dcrat | b03e6a554c1ec7865ce9ac4792730dabd8693e88aa39fbe0932baab5ab59d79f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 18:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_b03e6a554c1ec7865ce9ac4792730dabd8693e88aa39fbe0932baab5ab59d79f.exe
Size

1.3MB
MD5

1a2c2502e3baf31e4ea3ac3d86d48827
SHA1

f7ac0bc3d7e6e27349adf8079805d621248ec6ad
SHA256

b03e6a554c1ec7865ce9ac4792730dabd8693e88aa39fbe0932baab5ab59d79f
SHA512

920956a8bc102e81b6df2492526f36a39bb9b058b9dcfd6a743cb0c69e1286f3297c8ecc7e49a1d4185ac2ae510dc649a963c125ef87272d3387c9b0c291928d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2840	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	860	2840	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000160da-9.dat	dcrat
behavioral1/memory/2672-13-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/1940-49-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/1756-204-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/1812-265-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/400-385-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2708-445-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2656	powershell.exe
2144	powershell.exe
2224	powershell.exe
2104	powershell.exe
1132	powershell.exe
1716	powershell.exe
2128	powershell.exe
572	powershell.exe
1104	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2672	DllCommonsvc.exe
1940	sppsvc.exe
2148	sppsvc.exe
1756	sppsvc.exe
1812	sppsvc.exe
1936	sppsvc.exe
400	sppsvc.exe
2708	sppsvc.exe
1056	sppsvc.exe
1044	sppsvc.exe
2492	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2164	cmd.exe
2164	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\de-DE\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\winsxs\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_b03e6a554c1ec7865ce9ac4792730dabd8693e88aa39fbe0932baab5ab59d79f.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2872	schtasks.exe
1876	schtasks.exe
2900	schtasks.exe
2252	schtasks.exe
860	schtasks.exe
2844	schtasks.exe
1744	schtasks.exe
1680	schtasks.exe
2876	schtasks.exe
2568	schtasks.exe
2368	schtasks.exe
2020	schtasks.exe
560	schtasks.exe
1240	schtasks.exe
2904	schtasks.exe
620	schtasks.exe
2596	schtasks.exe
2636	schtasks.exe
1236	schtasks.exe
2240	schtasks.exe
1760	schtasks.exe
2648	schtasks.exe
2628	schtasks.exe
2176	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs

pid	Process
2148	sppsvc.exe
1756	sppsvc.exe
1812	sppsvc.exe
1936	sppsvc.exe
400	sppsvc.exe
2708	sppsvc.exe
1056	sppsvc.exe
1044	sppsvc.exe
2492	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2672	DllCommonsvc.exe
2672	DllCommonsvc.exe
2672	DllCommonsvc.exe
2672	DllCommonsvc.exe
2672	DllCommonsvc.exe
2672	DllCommonsvc.exe
2672	DllCommonsvc.exe
1104	powershell.exe
2144	powershell.exe
2224	powershell.exe
572	powershell.exe
2104	powershell.exe
2656	powershell.exe
2128	powershell.exe
1716	powershell.exe
1132	powershell.exe
1940	sppsvc.exe
2148	sppsvc.exe
1756	sppsvc.exe
1812	sppsvc.exe
1936	sppsvc.exe
400	sppsvc.exe
2708	sppsvc.exe
1056	sppsvc.exe
1044	sppsvc.exe
2492	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2672	DllCommonsvc.exe
Token: SeDebugPrivilege	1104	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1132	powershell.exe
Token: SeDebugPrivilege	1940	sppsvc.exe
Token: SeDebugPrivilege	2148	sppsvc.exe
Token: SeDebugPrivilege	1756	sppsvc.exe
Token: SeDebugPrivilege	1812	sppsvc.exe
Token: SeDebugPrivilege	1936	sppsvc.exe
Token: SeDebugPrivilege	400	sppsvc.exe
Token: SeDebugPrivilege	2708	sppsvc.exe
Token: SeDebugPrivilege	1056	sppsvc.exe
Token: SeDebugPrivilege	1044	sppsvc.exe
Token: SeDebugPrivilege	2492	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 276 wrote to memory of 2052	276	JaffaCakes118_b03e6a554c1ec7865ce9ac4792730dabd8693e88aa39fbe0932baab5ab59d79f.exe	31
PID 276 wrote to memory of 2052	276	JaffaCakes118_b03e6a554c1ec7865ce9ac4792730dabd8693e88aa39fbe0932baab5ab59d79f.exe	31
PID 276 wrote to memory of 2052	276	JaffaCakes118_b03e6a554c1ec7865ce9ac4792730dabd8693e88aa39fbe0932baab5ab59d79f.exe	31
PID 276 wrote to memory of 2052	276	JaffaCakes118_b03e6a554c1ec7865ce9ac4792730dabd8693e88aa39fbe0932baab5ab59d79f.exe	31
PID 2052 wrote to memory of 2164	2052	WScript.exe	32
PID 2052 wrote to memory of 2164	2052	WScript.exe	32
PID 2052 wrote to memory of 2164	2052	WScript.exe	32
PID 2052 wrote to memory of 2164	2052	WScript.exe	32
PID 2164 wrote to memory of 2672	2164	cmd.exe	34
PID 2164 wrote to memory of 2672	2164	cmd.exe	34
PID 2164 wrote to memory of 2672	2164	cmd.exe	34
PID 2164 wrote to memory of 2672	2164	cmd.exe	34
PID 2672 wrote to memory of 2656	2672	DllCommonsvc.exe	60
PID 2672 wrote to memory of 2656	2672	DllCommonsvc.exe	60
PID 2672 wrote to memory of 2656	2672	DllCommonsvc.exe	60
PID 2672 wrote to memory of 2144	2672	DllCommonsvc.exe	61
PID 2672 wrote to memory of 2144	2672	DllCommonsvc.exe	61
PID 2672 wrote to memory of 2144	2672	DllCommonsvc.exe	61
PID 2672 wrote to memory of 2224	2672	DllCommonsvc.exe	62
PID 2672 wrote to memory of 2224	2672	DllCommonsvc.exe	62
PID 2672 wrote to memory of 2224	2672	DllCommonsvc.exe	62
PID 2672 wrote to memory of 2104	2672	DllCommonsvc.exe	63
PID 2672 wrote to memory of 2104	2672	DllCommonsvc.exe	63
PID 2672 wrote to memory of 2104	2672	DllCommonsvc.exe	63
PID 2672 wrote to memory of 572	2672	DllCommonsvc.exe	65
PID 2672 wrote to memory of 572	2672	DllCommonsvc.exe	65
PID 2672 wrote to memory of 572	2672	DllCommonsvc.exe	65
PID 2672 wrote to memory of 2128	2672	DllCommonsvc.exe	68
PID 2672 wrote to memory of 2128	2672	DllCommonsvc.exe	68
PID 2672 wrote to memory of 2128	2672	DllCommonsvc.exe	68
PID 2672 wrote to memory of 1716	2672	DllCommonsvc.exe	70
PID 2672 wrote to memory of 1716	2672	DllCommonsvc.exe	70
PID 2672 wrote to memory of 1716	2672	DllCommonsvc.exe	70
PID 2672 wrote to memory of 1104	2672	DllCommonsvc.exe	71
PID 2672 wrote to memory of 1104	2672	DllCommonsvc.exe	71
PID 2672 wrote to memory of 1104	2672	DllCommonsvc.exe	71
PID 2672 wrote to memory of 1132	2672	DllCommonsvc.exe	72
PID 2672 wrote to memory of 1132	2672	DllCommonsvc.exe	72
PID 2672 wrote to memory of 1132	2672	DllCommonsvc.exe	72
PID 2672 wrote to memory of 1940	2672	DllCommonsvc.exe	78
PID 2672 wrote to memory of 1940	2672	DllCommonsvc.exe	78
PID 2672 wrote to memory of 1940	2672	DllCommonsvc.exe	78
PID 2672 wrote to memory of 1940	2672	DllCommonsvc.exe	78
PID 2672 wrote to memory of 1940	2672	DllCommonsvc.exe	78
PID 1940 wrote to memory of 1040	1940	sppsvc.exe	79
PID 1940 wrote to memory of 1040	1940	sppsvc.exe	79
PID 1940 wrote to memory of 1040	1940	sppsvc.exe	79
PID 1040 wrote to memory of 2868	1040	cmd.exe	81
PID 1040 wrote to memory of 2868	1040	cmd.exe	81
PID 1040 wrote to memory of 2868	1040	cmd.exe	81
PID 1040 wrote to memory of 2148	1040	cmd.exe	82
PID 1040 wrote to memory of 2148	1040	cmd.exe	82
PID 1040 wrote to memory of 2148	1040	cmd.exe	82
PID 1040 wrote to memory of 2148	1040	cmd.exe	82
PID 1040 wrote to memory of 2148	1040	cmd.exe	82
PID 2148 wrote to memory of 2668	2148	sppsvc.exe	83
PID 2148 wrote to memory of 2668	2148	sppsvc.exe	83
PID 2148 wrote to memory of 2668	2148	sppsvc.exe	83
PID 2668 wrote to memory of 1104	2668	cmd.exe	85
PID 2668 wrote to memory of 1104	2668	cmd.exe	85
PID 2668 wrote to memory of 1104	2668	cmd.exe	85
PID 2668 wrote to memory of 1756	2668	cmd.exe	86
PID 2668 wrote to memory of 1756	2668	cmd.exe	86
PID 2668 wrote to memory of 1756	2668	cmd.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b03e6a554c1ec7865ce9ac4792730dabd8693e88aa39fbe0932baab5ab59d79f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_b03e6a554c1ec7865ce9ac4792730dabd8693e88aa39fbe0932baab5ab59d79f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:276
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2164
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\SendTo\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
    - - C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
        
        "C:\Program Files\Internet Explorer\de-DE\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1940
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2868
        
        C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
        
        "C:\Program Files\Internet Explorer\de-DE\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1104
        
        C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
        
        "C:\Program Files\Internet Explorer\de-DE\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        10⤵
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2684
        
        C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
        
        "C:\Program Files\Internet Explorer\de-DE\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat"
        12⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1828
        
        C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
        
        "C:\Program Files\Internet Explorer\de-DE\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat"
        14⤵
        
        PID:1340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1876
        
        C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
        
        "C:\Program Files\Internet Explorer\de-DE\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        16⤵
        
        PID:2852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2164
        
        C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
        
        "C:\Program Files\Internet Explorer\de-DE\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        18⤵
        
        PID:1828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:952
        
        C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
        
        "C:\Program Files\Internet Explorer\de-DE\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat"
        20⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:664
        
        C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
        
        "C:\Program Files\Internet Explorer\de-DE\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat"
        22⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2616
        
        C:\Program Files\Internet Explorer\de-DE\sppsvc.exe
        
        "C:\Program Files\Internet Explorer\de-DE\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        24⤵
        
        PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\Default\SendTo\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\SendTo\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\es\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Default\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06379de57a5173646c0145cb5627a0c4

SHA1
d5f86228db1a9e2567d4b264507877a4ed33c547

SHA256
0b4a3891e3bf4ad7ac2e275a00bfea17bc7ed54e66796d65a3a6ea305097f4df

SHA512
22d8fe155d376846289d43b1d6c7ea77c995875477f7b68d8f454485a3c176b4bdb728a8a9645f6d6dcda9d7acf0ae8374bcb47cbdb93f97e4e2c541d43be4dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
444bc14f11622bfc07a8815769225a3a

SHA1
be04db6bef740190ac56002a6120df85dc30eb61

SHA256
592cf188d203940f38dd48ba39dd6736cfb85613fca9bb3c92eb725f14050162

SHA512
7d23f85104de9611e5ced2e1a9df00020c02810da3c45c76146f04ab2609c0ff8767f134700d704ecd242f009928c10a2ab4feda8180d8c376426dc15d78ed60

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83e1dae8de708c222149230e1da90390

SHA1
f6be58b5d51a0bf060098af30f30217bddd9b8f4

SHA256
69f2cef15264bf699d9e0f071d8bdd9a4da5d59e2f22db24770a26b0aaf5c09b

SHA512
615b79500a5908c8d114904ea96a675d599654d0d6713b44e31b9bc13290938df1c2062789a7f780273c4858798c6256a43cc867597a2154f282cebbc118f33f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e96227fccf1f35b1f68a44c8cbe6be09

SHA1
51123aa45d26a0fcc09db12e04eea8f2635070ab

SHA256
5be017ff7f3ac61d740b01d019046ef34d6d35c8c7b9844c753fdea864293371

SHA512
f0d761c6376cc681c829c59a93d28259cd6d5a1565a89c2419bf01c3a16f3b0c25c638a8c8d3cc683016e42fb36d3e588d38455e214f403a45d2aeeb3accdb7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d167c094505c6ebc17b6f758776b59ca

SHA1
9865d5c3b2683278b90a9078d98ecd5a5bc0f276

SHA256
0401028ad69e4b4516f5d6b20853140386ba43613cbd3a0c6a7ee7ed4b98379d

SHA512
86d65922686068f7cfad40a871a23596aad91ed0cd8a6d521e9500c8eb3d40430439212e0534d893a38ac443d73ad64fbdec4ab3e3d303464c2189b32daeaf5e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dbca24266b3cc727f1bdfe05b84fafa

SHA1
01454272ed0f2964ee4afee584f39d23a25b2d2c

SHA256
9fbf697c9cb556312053a098d53dddc12317756e635afc3dd75336b67880ac41

SHA512
28a4ea2a7b51c6fa5d31188ad67fc79450faeae6c88ca5cb0e76d68dd013c5d046b235d45f73f5776883de91106c692c1cfd7768c2d4e0341373792a7802d684

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d8a094d43994d0cad51acdbb594844df

SHA1
4c9de181356b1f8160d76e002c9a5275c403d3f0

SHA256
1c7e7b138a34c3fe4d4854eccac011050271b66d32ce9a11213d1da5f18cf502

SHA512
00716090222f183a4e74decc164934975061ebf2d027d1fc2c4abfba6b393e776c0d2f5c6faba9ece1bfc60534481565e4d38203777bc63c6a29f94424585fb1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c533b17444f39075cb39f3f2185dcd10

SHA1
e225f909c1e3f9ddf0462f172cf4d1216a2edb09

SHA256
66f4387c23215398e5cc905822424bb12e6b61797e0019b6bc1e0c12cb5c42ed

SHA512
bfb5993d693b322a8dbd54933019807ee7f218fb166c40a5e149cff78a4dbd2fb59570d50dab37cd9aa63fc2ef1990ab36c6f302dc92a79f37c23563dbd81d49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa135e3de81350351aa123c33a3cb8fe

SHA1
37d04fade99c94319ca0ddf3611fc3f41162ee6e

SHA256
434a8dbf58d88e8ce10f639008cd1191a03bc3fb94e46a7fb79c11f5e17bd654

SHA512
858c6e27c7d7791e2e78ebb1a05814c6ce1bb9bad58c3396fab86b444c51f45d78b590cf8281391d23b7266e4d8fd27d96a7f537e47a2054c2b5b5e4e762575e

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
216B

MD5
76670e409d97a1bdffc3fa0503818e6b

SHA1
9d6871ac50c22dc77672209388170ba3d39a74fe

SHA256
7742e224f6920d524816651610289db43b105a665b5b38b2575b63f73cb7f555

SHA512
8ebc34c18426b78b4ad433e75359a0a164569f221afc8fe7724d6854d53f408ccfcf1acef4ec1890fed4b94115b09355a221d7cf8ae86b72ca52dee394015b49

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1289.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN1wkOWwnv.bat

Filesize
216B

MD5
45cd5083ac1b4b127d00eb0fa2ffd4ef

SHA1
44b68c262211f3891906967e9c353739ebba7958

SHA256
244ce67bcc9f4d5cf40624e1d9b59abbdb344f0d3ed7bc1bb7d7cc58bc143044

SHA512
fb6c6d63d095847cbecc38e2f42dca5149df23f34e2797f211e8f08b99216a8403121fb4a7c5ca7425e03f86028da7b68b3309654323e04f49a4661b9f1b6501

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
216B

MD5
aeb63feba00c0ba396cd437cc9dea955

SHA1
18717c081e3fa11acee9c55a75de0adc8063d12c

SHA256
be191c3e03998792574eeadd6e4c9cc65bb1e980ee730ff450423eade277c2e1

SHA512
f510ecf6ae10df5fe1438d37a34836c7864db457cc71467647fda81ff32794cfa76d1c5af327e93307101fc571c3b63d848b11ccf629e9ba63d1da8d36c19760

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

Filesize
216B

MD5
7290e64fbcc93bb055603be478107216

SHA1
2c1fbe8051bb82668a2d17384e7491c05c000c7b

SHA256
e137ba27ad0c10f1c95e72000dd3ee567e8e4744804012457f54fd51e8140fe6

SHA512
64d447c847d4319b61eb72ba19e49e0ba0932d388ee9fe7ef1e1395618125af7571f7c088ffed4ab8345e18a7f6e4e8796caf6626a162d8a52ff03385cdc75f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar12AB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Xnyek1SZun.bat

Filesize
216B

MD5
ae4b0b145ea55e6e6585a6b183c549c7

SHA1
f86e3d1e0b41b723365186afbcae9cc4711139fe

SHA256
00d8047fc0c8477d1045a38d2b6c6d226a30671de7988b403452b8b91d01a2a4

SHA512
c794c10948be0ccfd94c3f1528cad9abe9ed0d9282e443ed2e18264d63b1171366801e8ead7af34a62b40fe04523dbf04290159f0449ef21d536923132b27d63

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
216B

MD5
9fa235fd94b87c7fa3d2279c3d6766c1

SHA1
5802c9c94579400ce36de3961380b488cd260d6a

SHA256
536b14d9b2309febaf5ddf4a68eb7e352feffae9d369ff7300adc2a9ee5b2754

SHA512
ee87fb34d2b0c040c29a8ed54af5557cd5d6355e7d9c008ed49fafa1bd8b66634b702ffca3cd884cc86e38be1c208e03c33671f1be107356a87cc2a02ed89cd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\hGj9C4kLBH.bat

Filesize
216B

MD5
4d52b23bc84912067a55976ecca47773

SHA1
1348d121b61f1260b895ef54fe864dea71b294cf

SHA256
d2e80247f5c651a11fe8a2727839c9a744b96011de2ffb5ab6907ffcdc8b0338

SHA512
63af1c2fcc80cb8f9d3ec7784307f46b9502da948fe944b02352768fe53c7eb956925c05d2c6d12e4537d896b570fe11ac40ee6bf91ee36330fa059c92ecef34

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
216B

MD5
b423d78f55404f4dbbdedb93aa27693e

SHA1
c8e2605b05fac8ffa99f26dacc63fc4b753d7717

SHA256
843f30f7b60e9d6c2fffad31ace94b41e0d64aebbda958d2483857dbd45a6faf

SHA512
bc7c6480098cdd12f45b45ed7921c0e282da612df2434eadcb77f3f7bdcf06cc565cbe87308bbd44d9fb6fef7f3492475855061d5ddcedeb6562148fe60326a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\xAFUrPKKMy.bat

Filesize
216B

MD5
623334f42122b6dcc2e405afbfb872af

SHA1
57e684da2bab20f25f325b8ec820ce82bb4b512a

SHA256
24728f58091a3df715b5ac07ba89eab20a46153f0611a0fdb8fe1a934095a4c6

SHA512
3e9a32f791a96ccd9eeff89447759c261dccfb00460fb4cfbb398310ff40ed24b44c22e1b42a6542af9b58719f815fafc46e80f122a149dce8829628280570ab

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
083062b3ac1ada651bcb69c285751c08

SHA1
acac4a20efdc5565232150cc54cd0c11b9e975d0

SHA256
546194643c829648e25911c4e4dbda7bbf39e2e77b8528d8697f3927455a26c9

SHA512
8e1801c2dffcd2b6a0c1bb4c1e402e360a7036481138cee75d11ca50647613d705cd643161c387fb79b99f61ecd06cd5f0b601337dd2ec2c8db31dcb970bdf2c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/400-385-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/1056-506-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1104-71-0x00000000022C0000-0x00000000022C8000-memory.dmp

Filesize
32KB

Download
memory/1756-205-0x00000000003A0000-0x00000000003B2000-memory.dmp

Filesize
72KB

Download
memory/1756-204-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/1812-265-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/1936-325-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1940-49-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/2656-70-0x000000001B700000-0x000000001B9E2000-memory.dmp

Filesize
2.9MB

Download
memory/2672-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/2672-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2672-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2672-14-0x0000000000550000-0x0000000000562000-memory.dmp

Filesize
72KB

Download
memory/2672-13-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/2708-446-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/2708-445-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download