dcrat | d5fbec4be23e780294d9d719b484f7f9f1a5bb6138f78174aeba69f18f6f4410

Analysis

max time kernel
145s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d5fbec4be23e780294d9d719b484f7f9f1a5bb6138f78174aeba69f18f6f4410.exe
Size

1.3MB
MD5

37a7b38670da5158992bbc730fea6e12
SHA1

b208ae117692ea71830db90c6a12c82aa75bb1ce
SHA256

d5fbec4be23e780294d9d719b484f7f9f1a5bb6138f78174aeba69f18f6f4410
SHA512

5aa2979305bebea4ae036becec200db3d337f13dfb15595fea5efed1df39767986a3a31c3a6a31f2774aa35347bd07659a2b046fc16270dc947bb9e6a9825130
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d71-11.dat	dcrat
behavioral1/memory/3004-13-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat
behavioral1/memory/2108-50-0x0000000000BB0000-0x0000000000CC0000-memory.dmp	dcrat
behavioral1/memory/1672-181-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/1588-241-0x0000000000AF0000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/memory/1396-301-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2180-420-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/1808-539-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2448	powershell.exe
1296	powershell.exe
1340	powershell.exe
760	powershell.exe
1752	powershell.exe
340	powershell.exe
2332	powershell.exe
2944	powershell.exe
1496	powershell.exe
2172	powershell.exe
2256	powershell.exe
1620	powershell.exe
2260	powershell.exe
2892	powershell.exe

Executes dropped EXE 9 IoCs

pid	Process
3004	DllCommonsvc.exe
2108	OSPPSVC.exe
1672	OSPPSVC.exe
1588	OSPPSVC.exe
1396	OSPPSVC.exe
2260	OSPPSVC.exe
2180	OSPPSVC.exe
1980	OSPPSVC.exe
1808	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
1028	cmd.exe
1028	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
31	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\Microsoft\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\lsass.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\1610b97d3ab4a7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d5fbec4be23e780294d9d719b484f7f9f1a5bb6138f78174aeba69f18f6f4410.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1560	schtasks.exe
2416	schtasks.exe
1520	schtasks.exe
832	schtasks.exe
3008	schtasks.exe
972	schtasks.exe
2080	schtasks.exe
1248	schtasks.exe
2204	schtasks.exe
1912	schtasks.exe
1428	schtasks.exe
1664	schtasks.exe
2384	schtasks.exe
2616	schtasks.exe
2452	schtasks.exe
2792	schtasks.exe
2712	schtasks.exe
3028	schtasks.exe
2652	schtasks.exe
2196	schtasks.exe
2648	schtasks.exe
2192	schtasks.exe
1092	schtasks.exe
2088	schtasks.exe
440	schtasks.exe
1120	schtasks.exe
1832	schtasks.exe
1288	schtasks.exe
2596	schtasks.exe
1844	schtasks.exe
2872	schtasks.exe
1724	schtasks.exe
1696	schtasks.exe
2968	schtasks.exe
2724	schtasks.exe
768	schtasks.exe
2424	schtasks.exe
684	schtasks.exe
2760	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
3004	DllCommonsvc.exe
3004	DllCommonsvc.exe
3004	DllCommonsvc.exe
3004	DllCommonsvc.exe
3004	DllCommonsvc.exe
1496	powershell.exe
2260	powershell.exe
2944	powershell.exe
1620	powershell.exe
2256	powershell.exe
1752	powershell.exe
2892	powershell.exe
2332	powershell.exe
1340	powershell.exe
2448	powershell.exe
760	powershell.exe
2172	powershell.exe
340	powershell.exe
1296	powershell.exe
2108	OSPPSVC.exe
1672	OSPPSVC.exe
1588	OSPPSVC.exe
1396	OSPPSVC.exe
2260	OSPPSVC.exe
2180	OSPPSVC.exe
1980	OSPPSVC.exe
1808	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	DllCommonsvc.exe
Token: SeDebugPrivilege	1496	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1752	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2332	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	760	powershell.exe
Token: SeDebugPrivilege	2172	powershell.exe
Token: SeDebugPrivilege	2108	OSPPSVC.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeDebugPrivilege	1672	OSPPSVC.exe
Token: SeDebugPrivilege	1588	OSPPSVC.exe
Token: SeDebugPrivilege	1396	OSPPSVC.exe
Token: SeDebugPrivilege	2260	OSPPSVC.exe
Token: SeDebugPrivilege	2180	OSPPSVC.exe
Token: SeDebugPrivilege	1980	OSPPSVC.exe
Token: SeDebugPrivilege	1808	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1540 wrote to memory of 112	1540	JaffaCakes118_d5fbec4be23e780294d9d719b484f7f9f1a5bb6138f78174aeba69f18f6f4410.exe	30
PID 1540 wrote to memory of 112	1540	JaffaCakes118_d5fbec4be23e780294d9d719b484f7f9f1a5bb6138f78174aeba69f18f6f4410.exe	30
PID 1540 wrote to memory of 112	1540	JaffaCakes118_d5fbec4be23e780294d9d719b484f7f9f1a5bb6138f78174aeba69f18f6f4410.exe	30
PID 1540 wrote to memory of 112	1540	JaffaCakes118_d5fbec4be23e780294d9d719b484f7f9f1a5bb6138f78174aeba69f18f6f4410.exe	30
PID 112 wrote to memory of 1028	112	WScript.exe	31
PID 112 wrote to memory of 1028	112	WScript.exe	31
PID 112 wrote to memory of 1028	112	WScript.exe	31
PID 112 wrote to memory of 1028	112	WScript.exe	31
PID 1028 wrote to memory of 3004	1028	cmd.exe	33
PID 1028 wrote to memory of 3004	1028	cmd.exe	33
PID 1028 wrote to memory of 3004	1028	cmd.exe	33
PID 1028 wrote to memory of 3004	1028	cmd.exe	33
PID 3004 wrote to memory of 760	3004	DllCommonsvc.exe	74
PID 3004 wrote to memory of 760	3004	DllCommonsvc.exe	74
PID 3004 wrote to memory of 760	3004	DllCommonsvc.exe	74
PID 3004 wrote to memory of 1620	3004	DllCommonsvc.exe	75
PID 3004 wrote to memory of 1620	3004	DllCommonsvc.exe	75
PID 3004 wrote to memory of 1620	3004	DllCommonsvc.exe	75
PID 3004 wrote to memory of 2256	3004	DllCommonsvc.exe	76
PID 3004 wrote to memory of 2256	3004	DllCommonsvc.exe	76
PID 3004 wrote to memory of 2256	3004	DllCommonsvc.exe	76
PID 3004 wrote to memory of 2332	3004	DllCommonsvc.exe	77
PID 3004 wrote to memory of 2332	3004	DllCommonsvc.exe	77
PID 3004 wrote to memory of 2332	3004	DllCommonsvc.exe	77
PID 3004 wrote to memory of 1340	3004	DllCommonsvc.exe	78
PID 3004 wrote to memory of 1340	3004	DllCommonsvc.exe	78
PID 3004 wrote to memory of 1340	3004	DllCommonsvc.exe	78
PID 3004 wrote to memory of 340	3004	DllCommonsvc.exe	80
PID 3004 wrote to memory of 340	3004	DllCommonsvc.exe	80
PID 3004 wrote to memory of 340	3004	DllCommonsvc.exe	80
PID 3004 wrote to memory of 2892	3004	DllCommonsvc.exe	81
PID 3004 wrote to memory of 2892	3004	DllCommonsvc.exe	81
PID 3004 wrote to memory of 2892	3004	DllCommonsvc.exe	81
PID 3004 wrote to memory of 2172	3004	DllCommonsvc.exe	83
PID 3004 wrote to memory of 2172	3004	DllCommonsvc.exe	83
PID 3004 wrote to memory of 2172	3004	DllCommonsvc.exe	83
PID 3004 wrote to memory of 1296	3004	DllCommonsvc.exe	84
PID 3004 wrote to memory of 1296	3004	DllCommonsvc.exe	84
PID 3004 wrote to memory of 1296	3004	DllCommonsvc.exe	84
PID 3004 wrote to memory of 1752	3004	DllCommonsvc.exe	86
PID 3004 wrote to memory of 1752	3004	DllCommonsvc.exe	86
PID 3004 wrote to memory of 1752	3004	DllCommonsvc.exe	86
PID 3004 wrote to memory of 1496	3004	DllCommonsvc.exe	87
PID 3004 wrote to memory of 1496	3004	DllCommonsvc.exe	87
PID 3004 wrote to memory of 1496	3004	DllCommonsvc.exe	87
PID 3004 wrote to memory of 2448	3004	DllCommonsvc.exe	88
PID 3004 wrote to memory of 2448	3004	DllCommonsvc.exe	88
PID 3004 wrote to memory of 2448	3004	DllCommonsvc.exe	88
PID 3004 wrote to memory of 2260	3004	DllCommonsvc.exe	89
PID 3004 wrote to memory of 2260	3004	DllCommonsvc.exe	89
PID 3004 wrote to memory of 2260	3004	DllCommonsvc.exe	89
PID 3004 wrote to memory of 2944	3004	DllCommonsvc.exe	91
PID 3004 wrote to memory of 2944	3004	DllCommonsvc.exe	91
PID 3004 wrote to memory of 2944	3004	DllCommonsvc.exe	91
PID 3004 wrote to memory of 2108	3004	DllCommonsvc.exe	102
PID 3004 wrote to memory of 2108	3004	DllCommonsvc.exe	102
PID 3004 wrote to memory of 2108	3004	DllCommonsvc.exe	102
PID 2108 wrote to memory of 1236	2108	OSPPSVC.exe	104
PID 2108 wrote to memory of 1236	2108	OSPPSVC.exe	104
PID 2108 wrote to memory of 1236	2108	OSPPSVC.exe	104
PID 1236 wrote to memory of 2136	1236	cmd.exe	106
PID 1236 wrote to memory of 2136	1236	cmd.exe	106
PID 1236 wrote to memory of 2136	1236	cmd.exe	106
PID 1236 wrote to memory of 1672	1236	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5fbec4be23e780294d9d719b484f7f9f1a5bb6138f78174aeba69f18f6f4410.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d5fbec4be23e780294d9d719b484f7f9f1a5bb6138f78174aeba69f18f6f4410.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1540
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:112
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1028
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2172
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1296
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Application Data\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
        
        "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2108
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2136
        
        C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
        
        "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
        8⤵
        
        PID:2728
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1216
        
        C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
        
        "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat"
        10⤵
        
        PID:284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:820
        
        C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
        
        "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat"
        12⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2660
        
        C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
        
        "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat"
        14⤵
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1284
        
        C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
        
        "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat"
        16⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1844
        
        C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
        
        "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        18⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2440
        
        C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe
        
        "C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat"
        20⤵
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\csrss.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\csrss.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\lsm.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\Services\Idle.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\taskhost.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Program Files\Google\Chrome\taskhost.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\WmiPrvSE.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\lsass.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\Microsoft\lsass.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\cmd.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\audiodg.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\audiodg.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Application Data\DllCommonsvc.exe'" /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Users\Default\Application Data\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Application Data\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Scheduled Task/Job: Scheduled Task
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
006750e08528a3e843041d2bc14ae44e

SHA1
1e16313f9196d3284160071abe797cb082b225ed

SHA256
78bf4455174154283ce84c0d0f4e048257c4c75b9ceb5c16a945db60af6bfa87

SHA512
5e054b700dc874d814236d7d9a3ea7117fabf52b8c64d161da382139b8451b6749dea5cf218b3045081ef870588e37051d78bd6c8ad48d990fb793bc3c0228de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
14711432ab9741ac309497f867354e5b

SHA1
d9d1778b1a1765e0db482e4ff35771adce8abc2d

SHA256
19abe069ca8659eff418b7f3089966965144f3a5375e07e17c1956aefe84cc9f

SHA512
655aced582d4a796a3519b46e3c5a059eaa2ff3d0c0472964a6047c39430a93559312e2226e47b7da943e430940eef8898758cbbe06da59bcf596254ded53a36

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8562143f00348a93449efa6d9c8029e

SHA1
bda523e7682d7159013a8d7bd9831ca77cf46285

SHA256
bb72a412f1b5c8eef87e441c426085e30f5e6de91c96e690194bc47cefc2f5da

SHA512
e29de0735b5daf03fe6ea7ea3d1104292b0f9399efb95c8571d8c1e82b1ba477b0a8ce8b681ca8566daf3cd1c090d81b9c874c53ca062d33bd47c8e0ad8b96b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a766c322f11c2a734bb1608353ab5f2e

SHA1
ca4e97a8574ad8e817e49bf26eea2c469f7d7640

SHA256
7c6ae46ca7d942def36255d510bc977d9619f69ce32479cd231c12e48ff13513

SHA512
f8354a9e7e9f41976ab5e111ff92314d9320c4364e6f501805ccfc2368c77a3df639e7cd9dc7bcc01478c8b42af88614939d4cb42a333f30940ba29834af48c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b378262f83976aa8c5c37e7fc7aaf6d

SHA1
4b1363ac4df924fe6a89e05303f79f3014fc3750

SHA256
8870aa8566f2f7675daa044ea2366f952f69fd9671be11ff8d09ae1664127fa8

SHA512
6252f6cc59a3e36b097098362544fb7db2855e150cea041d87c9cf4d24312a5c64e0f2fcecb810a79281c52a27a3b8470e65ef9d8990c5b850f46f15a15cb522

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a6ed8de0032f9c5f2e45acfb609f507

SHA1
51edcd6ac274873cc39cfbff38589bd081525893

SHA256
8b22b022777023742a1cc3dabd24528f1f1df12087d1fb68f32d6b3f6f2a6dc2

SHA512
e5bee974c84de1e229f21d29e4b8e039518d689ed9aa0a8eb0baa123bf882c8ad6acc6d656d5f9c751d14c1e0f2b94bcbe0840a8214a159ff5576dfaa7f830a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f22f2973dd71322865690083928991d8

SHA1
46f6e4b748b48ac201661407354c61a58ac1ae2d

SHA256
3131d0f9632d3f653774027d9e8671dea7eed8577310aeb1a2bbfee5dc4f5d2d

SHA512
23f3f462112a5f69c943c986fccc2cc1697cec4260fd351c0d28d4729deadab41f488f66d3ea39a3531d90eea969402fa11daeb31c35b18a2025ac150661ff64

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE8BC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

Filesize
206B

MD5
b61018dcdbee34506afda4021fa57d91

SHA1
afe8d6cb1cc74ce8470229024c33459f91850c99

SHA256
981c22986b42e3951004e9cdace4e51938ed0ea594a1074bd93515447dff213e

SHA512
d4b791a6513d4504a2543b4e6c5ad480135559ef93f18c6e6dd5084bacedcfe30ddecec182d3b697a43e289879bd384d00dcfac73442dc68198bd0be9cb4331f

Download Submit
C:\Users\Admin\AppData\Local\Temp\L9j9zErPDE.bat

Filesize
206B

MD5
e89cccee92910d43990b63e6cc943d7e

SHA1
54f1cef4c6776d13e645bf410046186936e27b23

SHA256
04792935c814e0150840a0fc867d340271a29adde382096d17c25476e06764fd

SHA512
7b24216e5253c6e70acd0461e25cbb08809897d91a3b720e4d5f6267c9017365391d73ab460b85fd4a7c3c72588967ce34e68e690aab763c82392ddb59553637

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE8DE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

Filesize
206B

MD5
096b91bf4bebea16765f8e83b5ef593d

SHA1
f6ef8dbe9afd9ff0a089509f06805ff100960e68

SHA256
0083d06f00f3e52ab6a20e5871815b436caa0deae6d3643f8bc1937a520d62d6

SHA512
f87df581f574d2a0dbe369f1ea5eb0dc9a76fbbe6be32b96a3905825b3e00da55943854a12720c3f5895037592cfb673cc219fd094a7db17ccd27465510ad91b

Download Submit
C:\Users\Admin\AppData\Local\Temp\djCrJd6RmA.bat

Filesize
206B

MD5
1a0678c922804c3d439b2ce7f0fbefed

SHA1
0ecddb005b2b1f9f1d28992d18e5aa612fdad1f9

SHA256
ae04d52b2a75341ec4ab326cf7a3b1bd0ed5e3f1e1e8f352f90d835cf4323742

SHA512
23e993d66a758acd6e5ed7ab89c6ec6411754f5000315f1e8e2b3ea99cdfb95f4fc3a64ecff9510e907dec6406d11072cfd972e30c620e353b105a9fd461ff87

Download Submit
C:\Users\Admin\AppData\Local\Temp\j95GpUP4tv.bat

Filesize
206B

MD5
807dd742e4fa75ea59930da4638c7b1c

SHA1
ea9acc1c2fdec4df34ac453d9df7ff32504dfeca

SHA256
83ad0426420803bddb653c5c56d2e56787758f575e490a2c736ab1597742abdf

SHA512
9f602cb5dcd8f34aa624f8020ffb7dda5fc15cd237c091636f1c5b4d7b100de8cc8e97da6986791474884dc5e4b897300ec853f78c39b425c47af1c67d4bd311

Download Submit
C:\Users\Admin\AppData\Local\Temp\msQYHxuKnC.bat

Filesize
206B

MD5
aeb02336ed42f3e90b8a0592e7393b15

SHA1
6be547b2c39ede1d8f4bd10dd91c7861ccd1de0d

SHA256
9b4a9e8f92b803e30f5f70240dfaea837e9dac2d3c493cc886d6733aab6accfa

SHA512
da51722ca0611eb3f7a802e8b8ae0e6acb6edc5c956c6e14e46d107104753d8f7147b5f3ae3acdbbc222bdd038ce0a79a36748cb0a6533f6c284a4aac7d71f9a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uugdhbmYnk.bat

Filesize
206B

MD5
fa84a16d95a5a1da02ddba8668f5e341

SHA1
2010651ff96084754f8c6ca940fedd359a741155

SHA256
68027b1d4b0035765bb9fa0c73312f6076a19c0e075853867cef12eb2f01c9a7

SHA512
38690319c023c9f83cb5d9bfb5b745725cfb042dee25a9bce3e0b4c4cc9737af7e35f46c7aa8c56b41a4d8070bcba1c0cabb40d752a78d8bf53b230a0a946de6

Download Submit
C:\Users\Admin\AppData\Local\Temp\zY3yp8Lh1n.bat

Filesize
206B

MD5
c6aea2e4afd0efb0e3ddc2ca403933bd

SHA1
3488415eb8963b594c0dd28041a9046f29df7f4b

SHA256
04fc3d5ddf9570779c6c06e0d8ec3cf3c1bec4a99928e804d78342688997a83b

SHA512
94c3d50840a526c4a135392f22938fed3baea6eb054d2ab7521963283da83ca70998105ec2abcb385090d4c0d6a3ecc0081c14eb581d6ef6d90a7421e8f36fac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
201319fdc67a905ea84354bc2aa713f5

SHA1
6eb81dee808b3e96ff4b7546aa78438203d16d78

SHA256
2984e22d2585a6c2f607a08f46d6ea55e16d0d5c1b38485002934ce3aa6d0926

SHA512
d76ff243d2753b932ea26efc56539507aef090c0d36876115d71367b127a26076bf7530f7031294f85de5e861de9b7f4f03488608579a7cd665725729831d2c3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1396-301-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/1496-91-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/1496-92-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1588-241-0x0000000000AF0000-0x0000000000C00000-memory.dmp

Filesize
1.1MB

Download
memory/1672-181-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1808-539-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/2108-122-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2108-50-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/2180-420-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/3004-17-0x0000000002200000-0x000000000220C000-memory.dmp

Filesize
48KB

Download
memory/3004-16-0x00000000020F0000-0x00000000020FC000-memory.dmp

Filesize
48KB

Download
memory/3004-15-0x00000000004C0000-0x00000000004CC000-memory.dmp

Filesize
48KB

Download
memory/3004-14-0x00000000002A0000-0x00000000002B2000-memory.dmp

Filesize
72KB

Download
memory/3004-13-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download