dcrat | c48d602db2a07fea3798803b63fdc2f4328b6c7fda512863cd5d00697f9a27ce

Analysis

max time kernel
143s
max time network
138s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c48d602db2a07fea3798803b63fdc2f4328b6c7fda512863cd5d00697f9a27ce.exe
Size

1.3MB
MD5

3b0ca74b09ecb9d8eac4c4f69a4a0716
SHA1

5770d40cebaafde4a9ad69be1a1d046d18e9cf6b
SHA256

c48d602db2a07fea3798803b63fdc2f4328b6c7fda512863cd5d00697f9a27ce
SHA512

6e2ea4cea3f82a14f452ee0d6d45d71cd673296fa8a28e268dabab83cdbedbd9c295b109197e29315b60d4eb2090d8b0b1ee3b8acb8e63f7c844d0c43f553682
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2476	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2860	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2652	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2652	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000018bdd-12.dat	dcrat
behavioral1/memory/2956-13-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/1268-40-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/2860-142-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat
behavioral1/memory/1900-202-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2296-498-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/1708-558-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/1564-619-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat
behavioral1/memory/2432-679-0x00000000009A0000-0x0000000000AB0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
448	powershell.exe
2072	powershell.exe
2596	powershell.exe
2096	powershell.exe
1056	powershell.exe
1132	powershell.exe
2512	powershell.exe
960	powershell.exe
2924	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2956	DllCommonsvc.exe
1268	WmiPrvSE.exe
2860	WmiPrvSE.exe
1900	WmiPrvSE.exe
1568	WmiPrvSE.exe
952	WmiPrvSE.exe
2144	WmiPrvSE.exe
1716	WmiPrvSE.exe
2296	WmiPrvSE.exe
1708	WmiPrvSE.exe
1564	WmiPrvSE.exe
2432	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
1604	cmd.exe
1604	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
35	raw.githubusercontent.com
32	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c48d602db2a07fea3798803b63fdc2f4328b6c7fda512863cd5d00697f9a27ce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
900	schtasks.exe
2476	schtasks.exe
2044	schtasks.exe
2452	schtasks.exe
2876	schtasks.exe
3024	schtasks.exe
3044	schtasks.exe
2604	schtasks.exe
2216	schtasks.exe
1664	schtasks.exe
3016	schtasks.exe
3020	schtasks.exe
2032	schtasks.exe
1900	schtasks.exe
320	schtasks.exe
1716	schtasks.exe
2232	schtasks.exe
2860	schtasks.exe
1956	schtasks.exe
2948	schtasks.exe
2980	schtasks.exe
1572	schtasks.exe
2208	schtasks.exe
756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2956	DllCommonsvc.exe
2956	DllCommonsvc.exe
2956	DllCommonsvc.exe
2096	powershell.exe
1056	powershell.exe
2596	powershell.exe
2512	powershell.exe
448	powershell.exe
2924	powershell.exe
2072	powershell.exe
960	powershell.exe
1268	WmiPrvSE.exe
1132	powershell.exe
2860	WmiPrvSE.exe
1900	WmiPrvSE.exe
1568	WmiPrvSE.exe
952	WmiPrvSE.exe
2144	WmiPrvSE.exe
1716	WmiPrvSE.exe
2296	WmiPrvSE.exe
1708	WmiPrvSE.exe
1564	WmiPrvSE.exe
2432	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	DllCommonsvc.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	1268	WmiPrvSE.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	448	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	2860	WmiPrvSE.exe
Token: SeDebugPrivilege	1900	WmiPrvSE.exe
Token: SeDebugPrivilege	1568	WmiPrvSE.exe
Token: SeDebugPrivilege	952	WmiPrvSE.exe
Token: SeDebugPrivilege	2144	WmiPrvSE.exe
Token: SeDebugPrivilege	1716	WmiPrvSE.exe
Token: SeDebugPrivilege	2296	WmiPrvSE.exe
Token: SeDebugPrivilege	1708	WmiPrvSE.exe
Token: SeDebugPrivilege	1564	WmiPrvSE.exe
Token: SeDebugPrivilege	2432	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2724 wrote to memory of 2820	2724	JaffaCakes118_c48d602db2a07fea3798803b63fdc2f4328b6c7fda512863cd5d00697f9a27ce.exe	31
PID 2724 wrote to memory of 2820	2724	JaffaCakes118_c48d602db2a07fea3798803b63fdc2f4328b6c7fda512863cd5d00697f9a27ce.exe	31
PID 2724 wrote to memory of 2820	2724	JaffaCakes118_c48d602db2a07fea3798803b63fdc2f4328b6c7fda512863cd5d00697f9a27ce.exe	31
PID 2724 wrote to memory of 2820	2724	JaffaCakes118_c48d602db2a07fea3798803b63fdc2f4328b6c7fda512863cd5d00697f9a27ce.exe	31
PID 2820 wrote to memory of 1604	2820	WScript.exe	32
PID 2820 wrote to memory of 1604	2820	WScript.exe	32
PID 2820 wrote to memory of 1604	2820	WScript.exe	32
PID 2820 wrote to memory of 1604	2820	WScript.exe	32
PID 1604 wrote to memory of 2956	1604	cmd.exe	34
PID 1604 wrote to memory of 2956	1604	cmd.exe	34
PID 1604 wrote to memory of 2956	1604	cmd.exe	34
PID 1604 wrote to memory of 2956	1604	cmd.exe	34
PID 2956 wrote to memory of 2596	2956	DllCommonsvc.exe	60
PID 2956 wrote to memory of 2596	2956	DllCommonsvc.exe	60
PID 2956 wrote to memory of 2596	2956	DllCommonsvc.exe	60
PID 2956 wrote to memory of 2096	2956	DllCommonsvc.exe	61
PID 2956 wrote to memory of 2096	2956	DllCommonsvc.exe	61
PID 2956 wrote to memory of 2096	2956	DllCommonsvc.exe	61
PID 2956 wrote to memory of 2924	2956	DllCommonsvc.exe	62
PID 2956 wrote to memory of 2924	2956	DllCommonsvc.exe	62
PID 2956 wrote to memory of 2924	2956	DllCommonsvc.exe	62
PID 2956 wrote to memory of 960	2956	DllCommonsvc.exe	63
PID 2956 wrote to memory of 960	2956	DllCommonsvc.exe	63
PID 2956 wrote to memory of 960	2956	DllCommonsvc.exe	63
PID 2956 wrote to memory of 2512	2956	DllCommonsvc.exe	64
PID 2956 wrote to memory of 2512	2956	DllCommonsvc.exe	64
PID 2956 wrote to memory of 2512	2956	DllCommonsvc.exe	64
PID 2956 wrote to memory of 2072	2956	DllCommonsvc.exe	65
PID 2956 wrote to memory of 2072	2956	DllCommonsvc.exe	65
PID 2956 wrote to memory of 2072	2956	DllCommonsvc.exe	65
PID 2956 wrote to memory of 448	2956	DllCommonsvc.exe	66
PID 2956 wrote to memory of 448	2956	DllCommonsvc.exe	66
PID 2956 wrote to memory of 448	2956	DllCommonsvc.exe	66
PID 2956 wrote to memory of 1132	2956	DllCommonsvc.exe	67
PID 2956 wrote to memory of 1132	2956	DllCommonsvc.exe	67
PID 2956 wrote to memory of 1132	2956	DllCommonsvc.exe	67
PID 2956 wrote to memory of 1056	2956	DllCommonsvc.exe	68
PID 2956 wrote to memory of 1056	2956	DllCommonsvc.exe	68
PID 2956 wrote to memory of 1056	2956	DllCommonsvc.exe	68
PID 2956 wrote to memory of 1268	2956	DllCommonsvc.exe	78
PID 2956 wrote to memory of 1268	2956	DllCommonsvc.exe	78
PID 2956 wrote to memory of 1268	2956	DllCommonsvc.exe	78
PID 1268 wrote to memory of 108	1268	WmiPrvSE.exe	79
PID 1268 wrote to memory of 108	1268	WmiPrvSE.exe	79
PID 1268 wrote to memory of 108	1268	WmiPrvSE.exe	79
PID 108 wrote to memory of 2376	108	cmd.exe	81
PID 108 wrote to memory of 2376	108	cmd.exe	81
PID 108 wrote to memory of 2376	108	cmd.exe	81
PID 108 wrote to memory of 2860	108	cmd.exe	82
PID 108 wrote to memory of 2860	108	cmd.exe	82
PID 108 wrote to memory of 2860	108	cmd.exe	82
PID 2860 wrote to memory of 1588	2860	WmiPrvSE.exe	83
PID 2860 wrote to memory of 1588	2860	WmiPrvSE.exe	83
PID 2860 wrote to memory of 1588	2860	WmiPrvSE.exe	83
PID 1588 wrote to memory of 2136	1588	cmd.exe	85
PID 1588 wrote to memory of 2136	1588	cmd.exe	85
PID 1588 wrote to memory of 2136	1588	cmd.exe	85
PID 1588 wrote to memory of 1900	1588	cmd.exe	86
PID 1588 wrote to memory of 1900	1588	cmd.exe	86
PID 1588 wrote to memory of 1900	1588	cmd.exe	86
PID 1900 wrote to memory of 1156	1900	WmiPrvSE.exe	87
PID 1900 wrote to memory of 1156	1900	WmiPrvSE.exe	87
PID 1900 wrote to memory of 1156	1900	WmiPrvSE.exe	87
PID 1156 wrote to memory of 2524	1156	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c48d602db2a07fea3798803b63fdc2f4328b6c7fda512863cd5d00697f9a27ce.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c48d602db2a07fea3798803b63fdc2f4328b6c7fda512863cd5d00697f9a27ce.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2724
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2820
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2376
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2136
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2524
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
        12⤵
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3008
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat"
        14⤵
        
        PID:2232
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2968
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
        16⤵
        
        PID:664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2548
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        18⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1772
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        20⤵
        
        PID:884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1500
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat"
        22⤵
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2936
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat"
        24⤵
        
        PID:1956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2728
        
        C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe
        
        "C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files\Common Files\Microsoft Shared\TextConv\de-DE\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Mail\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Windows\PCHEALTH\ERRORREP\QSIGNOFF\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c30404843d1d5f25f1c7fd750a48044

SHA1
fe8048184f7c0d985b74ec9c688577b4fe2b5b20

SHA256
658f7d82882495badb1340faa3da37f8eed777db850bd47583ec8e4a71e66bf4

SHA512
592a7a76fdda6bcf8e445aad4cdf9a385ec66db08d0f6f304d9ea935a47007d4677ee481a7751c7feba4f86338fe664182ddeb4f207a45330576ecacab0a2cc2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22610bbd6e0c1913375f02c4e6a12535

SHA1
f5bf96e661cad2ce9848cba8d78b60e8b31e5bd3

SHA256
c05752e0ed9cc9097445e5dfcc5da69988d28fd1e4bddeb833e5699ee59d311a

SHA512
996dd6ba7903d1f187fd9026695ab48b726fb1ea15aacec4c0165f3a42870228f7b890f0d7d761567251d66168ae8794d08047c3a19173d0a491830b05a729bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8583cbf96a4e0486c1e74b7c2de1844b

SHA1
960e106e9d7bd352df02e0e80047e67d8ac8a768

SHA256
1d7ca02e929cc62a3bda494f2162735de618530990fec7d3d0e16e32af60c3ea

SHA512
e2bf6965460ed48b7fbd18b7d4b28a678eff0bb51224f3a6220bbe27840942d9e7e1f00bb665310ac907039dfa52f16e90188ba81db506d98cfb8a560f4f7eb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1600ee1fbe6e4e3eb59509366c77fe24

SHA1
90accc68d544469d64f17fb67acb5d85c60274d7

SHA256
06cf7b6ae1537546069fa3719625be3ada617e34fe1aee2fb969c90892cd477f

SHA512
e4bfd772e94e5671aef6f9a5356d0b9f5b7ceab7b5029d2f7ef6b26f43f26b80646242b6b9062487b79b8269b50f660e396bea52a19a96b0754255b0a9749b9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b2c65952244569fd42c8e5ca812224e

SHA1
f4cbba5d0f32e42aa25f1a2a217a603b73191c57

SHA256
737dc1f995511af9a815449537dcffc0a950ac94c1b5b38fa5204e1813bfdae6

SHA512
6488624d600868bcf025b332daec11cd5b79601871ee6fac5569c380c38ecb0cccb573d462d947dc2c29c91453a083bff2ec477a032b5e9d98b1f899bb3e8f57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
be3ccbdf4b6082669b02345f8de51ace

SHA1
af77577019e30784c48c5ff4562b9d2661241d73

SHA256
d92e7f93e832fff80fab240c7c0af509c36b1bc9981b715658cf5cffda5d1633

SHA512
f71a2a8edd38f4002b5137911ae5ad80d2b7b72ffa8d0d0f2cf98fe34e0de1935debfa8d939be569fb9c78cadf8ae4c6c9ea3a2db4ecddc033e6c11f02a1c663

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09b10b32dd8f2b36c45b2d1f510ef112

SHA1
ec4d76dd5d96c44c61ac3e8d9392b39843c11a19

SHA256
718fdec727f4173cca51dfdff0d3bf3eb5e62483878261fc1de5c8a8ee38f0b3

SHA512
cb0227f4353950ff258fa8d21d036e379ac4ca8dcd79ddef60f978cede7912c8f88ea8081ff5e8e39b451ec7436955b7b746fbba5d86971567a434279e3aae34

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72bd8fcf3ae51824a9d2895f1cc3e252

SHA1
a1c8be630e9f9a977d0a071194359842f5c20b6c

SHA256
1bd05c4a0a4c87bd1d3298647faa8072482547c2f1bfe49c9550398bbc4a02eb

SHA512
924eca6eace3b675d5252a1d5aa6ef1ec589a562bb8ff90a5b1026370d4fbb9bbccc0a6e6e0f55317c70becd35ff19131619aa48aed00c0e43f92abd03107666

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2be1150d7c7f59ed3a3c39f30a90c8e8

SHA1
566b8d35c5089235e67b067c1bf57b19deebee0f

SHA256
a11f3d3d9729b62d7c8e4a8becce7fdfed97fd54d5711c02fbf8325b3efe1816

SHA512
f04e7fd4c2c4554d0e76da127d353156347f37ab1bed3f6d23dbc0c1a79bbe35576363d00d990b3cff390f20d6d86dd175dfc9aa475f35c249ed252a6ee71afb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3748.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat

Filesize
239B

MD5
75d642bcd2e37ee79574591334cdb882

SHA1
cbc3e2e7789722a01c78d062ae2973290db04940

SHA256
1b2a22583995f0c560533b021e655c86ed99f50d664c07423017ae9a82cee0a9

SHA512
7d20220daefed6c3ef1abcfcf80b9cde806b5967f68d605a3536c7780ad48019c54a3e74b26ad5fb9a544cb7123cadb9657231fa3abeefa28b51d1823d4592e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

Filesize
239B

MD5
79f0fafccb80c8c3c340dde9adb4558d

SHA1
cafefd2b167b2f55f35ac522dc07e2a1863ceffd

SHA256
f46280a98cf37ecf810c2fb7ac450a5f3051daee747709b9ba0724ac42a2af32

SHA512
069c10852dc1b4aab5333b48799227e11ed23f31810f46fb7b7db7cefe1b4e40c349455514b90573093ffc551bcf370347565b22519ce3e5063d62a65ef55ce2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

Filesize
239B

MD5
d8f59abbcef64cfd2be6552be5e655d8

SHA1
1c0fd44903ec328f5b0c97e3357ff5fe1d7f349d

SHA256
bbdd3e3776019be825e25203c5c817c7534804d4fb5d2a8478de7245601e7144

SHA512
fc3c9194bf6bf254bc1c321db12b1e0f48422f8c490abb56d09a375a7ae192f3058d0b0b5ff44e30dc8e12f1b92d4bc1537969199abb89e5da5f7d2a5dee6229

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pi2dGiCBJ7.bat

Filesize
239B

MD5
acc98ae804d2d144c9937c3e78a0306a

SHA1
b85f49a0e7fdc9711f682c432e91354d45e1ed56

SHA256
d58acda601d273427bc40e253b0d353442fae943fa62e86e21a9df0e47a12e24

SHA512
b1b4eb30aabcec1be885a28d6078fe0785c34d182539baa590962c26d00140e35c3a00c1ccff647fd822b4e0db09e3986d01faf99e7c02a91e8af2baad385aea

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar376A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat

Filesize
239B

MD5
ab95c3f50a05d6493e1e689aabeeea40

SHA1
6c52704fd5d2f0206ec3a59b73d7c6bc212450af

SHA256
c7d2f1fdf1d53b888aa5f01a58edb9310a547de3b78d42f5580cdbd7c218e2ae

SHA512
4522f27af5a763ed7458786c4244c47575701848099b18463ca3cff31bec6631c799a232a7e5ceef1f9b0a10c5f452069a32b288c9d8b25f385b921ad139c8db

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat

Filesize
239B

MD5
b53736db7f534d40228f28bb98a6de10

SHA1
d1117574a021d1f7b8c5c6f1a416f384325742b1

SHA256
9d0f72b1725734676ef1235a48ead534b47baaa225bdb109e455ea732c9faae9

SHA512
f89bea39326d5388850ba23928ccf328602c95341043c952b608187134a58e5582646a6f9ab3d4c00d26323a4ca7aa472c52870b5dd860ddcae0fc804812be78

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

Filesize
239B

MD5
93fbda6cffdb110ed094792026bdaf9c

SHA1
d6b573c868f82cd3311b10e5de1f3e21baefc892

SHA256
6a1e0bc7ad393355a8b5acff2c19ecc3284700bb92b58ef136efc19284137235

SHA512
893f2a4b0d6e18771e1ccc4f0bbff8332257c5fae04edfad06554a98a7c5b6e51c24521c6a8cf4d2a874a181d681f0da15ad0fd581dfab94a7b0099233123672

Download Submit
C:\Users\Admin\AppData\Local\Temp\kwOVarqRTQ.bat

Filesize
239B

MD5
bab85d29eb91d2eda0fbefdf22912216

SHA1
4f653108f47e90fe3691ff98d09097ac6f1b8b4f

SHA256
24f4d398406ca16a054d4804e7c21ed22df9119537a67a736d56178f9f3b6473

SHA512
9066193da4adb2ca3f08d4a844f1d758e4a7169f1a43dcff00d4d1a387920434d8bcefcadce573f9d72469fca4620a961a2b97ea57e4ac271c88a916f8ab07b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\oYNvu0ZNBR.bat

Filesize
239B

MD5
7ddef6ccf9082c565526ab1cd1bb0d22

SHA1
813bf375b01b45a6022de0f3dfe69d4e43fdaf25

SHA256
3fbcbc6f734a4463575939d1e14673e47962afe1188bb190a425f0d8a7b5b44b

SHA512
e9f78827d96017cf52bb92bbbc765c4027ec1deee3d2df09dfe5d59d3d55d316c9ed8a8163696d423480cfae2f97ff4107716305d82d0d43f718f396c4b5c878

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
239B

MD5
d06d20d5988757aeb32fa28fb97660d0

SHA1
700b183e91c44aa859510be34e55a9f82358fd1b

SHA256
30a7c858f075de68d3ed513b4009fb544f31d3cdbf5061f7471d96c3241c3b31

SHA512
19fccc888906fec7f918d74cbc6e5747a017137e77009d60ffe80766fb57c0cda5d752bb6f764fb4ef8d2a22baef79aea8ceaf5d7ed36af884a653382d4b4636

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c73a5753be4c12b09cb1112d8d3da257

SHA1
c9d64d7a0aace30ae357fc55ae60fd014b27ea78

SHA256
f791efdd34a6e5c8b90887062e7a031203de59991e153b39473dba2fd63acc44

SHA512
98fe136c0b363753f2c381f72aacdb719a4fc2b09b024f8a33946021a5bdc2018229175f1ed05a2fb7f9faff9dd9d3034992814fa4f7ab4f70fa1e3c8af7fd61

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1268-40-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1564-619-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/1708-558-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download
memory/1708-559-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1900-202-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2096-56-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/2096-46-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/2296-498-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/2432-679-0x00000000009A0000-0x0000000000AB0000-memory.dmp

Filesize
1.1MB

Download
memory/2860-142-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/2956-14-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2956-13-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/2956-15-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2956-16-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2956-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download