dcrat | 876ee2b6fabc880ce2e6ea26edd00b05aa0ff26e565b622c57b3d5c1b1f0c075

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 23:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_876ee2b6fabc880ce2e6ea26edd00b05aa0ff26e565b622c57b3d5c1b1f0c075.exe
Size

1.3MB
MD5

57a24235e3765418817a74bf50a451f1
SHA1

e89c1b35edc7ad810c7929991900137aac33b9d3
SHA256

876ee2b6fabc880ce2e6ea26edd00b05aa0ff26e565b622c57b3d5c1b1f0c075
SHA512

ef351519fb26e16d09f87c37f05f8345194133dfe9d7e7b58134674658a2beee6e3ebca6906512c97909c40da0332e250c474217058104c87d4f1fc1532b433d
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	528	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	688	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2876	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2876	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000017488-9.dat	dcrat
behavioral1/memory/2344-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat
behavioral1/memory/2600-40-0x0000000000900000-0x0000000000A10000-memory.dmp	dcrat
behavioral1/memory/2860-145-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/2228-264-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/704-325-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/1792-385-0x0000000000CE0000-0x0000000000DF0000-memory.dmp	dcrat
behavioral1/memory/2552-445-0x0000000000D00000-0x0000000000E10000-memory.dmp	dcrat
behavioral1/memory/2544-506-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2056	powershell.exe
2508	powershell.exe
1976	powershell.exe
1948	powershell.exe
2864	powershell.exe
2088	powershell.exe
2092	powershell.exe
2376	powershell.exe
2264	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2344	DllCommonsvc.exe
2600	spoolsv.exe
2860	spoolsv.exe
1800	spoolsv.exe
2228	spoolsv.exe
704	spoolsv.exe
1792	spoolsv.exe
2552	spoolsv.exe
2544	spoolsv.exe
3052	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2904	cmd.exe
2904	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
34	raw.githubusercontent.com
16	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\ras\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\SysWOW64\ras\f3b6ecef712a24	DllCommonsvc.exe

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\CrashReports\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servicing\es-ES\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_876ee2b6fabc880ce2e6ea26edd00b05aa0ff26e565b622c57b3d5c1b1f0c075.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3032	schtasks.exe
1320	schtasks.exe
1968	schtasks.exe
3008	schtasks.exe
2440	schtasks.exe
2780	schtasks.exe
2804	schtasks.exe
2740	schtasks.exe
2756	schtasks.exe
1812	schtasks.exe
1804	schtasks.exe
1004	schtasks.exe
1708	schtasks.exe
1784	schtasks.exe
2608	schtasks.exe
2636	schtasks.exe
528	schtasks.exe
688	schtasks.exe
1012	schtasks.exe
1688	schtasks.exe
2932	schtasks.exe
2676	schtasks.exe
112	schtasks.exe
1652	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2344	DllCommonsvc.exe
2344	DllCommonsvc.exe
2344	DllCommonsvc.exe
2344	DllCommonsvc.exe
2344	DllCommonsvc.exe
2344	DllCommonsvc.exe
2344	DllCommonsvc.exe
2344	DllCommonsvc.exe
2344	DllCommonsvc.exe
1976	powershell.exe
2376	powershell.exe
2056	powershell.exe
2264	powershell.exe
2864	powershell.exe
2088	powershell.exe
1948	powershell.exe
2508	powershell.exe
2092	powershell.exe
2600	spoolsv.exe
2860	spoolsv.exe
1800	spoolsv.exe
2228	spoolsv.exe
704	spoolsv.exe
1792	spoolsv.exe
2552	spoolsv.exe
2544	spoolsv.exe
3052	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	DllCommonsvc.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2088	powershell.exe
Token: SeDebugPrivilege	1948	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	2600	spoolsv.exe
Token: SeDebugPrivilege	2860	spoolsv.exe
Token: SeDebugPrivilege	1800	spoolsv.exe
Token: SeDebugPrivilege	2228	spoolsv.exe
Token: SeDebugPrivilege	704	spoolsv.exe
Token: SeDebugPrivilege	1792	spoolsv.exe
Token: SeDebugPrivilege	2552	spoolsv.exe
Token: SeDebugPrivilege	2544	spoolsv.exe
Token: SeDebugPrivilege	3052	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2384 wrote to memory of 2112	2384	JaffaCakes118_876ee2b6fabc880ce2e6ea26edd00b05aa0ff26e565b622c57b3d5c1b1f0c075.exe	30
PID 2384 wrote to memory of 2112	2384	JaffaCakes118_876ee2b6fabc880ce2e6ea26edd00b05aa0ff26e565b622c57b3d5c1b1f0c075.exe	30
PID 2384 wrote to memory of 2112	2384	JaffaCakes118_876ee2b6fabc880ce2e6ea26edd00b05aa0ff26e565b622c57b3d5c1b1f0c075.exe	30
PID 2384 wrote to memory of 2112	2384	JaffaCakes118_876ee2b6fabc880ce2e6ea26edd00b05aa0ff26e565b622c57b3d5c1b1f0c075.exe	30
PID 2112 wrote to memory of 2904	2112	WScript.exe	31
PID 2112 wrote to memory of 2904	2112	WScript.exe	31
PID 2112 wrote to memory of 2904	2112	WScript.exe	31
PID 2112 wrote to memory of 2904	2112	WScript.exe	31
PID 2904 wrote to memory of 2344	2904	cmd.exe	33
PID 2904 wrote to memory of 2344	2904	cmd.exe	33
PID 2904 wrote to memory of 2344	2904	cmd.exe	33
PID 2904 wrote to memory of 2344	2904	cmd.exe	33
PID 2344 wrote to memory of 2056	2344	DllCommonsvc.exe	59
PID 2344 wrote to memory of 2056	2344	DllCommonsvc.exe	59
PID 2344 wrote to memory of 2056	2344	DllCommonsvc.exe	59
PID 2344 wrote to memory of 2508	2344	DllCommonsvc.exe	60
PID 2344 wrote to memory of 2508	2344	DllCommonsvc.exe	60
PID 2344 wrote to memory of 2508	2344	DllCommonsvc.exe	60
PID 2344 wrote to memory of 2088	2344	DllCommonsvc.exe	61
PID 2344 wrote to memory of 2088	2344	DllCommonsvc.exe	61
PID 2344 wrote to memory of 2088	2344	DllCommonsvc.exe	61
PID 2344 wrote to memory of 2092	2344	DllCommonsvc.exe	62
PID 2344 wrote to memory of 2092	2344	DllCommonsvc.exe	62
PID 2344 wrote to memory of 2092	2344	DllCommonsvc.exe	62
PID 2344 wrote to memory of 1976	2344	DllCommonsvc.exe	63
PID 2344 wrote to memory of 1976	2344	DllCommonsvc.exe	63
PID 2344 wrote to memory of 1976	2344	DllCommonsvc.exe	63
PID 2344 wrote to memory of 2376	2344	DllCommonsvc.exe	64
PID 2344 wrote to memory of 2376	2344	DllCommonsvc.exe	64
PID 2344 wrote to memory of 2376	2344	DllCommonsvc.exe	64
PID 2344 wrote to memory of 1948	2344	DllCommonsvc.exe	65
PID 2344 wrote to memory of 1948	2344	DllCommonsvc.exe	65
PID 2344 wrote to memory of 1948	2344	DllCommonsvc.exe	65
PID 2344 wrote to memory of 2264	2344	DllCommonsvc.exe	66
PID 2344 wrote to memory of 2264	2344	DllCommonsvc.exe	66
PID 2344 wrote to memory of 2264	2344	DllCommonsvc.exe	66
PID 2344 wrote to memory of 2864	2344	DllCommonsvc.exe	67
PID 2344 wrote to memory of 2864	2344	DllCommonsvc.exe	67
PID 2344 wrote to memory of 2864	2344	DllCommonsvc.exe	67
PID 2344 wrote to memory of 2600	2344	DllCommonsvc.exe	73
PID 2344 wrote to memory of 2600	2344	DllCommonsvc.exe	73
PID 2344 wrote to memory of 2600	2344	DllCommonsvc.exe	73
PID 2600 wrote to memory of 2604	2600	spoolsv.exe	79
PID 2600 wrote to memory of 2604	2600	spoolsv.exe	79
PID 2600 wrote to memory of 2604	2600	spoolsv.exe	79
PID 2604 wrote to memory of 2972	2604	cmd.exe	81
PID 2604 wrote to memory of 2972	2604	cmd.exe	81
PID 2604 wrote to memory of 2972	2604	cmd.exe	81
PID 2604 wrote to memory of 2860	2604	cmd.exe	82
PID 2604 wrote to memory of 2860	2604	cmd.exe	82
PID 2604 wrote to memory of 2860	2604	cmd.exe	82
PID 2860 wrote to memory of 2868	2860	spoolsv.exe	83
PID 2860 wrote to memory of 2868	2860	spoolsv.exe	83
PID 2860 wrote to memory of 2868	2860	spoolsv.exe	83
PID 2868 wrote to memory of 1712	2868	cmd.exe	85
PID 2868 wrote to memory of 1712	2868	cmd.exe	85
PID 2868 wrote to memory of 1712	2868	cmd.exe	85
PID 2868 wrote to memory of 1800	2868	cmd.exe	86
PID 2868 wrote to memory of 1800	2868	cmd.exe	86
PID 2868 wrote to memory of 1800	2868	cmd.exe	86
PID 1800 wrote to memory of 2900	1800	spoolsv.exe	87
PID 1800 wrote to memory of 2900	1800	spoolsv.exe	87
PID 1800 wrote to memory of 2900	1800	spoolsv.exe	87
PID 2900 wrote to memory of 2076	2900	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_876ee2b6fabc880ce2e6ea26edd00b05aa0ff26e565b622c57b3d5c1b1f0c075.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_876ee2b6fabc880ce2e6ea26edd00b05aa0ff26e565b622c57b3d5c1b1f0c075.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2384
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\ras\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Windows\SysWOW64\ras\spoolsv.exe
        
        "C:\Windows\SysWOW64\ras\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2600
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2972
        
        C:\Windows\SysWOW64\ras\spoolsv.exe
        
        "C:\Windows\SysWOW64\ras\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1712
        
        C:\Windows\SysWOW64\ras\spoolsv.exe
        
        "C:\Windows\SysWOW64\ras\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2076
        
        C:\Windows\SysWOW64\ras\spoolsv.exe
        
        "C:\Windows\SysWOW64\ras\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat"
        12⤵
        
        PID:1576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\ras\spoolsv.exe
        
        "C:\Windows\SysWOW64\ras\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat"
        14⤵
        
        PID:2360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\ras\spoolsv.exe
        
        "C:\Windows\SysWOW64\ras\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        16⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2784
        
        C:\Windows\SysWOW64\ras\spoolsv.exe
        
        "C:\Windows\SysWOW64\ras\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
        18⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2996
        
        C:\Windows\SysWOW64\ras\spoolsv.exe
        
        "C:\Windows\SysWOW64\ras\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
        20⤵
        
        PID:1828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1352
        
        C:\Windows\SysWOW64\ras\spoolsv.exe
        
        "C:\Windows\SysWOW64\ras\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat"
        22⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.0\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Windows\SysWOW64\ras\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\SysWOW64\ras\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Windows\SysWOW64\ras\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Google\CrashReports\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47314352391d5d68b9252f3bd444bc4a

SHA1
dd9f7594550582a5998b1895f6204f6204cd980e

SHA256
db143005046a49466535049a551ddf98b8c3b9443721a28629a1a30725792a4d

SHA512
1b4e0f3e583047b98902a4977906ae28427394f35f3b7f84d00f4d2f635c5755cd58ee42dbad55beb7cac3f466f6c38314879755667d4d082f7befb9dbf61307

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9ea8bb3ae7feaddcd9de4e9d0599070d

SHA1
0eac0260335c46a4a5b89cb2096f217d61a29b79

SHA256
5019285eca5013b2733a00c97efd315a68251ef8308203da44faf0e361cddb3d

SHA512
cb6f857de651f07871454360822b54105cbc16e17ba19e815aa5f64844a9e951010a438ffd841643bdf5fcadcfb580237090146e65c259059519745c59449e84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
394ee47886c82cf16cfe14b59cf7517f

SHA1
a028c2ab8933390033e4cbc1260e67bef3a9ba6b

SHA256
6d0628594e694b2035234cfb2949a862ac945f7578a4a0b3ab7f025c3b5452e9

SHA512
9b39afd3476c870bb611da288b14aa064f97eaa6c808403a5b1f3a3cd73e1b89dd2f5eb531a695ed0b705d756c47929d7d52a936fc7e86e023afc586f30ac580

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4cc79e258830c0c1a3a0805eac92e03d

SHA1
b8915a34961f206bb6a36070acf36c118aed083b

SHA256
e52bfbbe4b98eca605dbd147ba4b27d2cde07352546dc41ace94d4075299d441

SHA512
1d33265e8955360d298bd13b3b26cbb76b725a2df1e2f8b795256d631215466a3e28d7cd2399492ff5aacc7e6eba51f4feb130017e82f59731385501fe3c2801

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b1379703c9f3f70a98b709b1a77f82a4

SHA1
f9b51b4381c454f25b61aa239059bf197ef7a8d4

SHA256
ee42e8ed6803cfcf5ddfa5b97804983fa259e5294be58146fa3eb3cc3f64c207

SHA512
5c304b4df1efe4548cbcfe18b5af4893d0840434c42058bc482c21cbc49d324499c497f97d79a84a00539f0d238c6a8866d7d08b72a185293cf33467a00a203c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87e38aabb36ab8e6e379f4c7c5558dda

SHA1
47a40eb2826ce6418a5a2768613d53bc61e92f04

SHA256
50775044e5615e2c42020be398bd976a0cf6ccf419da7bd4c6058988cbe32ef1

SHA512
e0dff6806bb31edce975cd08cad3e01382dd3b1bab3776d9a3040c2f238706cd6e4f267f233b3905f7345750b334f53df6b39b4eb687bdabe54359945dd6375f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
322af9e5cb8d8afcba9408787bf380f0

SHA1
3f0c1c14f33ea17bdc7046ccbce013c3297e0334

SHA256
c63d09600c412459742a77ea9464ea1c06836f46c7c90f9e935f0f538459dd82

SHA512
04dbb79a9918ae002043e72ebcdb5657f72b8125939149d66aa2d6e3a2b634e05a232eebc0e43c4b0a84bf423aaae572438223fc6b7162ba03b87e15e9381f49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
40d24710884ddca8e94ff45ea961919a

SHA1
e16349c4b6afa3ac29e310c3db6ad2c9ae8613be

SHA256
3d4a7c8cf7b5650a2251efffdaf913b30cfb47a0053d64481fa932d3f390ab76

SHA512
a63a3bc2222fbfff2241fdb03bbe3158788ab9ead2fa45708af3deb4fb80cbcc4b44ecd19447ca52a601b7fffb5d18b50ec36880bae801fd6e9939ac52943b8e

Download Submit
C:\Users\Admin\AppData\Local\Temp\7hfvN6zFDa.bat

Filesize
200B

MD5
18bca2f4df466a30c29d9ed4c1b8725a

SHA1
69dddcc91cd4b7fd3225ae89951d43aba34e8f83

SHA256
c6d2fe4aa344e78032d1b353c005d9f94a13b84b150c6662b59ab16ec19a9fb8

SHA512
9f530613de0c58bacd2c9d6aeacad5312a97fc7a02c57b7aaae6c262b54336613b03e15114091f00822a6b1a90e48d3d08b7a861883791baa4606e57c8506132

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD867.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat

Filesize
200B

MD5
ea4a4c9f2e6f4e933f07cab8173edc26

SHA1
3943ea0195ff01faf69275a78798bed6fe52915e

SHA256
c362711eb8ccbff1f6f7cf6255710d0229eba4fc9882e2bff767b8fe5c710961

SHA512
60d1c1c46d76f87987724babd77880a7dd3ab57f7d5b043f4407d29053490ddda2cb412109975da8e7abf4aa5e078dfaffd1be8d4b17bdbfa342b2f365370a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Dk8ljd7jBY.bat

Filesize
200B

MD5
f25ef8a14124b77d9e38ac7bdf0e8318

SHA1
652c4eaab0ab7ca4a80c269a0e6086be46939ed6

SHA256
7d601d5ff5fcd7d702af349f10f5f534e997ca118ba1a17aece13eb8a5b49e4a

SHA512
d1c1f769e0c16807193a16de4d487e4c0a058137879cf019043aede255b17e6632bbeca8e6a6b8bc4e51625167cfb5953aaf34e84e3b54eae3de3dc02fc467af

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD879.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
200B

MD5
7ec3bc642ebab72c9c6c8aaf848ab4dd

SHA1
8ef2c8708853b9308d1d426fa2ce621a06be6c8d

SHA256
6a9322babb0f4fdf1172d6409add0f8c12f84f8f2de4a29c92b10d5b307037f0

SHA512
e257493f2b51909979738fffd6aa25acd64df1baacf8ce844c3888d01113dc494d867c1dc2d28452dcaf91e3df046d2bb9dc6ffa23215a9c5dd7223ed7b3dc94

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1lJXnITmE.bat

Filesize
200B

MD5
d1f9e607ec3cc5a71f51fd21a9a487df

SHA1
ed5931b9d206c002a266616b55ff7e56ae7f8e8e

SHA256
13c074775e23c2062985db7f6be5254d37ac1476fdc9e3c9d5119ed9e3e14ec3

SHA512
5242310193acdcb0bfbebc3c77b4292354a47f1c7769b515050d46551ddceb9e7108d7c683b9a052b0836c8e2ebff6f532b77ec411a7651c7650e43fdd14abe9

Download Submit
C:\Users\Admin\AppData\Local\Temp\m47JVZSxDi.bat

Filesize
200B

MD5
d1b9f3c91b332a6093e8ba93e655e48d

SHA1
f381b61874370b993b0de8ecb6fd81a5c1c33d44

SHA256
ccace409618a8fca7e9422c3af48e389ed4f9cfb363e8fd2d2d5955968733a80

SHA512
6ae5d765eb38813596776bb629063060812557eb2ef43bab9cde724e4b84568de25345660ceda64da6f67435cac179fb216e8f83c6757266018177a8db44cb63

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
200B

MD5
0fecda04af251cd0cb4fe5867d08cf2e

SHA1
149f29c1f4d60c4f317949930b1222efe12ef0d0

SHA256
1af25ea2fc84c468fba913e06e7059f4c3039c5bf8ab9d44d2d352deb24b006b

SHA512
5ac3493919044210f0f012493354f91b954094af3525acfbdd74e3d595666e0e2b09cd79772b7eef7b1e497776e027b8bf5e56d42520a061b956d93b8ffca595

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat

Filesize
200B

MD5
a4d8bf9fb60b11dd4c3d3f87ff7c0913

SHA1
2c0afcb6dba2dfdaccaa2a3954807768106f927d

SHA256
4efcbf1a029f917d8189ecff64582c610127e36388800ad52f83f8f87f749df6

SHA512
477ea78987fd781f1e7d0516de6f341086dd9df20d87762a6a6a43b6c9dde35beb45382c3ad76ed8abf43e65b03fd9d668cec0babc4c9483726c4137a02d8aeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

Filesize
200B

MD5
b02ca83120ca9b384e11da41aa16d9d8

SHA1
f5654638ef95c4ba94cd1b8393c2f3a21bbd7194

SHA256
2dc94dd9210d9fd46c42c2e6a0fbeba58b58c8868b45ae38e4e980ed69619650

SHA512
68dcb5a349fac707d2536a6ebb07b8828d00a006925a38916342f73a7e4ec1d0401cc6d7babc2317467268fc8f6f28f72db69920340079d56b2c73653b5824b1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cf8f45ee4d798d215f432dc26d64c660

SHA1
c670397ef42d5549a1c20daf46859b66f1a5deef

SHA256
aa01d0ca41075d9ebcdc9090b8a7c68f0cf32a06fd4390fb9f8f71b0f2965c0d

SHA512
d759595d9ac68883f781b6e353ef4f0a459a731e856a420d26a5c95f78574f493ea13197162ecc88695a16f40c3715cc6674d26ec5e6645273227bffa32f9374

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/704-325-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1792-385-0x0000000000CE0000-0x0000000000DF0000-memory.dmp

Filesize
1.1MB

Download
memory/1976-60-0x000000001B580000-0x000000001B862000-memory.dmp

Filesize
2.9MB

Download
memory/2228-264-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2228-265-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2344-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2344-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2344-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2344-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2344-13-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/2376-78-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2544-506-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2544-507-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2552-445-0x0000000000D00000-0x0000000000E10000-memory.dmp

Filesize
1.1MB

Download
memory/2552-446-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2600-40-0x0000000000900000-0x0000000000A10000-memory.dmp

Filesize
1.1MB

Download
memory/2860-145-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download