dcrat | 5dd70f02b997d95010ad1135b381696c5f9b935a177cfb7c8c6e8b7a7597684f

Analysis

max time kernel
142s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 13:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5dd70f02b997d95010ad1135b381696c5f9b935a177cfb7c8c6e8b7a7597684f.exe
Size

1.3MB
MD5

5c1b861eb31a0901d418c9c93ece7bf6
SHA1

cde5f0ce1ca2b4c8f621d1996e1e6c88cbc0e00d
SHA256

5dd70f02b997d95010ad1135b381696c5f9b935a177cfb7c8c6e8b7a7597684f
SHA512

1d537fb44dca46e48013eafa53444896d4c064449c5b8836a6d8cbdf9d06ad6507942affbf20ab9e481fe1e0a7d2af8509ccfb39ce0af9da2003a6fabe8ff290
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2020	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2500	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2500	schtasks.exe	32

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000014714-9.dat	dcrat
behavioral1/memory/3008-13-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/3040-63-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2360-153-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/1856-213-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/2888-273-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/3040-333-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/1040-689-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2732	powershell.exe
2328	powershell.exe
2676	powershell.exe
1756	powershell.exe
2700	powershell.exe
2804	powershell.exe
2840	powershell.exe
2332	powershell.exe
2132	powershell.exe
2724	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
3008	DllCommonsvc.exe
3040	lsm.exe
2360	lsm.exe
1856	lsm.exe
2888	lsm.exe
3040	lsm.exe
2480	lsm.exe
1632	lsm.exe
2724	lsm.exe
2720	lsm.exe
2968	lsm.exe
1040	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2684	cmd.exe
2684	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
37	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5dd70f02b997d95010ad1135b381696c5f9b935a177cfb7c8c6e8b7a7597684f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2520	schtasks.exe
1492	schtasks.exe
1780	schtasks.exe
1976	schtasks.exe
1544	schtasks.exe
2948	schtasks.exe
1080	schtasks.exe
1980	schtasks.exe
2604	schtasks.exe
2028	schtasks.exe
2552	schtasks.exe
2384	schtasks.exe
2524	schtasks.exe
1776	schtasks.exe
2000	schtasks.exe
1944	schtasks.exe
2960	schtasks.exe
2496	schtasks.exe
592	schtasks.exe
1948	schtasks.exe
848	schtasks.exe
2396	schtasks.exe
584	schtasks.exe
2020	schtasks.exe
1244	schtasks.exe
1796	schtasks.exe
2828	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
3008	DllCommonsvc.exe
3008	DllCommonsvc.exe
3008	DllCommonsvc.exe
3008	DllCommonsvc.exe
3008	DllCommonsvc.exe
3008	DllCommonsvc.exe
3008	DllCommonsvc.exe
2328	powershell.exe
2732	powershell.exe
2676	powershell.exe
1756	powershell.exe
2700	powershell.exe
2132	powershell.exe
2840	powershell.exe
2332	powershell.exe
2724	powershell.exe
2804	powershell.exe
3040	lsm.exe
2360	lsm.exe
1856	lsm.exe
2888	lsm.exe
3040	lsm.exe
2480	lsm.exe
1632	lsm.exe
2724	lsm.exe
2720	lsm.exe
2968	lsm.exe
1040	lsm.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	3008	DllCommonsvc.exe
Token: SeDebugPrivilege	2328	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2676	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	2724	powershell.exe
Token: SeDebugPrivilege	2804	powershell.exe
Token: SeDebugPrivilege	3040	lsm.exe
Token: SeDebugPrivilege	2360	lsm.exe
Token: SeDebugPrivilege	1856	lsm.exe
Token: SeDebugPrivilege	2888	lsm.exe
Token: SeDebugPrivilege	3040	lsm.exe
Token: SeDebugPrivilege	2480	lsm.exe
Token: SeDebugPrivilege	1632	lsm.exe
Token: SeDebugPrivilege	2724	lsm.exe
Token: SeDebugPrivilege	2720	lsm.exe
Token: SeDebugPrivilege	2968	lsm.exe
Token: SeDebugPrivilege	1040	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1852 wrote to memory of 2976	1852	JaffaCakes118_5dd70f02b997d95010ad1135b381696c5f9b935a177cfb7c8c6e8b7a7597684f.exe	28
PID 1852 wrote to memory of 2976	1852	JaffaCakes118_5dd70f02b997d95010ad1135b381696c5f9b935a177cfb7c8c6e8b7a7597684f.exe	28
PID 1852 wrote to memory of 2976	1852	JaffaCakes118_5dd70f02b997d95010ad1135b381696c5f9b935a177cfb7c8c6e8b7a7597684f.exe	28
PID 1852 wrote to memory of 2976	1852	JaffaCakes118_5dd70f02b997d95010ad1135b381696c5f9b935a177cfb7c8c6e8b7a7597684f.exe	28
PID 2976 wrote to memory of 2684	2976	WScript.exe	29
PID 2976 wrote to memory of 2684	2976	WScript.exe	29
PID 2976 wrote to memory of 2684	2976	WScript.exe	29
PID 2976 wrote to memory of 2684	2976	WScript.exe	29
PID 2684 wrote to memory of 3008	2684	cmd.exe	31
PID 2684 wrote to memory of 3008	2684	cmd.exe	31
PID 2684 wrote to memory of 3008	2684	cmd.exe	31
PID 2684 wrote to memory of 3008	2684	cmd.exe	31
PID 3008 wrote to memory of 1756	3008	DllCommonsvc.exe	60
PID 3008 wrote to memory of 1756	3008	DllCommonsvc.exe	60
PID 3008 wrote to memory of 1756	3008	DllCommonsvc.exe	60
PID 3008 wrote to memory of 2724	3008	DllCommonsvc.exe	61
PID 3008 wrote to memory of 2724	3008	DllCommonsvc.exe	61
PID 3008 wrote to memory of 2724	3008	DllCommonsvc.exe	61
PID 3008 wrote to memory of 2732	3008	DllCommonsvc.exe	63
PID 3008 wrote to memory of 2732	3008	DllCommonsvc.exe	63
PID 3008 wrote to memory of 2732	3008	DllCommonsvc.exe	63
PID 3008 wrote to memory of 2700	3008	DllCommonsvc.exe	64
PID 3008 wrote to memory of 2700	3008	DllCommonsvc.exe	64
PID 3008 wrote to memory of 2700	3008	DllCommonsvc.exe	64
PID 3008 wrote to memory of 2676	3008	DllCommonsvc.exe	65
PID 3008 wrote to memory of 2676	3008	DllCommonsvc.exe	65
PID 3008 wrote to memory of 2676	3008	DllCommonsvc.exe	65
PID 3008 wrote to memory of 2840	3008	DllCommonsvc.exe	66
PID 3008 wrote to memory of 2840	3008	DllCommonsvc.exe	66
PID 3008 wrote to memory of 2840	3008	DllCommonsvc.exe	66
PID 3008 wrote to memory of 2804	3008	DllCommonsvc.exe	67
PID 3008 wrote to memory of 2804	3008	DllCommonsvc.exe	67
PID 3008 wrote to memory of 2804	3008	DllCommonsvc.exe	67
PID 3008 wrote to memory of 2328	3008	DllCommonsvc.exe	68
PID 3008 wrote to memory of 2328	3008	DllCommonsvc.exe	68
PID 3008 wrote to memory of 2328	3008	DllCommonsvc.exe	68
PID 3008 wrote to memory of 2132	3008	DllCommonsvc.exe	70
PID 3008 wrote to memory of 2132	3008	DllCommonsvc.exe	70
PID 3008 wrote to memory of 2132	3008	DllCommonsvc.exe	70
PID 3008 wrote to memory of 2332	3008	DllCommonsvc.exe	71
PID 3008 wrote to memory of 2332	3008	DllCommonsvc.exe	71
PID 3008 wrote to memory of 2332	3008	DllCommonsvc.exe	71
PID 3008 wrote to memory of 3040	3008	DllCommonsvc.exe	80
PID 3008 wrote to memory of 3040	3008	DllCommonsvc.exe	80
PID 3008 wrote to memory of 3040	3008	DllCommonsvc.exe	80
PID 3040 wrote to memory of 328	3040	lsm.exe	81
PID 3040 wrote to memory of 328	3040	lsm.exe	81
PID 3040 wrote to memory of 328	3040	lsm.exe	81
PID 328 wrote to memory of 848	328	cmd.exe	83
PID 328 wrote to memory of 848	328	cmd.exe	83
PID 328 wrote to memory of 848	328	cmd.exe	83
PID 328 wrote to memory of 2360	328	cmd.exe	84
PID 328 wrote to memory of 2360	328	cmd.exe	84
PID 328 wrote to memory of 2360	328	cmd.exe	84
PID 2360 wrote to memory of 1980	2360	lsm.exe	87
PID 2360 wrote to memory of 1980	2360	lsm.exe	87
PID 2360 wrote to memory of 1980	2360	lsm.exe	87
PID 1980 wrote to memory of 2544	1980	cmd.exe	89
PID 1980 wrote to memory of 2544	1980	cmd.exe	89
PID 1980 wrote to memory of 2544	1980	cmd.exe	89
PID 1980 wrote to memory of 1856	1980	cmd.exe	90
PID 1980 wrote to memory of 1856	1980	cmd.exe	90
PID 1980 wrote to memory of 1856	1980	cmd.exe	90
PID 1856 wrote to memory of 2768	1856	lsm.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5dd70f02b997d95010ad1135b381696c5f9b935a177cfb7c8c6e8b7a7597684f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5dd70f02b997d95010ad1135b381696c5f9b935a177cfb7c8c6e8b7a7597684f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1852
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2976
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2684
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Local Settings\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3040
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:848
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2544
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1856
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat"
        10⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2644
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat"
        12⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1340
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat"
        14⤵
        
        PID:1920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3000
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat"
        16⤵
        
        PID:1908
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1596
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat"
        18⤵
        
        PID:1524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1512
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        20⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2016
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat"
        22⤵
        
        PID:600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2540
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        24⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2392
        
        C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Libraries\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Local Settings\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Local Settings\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3543a08345c5bcbc1371927262e6bed0

SHA1
a377779fab65974b3c6a4685ec245529fb6c0bc2

SHA256
6fa45d3b56b0a7989ad5aa622b8a8b6d1ef7584cd13312ebe5181c50bf08322c

SHA512
3f2e042b8168cad4f0fa8abab5f469544c4d6df3f27ff77fccd3f7f70fae4bd24ff00c1f8b917b9747212e2de04ad642917e25c8085b86702715a18ce06e167b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9dbe07872f9827988714a5eb4ce3f59e

SHA1
dfbda61a16731afa4c5892f3c281772b8c493600

SHA256
182d3f6045411a4c97fe38ffda02b74dc8cb7283c6ad8d951ee73e7aff35f48b

SHA512
3fc9b25abf0a2541e969c17920277b64f43a0a8dcdeab15de0a4e05dac758a1d3b7bf905a43662cc41c87bd2eabe7b7821fb8cb8dba33e08174b693d84d21e38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82fcd4f2ea7e8b5d6e9ac14c32dd42d2

SHA1
ad104abdef84592fe37fccfd874533703d9fccc9

SHA256
ce64a119e3598fc3884705d92c05cc40536535b8a6934d190b33a2d89782a345

SHA512
dd5919a1b698a0b0c8859fc3aded1a6fb4fe5b1dffb37b6239667eae7d10702f5072cfabafd0c47f8bb66fd3e17ec8499b08944a4e4e3cbbe892a102d5f49a51

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34e5212203e53725fcbb583755923d57

SHA1
d2e72fc19f902ef260154d523445f0ead87784bf

SHA256
ff5e7616e9e4c55ef072343a0904ac7b28aac89268226737a70ae6f361b5bae7

SHA512
f894ab2d991ba6c8bd99be18f380e37d994c1745acd14a567ff92b3fc0766e4a1470f5f59c1e3fe27c24d45bee9582f1bdbffffaf17137c14955f63ae626eb21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b9ae2de0ded755facffc3b823321013

SHA1
dc0c174e9b82f84cbdc2bf77c632fd5e207c2a9a

SHA256
272b93888079647508dfb757ccd60452fd618e328d412eb558901fac8dbfa57d

SHA512
6d5fd376b61d6f7f419a1553f54bf6f7b4b40daddb373d10ef2ed0331487c1e871d0f0286b48e9b3ae4b0bbcc95946f6d6b22e9457bd050dd002d120eed10c89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4958da61591ba204cbf0198d07d27740

SHA1
6a1f318fcf897a5a7dd8bc2299b1a5e125b9551a

SHA256
690b69e05a217cc9ac7a407e56a1adf3c75e355574988df36459e3ce607dfbdd

SHA512
b9a9e1a0591ddf0d76adada8b555366f16a9cbd35ba158f7d56fb72072f837d03b2b08dd164b67e36fe278c377a8c44bc675abe3a2b4a50cba6cf967b204716a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5fb335f8899951f16c16320592845e1

SHA1
b131b097d2a57f98eed2ae48d12d081d8b31b9a8

SHA256
be972006e034f9b0a8d56f16c129ac5a95563ceb244ed9bdd260d533649b9da9

SHA512
faf6e91e5ad32d56fdc795a2200e7832ed932e22338b1cf02543e444e12970506e20b421f782e98649b6a95c476af8696655aa67c09c40a8c79c825d3a8df519

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d0624c369c36f45bdad3088f0e372a6

SHA1
94b5746698323fae665374157d47aa28853bdffa

SHA256
c0a90ef56dcde19189d74a62db50e21345af500379c5b04344b9162c1e2dc435

SHA512
94639536e90dcc5685866d3ddab77647899eee0bbaac936f07360f868ba2d83f77ee94f1c7f650c763c82c25e47a482e1cfbaa83a41b7f6c363f4b35db7e9c22

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d26c78e044f3b874fbcc4c638bcd101c

SHA1
ab0116b18fd168533ee15e1dbd3fff7dc1d63528

SHA256
80592ea985ceee4bcc0982b3dfd9c45db0ca19f6658ab4ecc5ce90d6d0f61e2f

SHA512
c4f9eeabd981f21e81bcdc135a1ffa193274c92294ab04264241e550038138d3435d3ecde503fec9cc437b3f565f7f278808b7cf1eadbb2a32bbf321df7ef983

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
235B

MD5
10207277ecf29f4b0cb2aa4e59e7a59b

SHA1
28228cef9291d82503779bf9b1facb614e7465da

SHA256
849572079fa291064c51d71ad6209c519e7a8a5b287c638a99c9d15bb6b4228f

SHA512
952bc61faa1cdb3a5b501dd2b63ce6921d9581f9d2bf709fc2254b15ac543b65235354a7bbeef797ca4d20a303e3456c5ddbc6f41168c8f6b31b7d70a80c5097

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab908E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7eFR6a9mI.bat

Filesize
235B

MD5
6f6ce60540f1f91c8096fe985491b131

SHA1
c9322c37884378d08a938a41b631ae04c32c6eac

SHA256
10a0e35d1454b3e9071112caec79303a35c6cc6329928b79c2c358e176199e18

SHA512
1fdfaf77120a3a646e87c718f596667606c2c59a794faad34251482848ce9422cc2c81bd8f4fa14d6a40af718a06023bf66843c5b5009b6caf226d11a0bfea6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\KRs2fZV4we.bat

Filesize
235B

MD5
331a6919719040bd897be66e022347c8

SHA1
c1a2b300aa8d468e835629d56695ce59900c455d

SHA256
eb1b265402866035fb348456ee84b771de48b7116fb318500af3f41e0ca627ff

SHA512
bd503270c60ffe678cd04d937065188ce01dc3a938f52c069e6378061bc5ccb7a69f49e2fdb2e6df6b36e77d4e83e29a42fb3737fa4632812c4324ef01726820

Download Submit
C:\Users\Admin\AppData\Local\Temp\MsSi1KDKJG.bat

Filesize
235B

MD5
3c5a6df13b0e7326d99a2ac348287d44

SHA1
e9ebaa2eebffb6b0a0024a3ccdcbfab97a4de392

SHA256
ad1e28f138bcfbbedf12f7ddf36a496f969032767a57f956dcffb7feb894663c

SHA512
aed819cf385ec4e501c9014fb836c2e0df25dcc2736a0972b015c0df4e6146d9ded52bca190e01ec2dd6501a3bc56a7e6b2f7db8f102796cb3747c455dd885c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QY0o5k1hVk.bat

Filesize
235B

MD5
b06b86095fe899a2684e123613d5ab60

SHA1
68c49cc7f2c336e3fdccaa87527980a7c1a231a3

SHA256
705c0f9b40216984fede4eee82945075dd4f12b9791833001ee067303176cefa

SHA512
bdaf38e9338e184c64617a565392ba3989ce144ec8d428104061ae972d030b19bbb1840e260130e90aabf70e368ecdb19b6e6afdc3eebd356a786f7056a341d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
235B

MD5
a2c44c31973c0ad71327071feccf06ed

SHA1
64ac9498b1b92e5c613db48781f7a8bf7cd7a7df

SHA256
6c0baecf99e3c1ce0e7a88d171a9b836a1a9324878c4c381943358c7c9efab39

SHA512
e3bbae2e9225670d905684904d9b74d01719200b8a392dd962afd03321f2a60a9cb6cd2f957c989e13e4d7957384754520a73e287be54974f5e78ac844dfda8f

Download Submit
C:\Users\Admin\AppData\Local\Temp\SU2rmp5bpW.bat

Filesize
235B

MD5
435acd227eb4c76fbb898f1e22555304

SHA1
d1fdfffae875d8543069e19b6893628acd5fa174

SHA256
0a2b8907870ad3a0cdaaaa758ecb8b4c129f0ae7d8eb1b4b482ed07632422fdd

SHA512
383c53a7e85d43214e2677d219bd038b893153ba26f2e026738f154fabf9f2fe7b4e8f870e8e5b417d978bbb952c94e0d8a606d2aa50a87e0160b2826a031cfe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar90A1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VG36Hwy0Lv.bat

Filesize
235B

MD5
611fd52657aa47c9facf962689073db4

SHA1
706c00a64782b1f6b75610649bbcf69eb6931a81

SHA256
ec8d7194cbdbfa8d4a5f7351798ddf9f7863c4df02d78e574c6c503e48abb468

SHA512
27d12c4ffd454eae5277b090147d1696b6733ff4fd22a1246949c8d77cb476d66c010131423e51c1e046a2c84db04c340e7c507262054b34264b12323c5c70f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\WYuyh03jyF.bat

Filesize
235B

MD5
8bc9eb3786a4a31a79b0b237dd5325dd

SHA1
84cd03f1ebda0be722080997a3d3b5c6fbc542a5

SHA256
28758ef6d679adee01becd8e8008148c0f379a8a19870d59045f59501c5f403d

SHA512
f54988385c363ec75f2e95b11630e289d8737f7c76ef45015e0b8a09216408ac52ad8c3f30867920da832c64429590bf746358b8b6b3b57a3a3909eb2eef74c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
235B

MD5
0dc5128a81f5e1d5fec1d28876ebecc0

SHA1
a9c13a5ed3d64dc824ab01aa6d675ebcbbe9fea3

SHA256
746cff48db4e9a592d0fcd210803016ea0370d12b9af011627dbc66d89e24e48

SHA512
aecaf93e2b57d1079d2bd5f96dfb7982a0b8d0ea3ef10a3de89a4fd6ecb5ce56e6f7fc3e9c4639b451cb83d0a74c38c26b13b6043d04327b82a9649ea71ba8fa

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e042cc28024b78e6da6d184707fe3b5a

SHA1
59352e33f4e8b06238647d7390389ed7a896148e

SHA256
364c4c9f9fc7880346e9e325507747c85012c493582a985ff6a3a67447605097

SHA512
c8c68b423592b6655b5670be6d3997b2abafb58190827c443e22a202ddd3e8459daf66120817f04a870efec7bdf402dc618e0ce5c85ca4314a4accc0c5cf363d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1040-690-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1040-689-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/1856-213-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/2328-64-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2328-52-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2360-153-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2724-511-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2888-273-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/3008-13-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/3008-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/3008-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/3008-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/3008-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/3040-94-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/3040-63-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/3040-333-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download