dcrat | 7b7600fba14a3919a33ce55115120be0d6c13b9aaa664c9ae20acdd135030809

Analysis

max time kernel
145s
max time network
146s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_7b7600fba14a3919a33ce55115120be0d6c13b9aaa664c9ae20acdd135030809.exe
Size

1.3MB
MD5

4f032dd69a44b056e0a3ccc13b4ab21b
SHA1

b9d07a4e7bfac66cd303087c95de9765a16cf885
SHA256

7b7600fba14a3919a33ce55115120be0d6c13b9aaa664c9ae20acdd135030809
SHA512

3485f3fdfaeee4b24bc875d206297944757dffe21e578e0b3ab05fd2a979ba1e03f1756386d01d320e41a477a2ff4ee2a2569645747c09ab05b9f52ff2e4065f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2704	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1532	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1840	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1816	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	2476	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2476	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d42-9.dat	dcrat
behavioral1/memory/2572-13-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2168-51-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/2288-72-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/1484-291-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/292-351-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/2800-411-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/2920-471-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/2988-531-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1684	powershell.exe
1144	powershell.exe
536	powershell.exe
1588	powershell.exe
1700	powershell.exe
1956	powershell.exe
1092	powershell.exe
2564	powershell.exe
624	powershell.exe
1972	powershell.exe
2312	powershell.exe
1720	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2572	DllCommonsvc.exe
2168	DllCommonsvc.exe
2288	winlogon.exe
2144	winlogon.exe
1732	winlogon.exe
1484	winlogon.exe
292	winlogon.exe
2800	winlogon.exe
2920	winlogon.exe
2988	winlogon.exe
1276	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2432	cmd.exe
2432	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
9	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PolicyDefinitions\de-DE\services.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\PolicyDefinitions\de-DE\services.exe	DllCommonsvc.exe
File created	C:\Windows\PolicyDefinitions\de-DE\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\Globalization\services.exe	DllCommonsvc.exe
File created	C:\Windows\Globalization\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_7b7600fba14a3919a33ce55115120be0d6c13b9aaa664c9ae20acdd135030809.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2704	schtasks.exe
2684	schtasks.exe
320	schtasks.exe
1816	schtasks.exe
2912	schtasks.exe
1796	schtasks.exe
304	schtasks.exe
2644	schtasks.exe
2444	schtasks.exe
1736	schtasks.exe
1676	schtasks.exe
656	schtasks.exe
2408	schtasks.exe
1532	schtasks.exe
768	schtasks.exe
2376	schtasks.exe
1276	schtasks.exe
904	schtasks.exe
696	schtasks.exe
2428	schtasks.exe
2240	schtasks.exe
2720	schtasks.exe
1948	schtasks.exe
604	schtasks.exe
2060	schtasks.exe
2968	schtasks.exe
1840	schtasks.exe
2488	schtasks.exe
2236	schtasks.exe
1664	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2572	DllCommonsvc.exe
1144	powershell.exe
1684	powershell.exe
1092	powershell.exe
536	powershell.exe
2168	DllCommonsvc.exe
624	powershell.exe
2564	powershell.exe
1972	powershell.exe
1956	powershell.exe
2312	powershell.exe
1588	powershell.exe
1720	powershell.exe
1700	powershell.exe
2288	winlogon.exe
2144	winlogon.exe
1732	winlogon.exe
1484	winlogon.exe
292	winlogon.exe
2800	winlogon.exe
2920	winlogon.exe
2988	winlogon.exe
1276	winlogon.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2572	DllCommonsvc.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2168	DllCommonsvc.exe
Token: SeDebugPrivilege	624	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2288	winlogon.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	1588	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2144	winlogon.exe
Token: SeDebugPrivilege	1732	winlogon.exe
Token: SeDebugPrivilege	1484	winlogon.exe
Token: SeDebugPrivilege	292	winlogon.exe
Token: SeDebugPrivilege	2800	winlogon.exe
Token: SeDebugPrivilege	2920	winlogon.exe
Token: SeDebugPrivilege	2988	winlogon.exe
Token: SeDebugPrivilege	1276	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2288	1728	JaffaCakes118_7b7600fba14a3919a33ce55115120be0d6c13b9aaa664c9ae20acdd135030809.exe	31
PID 1728 wrote to memory of 2288	1728	JaffaCakes118_7b7600fba14a3919a33ce55115120be0d6c13b9aaa664c9ae20acdd135030809.exe	31
PID 1728 wrote to memory of 2288	1728	JaffaCakes118_7b7600fba14a3919a33ce55115120be0d6c13b9aaa664c9ae20acdd135030809.exe	31
PID 1728 wrote to memory of 2288	1728	JaffaCakes118_7b7600fba14a3919a33ce55115120be0d6c13b9aaa664c9ae20acdd135030809.exe	31
PID 2288 wrote to memory of 2432	2288	WScript.exe	32
PID 2288 wrote to memory of 2432	2288	WScript.exe	32
PID 2288 wrote to memory of 2432	2288	WScript.exe	32
PID 2288 wrote to memory of 2432	2288	WScript.exe	32
PID 2432 wrote to memory of 2572	2432	cmd.exe	34
PID 2432 wrote to memory of 2572	2432	cmd.exe	34
PID 2432 wrote to memory of 2572	2432	cmd.exe	34
PID 2432 wrote to memory of 2572	2432	cmd.exe	34
PID 2572 wrote to memory of 1684	2572	DllCommonsvc.exe	45
PID 2572 wrote to memory of 1684	2572	DllCommonsvc.exe	45
PID 2572 wrote to memory of 1684	2572	DllCommonsvc.exe	45
PID 2572 wrote to memory of 536	2572	DllCommonsvc.exe	46
PID 2572 wrote to memory of 536	2572	DllCommonsvc.exe	46
PID 2572 wrote to memory of 536	2572	DllCommonsvc.exe	46
PID 2572 wrote to memory of 1092	2572	DllCommonsvc.exe	48
PID 2572 wrote to memory of 1092	2572	DllCommonsvc.exe	48
PID 2572 wrote to memory of 1092	2572	DllCommonsvc.exe	48
PID 2572 wrote to memory of 1144	2572	DllCommonsvc.exe	49
PID 2572 wrote to memory of 1144	2572	DllCommonsvc.exe	49
PID 2572 wrote to memory of 1144	2572	DllCommonsvc.exe	49
PID 2572 wrote to memory of 1192	2572	DllCommonsvc.exe	53
PID 2572 wrote to memory of 1192	2572	DllCommonsvc.exe	53
PID 2572 wrote to memory of 1192	2572	DllCommonsvc.exe	53
PID 1192 wrote to memory of 2864	1192	cmd.exe	55
PID 1192 wrote to memory of 2864	1192	cmd.exe	55
PID 1192 wrote to memory of 2864	1192	cmd.exe	55
PID 1192 wrote to memory of 2168	1192	cmd.exe	56
PID 1192 wrote to memory of 2168	1192	cmd.exe	56
PID 1192 wrote to memory of 2168	1192	cmd.exe	56
PID 2168 wrote to memory of 1588	2168	DllCommonsvc.exe	78
PID 2168 wrote to memory of 1588	2168	DllCommonsvc.exe	78
PID 2168 wrote to memory of 1588	2168	DllCommonsvc.exe	78
PID 2168 wrote to memory of 1700	2168	DllCommonsvc.exe	79
PID 2168 wrote to memory of 1700	2168	DllCommonsvc.exe	79
PID 2168 wrote to memory of 1700	2168	DllCommonsvc.exe	79
PID 2168 wrote to memory of 1720	2168	DllCommonsvc.exe	80
PID 2168 wrote to memory of 1720	2168	DllCommonsvc.exe	80
PID 2168 wrote to memory of 1720	2168	DllCommonsvc.exe	80
PID 2168 wrote to memory of 2564	2168	DllCommonsvc.exe	81
PID 2168 wrote to memory of 2564	2168	DllCommonsvc.exe	81
PID 2168 wrote to memory of 2564	2168	DllCommonsvc.exe	81
PID 2168 wrote to memory of 2312	2168	DllCommonsvc.exe	82
PID 2168 wrote to memory of 2312	2168	DllCommonsvc.exe	82
PID 2168 wrote to memory of 2312	2168	DllCommonsvc.exe	82
PID 2168 wrote to memory of 1972	2168	DllCommonsvc.exe	84
PID 2168 wrote to memory of 1972	2168	DllCommonsvc.exe	84
PID 2168 wrote to memory of 1972	2168	DllCommonsvc.exe	84
PID 2168 wrote to memory of 1956	2168	DllCommonsvc.exe	85
PID 2168 wrote to memory of 1956	2168	DllCommonsvc.exe	85
PID 2168 wrote to memory of 1956	2168	DllCommonsvc.exe	85
PID 2168 wrote to memory of 624	2168	DllCommonsvc.exe	87
PID 2168 wrote to memory of 624	2168	DllCommonsvc.exe	87
PID 2168 wrote to memory of 624	2168	DllCommonsvc.exe	87
PID 2168 wrote to memory of 2288	2168	DllCommonsvc.exe	94
PID 2168 wrote to memory of 2288	2168	DllCommonsvc.exe	94
PID 2168 wrote to memory of 2288	2168	DllCommonsvc.exe	94
PID 2288 wrote to memory of 1388	2288	winlogon.exe	95
PID 2288 wrote to memory of 1388	2288	winlogon.exe	95
PID 2288 wrote to memory of 1388	2288	winlogon.exe	95
PID 1388 wrote to memory of 2140	1388	cmd.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b7600fba14a3919a33ce55115120be0d6c13b9aaa664c9ae20acdd135030809.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_7b7600fba14a3919a33ce55115120be0d6c13b9aaa664c9ae20acdd135030809.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2432
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PolicyDefinitions\de-DE\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0M8NeGSzLa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1192
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2864
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\lsm.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Globalization\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\services.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:624
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2140
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat"
        10⤵
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1328
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"
        12⤵
        
        PID:336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2192
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
        14⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:952
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
        16⤵
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2512
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat"
        18⤵
        
        PID:1156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1744
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat"
        20⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:344
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat"
        22⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1880
        
        C:\providercommon\winlogon.exe
        
        "C:\providercommon\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat"
        24⤵
        
        PID:624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\PolicyDefinitions\de-DE\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\PolicyDefinitions\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\PolicyDefinitions\de-DE\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Admin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Windows\Globalization\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Globalization\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Windows\Globalization\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Program Files\Google\Chrome\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68f732198908e978fc58e8d6ddbe8776

SHA1
70695d6f2f4a0dfd6b0e6ee00480c26c5c96d508

SHA256
86c84d6a73f90caff3568bfc3db34f9497c6ba334db9eb9128141cd494cf30ac

SHA512
9d3cd7aa70346d15f90b28f8202a9b63829d7df813e261586e9bac238878b6f6acd1442f5a3cea556423bd02e241c4bbcd22448efc2fc40d8dad0cde97decfe2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
95083d3892c8e3fe628575bc310948e2

SHA1
fd0a6db84675dfe3df9b52a7b5fc404eb3361c54

SHA256
53919d097da1513619b96d7dc1bab6f99f8e46694442559889de18e8dfe3fc35

SHA512
b3ae76153c4695ddb68675c31e456a09c8613145f4ed618a268f600883d69807ebbf1d0473ac7265b27da249aad936b69e00608aee1824c6b9a908a76357a445

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f19e97473e04bc7d3517b5cbf928548

SHA1
f10f0b4f29829d5385c67d6b935c8d829a3a3ca8

SHA256
d1984e7c17144e99f9ab90d6b0496481b0541efa75b3105d06cbb2450d6f0062

SHA512
19d511cc6bd0cd7d178504cc46e1ba20c51bfcee4b6723ec4bf932cf14b8530e0541461cbef459a4b611b7e699c6529cfad8ae53b7098275f80bca64c26bb74b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
367b7286606e1b35b4b48166e8b1635b

SHA1
3c24f44c368394c0ab16257c70c7f49b8ed5277d

SHA256
841e8d2e7f913f1e24385c85f7fd6e7d948b9c29f29516b8bf5a647007d6c4ce

SHA512
6f65a49ddcb6f8cf71d3896c0c65d46792840e00023d49beee11aaf7dc43be3097b237b7bc33f91773e9e1ab91935b311b31e91bee59c2ea663a75984c09415c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
295e9d6575940c95ffd460e064ca22c6

SHA1
cb6392e7fdd5ff39934b4c23fb39cb8f30e25b2f

SHA256
d2830aada1d3d4f2115a1b0ef278228061818c63a156e12bfdbb9c9fddbb1352

SHA512
bb49ed83f8500a5d1bfdf09f3120f4a8cfda7dd4d6626e9ebf49840226baf0480df260a5d76cd8176458d5a0efe1f82fb44f9b1c0680beeada1dcd2475f6ee1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64bd8fb0b85af36de995ed2eac2b89ae

SHA1
12eaf4b83435038aa907ffee5d2829fe7b176d54

SHA256
954d1f2f0c41d9fab9707f00beb10e15ec10832cd18f77dfb9a79c87181756dc

SHA512
6a0feb8bed7e26d91a3f7197aee7c814042e0c02872c3ced26e9579e60a9da1dd8ff6a7390e7a6cf5619abfd0ee82862d1a203415506eb8ceb825e2496110080

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
44292a1ac4c860f362f3041181333f85

SHA1
300ec7b9a2badedf0fedfd2c436a283897af8813

SHA256
a984de0b29b55517a4e51bc7a4f228156448e1c61701f390a369b62bb3f5bb01

SHA512
9d5119dd088327da6e1cdfd51b10c9632d5a2a24c1b423ed0ccb5553bacb23a75f269ec2be4160deda098ab825eafdd3d2db21dba935a1fd2253d3240544f7af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
185128ad4e179eb41cae3e5c54797320

SHA1
ebd7fb584c9d075d773cefa20254aea36bbc7a41

SHA256
24c038b0533880077c4d5ba20afe6d5419469394c44a58dfdb59f6ba74c764ae

SHA512
8f0973e6e1f515ec7dbe4d72151135a9d36da71d41cf30e2e69ed53747ee3ce58cb29c674561aa4d9a042f96386a6609d61629bafb297b3a9b16b56b47ff5139

Download Submit
C:\Users\Admin\AppData\Local\Temp\0M8NeGSzLa.bat

Filesize
199B

MD5
51ea933a0515604343623b287dc5ddb6

SHA1
7d36b16bce3dae962b79ad30fde29330d3ea8cd5

SHA256
617e59b4a7ae54a701bb78f39d40fe6ed9225f7dd750d7bca7daf42073da189a

SHA512
a07513fcbcb0486f89a71cbc93491235dbb858e4a09fa3c632ab6ca7ce4e3290413b1076de66da05a9aa8f71057d2fda59714baff0b66997f5444a0e40565c44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4491.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FaowIOOII5.bat

Filesize
195B

MD5
ad49235bc07f6e179dc616d8cb7041a0

SHA1
481e00c2462027f2ba279e4783aa45a6705b67d0

SHA256
2018e176a75bcb802248182af414d4b947f7ffa27f7b81afcd4b9e2db8f47ea3

SHA512
94fcf86910902e5048e6551243c83ac6607fb5e4ee3fa28da3315a0848212e7ade804465512e5ec1a35480a18912f4875fd7f3602def85ec07bea67dc9e55a73

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

Filesize
195B

MD5
e54b578fe2e23e9243134be646864ded

SHA1
e20c67694ea5f50a509bbd370e2f22c20a5e8369

SHA256
436472a8db880b35357443d798a2876b34e0548178ab44487687e5498b15d55b

SHA512
2e094a68f07b1bb15eb29ed50a28c11a2bb08acc34f1c6e5bd981e944aebaecc62a08551b83d5ad7cefefd488c0fea0a2f767368d7e90cdf7edf1da05d0943c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KmPq9HzxB6.bat

Filesize
195B

MD5
66ef797c9a8d86ed04a9011decf4243f

SHA1
1136f48ac49222f3106ea651a7559a4b568abae8

SHA256
483637be9193453fc2de253911a2637a088502899ee1b719a305c04b6b4914ae

SHA512
80c1ed769c79535dbe1bf60e10c0e020f5ad925ea26b3ffc450d610ff200b8fde855cd08c970f72c0ef4c9ddf8277c8f5c88b5ff59dfd0567a39584cea4ab26e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NYP5fOsMgV.bat

Filesize
195B

MD5
1bc239b980828a9140b195039da0c971

SHA1
35c38b4c33751c1c7b96f29f09c4aff2674e215d

SHA256
0e343e8896d527ccde0ca10a97521efa9c59192c8573c9af0819a98de1081978

SHA512
0dce4e155ba0d73649fca0e3164cb937e968cdc57dc32b7c6e7880d4b3425e9f38c52a9e35a67234a0357d4fe620b77b816bd42894754938e7c837634ec463c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

Filesize
195B

MD5
fbcb1a15e704968d204af0db6c791ab2

SHA1
9b45019c377744724f4f0607f75e11bc7659aa09

SHA256
392b3c68269a0cd383d9efcf9e9da81940b01c1aea9667e9e5e8fd27b0543b26

SHA512
f6320f030351e285efe05172fa3fd736c4a9d92a419ca8dddd8686dbd9d04c7ff20007b6d8d5ed51417ecd2162e6c288a9dde453f6c1c08354ec0c8e194826ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar44A3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZmgdUlucqh.bat

Filesize
195B

MD5
7ac24ca469884a11941aa0d93ceebf7c

SHA1
58389902924a039b124124edf84b300aa9853c28

SHA256
df96bef61c41fb19da86a9b6eabadf0b23edf9e2226c07eecf7057efb8f13786

SHA512
5b0103ffd00059b2a49af09cb2755effdc78263a97ad71c576cded69e66a57e8b48b7ab8b83866ab8ad51f5b150e27311794fceab4c5690f388dc5ca08600b17

Download Submit
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

Filesize
195B

MD5
efeb541aeba5338a544df6b4606b41ce

SHA1
b008a4d97127c2e4159a9965306e7deed7caa172

SHA256
d140ec1029643bb23a7060d41f7abaa98fcaf26283a3525f28491f365f6968de

SHA512
15dbe84fde80e7bf6657054ae76530b3322ff4ebd25f6b8302c35f10eca37b764f7581848f0a990a68965466f8ca9fcb24c8b171babb3dd7d3596e571b769c89

Download Submit
C:\Users\Admin\AppData\Local\Temp\iLsGNVHQP6.bat

Filesize
195B

MD5
933efb92d30f9c988b746d80193723a4

SHA1
2b63948ff2be1ca0a74d0516524f518acc9ca6b4

SHA256
76ecdc9571478b40f1abf0b073631c6fc92e9455af63005a540e51c41e0f7090

SHA512
b24095d70a5b4529ffed2077edc72ccb2bf1053a01f35c950d386e43ff1f17dda85b2fa1de73a149e1696b908c9e5ff78c4517fab561e17bedefbd5381f73722

Download Submit
C:\Users\Admin\AppData\Local\Temp\wzkVYe0vvu.bat

Filesize
195B

MD5
37370c69f05439641b38b40640723a99

SHA1
97a097188ce0e5703fb5724a4dedc5367983b586

SHA256
925ecae2de5c3d739d82fb6daea0105c913344781322a19e890b6fe480e1da92

SHA512
28f0c45c2d141ac8adb2b7c108ed07ee3a77bc91af6996483ea4749081ff83cc2964fbe793ec64faa5b781deaccbad8ff3cec3facf2df60fef70f52f1e1b6768

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e45b76c58d7593300f05409610cfe99b

SHA1
9ca1dba89107f0b3e0a64819733e5beac4e67567

SHA256
31858eaaf2824c345b871b64babcc8ff8fe1bcdb87003eaf7604f9a32438c01e

SHA512
a46ea86cb3a8afedcae73008fde259486b594e1e15eb87ac5adad00ad39ba3bcf991fa55884f838ff9662a70bdaa0faf6928505c38f5a2e79b8760f5cc26d469

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/292-351-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/624-92-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1144-39-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/1144-37-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1484-291-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2168-51-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/2288-72-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/2564-94-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/2572-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2572-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2572-13-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2572-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2572-17-0x0000000000590000-0x000000000059C000-memory.dmp

Filesize
48KB

Download
memory/2800-411-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2920-471-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2988-531-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download