dcrat | 960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe
Size

1.3MB
MD5

aaebfc91d78692ceb82fc9ae88cdc53c
SHA1

98aa425b5faaf48103aa59c0d40c8143fcf20094
SHA256

960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9
SHA512

fdcca74b9992bd5c417e085ec34213aea2f6f3ce36daa6ccb8db4b8c66706ac768e8a0d4d961a06bcc27801d4de54301a484beb513aeeff7916ffd496bf9883a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	644	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2668	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001686c-9.dat	dcrat
behavioral1/memory/2244-13-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat
behavioral1/memory/2776-87-0x00000000008F0000-0x0000000000A00000-memory.dmp	dcrat
behavioral1/memory/2748-146-0x0000000000B10000-0x0000000000C20000-memory.dmp	dcrat
behavioral1/memory/948-206-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/1728-267-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2588-327-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat
behavioral1/memory/2836-388-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/2780-449-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/1460-568-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2596	powershell.exe
2436	powershell.exe
2352	powershell.exe
1588	powershell.exe
2248	powershell.exe
1972	powershell.exe
1508	powershell.exe
1520	powershell.exe
1412	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2244	DllCommonsvc.exe
2776	lsm.exe
2748	lsm.exe
948	lsm.exe
1728	lsm.exe
2588	lsm.exe
2836	lsm.exe
2780	lsm.exe
1728	lsm.exe
1460	lsm.exe
1916	lsm.exe
2500	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2936	cmd.exe
2936	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
36	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\services.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1648	schtasks.exe
1868	schtasks.exe
2332	schtasks.exe
2612	schtasks.exe
1880	schtasks.exe
1920	schtasks.exe
1048	schtasks.exe
2796	schtasks.exe
3012	schtasks.exe
2076	schtasks.exe
872	schtasks.exe
2008	schtasks.exe
2472	schtasks.exe
316	schtasks.exe
1360	schtasks.exe
2788	schtasks.exe
2764	schtasks.exe
2544	schtasks.exe
2948	schtasks.exe
1264	schtasks.exe
1372	schtasks.exe
1272	schtasks.exe
644	schtasks.exe
1740	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2244	DllCommonsvc.exe
2244	DllCommonsvc.exe
2244	DllCommonsvc.exe
2436	powershell.exe
1412	powershell.exe
2596	powershell.exe
1508	powershell.exe
1520	powershell.exe
2248	powershell.exe
1972	powershell.exe
1588	powershell.exe
2352	powershell.exe
2776	lsm.exe
2748	lsm.exe
948	lsm.exe
1728	lsm.exe
2588	lsm.exe
2836	lsm.exe
2780	lsm.exe
1728	lsm.exe
1460	lsm.exe
1916	lsm.exe
2500	lsm.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2244	DllCommonsvc.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2248	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2776	lsm.exe
Token: SeDebugPrivilege	2748	lsm.exe
Token: SeDebugPrivilege	948	lsm.exe
Token: SeDebugPrivilege	1728	lsm.exe
Token: SeDebugPrivilege	2588	lsm.exe
Token: SeDebugPrivilege	2836	lsm.exe
Token: SeDebugPrivilege	2780	lsm.exe
Token: SeDebugPrivilege	1728	lsm.exe
Token: SeDebugPrivilege	1460	lsm.exe
Token: SeDebugPrivilege	1916	lsm.exe
Token: SeDebugPrivilege	2500	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2092 wrote to memory of 2964	2092	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe	30
PID 2092 wrote to memory of 2964	2092	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe	30
PID 2092 wrote to memory of 2964	2092	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe	30
PID 2092 wrote to memory of 2964	2092	JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe	30
PID 2964 wrote to memory of 2936	2964	WScript.exe	32
PID 2964 wrote to memory of 2936	2964	WScript.exe	32
PID 2964 wrote to memory of 2936	2964	WScript.exe	32
PID 2964 wrote to memory of 2936	2964	WScript.exe	32
PID 2936 wrote to memory of 2244	2936	cmd.exe	34
PID 2936 wrote to memory of 2244	2936	cmd.exe	34
PID 2936 wrote to memory of 2244	2936	cmd.exe	34
PID 2936 wrote to memory of 2244	2936	cmd.exe	34
PID 2244 wrote to memory of 2596	2244	DllCommonsvc.exe	60
PID 2244 wrote to memory of 2596	2244	DllCommonsvc.exe	60
PID 2244 wrote to memory of 2596	2244	DllCommonsvc.exe	60
PID 2244 wrote to memory of 2436	2244	DllCommonsvc.exe	61
PID 2244 wrote to memory of 2436	2244	DllCommonsvc.exe	61
PID 2244 wrote to memory of 2436	2244	DllCommonsvc.exe	61
PID 2244 wrote to memory of 1972	2244	DllCommonsvc.exe	62
PID 2244 wrote to memory of 1972	2244	DllCommonsvc.exe	62
PID 2244 wrote to memory of 1972	2244	DllCommonsvc.exe	62
PID 2244 wrote to memory of 2352	2244	DllCommonsvc.exe	63
PID 2244 wrote to memory of 2352	2244	DllCommonsvc.exe	63
PID 2244 wrote to memory of 2352	2244	DllCommonsvc.exe	63
PID 2244 wrote to memory of 1508	2244	DllCommonsvc.exe	64
PID 2244 wrote to memory of 1508	2244	DllCommonsvc.exe	64
PID 2244 wrote to memory of 1508	2244	DllCommonsvc.exe	64
PID 2244 wrote to memory of 1520	2244	DllCommonsvc.exe	65
PID 2244 wrote to memory of 1520	2244	DllCommonsvc.exe	65
PID 2244 wrote to memory of 1520	2244	DllCommonsvc.exe	65
PID 2244 wrote to memory of 1588	2244	DllCommonsvc.exe	66
PID 2244 wrote to memory of 1588	2244	DllCommonsvc.exe	66
PID 2244 wrote to memory of 1588	2244	DllCommonsvc.exe	66
PID 2244 wrote to memory of 1412	2244	DllCommonsvc.exe	67
PID 2244 wrote to memory of 1412	2244	DllCommonsvc.exe	67
PID 2244 wrote to memory of 1412	2244	DllCommonsvc.exe	67
PID 2244 wrote to memory of 2248	2244	DllCommonsvc.exe	68
PID 2244 wrote to memory of 2248	2244	DllCommonsvc.exe	68
PID 2244 wrote to memory of 2248	2244	DllCommonsvc.exe	68
PID 2244 wrote to memory of 1308	2244	DllCommonsvc.exe	78
PID 2244 wrote to memory of 1308	2244	DllCommonsvc.exe	78
PID 2244 wrote to memory of 1308	2244	DllCommonsvc.exe	78
PID 1308 wrote to memory of 1928	1308	cmd.exe	80
PID 1308 wrote to memory of 1928	1308	cmd.exe	80
PID 1308 wrote to memory of 1928	1308	cmd.exe	80
PID 1308 wrote to memory of 2776	1308	cmd.exe	81
PID 1308 wrote to memory of 2776	1308	cmd.exe	81
PID 1308 wrote to memory of 2776	1308	cmd.exe	81
PID 2776 wrote to memory of 484	2776	lsm.exe	82
PID 2776 wrote to memory of 484	2776	lsm.exe	82
PID 2776 wrote to memory of 484	2776	lsm.exe	82
PID 484 wrote to memory of 2516	484	cmd.exe	84
PID 484 wrote to memory of 2516	484	cmd.exe	84
PID 484 wrote to memory of 2516	484	cmd.exe	84
PID 484 wrote to memory of 2748	484	cmd.exe	85
PID 484 wrote to memory of 2748	484	cmd.exe	85
PID 484 wrote to memory of 2748	484	cmd.exe	85
PID 2748 wrote to memory of 1848	2748	lsm.exe	86
PID 2748 wrote to memory of 1848	2748	lsm.exe	86
PID 2748 wrote to memory of 1848	2748	lsm.exe	86
PID 1848 wrote to memory of 3068	1848	cmd.exe	88
PID 1848 wrote to memory of 3068	1848	cmd.exe	88
PID 1848 wrote to memory of 3068	1848	cmd.exe	88
PID 1848 wrote to memory of 948	1848	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_960726de85b86c733dece301854423335136b145745df502806ae40a4a00d0e9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2964
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2244
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Start Menu\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m0FgMnUszz.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1308
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1928
      - C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2516
        
        C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3068
        
        C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat"
        11⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1476
        
        C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat"
        13⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1684
        
        C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat"
        15⤵
        
        PID:1364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2340
        
        C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat"
        17⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:280
        
        C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat"
        19⤵
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2808
        
        C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        21⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1724
        
        C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
        23⤵
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2056
        
        C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        25⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2460
        
        C:\Users\Default\Start Menu\lsm.exe
        
        "C:\Users\Default\Start Menu\lsm.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Start Menu\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default\Start Menu\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Start Menu\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Cartridges\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Uninstall Information\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Photo Viewer\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7fb5bcfc929bf4ecdd49840fece865f

SHA1
1c8a1a5539f2d453b7e85aedc97ad8275781a5a2

SHA256
c6d26b1950783a1c9a13d2a1b8f95316ef71462ff7a1fc26feb85f5c37250cc1

SHA512
0cf47f28b7db3e8bcc01d99334ebd69602b66157530b411c0cb19b0e1da76460a57071df6db69d0c74adbc241a9d5755e47205977c0a73d8ee944251f9d71228

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f43fa88ad2c85d7b07b04b193c4f711

SHA1
7dcaa105f8fc887dd638f2c14193908f524c1913

SHA256
437a713b3d78f258ba207d79081df2d349269c8245c0eb40a7261341880cc5a0

SHA512
1fd6c1f6e29fe091680f29cee3dd48767009bedb5b7bce214ea9a25f83ebb42620b66a526ebe76de3196e4463be66ec68ba3133e28aa058b56ccb70c84a37c4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8e5c660f218f8223087147d8f73deb2

SHA1
06fa34dba827ec7328740de7fce530315f59706a

SHA256
753781db4097766d832bcdf0d0bdd83abcd19c093cbeb7eac4ae7a7fa57e9857

SHA512
e034ed6995f7ba6c1899e2c56a1e618b43fde4a25f51e52dae0be0ff413d33ce0bcafaad6a11474aa2fc5a84775f17f5878ecb96bc4f91e030224e60eaacc7a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
43becb56eb7eadd7dbeb7585af04b4db

SHA1
5a61153dc7faf08c8b57ae2eb8d140baabc607b8

SHA256
f30f78ad534691a2beee2202f86ac023ad6cbf07dc30e6b1f9443cb898cdd56e

SHA512
5ad21b0fb736210e06b819efb82e1410b0f4ba1fb424fc614ea555b242924b4777f1d9b0fa95dbb2760342f30bde8c2449c8718ae546070b0a01b126cc3839eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2aa37def11b65f94ff1e398a8157e3d2

SHA1
a777c3bf2e8fa18a0212e4645aaeaa9d3842de42

SHA256
41bd7901f6a228103bb087ba78e2c613e4902934c0f1897d9e9469815bc42ddf

SHA512
5191b873217ef14ed50fec3a26ca8882790c85201b19315bdb836e88be7935f2ab64d73b296c03be723077e360811a5785cf9f12aed83cf06443ed972e2f16a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a244660bff6aa1ee3d83f1fe4f0d4cec

SHA1
8629bb2b8aa95bc9613fd2c86b1a4540a44b584f

SHA256
47d444483e9985c742460a015ee5c5723ed0e7bfe426a4cb484ed86e651301ff

SHA512
44ef335e472b617b8795cb9f56cdd3789789f161385ee61806515bbb3f956ce2ac52235914df69cc97495715d420ef77a94976db99b817d49bae1f7470d7de40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbe27b097518cf1ae7b19795bfb0f2e2

SHA1
c455057ef7ee0e8ab40e7be9b9073969e5802b63

SHA256
933341ca26a843c7d2cffff44a6a427a9588ffbf24158e5ef53514d23f54853e

SHA512
544cbb145033b5980db1b6c6f1c90dd0bd34a2e1669d06c2a85476a7a0bef5b42370aa2d4e805446123bfebc32460376aab5622c2eccbf5b8ead71963d92adb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f65bba0327e7d855ef9c38b9b26cddad

SHA1
b3a8b0f005686b8776b59b9b892cc2372e2c9c0f

SHA256
9d76db2ded4ad1b00c9613f89d364fe0730c7061b81c649706bbb2beb547cfc9

SHA512
b15debf796c48dc188e273ce37b58c352a7730f511978f8e088eae89a0afbd062f4f7954e273f633f02eb0a16ff2000157070a8afa4563bce178cf17e341521a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbda5d719e48635a5679bfbd41274f35

SHA1
3098af152b9c0f5bf01865b70729af9025f0a416

SHA256
f8d03a91250749f3b1ea5548c06fe3c48a88a5e7a682fbb9496b2271d537d838

SHA512
c23535a6350b3c28ab6c292b65a2e00617d6c5bca9b3b10ef022042c13563d1091d72eb4287e2af2c56fce0b511b1d1e9702d36e9dcb1bf24c249dfaa4a8fd20

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

Filesize
200B

MD5
15f978f916cb66e30248780f24f13d3c

SHA1
a83680ecf8ddc99cac2c9cbb3b9a5912200a8ca7

SHA256
b74239d5736486e10ceb599b13bc649c6bd1a0aa02018530644036e6fba001a2

SHA512
e6d1d85d5c5a648d4511d6a7b67e443bb40537308836174069b35b32429492dafcf26c3a0daef32de872e417c6dab0f56a07609406e563b53deac41711618b1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab59E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F1gdtReUkn.bat

Filesize
200B

MD5
a3bcc7dce8430497795514295b87e15f

SHA1
b561aeb0e5d5967210c00e2bdd1d761c934b24a2

SHA256
680b83c499356c03da278fd78ad23c8949baea1c10b3d37c11fa5a2731d7d3a4

SHA512
584848366a3afc515e4d2810172ff310bebbf8fff21eb2e9d91b48e6684aa6707fcad58121bb27935bd8d7f04b39937e122b04fb15b3ed2dde583d17e1c67711

Download Submit
C:\Users\Admin\AppData\Local\Temp\GX2kvMhQbI.bat

Filesize
200B

MD5
3de61abb511a5e902a61f31b1f26d940

SHA1
85c55e8d954bd915f73f66fd2294051acf54b28b

SHA256
9d595f40a54e63c0c381ab0a8bddd5c5c5504023b6f46b85acc69219ae5e08c8

SHA512
c9cb45a509802cbeb764db1a1f3514aa497c3abac720525d2fe7435e0b17a4ced1ece9463218c94c384cd6f8ec09667ae47391c28e1f44b23fd19325256ea239

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat

Filesize
200B

MD5
9506a7a7cfecd6108ca6cb362d1720c7

SHA1
9b4e16179f9353e22c8d4e3004d74ba49ffa7b4c

SHA256
110d0346407dcf0fb7721a91b0769776a1c5ab3b9c13173d28c240af501a4c41

SHA512
8744eaa0c9e1411baead0818bfeb3b7967d89c31a194e56cbefb36d3e3c0da50fabe5afa989b33b995d0a0fbe57bf3346b5ea74a360cfa9d2ae8c35b56ad56c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
200B

MD5
a401d42a10dd49be092f4b5a1b12a685

SHA1
d8acd71e2e8a1c35bc2e593391f41124fc20c726

SHA256
ea2aacce8111db2e381814015355f8d5ce3192580e41567be29b4e22f6aa37d3

SHA512
f0ffbe0f0b6df5a39f8850d28fa558acf1fef5ab1e881c8fcff4f46fccb8eb896b32f9d81bb064b5b21ec59d05b4ed3678587b51b56423c3ddc893d99aa7026a

Download Submit
C:\Users\Admin\AppData\Local\Temp\axBdnWD1Gl.bat

Filesize
200B

MD5
6b4eef5869e78662cdc914b12e285f00

SHA1
97fa97afc549cfd2ce7c48b94bbfc3a102afa464

SHA256
ba2c91696fd7cc25d35f7760859d5e0ff9a01f8aa0df38a98c67871cdf1b6eea

SHA512
0a748c643183a2f9c3129360a3c8374dc44ce88bb7bb6367c6a23a109fe3b605873cb7a237f73d1ca05d12c1f71fa94715cd28eaf6c1fb9813af2f8cc36ce080

Download Submit
C:\Users\Admin\AppData\Local\Temp\m0FgMnUszz.bat

Filesize
200B

MD5
0e4cc9b0d028dc74c8ccc9ec3e826b62

SHA1
56b2e9d5580f01fb012a1f6ba37bb9950c4ad6fc

SHA256
3f8a4b974fc6b48da7b873a691fd528586621d6a0522ccee5207879e8e1f5c2e

SHA512
2d854645d7944c0575024bcf511b6e3270dd18ac0cba2166b4ec19430d7ae5acb1ee21e89c84588e65dd1a8f839ea85ee435b87f0d4fee1d51cbee0665dd8d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

Filesize
200B

MD5
18beb48960646e1dfa90e494d7e066a5

SHA1
f3604d316ae42a8e0111256a1275618a1051ca38

SHA256
816d9a1aa4d8ee54303c26a7dc18f4b976b72df19fface0fff6a89bf96eb71e4

SHA512
76e16097f732991608ea3ccfb51fd44bacc276bdb05cf57b2a842881db3a3d776af7b40cf93e2f654a0e4804f45a2e886839c20990f863ba273e43b4c02359f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
200B

MD5
50204d39fdce0e6994c5d32d9a5018df

SHA1
bbb13d83f806494dfd7db256bb6449f915751d5f

SHA256
805edae270eac69bbb1aa06dcab5fa4a65df8979e0e1978e33cfcf5d796d7a6d

SHA512
a0d5f612a0b551295731fbaded4df14dc482eacea60431ecba77c2604b0b53ceb18f897ee3113e67bbf6e9b2cc4db5f11702100f5c18720385dc8baf5c0dd4b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\sNl5EWIzDs.bat

Filesize
200B

MD5
f3e39b30c5b3407d3b3e777fad49b1b3

SHA1
2aedcdddf5d129e480ef3c38f8265e284aedcc8e

SHA256
844777650e0b68ba94713b5ade87b762027c354d17b446dfa5522c0a95982e51

SHA512
a856ef50e8f9c61301e6e58ba5703005c771021a659407857b0d2c5f93910e1f8fefcb9846dc83e9bd35a1aba9e5cbc655cae0779c980eee2fcd40208430be94

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbXk1H8t4K.bat

Filesize
200B

MD5
d5a3603e8d9d178e870aebbf7334293d

SHA1
49cc6c80ead42e53df07b2b54df32ee2a58ef145

SHA256
b59d3377243c1c5a7f0f07743d99b277f804fe3481310b70da3f4a0e1900ba44

SHA512
e56142d52ca3b8992b39f2a3d2aacf776ba5ab10a1266eabc9cd7921e7fef7961f2cf199eafdf8053dbd28108ae26b0112d7bd7b1e28b85da579052ce4e6c315

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
12602654ee47edf4eafa63ca1055f07d

SHA1
37095d29e08e61506f11fe777c1e110f7b91a41c

SHA256
1d1b1b60d9534a0ed7a071c55f4163372962ea238575f30d69ff401f84e97aee

SHA512
ab0222c93fead38b1a3c5ab3faef779d794ff76feb5a5c4ae6b00fa973979ab38cd76409c6b261a2c6e2c606cd759f1df9480e4f90167a61b07ca5b891bae607

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/948-206-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/948-207-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1460-569-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/1460-568-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/1520-53-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1728-267-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/1916-629-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2244-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2244-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2244-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2244-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2244-13-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/2436-63-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2588-328-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2588-327-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/2748-146-0x0000000000B10000-0x0000000000C20000-memory.dmp

Filesize
1.1MB

Download
memory/2776-87-0x00000000008F0000-0x0000000000A00000-memory.dmp

Filesize
1.1MB

Download
memory/2780-449-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/2836-389-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2836-388-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download