dcrat | 07e78e7183c89ddce6e00ca77bae7419d659b0ba5caab3646cb49d4727dd79ab

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_07e78e7183c89ddce6e00ca77bae7419d659b0ba5caab3646cb49d4727dd79ab.exe
Size

1.3MB
MD5

63a8df3bab06b4ca10ed7c7b787948cb
SHA1

97cf35339660b863f4fe63b03b684398f3024395
SHA256

07e78e7183c89ddce6e00ca77bae7419d659b0ba5caab3646cb49d4727dd79ab
SHA512

af66eb25a98220f7db189eb680f995b890d80c1f1a892ca55479aa45a810159b826cec1e38e9dc97e69c41b10a337aae6a9a9b1b27f2ff82bace4528ff44e363
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1896	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1116	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1556	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2888	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c58-9.dat	dcrat
behavioral1/memory/2736-13-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/2168-101-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/2772-161-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2644-221-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/1312-281-0x0000000001020000-0x0000000001130000-memory.dmp	dcrat
behavioral1/memory/980-461-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2896-522-0x0000000000870000-0x0000000000980000-memory.dmp	dcrat
behavioral1/memory/800-582-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2920-642-0x0000000000930000-0x0000000000A40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1300	powershell.exe
596	powershell.exe
1948	powershell.exe
2796	powershell.exe
1908	powershell.exe
1312	powershell.exe
2164	powershell.exe
1172	powershell.exe
1424	powershell.exe
1916	powershell.exe
940	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2736	DllCommonsvc.exe
2168	lsass.exe
2772	lsass.exe
2644	lsass.exe
1312	lsass.exe
408	lsass.exe
1704	lsass.exe
980	lsass.exe
2896	lsass.exe
800	lsass.exe
2920	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2056	cmd.exe
2056	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\de-DE\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\de-DE\6203df4a6bafc7	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\security\audit\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\security\audit\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\fr-FR\sppsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_07e78e7183c89ddce6e00ca77bae7419d659b0ba5caab3646cb49d4727dd79ab.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1884	schtasks.exe
1116	schtasks.exe
1976	schtasks.exe
2728	schtasks.exe
3040	schtasks.exe
2644	schtasks.exe
2968	schtasks.exe
2800	schtasks.exe
1640	schtasks.exe
2200	schtasks.exe
1828	schtasks.exe
2648	schtasks.exe
1596	schtasks.exe
2128	schtasks.exe
2844	schtasks.exe
804	schtasks.exe
2848	schtasks.exe
2620	schtasks.exe
2404	schtasks.exe
2100	schtasks.exe
1008	schtasks.exe
1872	schtasks.exe
1672	schtasks.exe
1556	schtasks.exe
2660	schtasks.exe
1896	schtasks.exe
2152	schtasks.exe
2632	schtasks.exe
1256	schtasks.exe
1264	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2736	DllCommonsvc.exe
1916	powershell.exe
940	powershell.exe
1948	powershell.exe
596	powershell.exe
2164	powershell.exe
1424	powershell.exe
1172	powershell.exe
1908	powershell.exe
1300	powershell.exe
1312	powershell.exe
2796	powershell.exe
2168	lsass.exe
2772	lsass.exe
2644	lsass.exe
1312	lsass.exe
408	lsass.exe
1704	lsass.exe
980	lsass.exe
2896	lsass.exe
800	lsass.exe
2920	lsass.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	DllCommonsvc.exe
Token: SeDebugPrivilege	1916	powershell.exe
Token: SeDebugPrivilege	940	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	596	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1172	powershell.exe
Token: SeDebugPrivilege	1908	powershell.exe
Token: SeDebugPrivilege	1300	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	2168	lsass.exe
Token: SeDebugPrivilege	2772	lsass.exe
Token: SeDebugPrivilege	2644	lsass.exe
Token: SeDebugPrivilege	1312	lsass.exe
Token: SeDebugPrivilege	408	lsass.exe
Token: SeDebugPrivilege	1704	lsass.exe
Token: SeDebugPrivilege	980	lsass.exe
Token: SeDebugPrivilege	2896	lsass.exe
Token: SeDebugPrivilege	800	lsass.exe
Token: SeDebugPrivilege	2920	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2332 wrote to memory of 2544	2332	JaffaCakes118_07e78e7183c89ddce6e00ca77bae7419d659b0ba5caab3646cb49d4727dd79ab.exe	31
PID 2332 wrote to memory of 2544	2332	JaffaCakes118_07e78e7183c89ddce6e00ca77bae7419d659b0ba5caab3646cb49d4727dd79ab.exe	31
PID 2332 wrote to memory of 2544	2332	JaffaCakes118_07e78e7183c89ddce6e00ca77bae7419d659b0ba5caab3646cb49d4727dd79ab.exe	31
PID 2332 wrote to memory of 2544	2332	JaffaCakes118_07e78e7183c89ddce6e00ca77bae7419d659b0ba5caab3646cb49d4727dd79ab.exe	31
PID 2544 wrote to memory of 2056	2544	WScript.exe	32
PID 2544 wrote to memory of 2056	2544	WScript.exe	32
PID 2544 wrote to memory of 2056	2544	WScript.exe	32
PID 2544 wrote to memory of 2056	2544	WScript.exe	32
PID 2056 wrote to memory of 2736	2056	cmd.exe	34
PID 2056 wrote to memory of 2736	2056	cmd.exe	34
PID 2056 wrote to memory of 2736	2056	cmd.exe	34
PID 2056 wrote to memory of 2736	2056	cmd.exe	34
PID 2736 wrote to memory of 596	2736	DllCommonsvc.exe	66
PID 2736 wrote to memory of 596	2736	DllCommonsvc.exe	66
PID 2736 wrote to memory of 596	2736	DllCommonsvc.exe	66
PID 2736 wrote to memory of 940	2736	DllCommonsvc.exe	67
PID 2736 wrote to memory of 940	2736	DllCommonsvc.exe	67
PID 2736 wrote to memory of 940	2736	DllCommonsvc.exe	67
PID 2736 wrote to memory of 1300	2736	DllCommonsvc.exe	68
PID 2736 wrote to memory of 1300	2736	DllCommonsvc.exe	68
PID 2736 wrote to memory of 1300	2736	DllCommonsvc.exe	68
PID 2736 wrote to memory of 2164	2736	DllCommonsvc.exe	70
PID 2736 wrote to memory of 2164	2736	DllCommonsvc.exe	70
PID 2736 wrote to memory of 2164	2736	DllCommonsvc.exe	70
PID 2736 wrote to memory of 1172	2736	DllCommonsvc.exe	71
PID 2736 wrote to memory of 1172	2736	DllCommonsvc.exe	71
PID 2736 wrote to memory of 1172	2736	DllCommonsvc.exe	71
PID 2736 wrote to memory of 1312	2736	DllCommonsvc.exe	72
PID 2736 wrote to memory of 1312	2736	DllCommonsvc.exe	72
PID 2736 wrote to memory of 1312	2736	DllCommonsvc.exe	72
PID 2736 wrote to memory of 1908	2736	DllCommonsvc.exe	73
PID 2736 wrote to memory of 1908	2736	DllCommonsvc.exe	73
PID 2736 wrote to memory of 1908	2736	DllCommonsvc.exe	73
PID 2736 wrote to memory of 2796	2736	DllCommonsvc.exe	74
PID 2736 wrote to memory of 2796	2736	DllCommonsvc.exe	74
PID 2736 wrote to memory of 2796	2736	DllCommonsvc.exe	74
PID 2736 wrote to memory of 1948	2736	DllCommonsvc.exe	75
PID 2736 wrote to memory of 1948	2736	DllCommonsvc.exe	75
PID 2736 wrote to memory of 1948	2736	DllCommonsvc.exe	75
PID 2736 wrote to memory of 1916	2736	DllCommonsvc.exe	77
PID 2736 wrote to memory of 1916	2736	DllCommonsvc.exe	77
PID 2736 wrote to memory of 1916	2736	DllCommonsvc.exe	77
PID 2736 wrote to memory of 1424	2736	DllCommonsvc.exe	79
PID 2736 wrote to memory of 1424	2736	DllCommonsvc.exe	79
PID 2736 wrote to memory of 1424	2736	DllCommonsvc.exe	79
PID 2736 wrote to memory of 2148	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 2148	2736	DllCommonsvc.exe	88
PID 2736 wrote to memory of 2148	2736	DllCommonsvc.exe	88
PID 2148 wrote to memory of 1120	2148	cmd.exe	90
PID 2148 wrote to memory of 1120	2148	cmd.exe	90
PID 2148 wrote to memory of 1120	2148	cmd.exe	90
PID 2148 wrote to memory of 2168	2148	cmd.exe	91
PID 2148 wrote to memory of 2168	2148	cmd.exe	91
PID 2148 wrote to memory of 2168	2148	cmd.exe	91
PID 2168 wrote to memory of 2272	2168	lsass.exe	92
PID 2168 wrote to memory of 2272	2168	lsass.exe	92
PID 2168 wrote to memory of 2272	2168	lsass.exe	92
PID 2272 wrote to memory of 2908	2272	cmd.exe	94
PID 2272 wrote to memory of 2908	2272	cmd.exe	94
PID 2272 wrote to memory of 2908	2272	cmd.exe	94
PID 2272 wrote to memory of 2772	2272	cmd.exe	95
PID 2272 wrote to memory of 2772	2272	cmd.exe	95
PID 2272 wrote to memory of 2772	2272	cmd.exe	95
PID 2772 wrote to memory of 1940	2772	lsass.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07e78e7183c89ddce6e00ca77bae7419d659b0ba5caab3646cb49d4727dd79ab.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_07e78e7183c89ddce6e00ca77bae7419d659b0ba5caab3646cb49d4727dd79ab.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2332
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2544
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2056
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\Sample Videos\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\security\audit\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\de-DE\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EXqKjrDbwq.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1120
      - C:\Program Files\Windows Sidebar\de-DE\lsass.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\lsass.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2908
        
        C:\Program Files\Windows Sidebar\de-DE\lsass.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\lsass.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat"
        9⤵
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2612
        
        C:\Program Files\Windows Sidebar\de-DE\lsass.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\lsass.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2644
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
        11⤵
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1900
        
        C:\Program Files\Windows Sidebar\de-DE\lsass.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\lsass.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
        13⤵
        
        PID:2904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2952
        
        C:\Program Files\Windows Sidebar\de-DE\lsass.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\lsass.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat"
        15⤵
        
        PID:2516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1884
        
        C:\Program Files\Windows Sidebar\de-DE\lsass.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\lsass.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat"
        17⤵
        
        PID:2036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1344
        
        C:\Program Files\Windows Sidebar\de-DE\lsass.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\lsass.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        19⤵
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1180
        
        C:\Program Files\Windows Sidebar\de-DE\lsass.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\lsass.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
        21⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1524
        
        C:\Program Files\Windows Sidebar\de-DE\lsass.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\lsass.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        23⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2732
        
        C:\Program Files\Windows Sidebar\de-DE\lsass.exe
        
        "C:\Program Files\Windows Sidebar\de-DE\lsass.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5Yw7RONjUI.bat"
        25⤵
        
        PID:344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Videos\Sample Videos\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Windows\security\audit\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\security\audit\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\security\audit\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\fr-FR\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Pictures\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Pictures\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e0cbcf2c273c00f3890705f5e2c4d9aa

SHA1
c21eff5a9bea0d9c977ec3be3391efad4897c934

SHA256
3c837eb4aa91b5dc6f718f1e111187c38e5bcf829f4cc3b451f6758c2da02c97

SHA512
be213c3b68b7cd3ca0a89d8f79a869d30004cb6bd66c66f09e0332fc6eb002873dee413ae6eb150422f8a1e1b404f5840cf89b55b435b5da65cb5bf8cc0bca87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f6edc433996c928abcdc9ff2037aaca

SHA1
83becc5906d87edb114d4b189cb93f931ffb64a2

SHA256
7f4a88ad72ce27ba80a48146ccdfa57c2bf0f2d8c3afff3f724823f44287d3c0

SHA512
3a6da10ec19cdc9d2b9130af0dfb6bc22465178db728eccf4bfb7e664eb86ef43892d4c551adb60c2b8b9663454ab4cd3854cd60d7cbf74242ced9313441cbd7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2e3cd622bcd7c1e55dc48076baec8a8e

SHA1
9654fef8c454c3ca176324304238b0100b61cb49

SHA256
39aebb7848ca76dd00aee88f3c386e13cf8e6660b8b5283f7e812785ebb2adc4

SHA512
6dccebe0694dc762a137368674fb08ddb41f76a23a358255f73fb1d1ca3e89c3952b2a728d2e8845600c85724856aa8da83182d3aadabc9be52df67388301f1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
597e1409dc8cc89ef3b5fa7ba83c6f37

SHA1
063b233cf70df5eb9b1c2160137374927d1196f0

SHA256
f75bda8d650e284fd1d61a870650fa431c0586de27f1d3447279690c5791e965

SHA512
6bc048dc1306f0a703ffa5caeedbdb9e7553b8d6217b9c015dd12e3179f16c0942b59bb74c33c7c8317a99357101f0e7c10c7bc90c9dc7a7ec95d2aa7d9e645f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ac5cc8039222ce4456d09fbe94a4fa2a

SHA1
f42fe78458bf069a97427c0b0a47fbe01018d464

SHA256
7cda632f9bcefb23d9d1c8c45c093703f95d8699ac2c8fb1e8a2d02f2334f111

SHA512
16fe0d5dd5224e49d3436d5e919d986ba4d924ce4d732ffb5fa2b218001c24e86f70b6767c460119bcaa19a90f3e902e4de228d0780c433661fe3d676cf50a2b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
004c644a255226d495647d45bc24fe44

SHA1
b7a5c3d98ac2bb3b2cc2bb258431a7f2b65702e2

SHA256
09d9df4f8a76cdf36bbb74252ed4cf0206c106804f0a15ba51ea5f120c6bff40

SHA512
8fbbd3051df0c117f91ea2495e6effc0bfe8cd05ad1e21bebdc8851de7ae280fbbc7975b5761d4b6d829a348e8bb88c28b3af4b1a9605bc7cb85f53d8b0e3287

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1d82d1a26b3021da0631c57bd995c91

SHA1
695b23061e82e8ef4f00fd4e2d7ca7918ce7bd34

SHA256
d746d37cf0457c212269f2316c87a90d683d5896a28ea7be8a99898de299c25e

SHA512
303ad9f5a64eed1698fd5aed975af44acaaa761cf593c376ce70e9ed79bf8281343f5afa196b8f315fe58e049854126786aa362325816f275bc0f33c2912f791

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
314f75162f2e9b97d51f07c01f2d2549

SHA1
682e9bfd08a8ce193725b9ae10b2ebafc7674c25

SHA256
3c26c59fd1ab2bb3d0715129e067183914c10613f107fad317aef7f87688e874

SHA512
605daa1f890115926d8f4f4bb50a86e37c116ea0381026cb549e7bc3c3dd32fa344c8310685bb92f8f80516b71223138d67107b52bdbaceba218f7ee3c01842b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e7f3ffd3ec7c57b4c240ca4ca18bacba

SHA1
04684c819de548e407b07a74ffbe41b0414f6ccc

SHA256
c2713a9c24b86f241d58f7301e5ef9309ceeea297236ff91794fe8f4277fdcde

SHA512
aa39351bab6a38bdcd8c08e44735b1a87b9dbfed7f139b7f9eeb0d5a5149152660dd7c1f4bf0749b08ed8a792ac207472d0e7f9e849e2383c6f6d2ef1d1a3333

Download Submit
C:\Users\Admin\AppData\Local\Temp\6M87tNVNy8.bat

Filesize
213B

MD5
f717251a4912526856cc7e2638327394

SHA1
278184e0ae1381b447779d64065d5ea3d56bbdb7

SHA256
7ccbb279f16de248097226970ebdfb48e44bc3b221c6992d9f48e21ec0d50ad3

SHA512
97e8f8d5214be71e62bb032daf23423d90c460f149bfca82ed9c7aa7db29d95ca8193806a538a1a5ca372fe34da7bd130fc1fdf4ecdbf4974728a6153d15b0a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
213B

MD5
37172e5f972e61d34e5d482edf9cb8ed

SHA1
c27d8cf578f5a5b5b7b862a57a553acee70e0535

SHA256
8ad93e543530569beb0832272afc98be1c26c016d07df715aa6cb6247211ae8b

SHA512
599807ad6bb164f36b509a3e95f1be425b5b465797f61d364fbb17995bd37f116855b4dc356c8d5872f319b3ff06eca7e2cdd2315f7e69a3dfaaa12cb85a517d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1528.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EXqKjrDbwq.bat

Filesize
213B

MD5
0a678460116e173a9834603f1f8357f8

SHA1
96b4269234cb9fe19e4abf270505caa7b9013fe9

SHA256
8025083eed7ceb2e2ca3a57acd9e4f4dd05f3227611d790eb73e43e184f22497

SHA512
65ec16c7f4ea0fbdeda589043ee6591e71dc6b1c7f79fab9a521d23a844226cfcaaf882da4ca5ca110b1e9f1196b1f81ce7a7bed0130d1af45ecd237a82af6aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat

Filesize
213B

MD5
5e748838c490a20f524c1a0c99fb2660

SHA1
9c17dd1c06fbefd7d25b13b8f6fb2accd7995b69

SHA256
f5f27ba2e1e5df8989749aab0656bd1d8a46910ba6d6c9bb43bf79cc625677bf

SHA512
63f9aee1d23d22f7d6f8d1d55507224a0e5b8e66cab81ed95d387df6c974ce4a3c0f2b8815d52fce3f24dfa43f407c7e49915aa9d82c963e19983d9ffbab2915

Download Submit
C:\Users\Admin\AppData\Local\Temp\SXiopUTlQe.bat

Filesize
213B

MD5
80451377a886874e7a1be5137ade12cf

SHA1
e7ed9038c40a7c7dae4c8e427da743da42e369a9

SHA256
7a09697f8c423892c996b3f82f5efc0baf61f2c9018421db576e5dd677d69b83

SHA512
993a7c8bb5b7d0885fb9e9d60fbeb82851bb3d5a69dacd9ad0f87648a381f1f814f4d6b979a65511b70ffe08182258e59c63e203b0045a3a1ed54f978f5ac585

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar154A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

Filesize
213B

MD5
a1dd780afb68caf19156bd0c44694fd5

SHA1
f18a0c782c47b18d8e4fa4666d52fa401e0e7211

SHA256
13e57040166dfd6f9d7f4f5079d73d7b4355a1d4f344fabd7e9dbf773dd97aae

SHA512
669ae45f873914b9e46a9629619d7c9212dd8adc4a6923a657cdbd493c15f808398eac9f71d08027f69675a5e4c0692909a95e8ee7b7a3c1f7f8154f2c632b40

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
213B

MD5
05c9caea6979d1c514327ad6c0d94d01

SHA1
2a3f2808d268a314090c8b9d7a47ce5008c6e245

SHA256
dae62d04481614ee542c4f86d597e56f434d1acbe15a8aa733d80cb27566e6e4

SHA512
e05285dd7c94709da377600d4cea970ebc22f1d40f818e7a7efc1b873994609e0978a5e1ec61200b0bd289161daf2c2f2526b1a43500f9ffaa9d623201e190ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\cu7QADyCUt.bat

Filesize
213B

MD5
accfc3b473028e5523c3fa48c6398ba8

SHA1
85e082b510d5ea34984553b431584d1237485c8a

SHA256
ac42791b6747e781513a25ec424c8198dad13300ae855c027c10de685d4b60b7

SHA512
745463e8c2e4723100ff7bf773bf8fe9d437fd389c1276b011902e85b3412884a638f37f56f0792223c21f0036ff69f059a7b8d70d6ae44f94558a39641ef7a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\kYBl3UyOdq.bat

Filesize
213B

MD5
c514ef6f75022463182576f6294669e9

SHA1
beccdce7a4e59a4e45e3897837f34ec58deedd39

SHA256
92fad0915624fd5a33566e4725675634ab258b5e1d6b0ff7e2d1626f33229134

SHA512
e104e3fc572cab57de49a3de9931b889bcafcdc6ce5e99013a15f6761ab9c0c25ba8c1be0ee06acf28217ff66386cb23005efb49d2302a831ad2de64f6a3cd8c

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

Filesize
213B

MD5
5a65689172c9524ff48ba2bb9bd103e8

SHA1
2e2a523546c5b6e2595ea5344ad174bb64d5732f

SHA256
fb522a16b6ee8df77210400a9793e083674eb76beb36519bd3ad3fb19aab1f07

SHA512
90ff6684558cfd619a1c80f01ac91292e1a28155710331407cf00fb576c794a3ee4b4d1e2d666150c0f1e96fdbd8725dc42ec17de6c2ac4191e1cd216390ab39

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
08924e79e72a1efa56875cb56b6b878c

SHA1
3feeffad1e72a2d4469a6c9985c63f79ae2fea06

SHA256
a6ffc3fc0c44856d85b11cd18da58c7008fac2d66f0d17db44764d6f487f20bf

SHA512
d6903633aeaa0856957eeff493708b99bd534892a317e1c125e78b9914ffc34618d146847dda0d582c64628c8ccab0b426a934cffd7911a58046b98753c2c03f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/800-582-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/980-462-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/980-461-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1312-281-0x0000000001020000-0x0000000001130000-memory.dmp

Filesize
1.1MB

Download
memory/1312-282-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1704-401-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1916-64-0x0000000001C80000-0x0000000001C88000-memory.dmp

Filesize
32KB

Download
memory/1948-62-0x000000001B4D0000-0x000000001B7B2000-memory.dmp

Filesize
2.9MB

Download
memory/2168-102-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2168-101-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2644-221-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/2736-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2736-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2736-13-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/2736-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2736-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2772-161-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2896-522-0x0000000000870000-0x0000000000980000-memory.dmp

Filesize
1.1MB

Download
memory/2920-642-0x0000000000930000-0x0000000000A40000-memory.dmp

Filesize
1.1MB

Download