dcrat | 3f071d7fb6ab11cf20c6382fec3cca9d761822f1bcca3a9af5882ca23be1e553

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3f071d7fb6ab11cf20c6382fec3cca9d761822f1bcca3a9af5882ca23be1e553.exe
Size

1.3MB
MD5

538c41003a9719a7f7442adca90cd86f
SHA1

5c0c4ef08c893b615dc7c147d33c0a5130cc2000
SHA256

3f071d7fb6ab11cf20c6382fec3cca9d761822f1bcca3a9af5882ca23be1e553
SHA512

304c0b5d880e7d265b9e1301a9b4010b7b27a680794073d4b66d438cbd08fc2cbf7b95a1c4bf32ebf05d2c25167819d04c118953bf4f73f70c4168f781084236
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1668	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	1668	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000174bf-9.dat	dcrat
behavioral1/memory/2664-13-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/3060-80-0x0000000000FC0000-0x00000000010D0000-memory.dmp	dcrat
behavioral1/memory/804-139-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/1524-435-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/2280-495-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat
behavioral1/memory/2324-555-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/1520-675-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1900	powershell.exe
3044	powershell.exe
2056	powershell.exe
2200	powershell.exe
2204	powershell.exe
1128	powershell.exe
1936	powershell.exe
1416	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2664	DllCommonsvc.exe
3060	System.exe
804	System.exe
1748	System.exe
2292	System.exe
3008	System.exe
288	System.exe
1524	System.exe
2280	System.exe
2324	System.exe
1416	System.exe
1520	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2716	cmd.exe
2716	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
19	raw.githubusercontent.com
22	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
15	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\en-US\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\de-DE\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\de-DE\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\es-ES\DllCommonsvc.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3f071d7fb6ab11cf20c6382fec3cca9d761822f1bcca3a9af5882ca23be1e553.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
920	schtasks.exe
2616	schtasks.exe
1600	schtasks.exe
2380	schtasks.exe
1456	schtasks.exe
1928	schtasks.exe
1420	schtasks.exe
568	schtasks.exe
1380	schtasks.exe
3068	schtasks.exe
1948	schtasks.exe
264	schtasks.exe
1696	schtasks.exe
2364	schtasks.exe
2384	schtasks.exe
2024	schtasks.exe
2012	schtasks.exe
1640	schtasks.exe
1560	schtasks.exe
2248	schtasks.exe
2940	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2664	DllCommonsvc.exe
1128	powershell.exe
2204	powershell.exe
3044	powershell.exe
1900	powershell.exe
1416	powershell.exe
1936	powershell.exe
2056	powershell.exe
2200	powershell.exe
3060	System.exe
804	System.exe
1748	System.exe
2292	System.exe
3008	System.exe
288	System.exe
1524	System.exe
2280	System.exe
2324	System.exe
1416	System.exe
1520	System.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2664	DllCommonsvc.exe
Token: SeDebugPrivilege	1900	powershell.exe
Token: SeDebugPrivilege	1128	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	3044	powershell.exe
Token: SeDebugPrivilege	1416	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2200	powershell.exe
Token: SeDebugPrivilege	3060	System.exe
Token: SeDebugPrivilege	804	System.exe
Token: SeDebugPrivilege	1748	System.exe
Token: SeDebugPrivilege	2292	System.exe
Token: SeDebugPrivilege	3008	System.exe
Token: SeDebugPrivilege	288	System.exe
Token: SeDebugPrivilege	1524	System.exe
Token: SeDebugPrivilege	2280	System.exe
Token: SeDebugPrivilege	2324	System.exe
Token: SeDebugPrivilege	1416	System.exe
Token: SeDebugPrivilege	1520	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2792 wrote to memory of 2812	2792	JaffaCakes118_3f071d7fb6ab11cf20c6382fec3cca9d761822f1bcca3a9af5882ca23be1e553.exe	30
PID 2792 wrote to memory of 2812	2792	JaffaCakes118_3f071d7fb6ab11cf20c6382fec3cca9d761822f1bcca3a9af5882ca23be1e553.exe	30
PID 2792 wrote to memory of 2812	2792	JaffaCakes118_3f071d7fb6ab11cf20c6382fec3cca9d761822f1bcca3a9af5882ca23be1e553.exe	30
PID 2792 wrote to memory of 2812	2792	JaffaCakes118_3f071d7fb6ab11cf20c6382fec3cca9d761822f1bcca3a9af5882ca23be1e553.exe	30
PID 2812 wrote to memory of 2716	2812	WScript.exe	31
PID 2812 wrote to memory of 2716	2812	WScript.exe	31
PID 2812 wrote to memory of 2716	2812	WScript.exe	31
PID 2812 wrote to memory of 2716	2812	WScript.exe	31
PID 2716 wrote to memory of 2664	2716	cmd.exe	33
PID 2716 wrote to memory of 2664	2716	cmd.exe	33
PID 2716 wrote to memory of 2664	2716	cmd.exe	33
PID 2716 wrote to memory of 2664	2716	cmd.exe	33
PID 2664 wrote to memory of 2200	2664	DllCommonsvc.exe	56
PID 2664 wrote to memory of 2200	2664	DllCommonsvc.exe	56
PID 2664 wrote to memory of 2200	2664	DllCommonsvc.exe	56
PID 2664 wrote to memory of 2056	2664	DllCommonsvc.exe	57
PID 2664 wrote to memory of 2056	2664	DllCommonsvc.exe	57
PID 2664 wrote to memory of 2056	2664	DllCommonsvc.exe	57
PID 2664 wrote to memory of 2204	2664	DllCommonsvc.exe	59
PID 2664 wrote to memory of 2204	2664	DllCommonsvc.exe	59
PID 2664 wrote to memory of 2204	2664	DllCommonsvc.exe	59
PID 2664 wrote to memory of 3044	2664	DllCommonsvc.exe	60
PID 2664 wrote to memory of 3044	2664	DllCommonsvc.exe	60
PID 2664 wrote to memory of 3044	2664	DllCommonsvc.exe	60
PID 2664 wrote to memory of 1936	2664	DllCommonsvc.exe	61
PID 2664 wrote to memory of 1936	2664	DllCommonsvc.exe	61
PID 2664 wrote to memory of 1936	2664	DllCommonsvc.exe	61
PID 2664 wrote to memory of 1128	2664	DllCommonsvc.exe	62
PID 2664 wrote to memory of 1128	2664	DllCommonsvc.exe	62
PID 2664 wrote to memory of 1128	2664	DllCommonsvc.exe	62
PID 2664 wrote to memory of 1900	2664	DllCommonsvc.exe	63
PID 2664 wrote to memory of 1900	2664	DllCommonsvc.exe	63
PID 2664 wrote to memory of 1900	2664	DllCommonsvc.exe	63
PID 2664 wrote to memory of 1416	2664	DllCommonsvc.exe	64
PID 2664 wrote to memory of 1416	2664	DllCommonsvc.exe	64
PID 2664 wrote to memory of 1416	2664	DllCommonsvc.exe	64
PID 2664 wrote to memory of 2312	2664	DllCommonsvc.exe	72
PID 2664 wrote to memory of 2312	2664	DllCommonsvc.exe	72
PID 2664 wrote to memory of 2312	2664	DllCommonsvc.exe	72
PID 2312 wrote to memory of 564	2312	cmd.exe	74
PID 2312 wrote to memory of 564	2312	cmd.exe	74
PID 2312 wrote to memory of 564	2312	cmd.exe	74
PID 2312 wrote to memory of 3060	2312	cmd.exe	75
PID 2312 wrote to memory of 3060	2312	cmd.exe	75
PID 2312 wrote to memory of 3060	2312	cmd.exe	75
PID 3060 wrote to memory of 1056	3060	System.exe	76
PID 3060 wrote to memory of 1056	3060	System.exe	76
PID 3060 wrote to memory of 1056	3060	System.exe	76
PID 1056 wrote to memory of 1692	1056	cmd.exe	78
PID 1056 wrote to memory of 1692	1056	cmd.exe	78
PID 1056 wrote to memory of 1692	1056	cmd.exe	78
PID 1056 wrote to memory of 804	1056	cmd.exe	79
PID 1056 wrote to memory of 804	1056	cmd.exe	79
PID 1056 wrote to memory of 804	1056	cmd.exe	79
PID 804 wrote to memory of 1716	804	System.exe	80
PID 804 wrote to memory of 1716	804	System.exe	80
PID 804 wrote to memory of 1716	804	System.exe	80
PID 1716 wrote to memory of 2164	1716	cmd.exe	82
PID 1716 wrote to memory of 2164	1716	cmd.exe	82
PID 1716 wrote to memory of 2164	1716	cmd.exe	82
PID 1716 wrote to memory of 1748	1716	cmd.exe	83
PID 1716 wrote to memory of 1748	1716	cmd.exe	83
PID 1716 wrote to memory of 1748	1716	cmd.exe	83
PID 1748 wrote to memory of 2800	1748	System.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f071d7fb6ab11cf20c6382fec3cca9d761822f1bcca3a9af5882ca23be1e553.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3f071d7fb6ab11cf20c6382fec3cca9d761822f1bcca3a9af5882ca23be1e553.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\en-US\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\de-DE\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Re6gLBgubP.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2312
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:564
      - C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3060
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1692
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2164
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat"
        11⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2088
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"
        13⤵
        
        PID:2404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2256
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
        15⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1260
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:288
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat"
        17⤵
        
        PID:2288
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2920
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"
        19⤵
        
        PID:2368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2676
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
        21⤵
        
        PID:1852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2936
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        23⤵
        
        PID:1096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2328
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat"
        25⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1464
        
        C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe
        
        "C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\Resources\1033\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\Application\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\Writers\Application\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\de-DE\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\de-DE\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\1a287102-69f6-11ef-b2ff-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Windows\es-ES\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bff3ac6a59aa5b51cad3ec72e6af6a92

SHA1
c514c3da091fa7d8b0ee3c0569b78eeb61de12e8

SHA256
d0844ec484950c7b96bc07e692e77b6644f1eff7478c54b1a6e59cc987896247

SHA512
e0a03b0bd03dd6d33286991868476e190f5ab2a6ba48275b1b939b29ebfe510aff0938e99f397cc457a0b3605f8e0f3082cd05a58b73ed0458cd4a17bc669adb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a3ad9ac648e0eac33ba1f213ccce7014

SHA1
c861fdb46d73030c917810d9aca014d5b88e4062

SHA256
10c9ea459af6789926d0835cbce4f605e06130cd567642638ce8e1b949d7bde3

SHA512
755d375e393ceb1024d1c92dac82aa695cf759ecde3589c7fd3b4b9df0045cf9f628ecada3b0dd0ffcd7b581a226649898a56c71871813ad49dc90afc7f5a2d6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ca6925d5c2c3d8474d28a77f6eb02222

SHA1
cb66a12c8554a220c5328623b6f28a62764e2804

SHA256
d66cbacd6b4f79da5035eb15d87dd5a51f94f485374ea99852e365696687eb50

SHA512
ad727895ddb37f379178791fcf73398717a5e13c85ab9722192fe3ae741ddc64e7c806886aae8cb7c97dfb69719db7e29fca35344beda1ca42d07fb7ad396ed6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b9faba953d2d17134b2b03b0e046047a

SHA1
85e8efbd5b9e528c88b32bab5774c45bc3138f5c

SHA256
99cf09c1521945f1c49ec91f6616a975ea51495740f39b68066c893c8c522647

SHA512
216b871f3aa9664885355e53c29adde1c32437d63bb65ecbc6abe4f69083bc2736959418033e88181e73ce1b527e9088857e2d12c01ca83be89834e1d16c203e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e51c4a678009182c64c730b4702b7802

SHA1
8f6d454173529be3fd811975426448baaba09460

SHA256
849125b1fb3903fd7478f3d05dde396aa7cdd50627bb1af2d41055029037c625

SHA512
834c1ed66da4cca333c371c1e2d5b08079fead764902df7b950f389f50a09bf6378f5ce7b34dbffe15ab4eec9d2efb2007ce46e6c755378942184444820aa27a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9e1136f5233ae041633cabc4a01778f

SHA1
a7f3918cd5cf8b9404b3709a316d292f71aa2d15

SHA256
b63bcaff703fade97ee80762881f384998a9a445114d20891ab3afba2df61e28

SHA512
1107504124a17a1990f71877541cb342442be42ce39171408fe99ea45047be94b7a2ba26dca23e4637d19c8554ac4739c71eba7539575e3e02d5e6ed3502b0d4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb6ac61b74061ad6af45ede00eaf37ba

SHA1
ca26bf9fd9fbb586114ffd62e6913676370e0662

SHA256
1c692def88a64a2c73a505f99a468d17381be86a3c00faf54ba2d3c659b258f3

SHA512
d44cb68f08dcdc322a4f2ae8576979784a5ec47c12fc0c0607b6921f43ca3f8f1345d659e8bed1087255540a908d4c57a761752878b71c5b3fff172d8ec464fd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
987f379c0043bdac4b0afda3d6dbf07b

SHA1
e8d36d4f7bd735a806c34b5752fe9a5760830c32

SHA256
d58e29b5dfa5a08842ac79c05034397b794d0cadfb7308619173bd572826efd5

SHA512
9f31f6d1e3f08bb5116b28b663e6bf1426d75efa4f864436774f4d568a9e61297a40fd54853c13daa79fa744df8169c2958500530264fc76a0f0078c268e7dfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65d96b3a2614290521225a350ce6c3ae

SHA1
dfbb6d0bc9329f9d0c91c890888c38f1294a704d

SHA256
09920263d7fa720c08ce4c9c509f5692abc4bb01b263b177d6d25c5f60a072e9

SHA512
efbb6ed5aa6a76a2fd0207093553cd49dcb15c5b83d29d7dd52964318fabbee190e15eb96254879a84b559f607ab28f3e3476d8b890877ef21660c4eadb6ba1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmKXfVMxAz.bat

Filesize
253B

MD5
ded22884344145ae26edcac82acde3dd

SHA1
eec3ae560621dba5475c38f9d173a5cd7d3c24dd

SHA256
b889b11d10e494f12d5402b080c324c67f3215dfa3c8567114ad440b0d78604c

SHA512
61023a1c262e8aaed985ddf5bdccb2c92b115a454bf8ddf882dd661d6ea4e093f4796cfa0cbf6434f1fa756fe1ef4ebe774bc94a22b8bc119bf9badda9cbdb88

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4877.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat

Filesize
253B

MD5
f05fc9f8c185dca80d68788a06067106

SHA1
3e88f370d49c3b989032cd01b6ee7dd918957cd3

SHA256
ce9f24271fc307cb109cf3cd2653580e1c669817b2bae703d6e4cd463a8a4c63

SHA512
c04d6c2bc72cc8c3f3b7a866c2989bd377fec621abb065b1539fc34e80b1dbe18d948b4e18cf8a6e00c7ce5cfe60adef165572520eaacc7fcac1ac1ef5e3acb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat

Filesize
253B

MD5
ad3447ce30550d7670068d4120ec23bc

SHA1
451c9b11c868fdb38fe9d87a9e18ab421e4146cf

SHA256
315b050459361d328374208957f6dbd1f48c8f830fd28357b7ba0f830190c686

SHA512
d72b8c850a51df7b083a600ac2acda1ed46e1e71c0897024db200dfe501e120ed4d96f743a37c57e7f4933876eadc9c479823d6cb108ea551045eb810e9fba23

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

Filesize
253B

MD5
a58d97116ec4ee9df6d5fcf5d506da96

SHA1
cb1e1032ac39a24c796b25a6721f08e94ecddd86

SHA256
18bc9fecb5146df2c373e352f2760eb0c09e63fe49cd9f4029f9035fbf18301b

SHA512
885bf48f24deb9747e084f9b66854de43e94ac411f190d5b2bb3414556827cabaa727bf18aa0d04a830b4fe6828cea9e8f007834c50cee239ede2918314b7906

Download Submit
C:\Users\Admin\AppData\Local\Temp\Re6gLBgubP.bat

Filesize
253B

MD5
5fa104e35b4e0357936e51cc70737e56

SHA1
20bfebb053579c805e501a0aa8f35679dc164a65

SHA256
34b5a96c83946310ec6adf0b4c0257662f9c56cb9b3b21003867ad320235bf7b

SHA512
8d5775a9e7ce776d42c1f68daa72b9f11c2577c00be57d6489ba9ffaa515bfd411f8f849c5b71524c91ff1a9000a4ee2039cf7a76dc231136c25ba47db3001e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar488A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
253B

MD5
264afbb62a39e707e3808ff15661a1cd

SHA1
82f9e07997d0e743af95c9bb31c34e7c077279be

SHA256
3412b310101175c5f69ebb9a368aa2f1849f8fa1efda2e9ec1fe42e9278ee03b

SHA512
14f5ec005ec13900940c94cf00069c6fe649ea0cc1f24f723dcae5c4fbaccb7254f77523d66c79c59d9715984bbef458b394523130496f6d67bf081a16fdaad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\guIa2jZB2U.bat

Filesize
253B

MD5
e78e52122c986800d66c58993d1b73ce

SHA1
0b2bbbbfb7b238a26dcf018969ea88adcf809927

SHA256
eb22ee15fb6dd6c1c230a6c4ba22df28b84842f9ae2b484a528cb49c455ec4ae

SHA512
3f6fd87e2ce70778eda4f616e1afe243deac1536818d505fc71bb5c2b6997c20dc28b99431bd8dd87812097b53ce333b97d764cd67a2beb0a897d330dbb246fa

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlHmrlOhE6.bat

Filesize
253B

MD5
14bb6a5bbc3e3703037a58adcffae4f1

SHA1
d30f23da56989c3f2b7c1189843d21e6a07689e1

SHA256
13e213e1a301cb563a469695881e752aaec77952b88a33b4bae4ceef7026b2fc

SHA512
9741404ff58201ed29ba244abe48788044e391a0a86e7a375673f314d4bfe97b88397640b8e372c1794c0ee344487f4e98ba33a2bb1f634272ebb5dcfd7880cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat

Filesize
253B

MD5
d39292e449404addf785a852053f3eda

SHA1
4d57d8d06a0b085ce23d06dbd901c5227159035a

SHA256
afb6f826f104ea19f7687962e9256659e7bbdc5318aee504c95d4826f8c6c5e6

SHA512
9bdd64a72a69376617e24c0837df2d307a6e74f2f96efa76017781988140cc52f448702627ce14671e4313cd9890c62857a8dff590aee81c88ce2954412b0b0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
253B

MD5
44977a188218a8f47cb5f92b7c4b92ac

SHA1
8a17d3fe1c8d8bda3e3a5de974039d89ff3d0114

SHA256
8197d92a4ad7eb5c2d8de7aabbd1d75a6986d221fe497c17430ce128121962fc

SHA512
1a7eb54ed344dc8b04692ea1d973558c5e96581adeb6796bd8c559fd25a6b4f7a215e2f7eef6fda387c0d2e179083585154d838ef0865efbb4e63e210520abdc

Download Submit
C:\Users\Admin\AppData\Local\Temp\wOqzmeZFfo.bat

Filesize
253B

MD5
aa1514ef0673fcd0b5ae763081d3e756

SHA1
c545ba134dc4eb2cb7f17d87c4ddeef2d6cc2bdb

SHA256
ddeb3b2542454cc5cfd6b4c13e4788409f0c570ef85bde83ff1cb758929cf81e

SHA512
c4105afe46f5390598b3bd4b591b83a1bdaa3d1f662148e93dfba67b2eb78196e620def8ba7764ef0eb021548b6a7ce767cd327e4ddfe4418abba3554d64862c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
623d684bc43cbb10f5ea57b9d6de3d82

SHA1
fab971f5f68cbf73d05904782790e6b2023d4ccc

SHA256
a12aa3aab7d31f3fd7e9b0b9664febc2c09c67353fdae07ec0867bc6837e96cc

SHA512
26005080f884c02278f04b1a7c5c66bdfd0529f987b354364b669b10466b07378f0f989e964e3a31347a25a0bea60da64c13c89e0fe5b3f18159f1370285ccd0

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/804-139-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/1416-75-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1416-615-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1520-675-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/1524-435-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2204-76-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2280-495-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/2324-555-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2664-17-0x0000000002040000-0x000000000204C000-memory.dmp

Filesize
48KB

Download
memory/2664-16-0x0000000002030000-0x000000000203C000-memory.dmp

Filesize
48KB

Download
memory/2664-15-0x0000000000B10000-0x0000000000B1C000-memory.dmp

Filesize
48KB

Download
memory/2664-14-0x0000000000B00000-0x0000000000B12000-memory.dmp

Filesize
72KB

Download
memory/2664-13-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/3060-80-0x0000000000FC0000-0x00000000010D0000-memory.dmp

Filesize
1.1MB

Download