommonsvc.exe	65
PID 1488 wrote to memory of 772	1488	DllCommonsvc.exe	66
PID 1488 wrote to memory of 772	1488	DllCommonsvc.exe	66
PID 1488 wrote to memory of 772	1488	DllCommonsvc.exe	66
PID 1488 wrote to memory of 1172	1488	DllCommonsvc.exe	72
PID 1488 wrote to memory of 1172	1488	DllCommonsvc.exe	72
PID 1488 wrote to memory of 1172	1488	DllCommonsvc.exe	72
PID 1172 wrote to memory of 548	1172	cmd.exe	74
PID 1172 wrote to memory of 548	1172	cmd.exe	74
PID 1172 wrote to memory of 548	1172	cmd.exe	74
PID 1172 wrote to memory of 2936	1172	cmd.exe	75
PID 1172 wrote to memory of 2936	1172	cmd.exe	75
PID 1172 wrote to memory of 2936	1172	cmd.exe	75
PID 2936 wrote to memory of 2740	2936	System.exe	77
PID 2936 wrote to memory of 2740	2936	System.exe	77
PID 2936 wrote to memory of 2740	2936	System.exe	77
PID 2740 wrote to memory of 1852	2740	cmd.exe	79
PID 2740 wrote to memory of 1852	2740	cmd.exe	79
PID 2740 wrote to memory of 1852	2740	cmd.exe	79
PID 2740 wrote to memory of 536	2740	cmd.exe	80
PID 2740 wrote to memory of 536	2740	cmd.exe	80
PID 2740 wrote to memory of 536	2740	cmd.exe	80
PID 536 wrote to memory of 1868	536	System.exe	81
PID 536 wrote to memory of 1868	536	System.exe	81
PID 536 wrote to memory of 1868	536	System.exe	81
PID 1868 wrote to memory of 1352	1868	cmd.exe	83
PID 1868 wrote to memory of 1352	1868	cmd.exe	83
PID 1868 wrote to memory of 1352	1868	cmd.exe	83
PID 1868 wrote to memory of 1676	1868	cmd.exe	84
PID 1868 wrote to memory of 1676	1868	cmd.exe	84
PID 1868 wrote to memory of 1676	1868	cmd.exe	84
PID 1676 wrote to memory of 1404	1676	System.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56f1a8b6d17ff75c29037f696b32ba4058f87b5a0c6576a537935bec5986f2b3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_56f1a8b6d17ff75c29037f696b32ba4058f87b5a0c6576a537935bec5986f2b3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\cs-CZ\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:772
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgf8UHGYA6.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1172
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:548
      - C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1852
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1352
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat"
        11⤵
        
        PID:1404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1652
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat"
        13⤵
        
        PID:560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2120
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        15⤵
        
        PID:328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2024
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        17⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1432
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat"
        19⤵
        
        PID:764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1544
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        21⤵
        
        PID:1400
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2700
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat"
        23⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1540
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        25⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:848
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
        27⤵
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2780
        
        C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe
        
        "C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\cs-CZ\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\cs-CZ\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\cs-CZ\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3ba01c84ea36174ce3664014113704a

SHA1
00dffeee6877d537234cf0f19b97a77339c51022

SHA256
88447e7daecf7d76532ba34a94c8390a0e8b51ef85b28084f598da7bcd4484e0

SHA512
7fbcc19899ef9bcb057e888e087b2878fa22fc5c3b2665e9376004586413d81557312f0c9c70312b9f2ab8bc369f16ed827adeba6e1a5805171f547448927e47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09cf36c6cae5c9d950d09da06871e21c

SHA1
f055ab3a668c2551d64c66d6bbf61ea594b22430

SHA256
db88b82fe05a1b392d4fd24799ac453f8c77f6b137cbb27cdbbbb5bae9325640

SHA512
30b1b50a3f8b22357bf8b94113a722f306af057f3761fe90229b541aa7e797b99539950f335d69832071cea9922545e5eb773364c655e22935b2d05d4f3974f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57d4d2fcb398414532aefa511f2df974

SHA1
3232ef96aac28960bda66bfbde438ed069fe86a4

SHA256
b06c5cb57ff370de588e172d2609d7f0d79d33709c06c9c0ecdb22b15bb4bc8a

SHA512
160a93cbe34861d798445b96a6f2ecf001486d09aa559e9c595eb88d0d8725dfe4794841fba9d585ba2a51014e68326c6c1e2a5b1def2ed1adac530e40e1674f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74f2504e5f67636c691bf7406c0f9672

SHA1
4fee8a3df12ea66c24fae3797fb0369cfaa9ab4a

SHA256
03cc0799309cd0a1439b5bc385e4214644ffbe41dc92311b079ce3f3419c4f7a

SHA512
f0b6664bbc0a30f86c895dd1d82bb3da7409b77b810645ae21a37c2e5bbd3a0b6ac6d160984bdce37f9d63eab379f09f9988e3e61adbd8ee03c58b77532abb6b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f09d26e62aa131a84b5469f3241e06c3

SHA1
d6258ed5445aa6021fd1a26b6dec103c909dff6d

SHA256
40ec47738021803703e285aa31ef1a9919095e21ee4d9f20096be7b235a55a4e

SHA512
213c400ee2c26343d75fbc42cf35b04a6e6a6a9de4963406f4b5182b72012978e63dffd109f335ab14f9dd5eeeacf762445476a9e0f4dcb6684ff2dc417406bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed6452953f0d2e3827c923fcfc36fda2

SHA1
ffeafbad0d55bfc3ec57aafbeeeae11f93c68d06

SHA256
9489cb5133377be11a5123ba0cf10a2c0a08956700dcff52f84b007a29cd1a4a

SHA512
07f7d64b99453dae2d97c48f65bcb416180ee33e6fad465462999d0cfb5679de91e44114153554bfe879994b5069903e53c915482a4cd2b87d3450e58bced466

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3be23147a7bdac87973df308510f94a

SHA1
d3b70ff3076db6bd160a1c21a78e90a75086776b

SHA256
319d7d2923a1af2a75377b33bcb8e040975fd22ad7caf4baee2ecb481951fde5

SHA512
2c3b167e21874478dc826715a50ecbbd0d8875811df1bbc5174e24541c329192615c16241b69327f0f2fb9c11ad9d930300fd26851716ed65c78bbc5a280908c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82e98d0f62af5cd80a70cd1ceb94b60c

SHA1
e6697a557ab7f55682a9543a8a0e88c56822a9f9

SHA256
0f761567dcb6091a7049e9b6eeef0862afdf1148af52555c810cda4b2f5f76c9

SHA512
1e100fd8df1e8a281c80612f613731bc9d99f68eb302042284477c0201627b6739547a02b03679bac71e16da9160dd568ffb3cf51c82ca48ad4cd5b99eafacdc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbfdb16fae9d16df0975b86a39845e77

SHA1
94bc2104c2084e01907b8c8aab9db26f76c41f9a

SHA256
f837b3ba276845f7db48c7c4c031d05f7d3d1a4a2e1b628c4a4c904afa60eff8

SHA512
de430a41d1ea18eb0f6180b5da4c59794bb3c1a4fd2947fd95a9c45c4ac1cce97ead1daa031c4ac4bac47608cb65cdcb556915025653f46886a6d51822c8d426

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74871aa648e7bd9147a6afcc6d2388e8

SHA1
53e1a1a6339c90c2a27265975968b31d3707ecee

SHA256
1a2c49f76cba6b47ec773dc7200c3d5485758f5eb7d099e8fcad27e324b9e2de

SHA512
459ade4390d4f66c81cb29a13edf4cb3797d0c7c223bc8c723eb00c39c8dc3cb9f4efd7df4330df74afc51306438aa24a2b65c063d043396f741f5c413d9cdb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\2K3DLFE7WC.bat

Filesize
224B

MD5
974992dbbc7b642e9a67d6d864875998

SHA1
17812a463d8fbe299265dd8970899f447a86c944

SHA256
8fc637cfbcf0a64e37317f956e0f848d4ba51d0f9a29906ce93c5bf744e48123

SHA512
7195563daf8d8cf4435d2247304712ebfd24638b5e6c00ff529fafc38e44039276c36d43ce68e8d3200c6ec47dd272c9f53e9a76422d71a9629c4ebd6e534700

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Tm0GxqeGU.bat

Filesize
224B

MD5
8700a5c159ee6f6550a7ba2b58edf5a9

SHA1
355c4b35d586f02c1fe75471638af3c847032ee2

SHA256
7d05949f3909d90001f193a581e9e94d15968d9d8234aa93b6e8739bab77b74a

SHA512
43f92a1e0b82734e96421158156ee13bef1ccb2869261063919db8077c3d7a0ae575a63ae5bf8f4123bdb440de32981e52e0ffffad82bfa21021f543b6e065da

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabDE40.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
224B

MD5
0bd1aca88b7ac95a162476c37eddc387

SHA1
f78dffd546789cf14f81bf548635235d4be67af1

SHA256
72f2409e75861d735164fc43fef368d8646cd7a6a4e88a4e2b4da9d2053ea46a

SHA512
6c95145720dd18b1f7177dbf32e54e49d80ca7511a9a27b8bfb75719a7a5fe67acc595c130c534c4d530820679ded8129817fe0492f1ddf1ced0475f131e0476

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarDE53.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
224B

MD5
0e9121b0f1e2055b2bdb8dae95770744

SHA1
5a6e5b29099513af28a9d0d87782c54193b74699

SHA256
a022427abcf73fb7fe13467c53d15ee6b788dafde2e322ee6cd2325f90a5dcff

SHA512
a4a1d84eaa9c7458006eeb2b64b14b5abcd634d62e6a93679595ff0256c80def16dd0e620d71bf60531488acb8e1ea7e2ed1c8a07368337dc479bf5c9eee92e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
224B

MD5
4a433c4490368814e80044899399415d

SHA1
a18a2d6fae387d769504e21597798f440798fa00

SHA256
d6ceaf3a4a8c884e96553c94ba1aba6bf5ddaba9e492db0ca38ba957e1b01501

SHA512
3086d1480bc252619d879014e09fb762b83de082d019fbf47230d4d7a642dbf7aaff18b0b78ed65788114474b05f5c52c760640d375493b36b728ab3d9e0ba09

Download Submit
C:\Users\Admin\AppData\Local\Temp\blOcFVMglb.bat

Filesize
224B

MD5
3704f03f99af6f314f269e2693af55f3

SHA1
13734c8ea87f395814d733ac7d2b29f29b4b8ebf

SHA256
d383ad781f4654235c704dcc89439539f21be07bd59f78b0f6916e7871cb5c9d

SHA512
7fdefa5c27635c48f86b36e40b8094d9a3637d9f18093fe2cd5ad1df2ee7cce92c1e81cd7b6249472aed33b35029060f0410880706d3054828c581da798dbf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\cqXkQwtlzQ.bat

Filesize
224B

MD5
273ee49ec25bfa8effb094d1d88263fb

SHA1
2b538d620fe13ae99f64f79aa2b3076b61c0bfc6

SHA256
c9c6193d855254f3a8ddba07dcbfb8a4c09b221f92f0d80337cacfd99fceb2f4

SHA512
9198d6dc2c78b45b861398e521c123e2f5dba6768752fbd38302a85c718a870d3acfc1bb8590a1cbe29caebeeff6cadb787f5f85db425a43ed0a2c7403760498

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
224B

MD5
ac81e9ad96404e31d9eec8e943bca621

SHA1
9e965f3759e433833afb965fec6e190a608ceecf

SHA256
ac22fce1a54b286ee3fee63a3dacb71fe5bc42dac1d1b328df66218fb7d3c117

SHA512
d703442c91eb42af908f054410c5fa54e8c47e2070e47fb765f9add3894c62b45ab80d0ea8a6b7e449338569fa1f2e556af85ff529dc4d5ddda53d6b765c6809

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
224B

MD5
2a1e15073d9efc73548c31025178dd69

SHA1
5d84c61f067fdf33b4d8acb5582a831add768f22

SHA256
673ff6893f1b4a41b9e95d9781ce590e37cdde92c205d6b0f13c59bf33fd237b

SHA512
8c2d6e781bf351b6eed0d38c0fb49f6aaa5ede04b4f7c2a6844a987ef27c1b5bd5abd09d86ddd1a03d3c2d4007bc978c33296f154b56e1508bff0726056a8a26

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

Filesize
224B

MD5
9b15eddbb7f86edaac5ddc69aaafe4e3

SHA1
1f0b56e8f0a2db5852a855c5881d18b1d34e0f1c

SHA256
57ad07d34f07a6b6e634f7d5518318b319361c0a2b9fc884f6a61fb69ba3e855

SHA512
a6171e58f07350df0c431e0c5d41d88d1d3fea2ed97dd4e21787b61fa5ad33c1a51c020035764846a998d533591120f2143cf40c31910bb457a252e437dfab61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat

Filesize
224B

MD5
5b6adeaa761dc14e5863c153b4742d91

SHA1
772f3761d9958741b9e8745fb70ac3b9f40d3994

SHA256
4109c024f69a6d73e482a7590e5e78a09ac35a3ee1778c43c6218dcab8070a6b

SHA512
ef18a663e7169b8d1b1d3613ccd1dc902b73092126a22b9cd1aaab37baa776a0413b0c9aa6511a6d3d132baa436758ae29e318dec45f54df8cb1a13883248f99

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgf8UHGYA6.bat

Filesize
224B

MD5
c16d867bb852b31a25866d74efe9166f

SHA1
846dab0c1580584c8a957b80b24167b17d7d442d

SHA256
f41e8919edaab2bdd7f29c9eb305d22abff9b1dc815331da34d335a25053810c

SHA512
46b5a1d46790716633da34b179cd00bf65e5a07440555c18e643a9c1141c4d10d88d0a50387af47074c227d5601f9925453bde0890030e38cceed685e7dc5601

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
f96641dda522e36fffc1f7602015c0c7

SHA1
a3bed7370df3b627332575d1ed1d823388260fb4

SHA256
3e0aee9d786d72a4f9b4e0cc1fd26ee36444b52df14695e76c4f6f6208fec804

SHA512
64d9e1fa3715fa1dc631a47df87f022f22b50a2f0797f1aa19a4b29431d0dfa0544281be324a95ffc01b73f1b79d7d6db40106c5c246d250ee209239a875a37a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/536-140-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/988-617-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/1384-677-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/1388-378-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

Filesize
1.1MB

Download
memory/1488-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1488-17-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/1488-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/1488-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1488-13-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/1564-737-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/1684-46-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/1684-45-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2352-318-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2372-498-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/2376-438-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2936-81-0x00000000004E0000-0x00000000004F2000-memory.dmp

Filesize
72KB

Download
memory/2936-80-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download