dcrat | d65899b5e01527f9733a44ec48e5d662726af70e326b3cdfa14558617c6ae8bd

Analysis

max time kernel
148s
max time network
153s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d65899b5e01527f9733a44ec48e5d662726af70e326b3cdfa14558617c6ae8bd.exe
Size

1.3MB
MD5

ea64bd92629f79ad41a268c995e03fee
SHA1

23ad7a3f4526ea4854405192ce1d94ee1e1a27f9
SHA256

d65899b5e01527f9733a44ec48e5d662726af70e326b3cdfa14558617c6ae8bd
SHA512

e25adb61e76dd2d3d761c45799df85fe7abe2a76dad21f8af8bd572ccbd11df2a08b948deb610012d945b44809486fb90b1654a2b61a161b6008fad38ee17410
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2952	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	432	2668	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2668	schtasks.exe	33

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000186b7-12.dat	dcrat
behavioral1/memory/2760-13-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/1748-94-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/1472-154-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/796-215-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/2156-276-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/2996-337-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/2448-397-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2152-457-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2084	powershell.exe
2152	powershell.exe
2088	powershell.exe
2596	powershell.exe
3044	powershell.exe
2144	powershell.exe
2588	powershell.exe
900	powershell.exe
2132	powershell.exe
2096	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2760	DllCommonsvc.exe
1748	sppsvc.exe
1472	sppsvc.exe
796	sppsvc.exe
2156	sppsvc.exe
2996	sppsvc.exe
2448	sppsvc.exe
2152	sppsvc.exe
1572	sppsvc.exe
2020	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2464	cmd.exe
2464	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
25	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 11 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Defender\de-DE\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\f3b6ecef712a24	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\de-DE\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\Stationery\1033\spoolsv.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\servicing\Sessions\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d65899b5e01527f9733a44ec48e5d662726af70e326b3cdfa14558617c6ae8bd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2692	schtasks.exe
2988	schtasks.exe
1948	schtasks.exe
1384	schtasks.exe
2436	schtasks.exe
2684	schtasks.exe
872	schtasks.exe
2616	schtasks.exe
2320	schtasks.exe
2932	schtasks.exe
432	schtasks.exe
648	schtasks.exe
2680	schtasks.exe
2336	schtasks.exe
2952	schtasks.exe
1468	schtasks.exe
2896	schtasks.exe
2632	schtasks.exe
1320	schtasks.exe
316	schtasks.exe
1732	schtasks.exe
1988	schtasks.exe
1964	schtasks.exe
2344	schtasks.exe
2768	schtasks.exe
1444	schtasks.exe
2420	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs

pid	Process
1748	sppsvc.exe
1472	sppsvc.exe
796	sppsvc.exe
2156	sppsvc.exe
2996	sppsvc.exe
2448	sppsvc.exe
2152	sppsvc.exe
1572	sppsvc.exe
2020	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2760	DllCommonsvc.exe
2088	powershell.exe
2084	powershell.exe
2596	powershell.exe
2132	powershell.exe
900	powershell.exe
2588	powershell.exe
2152	powershell.exe
2144	powershell.exe
3044	powershell.exe
2096	powershell.exe
1748	sppsvc.exe
1472	sppsvc.exe
796	sppsvc.exe
2156	sppsvc.exe
2996	sppsvc.exe
2448	sppsvc.exe
2152	sppsvc.exe
1572	sppsvc.exe
2020	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	DllCommonsvc.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	2084	powershell.exe
Token: SeDebugPrivilege	2596	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	900	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1748	sppsvc.exe
Token: SeDebugPrivilege	1472	sppsvc.exe
Token: SeDebugPrivilege	796	sppsvc.exe
Token: SeDebugPrivilege	2156	sppsvc.exe
Token: SeDebugPrivilege	2996	sppsvc.exe
Token: SeDebugPrivilege	2448	sppsvc.exe
Token: SeDebugPrivilege	2152	sppsvc.exe
Token: SeDebugPrivilege	1572	sppsvc.exe
Token: SeDebugPrivilege	2020	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1344 wrote to memory of 2260	1344	JaffaCakes118_d65899b5e01527f9733a44ec48e5d662726af70e326b3cdfa14558617c6ae8bd.exe	29
PID 1344 wrote to memory of 2260	1344	JaffaCakes118_d65899b5e01527f9733a44ec48e5d662726af70e326b3cdfa14558617c6ae8bd.exe	29
PID 1344 wrote to memory of 2260	1344	JaffaCakes118_d65899b5e01527f9733a44ec48e5d662726af70e326b3cdfa14558617c6ae8bd.exe	29
PID 1344 wrote to memory of 2260	1344	JaffaCakes118_d65899b5e01527f9733a44ec48e5d662726af70e326b3cdfa14558617c6ae8bd.exe	29
PID 2260 wrote to memory of 2464	2260	WScript.exe	30
PID 2260 wrote to memory of 2464	2260	WScript.exe	30
PID 2260 wrote to memory of 2464	2260	WScript.exe	30
PID 2260 wrote to memory of 2464	2260	WScript.exe	30
PID 2464 wrote to memory of 2760	2464	cmd.exe	32
PID 2464 wrote to memory of 2760	2464	cmd.exe	32
PID 2464 wrote to memory of 2760	2464	cmd.exe	32
PID 2464 wrote to memory of 2760	2464	cmd.exe	32
PID 2760 wrote to memory of 2096	2760	DllCommonsvc.exe	61
PID 2760 wrote to memory of 2096	2760	DllCommonsvc.exe	61
PID 2760 wrote to memory of 2096	2760	DllCommonsvc.exe	61
PID 2760 wrote to memory of 2088	2760	DllCommonsvc.exe	62
PID 2760 wrote to memory of 2088	2760	DllCommonsvc.exe	62
PID 2760 wrote to memory of 2088	2760	DllCommonsvc.exe	62
PID 2760 wrote to memory of 2152	2760	DllCommonsvc.exe	63
PID 2760 wrote to memory of 2152	2760	DllCommonsvc.exe	63
PID 2760 wrote to memory of 2152	2760	DllCommonsvc.exe	63
PID 2760 wrote to memory of 2084	2760	DllCommonsvc.exe	64
PID 2760 wrote to memory of 2084	2760	DllCommonsvc.exe	64
PID 2760 wrote to memory of 2084	2760	DllCommonsvc.exe	64
PID 2760 wrote to memory of 2588	2760	DllCommonsvc.exe	65
PID 2760 wrote to memory of 2588	2760	DllCommonsvc.exe	65
PID 2760 wrote to memory of 2588	2760	DllCommonsvc.exe	65
PID 2760 wrote to memory of 2144	2760	DllCommonsvc.exe	66
PID 2760 wrote to memory of 2144	2760	DllCommonsvc.exe	66
PID 2760 wrote to memory of 2144	2760	DllCommonsvc.exe	66
PID 2760 wrote to memory of 3044	2760	DllCommonsvc.exe	67
PID 2760 wrote to memory of 3044	2760	DllCommonsvc.exe	67
PID 2760 wrote to memory of 3044	2760	DllCommonsvc.exe	67
PID 2760 wrote to memory of 2132	2760	DllCommonsvc.exe	68
PID 2760 wrote to memory of 2132	2760	DllCommonsvc.exe	68
PID 2760 wrote to memory of 2132	2760	DllCommonsvc.exe	68
PID 2760 wrote to memory of 900	2760	DllCommonsvc.exe	69
PID 2760 wrote to memory of 900	2760	DllCommonsvc.exe	69
PID 2760 wrote to memory of 900	2760	DllCommonsvc.exe	69
PID 2760 wrote to memory of 2596	2760	DllCommonsvc.exe	70
PID 2760 wrote to memory of 2596	2760	DllCommonsvc.exe	70
PID 2760 wrote to memory of 2596	2760	DllCommonsvc.exe	70
PID 2760 wrote to memory of 2040	2760	DllCommonsvc.exe	81
PID 2760 wrote to memory of 2040	2760	DllCommonsvc.exe	81
PID 2760 wrote to memory of 2040	2760	DllCommonsvc.exe	81
PID 2040 wrote to memory of 2652	2040	cmd.exe	83
PID 2040 wrote to memory of 2652	2040	cmd.exe	83
PID 2040 wrote to memory of 2652	2040	cmd.exe	83
PID 2040 wrote to memory of 1748	2040	cmd.exe	84
PID 2040 wrote to memory of 1748	2040	cmd.exe	84
PID 2040 wrote to memory of 1748	2040	cmd.exe	84
PID 2040 wrote to memory of 1748	2040	cmd.exe	84
PID 2040 wrote to memory of 1748	2040	cmd.exe	84
PID 1748 wrote to memory of 2756	1748	sppsvc.exe	85
PID 1748 wrote to memory of 2756	1748	sppsvc.exe	85
PID 1748 wrote to memory of 2756	1748	sppsvc.exe	85
PID 2756 wrote to memory of 520	2756	cmd.exe	87
PID 2756 wrote to memory of 520	2756	cmd.exe	87
PID 2756 wrote to memory of 520	2756	cmd.exe	87
PID 2756 wrote to memory of 1472	2756	cmd.exe	88
PID 2756 wrote to memory of 1472	2756	cmd.exe	88
PID 2756 wrote to memory of 1472	2756	cmd.exe	88
PID 2756 wrote to memory of 1472	2756	cmd.exe	88
PID 2756 wrote to memory of 1472	2756	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d65899b5e01527f9733a44ec48e5d662726af70e326b3cdfa14558617c6ae8bd.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d65899b5e01527f9733a44ec48e5d662726af70e326b3cdfa14558617c6ae8bd.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1344
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2260
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2464
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\Stationery\1033\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\de-DE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LZBxNd7EAA.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2652
      - C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:520
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        9⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2664
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat"
        11⤵
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2300
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat"
        13⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2788
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat"
        15⤵
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2444
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat"
        17⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1860
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        19⤵
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1320
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat"
        21⤵
        
        PID:964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2984
        
        C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\Stationery\1033\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\ja-JP\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\ja-JP\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Defender\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Defender\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Sidebar\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\SDK\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92982908c10e64c194385832e90cc395

SHA1
fcd21f1e8e6d29cbbf363866376ac5dc5a667d58

SHA256
24601afe17ed52edd6ee5c6ad9863e91cf5583ec21aa02541bf7a79ac669c983

SHA512
5621da2ee9dc8fb112059c4c4210d781633dbe6eb76b2969e9e4d58a322d7732b78c7c5d73b7eddbd915eaa72dcb3658fb156568923de0c70f80e5f0e085871f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9c38170796244377b2782c03f17a828

SHA1
7fc062e39d8e978cb49442602552a08e0ed1dc4c

SHA256
33944ed7eacf01e2da422092c06b8feddddef2cb1c4fb4868ab558a1b38b5175

SHA512
bdd130115145189ef0e19c2e3fc801b52c69f2637b1c6103548e251ef17dd8da879c6658db69c9038977cde541e754eb5d7ef22c896d7b8fcffdb195feff3218

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea7d5ecef0c0613a5079c69077033081

SHA1
aeb8358e644045412b914c863c0398018ded1cc8

SHA256
662576a41dcc9f0ef4662684b58aa86de38cf8c0710a813a838e54fac2c3c862

SHA512
0fe6643bfb895992e9932862c0d170f57135176d302b8861db208fa614361f4663570df1a8c565e16e2a6ebf68d6eeb366ed1bf12525b25f4472428f26410c75

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e6af7972ecbf796df96db416348e605

SHA1
361950c7442bee9e68b5f20d115250c4e9455158

SHA256
6f99f9aa908672b77a72cc9f9f9a687ab85b481ff33a134ff444de8b72a481e2

SHA512
ddd1d0d248644299ef9a9e545cb6984b63aa5b3960350d6d6a02937989746eeb9aab731b69ab9fded1182172add5cd11ee3ef1cb2a895cb6be7397805f1ae3f6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67994211a94fd8bfb8687d5b25906256

SHA1
49d02d7a577e2a47e57cffcf4b71cf70bbc14dc2

SHA256
e837aa24d2d233e37cadb7d1569d57b2639fbd2ec35695fa947c865f95beed72

SHA512
5e3247a190621719005497831c6c37cfa40859fbb9880899336c8a07ce1ff075669c566f7ed0224c1beca28739f542f2425c4490b35b71cae986a0b768958b4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a075ffb7beaff414852ebca53ca3b35

SHA1
41626a604476eb9344d3fb5c4e9442319449088d

SHA256
876477bbd1377581aab6b5b31750654a59965596f42ac5a5814857bd991047ab

SHA512
afd97e6097bfc78798867bff8dc5a86ac68dfa998b163b6793668cf0c00f3f793d12c84c9e9f8905c063bbe8bc92bf5da7bc56d56ba46a519a5fce8ef61e0f3e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a579e3b2dc059c33a0212d3132e6a89

SHA1
74c5da35072b143b688643e07e182496d368fdb3

SHA256
ab161182939f8ab66aebba3a1651545934fd11374f44ee8d202796b3444bfe4c

SHA512
940cd72c9d081de63ec2a2beeaea315438f1aab7c0a245c1b4ff16930ece698725537ee2871dbbe18975fb15b253f09ba263ffe0d834ed47d7d43296be30afb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ba5cf2bedadeab8804bcecd61e51ac5

SHA1
5b5c541d31d62ae30b3e826fb1096a07363e2e6c

SHA256
ac35bb3f05bd1916199cb52718bb33783ee7a0746c4a9551e2c565b66442070a

SHA512
25a499641f813a04bca481b19014d972f79cdf0f9776bfc7908e31dd3df78aa20fdb060cb722fbffd48324a2affe861fd63e2e705cbc3c9d71b3a0638481e689

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1B40.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GvFVSjZSRs.bat

Filesize
228B

MD5
fc78d92d53cdf2c250830ee4ef5a49d0

SHA1
38c5e30b68e75620b22be0fbdf8095d4accc7f4a

SHA256
52a788b6f21b3ca5e4c860d787df3450f3844eccd252bf4431356f32ca764c69

SHA512
fc5ebfa58698501026500650d1ec8a4ede2e7c481efa0fe3fd136e98bb6ee90bf7a6d64ae828bd7a0121f319405e1f547f3af49f1bad3de8fd61fab535902297

Download Submit
C:\Users\Admin\AppData\Local\Temp\JhFjyqSsxH.bat

Filesize
228B

MD5
9c5e08f0bcf015ee35dcdc07619bb17e

SHA1
2b898ab9bdec6bf48ca016869e1b9b70ca0064ef

SHA256
b9f0a92412fd938c50fbd20b0145abc60217c676a211d27b491aee4553a30a99

SHA512
b52020d9ee4a2bebbe05639dc5b49ad2224e3e1992e15834ca4afbe29338eec507025fd95090ee51db9074f8ad2800d9878bdd2dc683ad7b3b332a7e9dcd7dda

Download Submit
C:\Users\Admin\AppData\Local\Temp\LZBxNd7EAA.bat

Filesize
228B

MD5
0651a9dff5f141aa54629a3d79c06233

SHA1
94d40510b943bea0edc1ab984dc4d5fe39c1fce4

SHA256
6f0251cf02637d184f72e1579593185e71d46d1a4c0458d9839034b74a3c1597

SHA512
b65351ff0d06286f5128d9b65c4571ffffc5b0851e023b916cb5b30220d3dc9f958a40f9eadeec02ee79c42c3f9979eeadd85f93e3a07a60c4b197fadb9ba689

Download Submit
C:\Users\Admin\AppData\Local\Temp\QwDZd8tkMK.bat

Filesize
228B

MD5
5d4491f83d6370f62ae7e0a3d666b6f6

SHA1
5974f86339e998619d8d8b445ff636c79a924317

SHA256
6f72e8e91ac33bc27ccbf53a5188b73db3ffba384517112c0398c6b7ad141f3a

SHA512
1dd724adc4df6282873560d32710db48a1bb3b0cc7370597ff60f71f87d446849d20bacd57e204759d60fc9b158d7cd3e72ce5a39078bf46cd883c71ce606345

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B62.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
228B

MD5
158b0e33c613dc10a22d2b3c7585daab

SHA1
f0ff9b760c1b8f6484d93fe29366e8cf9db4ac19

SHA256
9814fe2242b42c8232ae1d0657d5b148038f0e0af61078a4c7d4c2d7929bc8fe

SHA512
bd992ca6b61007e4295560ceba2c55c57c9b839968bef032bf55be75d6c8c25d24db0897c70fbfcd035cf658b56551537c1a92c598995e724f0bde09dcef38c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\b6uRiEqY03.bat

Filesize
228B

MD5
bc6fe502000e3380aa9277e8f8f90626

SHA1
d514372033831a1af6a195125a1856b3098be983

SHA256
653f158aafbf57f8309fbc2d621b28108a4e398a0b7134473ab1eb2e52645a4c

SHA512
2ca513737cc55aedbd654554320f307d5263de8e50d7858440ba2d27fc3cc6744b15a050d0c99e8ee2eeab1b06febac3eba71b10ea2b6df2f4d035e144cec6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\e2wUPJtRJp.bat

Filesize
228B

MD5
ca20d6fa0789ae1973eb1e8e434697db

SHA1
50ab3e5543d0b111db32bc19d8acc8eb226de043

SHA256
9e5153494e8ddf4392eb87efef9e56d2085a32b06a2834b3a47a189b658acd0d

SHA512
2cf7866441cf192d7a277465c93f9a290472c9bddbbcdce9cc4eb192acda9b1cf4dd5879b8ac1c032e92f554bd7b717671bbe592e72e24d0474280ad32759705

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
228B

MD5
c5d0f7f53c02bd544222360d5e3be54a

SHA1
13d30e1a17dc10cfd7459fe3a166cace5143ed68

SHA256
736ce38d4e2856ffe79a7ee1022f06b0b2c62bc6df8dd4f4559bd57a63255f82

SHA512
a86a172b79da16194937263190fafae2eb31d1d67e64909281a5957e7f341bd393e27f299719cc16f7b2911f31611a4f507a8571182518ad8f64b25a82fabfea

Download Submit
C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat

Filesize
228B

MD5
9f230a6bfc1ea9e4aa597fb4bcbdddbd

SHA1
56cf7adb2796b33138e4dce91ac0313d1b35a3fd

SHA256
328b705959e3b0713b6272b8c5c44b2726dade75c42a482da5d8abb2b33c0b56

SHA512
8f7a061064c10f0ce3b2c9d4f780b1d04efe2d12ba8780cd990d7d0daaf6127b8ed180a5e82ce756defcaa0358938ebf3f7ec1d6892f2f7e071e8f4c978260e9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
76fff75b52addb82f79d0871453c3e79

SHA1
d7941c8f332d0971ef17c296222443c60ff6f6c2

SHA256
bf486d888d7a5e4d67b44437cc0f625d033960d31d15bc0f0efa6a27d08ff843

SHA512
e9734c31b4a453ddcf63b802804e5ccd6c2af68268b3c02851098090ddfdda82587006c67ca8bdfd3e7af0c946ad6071be32ca8729d3f48d52bd940fe905d198

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/796-215-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/796-216-0x00000000003F0000-0x0000000000402000-memory.dmp

Filesize
72KB

Download
memory/1472-154-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/1472-155-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/1572-517-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1748-94-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/1748-95-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/2152-457-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/2156-277-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2156-276-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2448-397-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2596-89-0x000000001B2E0000-0x000000001B5C2000-memory.dmp

Filesize
2.9MB

Download
memory/2596-91-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/2760-15-0x00000000007B0000-0x00000000007BC000-memory.dmp

Filesize
48KB

Download
memory/2760-16-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2760-14-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2760-17-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2760-13-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/2996-337-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download