dcrat | 94b0ca59d8203f58db9ecefac778eb4a1d54e276b7e1343599d32732c40601b8

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:10

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_94b0ca59d8203f58db9ecefac778eb4a1d54e276b7e1343599d32732c40601b8.exe
Size

1.3MB
MD5

1c691da0d57ee1dbd98c7d229e45f8f3
SHA1

a6d25730087d6e1807ee596e97548472eeb6fa3b
SHA256

94b0ca59d8203f58db9ecefac778eb4a1d54e276b7e1343599d32732c40601b8
SHA512

9237a906662f49721aed1d149998779823590b151af9d8026ce04065fc6b84cee8f649239a7e9222498fe2f75942aa4dd1c4176d8d91ee40c0e8483cba7b427a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2892	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000162b2-9.dat	dcrat
behavioral1/memory/2168-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/2576-40-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/2916-145-0x0000000000A00000-0x0000000000B10000-memory.dmp	dcrat
behavioral1/memory/580-205-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/1556-325-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/1832-385-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/2312-446-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/3040-506-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2876-566-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/1816-626-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1632	powershell.exe
1076	powershell.exe
2312	powershell.exe
1932	powershell.exe
1088	powershell.exe
1404	powershell.exe
2172	powershell.exe
2980	powershell.exe
1028	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2168	DllCommonsvc.exe
2576	Idle.exe
2916	Idle.exe
580	Idle.exe
1764	Idle.exe
1556	Idle.exe
1832	Idle.exe
2312	Idle.exe
3040	Idle.exe
2876	Idle.exe
1816	Idle.exe
2664	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2692	cmd.exe
2692	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows NT\Accessories\de-DE\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Speech\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_94b0ca59d8203f58db9ecefac778eb4a1d54e276b7e1343599d32732c40601b8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2600	schtasks.exe
2628	schtasks.exe
1892	schtasks.exe
1472	schtasks.exe
1500	schtasks.exe
2000	schtasks.exe
2988	schtasks.exe
1876	schtasks.exe
1940	schtasks.exe
2956	schtasks.exe
2944	schtasks.exe
2584	schtasks.exe
1596	schtasks.exe
2560	schtasks.exe
808	schtasks.exe
1828	schtasks.exe
2884	schtasks.exe
2700	schtasks.exe
2804	schtasks.exe
2500	schtasks.exe
2696	schtasks.exe
2620	schtasks.exe
2812	schtasks.exe
868	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
2168	DllCommonsvc.exe
1076	powershell.exe
1088	powershell.exe
1632	powershell.exe
2980	powershell.exe
1028	powershell.exe
1404	powershell.exe
2312	powershell.exe
2172	powershell.exe
1932	powershell.exe
2576	Idle.exe
2916	Idle.exe
580	Idle.exe
1764	Idle.exe
1556	Idle.exe
1832	Idle.exe
2312	Idle.exe
3040	Idle.exe
2876	Idle.exe
1816	Idle.exe
2664	Idle.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2168	DllCommonsvc.exe
Token: SeDebugPrivilege	1076	powershell.exe
Token: SeDebugPrivilege	2576	Idle.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1404	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2916	Idle.exe
Token: SeDebugPrivilege	580	Idle.exe
Token: SeDebugPrivilege	1764	Idle.exe
Token: SeDebugPrivilege	1556	Idle.exe
Token: SeDebugPrivilege	1832	Idle.exe
Token: SeDebugPrivilege	2312	Idle.exe
Token: SeDebugPrivilege	3040	Idle.exe
Token: SeDebugPrivilege	2876	Idle.exe
Token: SeDebugPrivilege	1816	Idle.exe
Token: SeDebugPrivilege	2664	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2408	2508	JaffaCakes118_94b0ca59d8203f58db9ecefac778eb4a1d54e276b7e1343599d32732c40601b8.exe	30
PID 2508 wrote to memory of 2408	2508	JaffaCakes118_94b0ca59d8203f58db9ecefac778eb4a1d54e276b7e1343599d32732c40601b8.exe	30
PID 2508 wrote to memory of 2408	2508	JaffaCakes118_94b0ca59d8203f58db9ecefac778eb4a1d54e276b7e1343599d32732c40601b8.exe	30
PID 2508 wrote to memory of 2408	2508	JaffaCakes118_94b0ca59d8203f58db9ecefac778eb4a1d54e276b7e1343599d32732c40601b8.exe	30
PID 2408 wrote to memory of 2692	2408	WScript.exe	31
PID 2408 wrote to memory of 2692	2408	WScript.exe	31
PID 2408 wrote to memory of 2692	2408	WScript.exe	31
PID 2408 wrote to memory of 2692	2408	WScript.exe	31
PID 2692 wrote to memory of 2168	2692	cmd.exe	33
PID 2692 wrote to memory of 2168	2692	cmd.exe	33
PID 2692 wrote to memory of 2168	2692	cmd.exe	33
PID 2692 wrote to memory of 2168	2692	cmd.exe	33
PID 2168 wrote to memory of 1632	2168	DllCommonsvc.exe	59
PID 2168 wrote to memory of 1632	2168	DllCommonsvc.exe	59
PID 2168 wrote to memory of 1632	2168	DllCommonsvc.exe	59
PID 2168 wrote to memory of 1076	2168	DllCommonsvc.exe	60
PID 2168 wrote to memory of 1076	2168	DllCommonsvc.exe	60
PID 2168 wrote to memory of 1076	2168	DllCommonsvc.exe	60
PID 2168 wrote to memory of 1088	2168	DllCommonsvc.exe	61
PID 2168 wrote to memory of 1088	2168	DllCommonsvc.exe	61
PID 2168 wrote to memory of 1088	2168	DllCommonsvc.exe	61
PID 2168 wrote to memory of 2312	2168	DllCommonsvc.exe	62
PID 2168 wrote to memory of 2312	2168	DllCommonsvc.exe	62
PID 2168 wrote to memory of 2312	2168	DllCommonsvc.exe	62
PID 2168 wrote to memory of 1404	2168	DllCommonsvc.exe	63
PID 2168 wrote to memory of 1404	2168	DllCommonsvc.exe	63
PID 2168 wrote to memory of 1404	2168	DllCommonsvc.exe	63
PID 2168 wrote to memory of 2172	2168	DllCommonsvc.exe	64
PID 2168 wrote to memory of 2172	2168	DllCommonsvc.exe	64
PID 2168 wrote to memory of 2172	2168	DllCommonsvc.exe	64
PID 2168 wrote to memory of 2980	2168	DllCommonsvc.exe	65
PID 2168 wrote to memory of 2980	2168	DllCommonsvc.exe	65
PID 2168 wrote to memory of 2980	2168	DllCommonsvc.exe	65
PID 2168 wrote to memory of 1932	2168	DllCommonsvc.exe	66
PID 2168 wrote to memory of 1932	2168	DllCommonsvc.exe	66
PID 2168 wrote to memory of 1932	2168	DllCommonsvc.exe	66
PID 2168 wrote to memory of 1028	2168	DllCommonsvc.exe	67
PID 2168 wrote to memory of 1028	2168	DllCommonsvc.exe	67
PID 2168 wrote to memory of 1028	2168	DllCommonsvc.exe	67
PID 2168 wrote to memory of 2576	2168	DllCommonsvc.exe	75
PID 2168 wrote to memory of 2576	2168	DllCommonsvc.exe	75
PID 2168 wrote to memory of 2576	2168	DllCommonsvc.exe	75
PID 2576 wrote to memory of 1676	2576	Idle.exe	79
PID 2576 wrote to memory of 1676	2576	Idle.exe	79
PID 2576 wrote to memory of 1676	2576	Idle.exe	79
PID 1676 wrote to memory of 2704	1676	cmd.exe	81
PID 1676 wrote to memory of 2704	1676	cmd.exe	81
PID 1676 wrote to memory of 2704	1676	cmd.exe	81
PID 1676 wrote to memory of 2916	1676	cmd.exe	82
PID 1676 wrote to memory of 2916	1676	cmd.exe	82
PID 1676 wrote to memory of 2916	1676	cmd.exe	82
PID 2916 wrote to memory of 1564	2916	Idle.exe	83
PID 2916 wrote to memory of 1564	2916	Idle.exe	83
PID 2916 wrote to memory of 1564	2916	Idle.exe	83
PID 1564 wrote to memory of 2932	1564	cmd.exe	85
PID 1564 wrote to memory of 2932	1564	cmd.exe	85
PID 1564 wrote to memory of 2932	1564	cmd.exe	85
PID 1564 wrote to memory of 580	1564	cmd.exe	86
PID 1564 wrote to memory of 580	1564	cmd.exe	86
PID 1564 wrote to memory of 580	1564	cmd.exe	86
PID 580 wrote to memory of 896	580	Idle.exe	87
PID 580 wrote to memory of 896	580	Idle.exe	87
PID 580 wrote to memory of 896	580	Idle.exe	87
PID 896 wrote to memory of 2992	896	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94b0ca59d8203f58db9ecefac778eb4a1d54e276b7e1343599d32732c40601b8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_94b0ca59d8203f58db9ecefac778eb4a1d54e276b7e1343599d32732c40601b8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2692
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2576
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2704
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2932
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2992
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        12⤵
        
        PID:1600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1788
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat"
        14⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:808
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        16⤵
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2436
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat"
        18⤵
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2204
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat"
        20⤵
        
        PID:1172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2064
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat"
        22⤵
        
        PID:876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2888
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat"
        24⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1704
        
        C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe
        
        "C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Public\Libraries\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows NT\Accessories\de-DE\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Windows\Speech\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Speech\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
493f8838a7c7e99c236131605418daed

SHA1
ca1f6c648864a3efb320c9de22acfc2bf99b8df7

SHA256
5c73d5b97c7c2fce9f095595a08305de291c6d6d5a4c9278fe8eb0425e6619b8

SHA512
b10da56b7740f287f6e3fcc8a41666552f60ac4627f9707f5edef695c84a256a507fd7fdb7e31485d0a5855d88c9bdfc02eb4b33edfb5ca61b84d1c193e8c428

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d748e4f5404d7cc9c720eee4516999f

SHA1
f6b73e46a75f7c36db0b7cec78f7dba8627d2bb3

SHA256
a0281dc5161142efcb5815b966bf760d1d5bc50d0e3136abb6dcd5adb1ba41f7

SHA512
58896470c8162aa4e07799ca70bce5bfaf069d587fea206516b7980609354f442e56364cb72db820bf5e2cc2c203b80d5985fa3a07cf90ca6ea6074ec04dc30d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da9500f5cc310c4bca0b48bbe9cf3eed

SHA1
dc3418d3e833261bade58747369476490cc749f8

SHA256
491455971cef80e54483033b1f3bfa6b2beed105de30d6c289516151205dadb6

SHA512
60db1314b8119d5dbad0e5c6e421d3c7087c52a7f060cfa38fc72ddd04611b77d3387714b7c10b7ee302780e0366f04b2767fc416d1692570fe7ab0b1f6a45e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d26a5088c32c80cd591122dd57193cb

SHA1
7cc8d5d691e2bf4133eb07133d9a9487fecb8b6b

SHA256
d0c8558ef5cfdf95bae945f887e0fb7758e2fcfed4d989babfa5018b5c88a097

SHA512
96f3f3a088c291c29cbf5629ba813c8d7ab93c56c539746ec668f1dea8a9907e665028eed203768f8ab98ab64b5174e39d7296a69a11f2780178d9aed7c251db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
abf7c17c9ba441ece33ae7fec384db7e

SHA1
b609539f0ae2fa532d12a5c20f813fda4ac4fd87

SHA256
625a574669c25a85b316b9872ecb9501accb3fb8207eccf2fa023f750ffa8a5f

SHA512
35bfcf138e519dabcf3735d42f7e09dbf00ea639881618132e490b4ccb11fa9f695b600ef4aa3199a8e10b17cb3c61aa39ff7061523719e486dcd20d9a54b933

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71aa02d17f27a5810765d5efdd7fb6ff

SHA1
a0a50c9d00354c81575dce48d99798dfd50363c7

SHA256
e7c0115a466cd2e9a95d6dddd3ee6982987f568273bfa73e5b596939dddfdc52

SHA512
e8630f55f85f19b561b857761c14ec5a4f764ad496845f87af561ee0a30a2e4bad4b0f9556e890cc85175407219ad8471e29827a02817783c76b13ffe3c4441a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8aab8bd677a7890f37711cf3267e04d

SHA1
056700163537fb5497fc4f247f3fb016955ca0f2

SHA256
bc2aa234012b43116f9781a8a3d40c4527455509b31e8b232a28e32fe9646d9c

SHA512
fcb6c1103b4c728beadaaa0269c36bd73f7664ee1291cb9c0736a5d693459138d2b1ad0eb0b87276a288ee496025b5e3212ddef03171cbfcc4dc250fc40b4487

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a668ff5a706d5f460f5e0fabda17b02

SHA1
f574feccd715f58c662fb50ae584133fe9daabcf

SHA256
0401a3c9ac5dd1fefb3df9dcf454a112a51fbf4cf89e4e4524daa7eeaea8a876

SHA512
b5b60169b7b725776a212f2a47422a99dc315e0d632362b537a21745044cd8cbbd836114c2a30b52af3afdc6ad9101727a81fbe6d6762546b430c47de1aeee40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d4aad11e7c12ea51ecefe8d06d12c529

SHA1
ed9a11dd1443ca41a83869b86fe8d64d4ed63342

SHA256
b40c2669afaf235cbb6c4d1206698ce649eda77b676a8969ab547e4ae548d7e2

SHA512
34eaa6d496f8ecc9d497f0f30c79680aae6d5fb4498a31e4b2b8a5b41ed744421ff1f868a2caa3d6b52fd4a8fc09b6daddde6ee13fb176fdbf202861bd32dce0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3j9hYFnRH7.bat

Filesize
219B

MD5
245a47f774f4d56c110472b7402a3970

SHA1
a8bc93953587caf37770125827bb6f2cc5069105

SHA256
76cf1a8a770fddf0a413ac4efeebf69400aff5ac3de92331b6f9a18277ac148d

SHA512
7ed430172db632118875d70f6ac2a5510436236a07940053a78b39169dd084dd74dfc02295d333eea5a5cdcf5bc86126821b4fb7cbaf6d3fc778e8bc46d0f1e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCD8E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

Filesize
219B

MD5
6882a788b362af76b785b49cefdcfffa

SHA1
9e3cc0404d24e69b4892d12edcf2b5316bcff9c8

SHA256
ae51fbdd5e056f501c0c0ba3e6a45165cafbc1764a09351ab696d91291f2b822

SHA512
9f61a1962414834e4b469ed2968b089bb3a26ca9f50f28fa724a91e75023e7f7615c960c8892969ba85cea26df3b6c728325222d19dacb4851478d69dc908349

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat

Filesize
219B

MD5
435bce0568c680565ead359084a3e2fa

SHA1
1ec7e5cb3e39dd44b4e877b209c68938b4576bd1

SHA256
6313af2159316dea21d392a7d5e2ae77d33b26669154cd82b962a7716ca2d6f7

SHA512
07b64433ce4e3cc60557f339077ce73b751971e26b4518cbeca518a208b770004c1d73f2bf84ffed74d52e9a6cbe2c5fbc730c48b5475058cbbf9684f71cc1d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat

Filesize
219B

MD5
40dc244bc3e798e87f41d55d8af84d95

SHA1
e51a197366de9526e441a90f55d67e9ffe3a8734

SHA256
cc8787e98233a3f402735a935be9f6f0d486ceb41bcc2d606abd2f8f8740cad9

SHA512
64217a5260da17a67f6dc5d4e509d99c163ee00f829f8d54850cf0240f20855e6bf259a483e3a04e7957074e1ce15a094e97c4d251cd7ae44ae351a8a715f1b1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
219B

MD5
cd0bfc396048ce60259571a754863c61

SHA1
9f05767c8d01e46f080f104bb0c3650412669162

SHA256
9c9c7c3a273e1f897e445edecd327b120869f18c9544910dc0ed94fd6932278f

SHA512
086e3d1706ff8fce8d67615c03f5e91791eb906439241821f65e5a5d527fde192358bf4c88aee840b9853d379945ff2b82b34db47fc2297900657d5376bc8c1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCDA0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZcfpJnj91J.bat

Filesize
219B

MD5
08b6c60ed7210cc4fe0af0a60d6ad4d7

SHA1
a2d7f383758818e8f5f30883c280ced660a8b530

SHA256
d3046096a5be6c607cf6bd6bdd10c90539bf73b29b3b279ee56d44fbe6bf747c

SHA512
6ec35642e311d2efdf78c55c3f699bdb7193ced58087be6255a6d11cdfb3bb9383c338fca6210acbf2f6273798f721c88b396432fbdb3b2c00ce43fade9f10e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\n7UEJyIAjk.bat

Filesize
219B

MD5
bbb2fb8952d4eb3deddd1a6778a4fb7f

SHA1
0c9aaf48cdd8d5d74035307c267197f0e3f7a69f

SHA256
4156d62e55bcce2f57726836017c0c702a0dc54f9209f2f4373fbe74d6e09bac

SHA512
f6a0c047dc78b9520a8fec0c6611efc9c54b3bdf651a57f2445eb4c1fdb96f057b5ae3d4990a20b70d369c86d3523d594f262a5eb99f6c051c81dc56233672cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
219B

MD5
3b85d98b7cd0345a970df2e1984b49c4

SHA1
59a17eb0b7e1d5abc9642df7fa23d90db839daf7

SHA256
c450e06152a5769333f67c79855d372cdba9fae0dbea90de144a05a18dad57b5

SHA512
510075a03e6d08a996a2436f3fbd4d90550f92a824f15422dae6bb3d10970aea347d1b2e281376f54b18b60370831ee08261a54c25c2a61cd8e6e6651cf44f5d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ww4YVzclJm.bat

Filesize
219B

MD5
59b6109723b4b23ffdd992c78a276f19

SHA1
184599aeb0d7555860d3013110390f3085bdcb42

SHA256
65e8c79591c287fe33e08500f8afc6c4b84fc643df5a69a976178709cd688659

SHA512
4e0d9dc0ea9cf8c9d094c4d83d1edb2ff5c47559e531f534b1a9d7d0978f0649ac55d6e0e1e5922502c9c9d689daa2bfa42bdea91b4a860c3102aa8c433450bc

Download Submit
C:\Users\Admin\AppData\Local\Temp\z3bbUpz34c.bat

Filesize
219B

MD5
97a6b1279f141c197e62ae71f119fd3d

SHA1
40397717f0703597d28c8bd2dbd3e857f7934808

SHA256
dd001cc63f79b8388bbdf46a8bd978950634a4ceba8c5cc71fa813dc0595962c

SHA512
b4f03526236c4e330702c7fa3b2e27d44d598cc6c9457e36e49f91b6f2741dc5ef5e565ba1234042314be80dbc2ad990173de0243b9ff84a55eb13c3ff51f246

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d15839bc3a6ea53e975af7451d034384

SHA1
c109cf22560b8127d208f6071ccf312d0f5fe587

SHA256
57daa713aea5b23718da83212f8e586f8b59f304cbe56af505500d8bc5ca89b9

SHA512
b94669672f186ab995c66fe2f520b874409ca725e282caab74119c8dbf59f1cf7308667c40d1ad3229facb2f771a8c180662f26efa0eedf33ed4170355033c81

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/580-205-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/1076-52-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/1076-51-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/1556-325-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1764-265-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1816-626-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/1832-385-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download
memory/1832-386-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2168-15-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2168-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2168-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2168-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2168-17-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2312-446-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/2576-40-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2876-566-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2916-145-0x0000000000A00000-0x0000000000B10000-memory.dmp

Filesize
1.1MB

Download
memory/3040-506-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download