dcrat | 749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe

Analysis

max time kernel
150s
max time network
139s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 19:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe
Size

1.3MB
MD5

473c79035b4b089582a4efe505da8bb6
SHA1

fa5e5d0ac359e3a3f310802f09620e79d2334a17
SHA256

749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe
SHA512

e200cb72e0aaa27b8981ac5932cfeb655b289eaf8f0b99cdb38b78fdd05bb3fa2ef2f23ddc267e3b7225a3842692e8a696977317766d4f76612531f375a79426
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2704	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2704	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186bf-9.dat	dcrat
behavioral1/memory/2708-13-0x0000000000D20000-0x0000000000E30000-memory.dmp	dcrat
behavioral1/memory/2424-73-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/2996-133-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat
behavioral1/memory/1952-253-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/1820-313-0x0000000001190000-0x00000000012A0000-memory.dmp	dcrat
behavioral1/memory/2692-491-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat
behavioral1/memory/2132-610-0x00000000002E0000-0x00000000003F0000-memory.dmp	dcrat
behavioral1/memory/2680-671-0x0000000000E50000-0x0000000000F60000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1488	powershell.exe
1028	powershell.exe
1200	powershell.exe
1256	powershell.exe
700	powershell.exe
1492	powershell.exe
332	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2708	DllCommonsvc.exe
2424	OSPPSVC.exe
2996	OSPPSVC.exe
1324	OSPPSVC.exe
1952	OSPPSVC.exe
1820	OSPPSVC.exe
1900	OSPPSVC.exe
944	OSPPSVC.exe
2692	OSPPSVC.exe
2696	OSPPSVC.exe
2132	OSPPSVC.exe
2680	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
3044	cmd.exe
3044	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\de-DE\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\en-US\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\en-US\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\de-DE\7a0fd90576e088	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2320	schtasks.exe
2364	schtasks.exe
768	schtasks.exe
2036	schtasks.exe
3012	schtasks.exe
2412	schtasks.exe
2576	schtasks.exe
2732	schtasks.exe
2104	schtasks.exe
2644	schtasks.exe
528	schtasks.exe
2380	schtasks.exe
2264	schtasks.exe
2032	schtasks.exe
1864	schtasks.exe
2164	schtasks.exe
3016	schtasks.exe
1040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2708	DllCommonsvc.exe
2708	DllCommonsvc.exe
2708	DllCommonsvc.exe
2708	DllCommonsvc.exe
2708	DllCommonsvc.exe
700	powershell.exe
1028	powershell.exe
1256	powershell.exe
332	powershell.exe
1200	powershell.exe
1492	powershell.exe
1488	powershell.exe
2424	OSPPSVC.exe
2996	OSPPSVC.exe
1324	OSPPSVC.exe
1952	OSPPSVC.exe
1820	OSPPSVC.exe
1900	OSPPSVC.exe
944	OSPPSVC.exe
2692	OSPPSVC.exe
2696	OSPPSVC.exe
2132	OSPPSVC.exe
2680	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	DllCommonsvc.exe
Token: SeDebugPrivilege	700	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1492	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2424	OSPPSVC.exe
Token: SeDebugPrivilege	2996	OSPPSVC.exe
Token: SeDebugPrivilege	1324	OSPPSVC.exe
Token: SeDebugPrivilege	1952	OSPPSVC.exe
Token: SeDebugPrivilege	1820	OSPPSVC.exe
Token: SeDebugPrivilege	1900	OSPPSVC.exe
Token: SeDebugPrivilege	944	OSPPSVC.exe
Token: SeDebugPrivilege	2692	OSPPSVC.exe
Token: SeDebugPrivilege	2696	OSPPSVC.exe
Token: SeDebugPrivilege	2132	OSPPSVC.exe
Token: SeDebugPrivilege	2680	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 2888	2196	JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe	30
PID 2196 wrote to memory of 2888	2196	JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe	30
PID 2196 wrote to memory of 2888	2196	JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe	30
PID 2196 wrote to memory of 2888	2196	JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe	30
PID 2888 wrote to memory of 3044	2888	WScript.exe	31
PID 2888 wrote to memory of 3044	2888	WScript.exe	31
PID 2888 wrote to memory of 3044	2888	WScript.exe	31
PID 2888 wrote to memory of 3044	2888	WScript.exe	31
PID 3044 wrote to memory of 2708	3044	cmd.exe	33
PID 3044 wrote to memory of 2708	3044	cmd.exe	33
PID 3044 wrote to memory of 2708	3044	cmd.exe	33
PID 3044 wrote to memory of 2708	3044	cmd.exe	33
PID 2708 wrote to memory of 700	2708	DllCommonsvc.exe	53
PID 2708 wrote to memory of 700	2708	DllCommonsvc.exe	53
PID 2708 wrote to memory of 700	2708	DllCommonsvc.exe	53
PID 2708 wrote to memory of 1492	2708	DllCommonsvc.exe	54
PID 2708 wrote to memory of 1492	2708	DllCommonsvc.exe	54
PID 2708 wrote to memory of 1492	2708	DllCommonsvc.exe	54
PID 2708 wrote to memory of 332	2708	DllCommonsvc.exe	55
PID 2708 wrote to memory of 332	2708	DllCommonsvc.exe	55
PID 2708 wrote to memory of 332	2708	DllCommonsvc.exe	55
PID 2708 wrote to memory of 1488	2708	DllCommonsvc.exe	56
PID 2708 wrote to memory of 1488	2708	DllCommonsvc.exe	56
PID 2708 wrote to memory of 1488	2708	DllCommonsvc.exe	56
PID 2708 wrote to memory of 1028	2708	DllCommonsvc.exe	57
PID 2708 wrote to memory of 1028	2708	DllCommonsvc.exe	57
PID 2708 wrote to memory of 1028	2708	DllCommonsvc.exe	57
PID 2708 wrote to memory of 1200	2708	DllCommonsvc.exe	58
PID 2708 wrote to memory of 1200	2708	DllCommonsvc.exe	58
PID 2708 wrote to memory of 1200	2708	DllCommonsvc.exe	58
PID 2708 wrote to memory of 1256	2708	DllCommonsvc.exe	59
PID 2708 wrote to memory of 1256	2708	DllCommonsvc.exe	59
PID 2708 wrote to memory of 1256	2708	DllCommonsvc.exe	59
PID 2708 wrote to memory of 2428	2708	DllCommonsvc.exe	67
PID 2708 wrote to memory of 2428	2708	DllCommonsvc.exe	67
PID 2708 wrote to memory of 2428	2708	DllCommonsvc.exe	67
PID 2428 wrote to memory of 1784	2428	cmd.exe	69
PID 2428 wrote to memory of 1784	2428	cmd.exe	69
PID 2428 wrote to memory of 1784	2428	cmd.exe	69
PID 2428 wrote to memory of 2424	2428	cmd.exe	70
PID 2428 wrote to memory of 2424	2428	cmd.exe	70
PID 2428 wrote to memory of 2424	2428	cmd.exe	70
PID 2424 wrote to memory of 2140	2424	OSPPSVC.exe	71
PID 2424 wrote to memory of 2140	2424	OSPPSVC.exe	71
PID 2424 wrote to memory of 2140	2424	OSPPSVC.exe	71
PID 2140 wrote to memory of 2028	2140	cmd.exe	73
PID 2140 wrote to memory of 2028	2140	cmd.exe	73
PID 2140 wrote to memory of 2028	2140	cmd.exe	73
PID 2140 wrote to memory of 2996	2140	cmd.exe	75
PID 2140 wrote to memory of 2996	2140	cmd.exe	75
PID 2140 wrote to memory of 2996	2140	cmd.exe	75
PID 2996 wrote to memory of 352	2996	OSPPSVC.exe	76
PID 2996 wrote to memory of 352	2996	OSPPSVC.exe	76
PID 2996 wrote to memory of 352	2996	OSPPSVC.exe	76
PID 352 wrote to memory of 1744	352	cmd.exe	78
PID 352 wrote to memory of 1744	352	cmd.exe	78
PID 352 wrote to memory of 1744	352	cmd.exe	78
PID 352 wrote to memory of 1324	352	cmd.exe	79
PID 352 wrote to memory of 1324	352	cmd.exe	79
PID 352 wrote to memory of 1324	352	cmd.exe	79
PID 1324 wrote to memory of 688	1324	OSPPSVC.exe	80
PID 1324 wrote to memory of 688	1324	OSPPSVC.exe	80
PID 1324 wrote to memory of 688	1324	OSPPSVC.exe	80
PID 688 wrote to memory of 1256	688	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_749f27daba343be10bd2c137545577e30e8ee5573a1d8e50da69b1d09440edbe.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2196
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2888
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3044
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\en-US\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XXAR1wlpVP.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2428
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1784
      - C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2028
        
        C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1744
        
        C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1256
        
        C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
        13⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2992
        
        C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1820
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
        15⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:624
        
        C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat"
        17⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2760
        
        C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
        19⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2172
        
        C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
        21⤵
        
        PID:2548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2984
        
        C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
        23⤵
        
        PID:1132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1736
        
        C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat"
        25⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2784
        
        C:\Program Files\Google\Chrome\OSPPSVC.exe
        
        "C:\Program Files\Google\Chrome\OSPPSVC.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Sidebar\de-DE\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\de-DE\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\en-US\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\en-US\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95bb36c99c7deafa5482584333454c6c

SHA1
b57b3f11d22275c45fb52e8a44008485649d7b03

SHA256
cde4c62a7cdc17582b45c638924712cf496fd3016bd0cc755f800ce9e20d5929

SHA512
721cf38e7e470fc60027ea00f78b8d2d4961de6c66c5aca14c3f566e0df2feec161f6c17d57af62073779bf07247d24c83f80c4e6ad39c1b9e35f0fd102b051c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7992a82663894b3e7d1696ff433598ab

SHA1
4b9ba3030ca5a1299f96f97d9282d5bc54d34d71

SHA256
6e8dc82b04e28a43995f776a0fb038248f06eff4838f0dd7396762e9a2f23244

SHA512
6d7a7537ded5c2f0e60240c5a9dfb3c8eaba64680a3dae42c266eb2913aa33dad38fa387d1f3d4fcd25a38903fab21a524f73df12a365db1d919950e2963e8a8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b1c056c64ea738f404ce14f4a21ce7c

SHA1
b390bbec2b5e363b4daa28019c4de61376f4d878

SHA256
3df4387e3a18d4d45d4f095b91d3ca5d4114ab5241e3ab77789b64bc42accbde

SHA512
7decd3385c2740385a151ca59bc107f32cec2bba86b9548e05eddea3d0ca6f241d5e83c1a34659693d075d12391a315c7a59f6b59a1eb4e33bf02852637c9674

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68f0954f38ba3a4dd432a4e5c1473cf0

SHA1
5a19325728b63b032c070704aec171f44240e4b1

SHA256
005d129c4f351642354b182cd1697b8625ae93c2502e7e3085c069778aeb1156

SHA512
b40cae66894cf3f3f9ab1c4f6a6503ac765c441026632f6b2abae65c65b0a7166e54089f0607f8ce642d7f687c1a69c7154b434cb0334b21470804fad4d53bce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5725361a99faf82df6eaf3ead72e4554

SHA1
9ac5d80f6f6b9eecea0e07ff0e4a80293ea56530

SHA256
490e0c3a501214ea129420f94f6f2d2c5f2fef2dd3b79644b71f2d481abe49da

SHA512
f68b382abf7fe948dea76686b706c4f6e26306035db1c8eb94e67054059102ab4bbb8c2af3d53c030362f577f90bd53220105a48aa8e40ba696103b3ad0da900

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6535574cb541829106772d3e22116cfa

SHA1
3f719a5d59313f89a30614b2d159ccd24c39c200

SHA256
a09d9f5020d61f33501d282305a9f3a3fbd722e717a0fb9922470bef228353e3

SHA512
dc19eab9dad2e305cf7333103ba8803b9089009fba9285e2c48f3e35a62f7c1db596ede94de11b8a3f3b5195d1bc8737e4b11c12df22280b737904fbe3eb693b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b40f745cfa5ac611bf8e8df9ff72c0d

SHA1
e749093145890dcce325d674a7ac7ddd2f56c6ae

SHA256
20f060af2dbd1527fb10a8387437b2ad65ac1b78e2a132f743c7fae4d659221a

SHA512
22343543e8eee2b46ed0fbae0c73be60d7260fcdddeff337b7e69cdacd55e8f4fa4f284b78bbfa7efb768c02c0e21791611ca32546ddfb5020e1b2509d771194

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1c9db5e75feb37f0460d680ec629c61

SHA1
9a8bb5184372c25a41119b4f9f09c1b5b9fb4b9f

SHA256
5c839f69dfd001b205b55d3f372df557b34fb4de9c4531a77cd406d98579eeb7

SHA512
1cebdde93eb171753efced406fe7cb07ba8dec543e6db8e21f9b6e3cb364fee2014048524052e8da9263f7edd11cb67edc7077f8e338bc6cea6deb891e429a52

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0058d5781dc521ae575413cd346682af

SHA1
7f1a209ad80201093555a95d4713bf8191decc55

SHA256
5848615d85a0bf4aecf9af32bedc3b950cad06cb67e4e0a37300f67aec9bb0f3

SHA512
11a99f939473cf2e267c5d2777c42eb97e8265c860410d0108e3d4e66b8e7e6bd88ed37a11dcc2c74b5aaf6e4fe1f78f4d095ef6a5cf4211b590231fb453d3f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

Filesize
207B

MD5
df28953c6988376249cf5a0ec6f59d64

SHA1
fe6f26b6c202a7ffa421057db3a558a651dde813

SHA256
b33efedcfd0bbf13cc595aaa733eefaa8922ee2d1b4bac30e36b46eb3cc1f290

SHA512
802d899397e5fbe5aff8ad01e5abc90b294b5c23d0fab1a56ce480cc5b7c44ffcceb57bf46df0671a5231bdf79ec2d1460d178f9fa2033d3609cba8db0782a38

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC795.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FFH8oguQ3d.bat

Filesize
207B

MD5
03ced2fd715427be7b5fb675164cf8d6

SHA1
0b4e5d5ed95d5d6584e307e60e1de5a42473bb92

SHA256
69748c31a3f35ff1c25aa043568e6e040bdbdb7f8023378383cfc1cd849cd24e

SHA512
9ed1ede97d114914201f4ae857be6770545b72b0f7af2a5813a21fc931e22d39f6f543bb1e3152bdc4c60276d3f084ef8605116dd7fae469d206547578a2e3d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\LabqbH8bfv.bat

Filesize
207B

MD5
a75bd273fc5438c2d94d977216534866

SHA1
82a67b2df520a53cb666dbbaeaca17ff20f4cea9

SHA256
f851a122b52f4250f2a3db2fc2574358abbab47925115f1a437aaf29a57bd836

SHA512
a81c53ee796aab4233451b6626d0c2becca8c37fe8546856d5e3033fddaacbdcc332664f3d89584b93e4676e8fea4dcda627a3afbc0adca35b86feeeb36333a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

Filesize
207B

MD5
6aaa937e1dc3ac6ff910e8dd6f83acd8

SHA1
aeb5b703713fd71b2b48b0ee74a497a49a4c669e

SHA256
ebed23a3a7ee7b609282650de644cd8d7e59394df45173da955cdddf39570b4d

SHA512
5880cba5234e493b655aafc4f2a50321a6a95795d8b645959ec9798985a8c6628a13368e91d25cab601422e94a41928e9e15a34586aaf19f4490dd9e2df45ff5

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat

Filesize
207B

MD5
cfd78c0965d67649e8781494401feb34

SHA1
e166fb836641f1e3a0199ee1ada71fff801d7b1b

SHA256
d5e7f01d09ff5e1581aaf4ff18d0188e46c2e07dfa90e9737db4e63790ee5395

SHA512
8823bc33757375b534a92e0b557b43bd255818bf86762c8b3242a1a1e54c624dc0a4bfd0667d04ee65714d5f462d60eb699ce378e3eb1704340022b0ff37c7ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

Filesize
207B

MD5
874ecc46827505a18fc9f04888f3bf47

SHA1
cff80ce165299c802cd73a7b7aaf067b39b9b04f

SHA256
fc7fb4b9f0ef087c0f4b239e0182e92bce687112f95e2c915a2e6167e44de2cf

SHA512
83cc711251ec25400cd1d7f55738aa467590872d9973e43516e898df9e19bc6edd1c120a5f3369ad8948f78a258798d0ddadb2f01b1c82d38bce777a99baf697

Download Submit
C:\Users\Admin\AppData\Local\Temp\T3kbcxG26A.bat

Filesize
207B

MD5
4917943a91c1aeefced9f78c301b57df

SHA1
cfc904be322a08db3f1df10ef3971133c38fb7c2

SHA256
db79be674d4e6462320d0611d8161ce6450a520a6ccbb83c8ab891f75d41f595

SHA512
b34fa632bff2548487fe43d8a232707e6f8b9696d36db743f175fe0ad1d550c50f40884bfe32ed8e47065cf115420d0c9370a3d466923632f099872ea419801e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC7B7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XXAR1wlpVP.bat

Filesize
207B

MD5
d4344c8a340a34dc8d1996f39da43884

SHA1
2cdd5e8022640c5d2b6f0853323518c1284eb913

SHA256
cb527c981a34667c4f24baddfd42444b66f9751cac53cd72eb6a6d8d23bbc2e7

SHA512
49eb82f998ba36f723d75a8fb236a541df307cab0522be6d0cab94a6648787659e5a5ed2df408cedc1f51c2b29ae97aa9173aa388f50425889bd6ab0fe9fef19

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

Filesize
207B

MD5
638e22086c2afccab037ba63954442f3

SHA1
46e8e0a7c305393facf7dd84cf929a9b56bc4ccb

SHA256
6f6eebc6654d52bdaa4f7198a40387b80058d2464766e17e3758199a7dbc76ea

SHA512
8c7d5f50e549d4bac652847e34b4932a78a575f3b56ac2112dcd6a753d75d7665e8a0fcdc3ccdfa9fc61bfafa23bef964395a049517f35e9a4454865515bd440

Download Submit
C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat

Filesize
207B

MD5
f987cb6105c17393081bee36916f1bf9

SHA1
2486f93ca579315388c46d7393dc0fde8ce126a5

SHA256
df13f15819ffb1a977462f4344729d51f502f9acf6fffbf90c076f5cba9f80a8

SHA512
2eb536ffcc73065bdd5f775ed8e8c2640e284b8fbd5d043e3d4da38e6049578ead08ac1b5085b6c637e9d0b40c8babdb7e79e22337a29c826ad2c267496dcc33

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat

Filesize
207B

MD5
c8981b73e2e27d3f73c3ee89d87961ca

SHA1
4b68434afdcf5dd1190ec1442fb9434d141a3bd2

SHA256
d8e9af89210a770b8b493c5812f0a319e5b6f679f67d4c8e42c1cb6dad24fc05

SHA512
d409eefdf29cc8e5def0b900db3569aa8d6603e9fe80ae9e6d1d5eb7fc236648f434b7095cecd95466ed1ee0de34b72cc798f820a8031c9e95ee3289f57e36d5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e14974dfcbdca5757f17eab34874eb85

SHA1
125af62f624890caae5a8f27a8f6f05d63787985

SHA256
005955ba0c3ed8dc7ff77e88e3672340e18228e6e01fe732c4c587dedbaa1abd

SHA512
9cdec8019df3042ee937ee5e48f4b743efef6ad77cfdc338b5ff3f645705f064c9e9702d8ed2f2bd6b15f6be7994d267eb747930e910c827f535998e0150f5aa

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/700-54-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/700-55-0x0000000001F80000-0x0000000001F88000-memory.dmp

Filesize
32KB

Download
memory/1820-313-0x0000000001190000-0x00000000012A0000-memory.dmp

Filesize
1.1MB

Download
memory/1952-253-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2132-611-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2132-610-0x00000000002E0000-0x00000000003F0000-memory.dmp

Filesize
1.1MB

Download
memory/2424-73-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/2424-74-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2680-671-0x0000000000E50000-0x0000000000F60000-memory.dmp

Filesize
1.1MB

Download
memory/2692-491-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/2708-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2708-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2708-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2708-13-0x0000000000D20000-0x0000000000E30000-memory.dmp

Filesize
1.1MB

Download
memory/2708-17-0x0000000000AA0000-0x0000000000AAC000-memory.dmp

Filesize
48KB

Download
memory/2996-133-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/2996-134-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download