dcrat | dc9abf0eedf482a17485c2617b35dcffad8e8f1b3415d6fc0fdeb502ec75aca9

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_dc9abf0eedf482a17485c2617b35dcffad8e8f1b3415d6fc0fdeb502ec75aca9.exe
Size

1.3MB
MD5

d4058f5bb47845a08c5e16bf08587928
SHA1

5e00e056c4e94c6d8d099d23bf7b728b13e2bc88
SHA256

dc9abf0eedf482a17485c2617b35dcffad8e8f1b3415d6fc0fdeb502ec75aca9
SHA512

d4d91dd528d4ec86ac5e90ec569efd93b5ff9e8ed95bda120fcfb0bb8d5d436c4306d1fbb6c33464d7d88624f4ecdd81f4f92a032d67f880e49ece9e075924fa
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	284	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2552	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2552	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cec-9.dat	dcrat
behavioral1/memory/2576-13-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/2336-80-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2912-140-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2836-201-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/2152-379-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/2640-439-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/1964-618-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2284	powershell.exe
2428	powershell.exe
2228	powershell.exe
2380	powershell.exe
2196	powershell.exe
2492	powershell.exe
2408	powershell.exe
348	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2576	DllCommonsvc.exe
2336	dwm.exe
2912	dwm.exe
2836	dwm.exe
1372	dwm.exe
2796	dwm.exe
2152	dwm.exe
2640	dwm.exe
2132	dwm.exe
2676	dwm.exe
1964	dwm.exe
2276	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
2688	cmd.exe
2688	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
35	raw.githubusercontent.com
38	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\cs-CZ\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\System32\cs-CZ\winlogon.exe	DllCommonsvc.exe

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\Accessories\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\spoolsv.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_dc9abf0eedf482a17485c2617b35dcffad8e8f1b3415d6fc0fdeb502ec75aca9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1948	schtasks.exe
1296	schtasks.exe
2840	schtasks.exe
536	schtasks.exe
1076	schtasks.exe
2976	schtasks.exe
1812	schtasks.exe
2856	schtasks.exe
2984	schtasks.exe
1692	schtasks.exe
2056	schtasks.exe
1264	schtasks.exe
2388	schtasks.exe
2424	schtasks.exe
1716	schtasks.exe
2520	schtasks.exe
2712	schtasks.exe
2964	schtasks.exe
1788	schtasks.exe
2064	schtasks.exe
284	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2576	DllCommonsvc.exe
2428	powershell.exe
2284	powershell.exe
2492	powershell.exe
2196	powershell.exe
2228	powershell.exe
2408	powershell.exe
348	powershell.exe
2380	powershell.exe
2336	dwm.exe
2912	dwm.exe
2836	dwm.exe
1372	dwm.exe
2796	dwm.exe
2152	dwm.exe
2640	dwm.exe
2132	dwm.exe
2676	dwm.exe
1964	dwm.exe
2276	dwm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2576	DllCommonsvc.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	2492	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	348	powershell.exe
Token: SeDebugPrivilege	2380	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2336	dwm.exe
Token: SeDebugPrivilege	2912	dwm.exe
Token: SeDebugPrivilege	2836	dwm.exe
Token: SeDebugPrivilege	1372	dwm.exe
Token: SeDebugPrivilege	2796	dwm.exe
Token: SeDebugPrivilege	2152	dwm.exe
Token: SeDebugPrivilege	2640	dwm.exe
Token: SeDebugPrivilege	2132	dwm.exe
Token: SeDebugPrivilege	2676	dwm.exe
Token: SeDebugPrivilege	1964	dwm.exe
Token: SeDebugPrivilege	2276	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2828 wrote to memory of 2672	2828	JaffaCakes118_dc9abf0eedf482a17485c2617b35dcffad8e8f1b3415d6fc0fdeb502ec75aca9.exe	31
PID 2828 wrote to memory of 2672	2828	JaffaCakes118_dc9abf0eedf482a17485c2617b35dcffad8e8f1b3415d6fc0fdeb502ec75aca9.exe	31
PID 2828 wrote to memory of 2672	2828	JaffaCakes118_dc9abf0eedf482a17485c2617b35dcffad8e8f1b3415d6fc0fdeb502ec75aca9.exe	31
PID 2828 wrote to memory of 2672	2828	JaffaCakes118_dc9abf0eedf482a17485c2617b35dcffad8e8f1b3415d6fc0fdeb502ec75aca9.exe	31
PID 2672 wrote to memory of 2688	2672	WScript.exe	32
PID 2672 wrote to memory of 2688	2672	WScript.exe	32
PID 2672 wrote to memory of 2688	2672	WScript.exe	32
PID 2672 wrote to memory of 2688	2672	WScript.exe	32
PID 2688 wrote to memory of 2576	2688	cmd.exe	34
PID 2688 wrote to memory of 2576	2688	cmd.exe	34
PID 2688 wrote to memory of 2576	2688	cmd.exe	34
PID 2688 wrote to memory of 2576	2688	cmd.exe	34
PID 2576 wrote to memory of 348	2576	DllCommonsvc.exe	57
PID 2576 wrote to memory of 348	2576	DllCommonsvc.exe	57
PID 2576 wrote to memory of 348	2576	DllCommonsvc.exe	57
PID 2576 wrote to memory of 2284	2576	DllCommonsvc.exe	58
PID 2576 wrote to memory of 2284	2576	DllCommonsvc.exe	58
PID 2576 wrote to memory of 2284	2576	DllCommonsvc.exe	58
PID 2576 wrote to memory of 2428	2576	DllCommonsvc.exe	59
PID 2576 wrote to memory of 2428	2576	DllCommonsvc.exe	59
PID 2576 wrote to memory of 2428	2576	DllCommonsvc.exe	59
PID 2576 wrote to memory of 2228	2576	DllCommonsvc.exe	60
PID 2576 wrote to memory of 2228	2576	DllCommonsvc.exe	60
PID 2576 wrote to memory of 2228	2576	DllCommonsvc.exe	60
PID 2576 wrote to memory of 2380	2576	DllCommonsvc.exe	63
PID 2576 wrote to memory of 2380	2576	DllCommonsvc.exe	63
PID 2576 wrote to memory of 2380	2576	DllCommonsvc.exe	63
PID 2576 wrote to memory of 2196	2576	DllCommonsvc.exe	64
PID 2576 wrote to memory of 2196	2576	DllCommonsvc.exe	64
PID 2576 wrote to memory of 2196	2576	DllCommonsvc.exe	64
PID 2576 wrote to memory of 2492	2576	DllCommonsvc.exe	65
PID 2576 wrote to memory of 2492	2576	DllCommonsvc.exe	65
PID 2576 wrote to memory of 2492	2576	DllCommonsvc.exe	65
PID 2576 wrote to memory of 2408	2576	DllCommonsvc.exe	66
PID 2576 wrote to memory of 2408	2576	DllCommonsvc.exe	66
PID 2576 wrote to memory of 2408	2576	DllCommonsvc.exe	66
PID 2576 wrote to memory of 1308	2576	DllCommonsvc.exe	73
PID 2576 wrote to memory of 1308	2576	DllCommonsvc.exe	73
PID 2576 wrote to memory of 1308	2576	DllCommonsvc.exe	73
PID 1308 wrote to memory of 868	1308	cmd.exe	75
PID 1308 wrote to memory of 868	1308	cmd.exe	75
PID 1308 wrote to memory of 868	1308	cmd.exe	75
PID 1308 wrote to memory of 2336	1308	cmd.exe	76
PID 1308 wrote to memory of 2336	1308	cmd.exe	76
PID 1308 wrote to memory of 2336	1308	cmd.exe	76
PID 2336 wrote to memory of 2988	2336	dwm.exe	77
PID 2336 wrote to memory of 2988	2336	dwm.exe	77
PID 2336 wrote to memory of 2988	2336	dwm.exe	77
PID 2988 wrote to memory of 2404	2988	cmd.exe	79
PID 2988 wrote to memory of 2404	2988	cmd.exe	79
PID 2988 wrote to memory of 2404	2988	cmd.exe	79
PID 2988 wrote to memory of 2912	2988	cmd.exe	80
PID 2988 wrote to memory of 2912	2988	cmd.exe	80
PID 2988 wrote to memory of 2912	2988	cmd.exe	80
PID 2912 wrote to memory of 1424	2912	dwm.exe	81
PID 2912 wrote to memory of 1424	2912	dwm.exe	81
PID 2912 wrote to memory of 1424	2912	dwm.exe	81
PID 1424 wrote to memory of 1976	1424	cmd.exe	83
PID 1424 wrote to memory of 1976	1424	cmd.exe	83
PID 1424 wrote to memory of 1976	1424	cmd.exe	83
PID 1424 wrote to memory of 2836	1424	cmd.exe	84
PID 1424 wrote to memory of 2836	1424	cmd.exe	84
PID 1424 wrote to memory of 2836	1424	cmd.exe	84
PID 2836 wrote to memory of 2408	2836	dwm.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc9abf0eedf482a17485c2617b35dcffad8e8f1b3415d6fc0fdeb502ec75aca9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_dc9abf0eedf482a17485c2617b35dcffad8e8f1b3415d6fc0fdeb502ec75aca9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2828
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2672
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2688
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\cs-CZ\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2380
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgf8UHGYA6.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:868
      - C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2404
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1976
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat"
        11⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2472
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
        13⤵
        
        PID:1344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2856
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat"
        15⤵
        
        PID:1076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2924
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat"
        17⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1924
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat"
        19⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2744
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        21⤵
        
        PID:1368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2716
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
        23⤵
        
        PID:408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2228
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat"
        25⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2528
        
        C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe
        
        "C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\cs-CZ\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\System32\cs-CZ\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\cs-CZ\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows NT\Accessories\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bc96176683715629b2d514b1fb4e4288

SHA1
463999fcc757e0cf2d311d5f3fa6cf4004a39563

SHA256
795bc9ca408302faedcc69dff76d11bdefb101ece02a89635d94267c6c11d3c6

SHA512
cd347558090a2624bc02c116e3914cce9c3bd4425b86c8310a3e58f75b755aa15d07114dd080788e851eed054248b54541f792cb18205fe55a61bae8a04ccf43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6efd4b69f0d334898a37dbc55e89ac0b

SHA1
7fe3da8328da25587e2733752232fdccd3c33d69

SHA256
fbc2e391c6dd82d2529e9bcf8feb21a0ee61cd7edbdac74c435a8ef63f97994f

SHA512
67f165fe2a28519297e5ddad0190bb27aa2a510ac7cc4c3ae80cb9386744b6b00b0aa35e203da1bcdd22ea064d887101d0fb3117e197b49e672b42f9e30a16ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1f30f10d29628a8f6119f0683fb50ee

SHA1
7bebc47bb8ab4a4473d9114d1e44a4046fb76383

SHA256
27fd3a4693fd24e1646a692c9ff524b69575868ebd52604cd83d6f5473f45338

SHA512
825ec05fc0252e988c6f5a0243a5f835cadf91aaa8688487fbb7bd08698893d25642c442045ac307391835b443531300b6eca8ba8fb660300150490a4ca4e2be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1e9451f0661c106c9b4dee7c56c77d5

SHA1
8aee3d1a844f50a47e8ad9e26e00c54527fb6eba

SHA256
783f9bcd940b8bb574e60085ed059186502e1ee59b2c7b17831b32431b6b84ab

SHA512
fc63c805db243d476a73485b1068075eafd49dc3a3db295782fb40afbe83068b8003d60568cada512d1a544feaabf3d7b111bfb8ab1e1580239866504f576c4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa3b5e3598f1e58efd40c0bb9dc9ab55

SHA1
4f4314228c70a097b64d6e8fc5bdaef8cc3179fa

SHA256
d7385a3ee368be7a11e176a45efe6371bff117ffecabf6c39cbfc6567440ec73

SHA512
014dae1d073856591aa7fd74997219ecfb1a94dc9d07f329c945a9fbe1607fbab4e0766ef4deb2cf6e5195a4cc4ef2700580d809b4823f5ba91261d92d769645

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8b62fe6f39ed18ecd5164defef6b9ac

SHA1
c06482e6313b8f1c5894fe80803078cb515c5b3e

SHA256
3874d29c449ff7a31e8d9405386c801e3574b233aa2acbe66b9523ecd29056df

SHA512
5337af0b486349c478c91d672a9d440433ecf457c83b32382ed48b7b11243eb11cce307bffbe3815fba82b16a80422df28eacdd503bf6828e83a0d45a74d6905

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f920b881e92d4d6f13af973ad58165a

SHA1
d88525e86835af941b072be241fd8e89c1f81ec0

SHA256
7a308c84e9335d5df032c2d58affa4ca6689dbfc21ed3ae94e8aab0744902980

SHA512
49254e4448ba844519db2d93419d104785015231fac56285d6161ab9a50e073836bb129fe358d652c1bbb262fa6aaa9cecab0bfc4ba193086b1e2efa31d2ba53

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e242eaabd2cc625b568314e8ba88d11

SHA1
e121764a1d8aba35c2d79282f22df034320d7b60

SHA256
59dc7eb9d46cab713f9b538179862cbe380b7d9ae05e9367d99b81360905544f

SHA512
9ed8bb8a8c7a1738a72c41ec25930926ef514c231897ce1680a6ac98dd7782bb33b71af09de9cc4d3c0494cfb73512b3a42033729cc3425485df85d2eee691b5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb0ec4be20358504fbe6cc8f39eb962b

SHA1
3805864f5437861279da34e06dcd6804f8749e3b

SHA256
76a62f12859570fb52a8c512bab188249c732d8db664bab73aea9de5b54a9d21

SHA512
201bba70129f1680d4809d5e764e41d03db2b26a19148385c526b26f3314e6616ed9df696ea75f939b7f87e7aaffdb2d4b7bf63df220f74f31da00a448d56906

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2A6C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ELjGFNzRMY.bat

Filesize
221B

MD5
5a98689244da3da7eba418500a5633f9

SHA1
1724c985b4d124d0abd0dbdcf3124a0e97fd993c

SHA256
abb40b18c2eae30db8d9ebe9623e5f9cce4053224baea2d7ba92571530255d8d

SHA512
9031c8c969f8122877c669cef92a6c5788ef18a86ef113ca27ff440ccbe030f0bca2420683ece8e58e66440966e8a3b7b72a9d4ea90401dd71b1999248dfd959

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

Filesize
221B

MD5
5ddc0dbef38d0cb9bad69f8cf622b6a5

SHA1
9c188107b95f4a936105ae1e9f2069884f3e8386

SHA256
be712b25477e7911491e5f94825f1ce8f3bd9ead12b27f499c8e819590f24d1c

SHA512
212e0fa74f3b103c5872c88016824ba6ea7d59d574edc9fca304af104175aabbdefb5ebbd5e57d0444052dfd6c6351b96cbe46227c0da9989a0d759b20f9470b

Download Submit
C:\Users\Admin\AppData\Local\Temp\OTxxDhnLNa.bat

Filesize
221B

MD5
720adf5bbe502ba60b1f65788ce32049

SHA1
134e03fbe34e85b2354524f0adc4d748e62f27b2

SHA256
ea9da4a54d2ffb548163ad2328742ee307646d474d89beec92faaefb9ee0aa8c

SHA512
ceb56f307a2c1c6e71d789b540f991e723e24c79fef587011ad133dd81a7fcd476a7e02344a1e3ec252dde95b7651dc6056a65de0c9e7e8bd82af301016f54be

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A7F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat

Filesize
221B

MD5
be22ecf233194c6a88cec4935429b7eb

SHA1
4961641d87d3d079fa407b208f69ca4640eebcd2

SHA256
99a9def4e22d15eedae1641cdf78a21b437953598fc00de55eebdf45003d9218

SHA512
0ec63d2f5ac95b1dc30ce3d5612086fbcfdde181683b1b867f9658aee4839fb97f1b853ac59485c34fcc8b985ef1c0fa2143791eec3bda74f87308252361821f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
221B

MD5
deb7ba607e790d7d8984a6dffa18254b

SHA1
f208aa3b603fa82029968d687ca03fc2867f047c

SHA256
c92c2b4b16cd20bf3addf5114960e21bb3f944e8dadfc54624844afc1fce808f

SHA512
9553d475a319ad23e6667a9012402c3d3e641bc1acf76421223d078489078ddaef7d5828d3a9b13b8fbc557fe9c69e49c8b10123dd46198ad991b94690f0aff6

Download Submit
C:\Users\Admin\AppData\Local\Temp\biigBqxW9T.bat

Filesize
221B

MD5
392f330d69476c3566b9e6c5c6736205

SHA1
0ccdda1847a290397c7bbd7a451ad3af63ad7f6b

SHA256
74519e31b166810cc9308a65d13ebdfcf3bdba6d480de90efff255778839abb8

SHA512
a18f1c97905696f8c06a9d321404e1f893e9cd1dd91a61bc622152e075130dced266a1ce91b3d1a4c48895024f74552e83e81725a81a0aa8fcc0f44b41daafa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

Filesize
221B

MD5
5f800fb56a31c78cee86017d4040dd17

SHA1
6016464451e51034b98b8cb5cab9c87eeebb23c7

SHA256
3ccfa6a5b3ab3025050f3f0a7d660c84c01187b5cac06ea34c71894e1d156975

SHA512
ebea511bdc6afe1296252859b69330cbaea453dc232fa5ef7749310ee028833f0e8d71efa8b981349a190c30853e09a9ec13f5014d86fe7ed0b5c811c923a33a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat

Filesize
221B

MD5
3eae07737db61415780965db470c4302

SHA1
1099475a7ffdf5c5130a862781453b4104b8fc0f

SHA256
ba75c26a7ee13961e173cc0e45a7ff924fd7cd71dbfdc9f68813a163951a64b4

SHA512
fe91f618a69195f608b3bf697c911de9f82de36998d16c5dff3e479038f10e0f899e3c3f1b1c2d05654717336d72ba0e55fedccb346c01cae84dce8474b4a759

Download Submit
C:\Users\Admin\AppData\Local\Temp\tYG4XGbOex.bat

Filesize
221B

MD5
71d4e306f79514854baf904d24936717

SHA1
dfa464e770a2e0a7616e36e2a15b3449ca7065f4

SHA256
fc1c408603f8adee00f0668c2422f99a38b018788924732ab1a209d27e752d5e

SHA512
f101aca2798df0d61deadf7f34fb16970abca513219ebb67fa2b222ff22a01ad99fc7bab4209251fd645a45cc9d4e85da779bda44bb895ca0c39469f4fafa69d

Download Submit
C:\Users\Admin\AppData\Local\Temp\xZLz5Ote6t.bat

Filesize
221B

MD5
dac0372b1182a7b741ef08a92c5b8784

SHA1
3ce65940b4af6209a820d850f904305ada148978

SHA256
6efc519f370719a9cf78aa4c97644ff9ebdcee8f0d21aacd96aa9c799597f912

SHA512
18549e2b08aa28800739666c83df47ab6849e936f07d85731c4df423e6fe5a48fcd4ef7121850ea784fc26470eab293f645e362aeefce1cc26f76d782a2ccced

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgf8UHGYA6.bat

Filesize
221B

MD5
2f3df3a009355a54203a3858d243d980

SHA1
12c4967a8a61d8b6cd732b29a6d04bdd90829026

SHA256
33caf78d0c0e1d14501c4076a0c7ce75a32e518da2fd7e474a6d286c21b3a3cc

SHA512
05251fa6e846463fb5ffc6c0fe09a8522836da540356cb3059c9621637a3a7422ec94551f615ffa5964ba174c6190ed638896c13a3ca26b52320a6059719b1bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6D43CV22SF23OFS501DX.temp

Filesize
7KB

MD5
873d619722d3e3a2b7ccfb1e98c9a947

SHA1
22284717c865ab0bddebbcb4014325a91c613556

SHA256
e188d74687fb763dd80c78e04d2f282b9aa44ac3c8e34b189e9b3f4dbd0a6a12

SHA512
0a8cd83ac7da59439d7b7faa155a011b5cab65a280f916cb688e1b38c2684e0a48c24e5440d70e2f6d5b13bfd711f8b83b0210e01ec5cfe4c6e29ff5bd320ea7

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1964-619-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/1964-618-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2132-499-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2152-379-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/2284-67-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2336-80-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2336-81-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/2428-55-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/2576-15-0x0000000000770000-0x000000000077C000-memory.dmp

Filesize
48KB

Download
memory/2576-16-0x0000000000760000-0x000000000076C000-memory.dmp

Filesize
48KB

Download
memory/2576-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2576-13-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/2576-17-0x0000000000790000-0x000000000079C000-memory.dmp

Filesize
48KB

Download
memory/2640-439-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download
memory/2836-201-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2912-140-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2912-141-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download