dcrat | 9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe
Size

1.3MB
MD5

de77b73f02aa71c5554295b73db978db
SHA1

7da112d26c4f550cb31f702f6cba43ddf28ed9e0
SHA256

9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1
SHA512

9860344170efc484940633fa0daf0e7258d2892815153002e5012bddd671ef960b399977cf1c04c6454c9682968cfd346e9f9d34c5c27e76c812a86999beec41
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1756	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2136	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2136	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d18-12.dat	dcrat
behavioral1/memory/2740-13-0x0000000000B90000-0x0000000000CA0000-memory.dmp	dcrat
behavioral1/memory/2404-80-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/1160-140-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat
behavioral1/memory/2120-201-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/2676-261-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/2872-380-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/2052-441-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2180-501-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/1660-561-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/1232-680-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1976	powershell.exe
2488	powershell.exe
2412	powershell.exe
2340	powershell.exe
2976	powershell.exe
2396	powershell.exe
2264	powershell.exe
2788	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2740	DllCommonsvc.exe
2404	Idle.exe
1160	Idle.exe
2120	Idle.exe
2676	Idle.exe
1756	Idle.exe
2872	Idle.exe
2052	Idle.exe
2180	Idle.exe
1660	Idle.exe
1240	Idle.exe
1232	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2240	cmd.exe
2240	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\en-US\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\en-US\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\audiodg.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\tracing\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\Web\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Web\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2816	schtasks.exe
1916	schtasks.exe
1160	schtasks.exe
2824	schtasks.exe
592	schtasks.exe
2876	schtasks.exe
2872	schtasks.exe
2308	schtasks.exe
2116	schtasks.exe
1756	schtasks.exe
2888	schtasks.exe
1748	schtasks.exe
1932	schtasks.exe
2092	schtasks.exe
3052	schtasks.exe
808	schtasks.exe
3020	schtasks.exe
2368	schtasks.exe
2516	schtasks.exe
2812	schtasks.exe
2892	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2740	DllCommonsvc.exe
2264	powershell.exe
2788	powershell.exe
1976	powershell.exe
2396	powershell.exe
2340	powershell.exe
2976	powershell.exe
2488	powershell.exe
2412	powershell.exe
2404	Idle.exe
1160	Idle.exe
2120	Idle.exe
2676	Idle.exe
1756	Idle.exe
2872	Idle.exe
2052	Idle.exe
2180	Idle.exe
1660	Idle.exe
1240	Idle.exe
1232	Idle.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	DllCommonsvc.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	2340	powershell.exe
Token: SeDebugPrivilege	2976	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2404	Idle.exe
Token: SeDebugPrivilege	1160	Idle.exe
Token: SeDebugPrivilege	2120	Idle.exe
Token: SeDebugPrivilege	2676	Idle.exe
Token: SeDebugPrivilege	1756	Idle.exe
Token: SeDebugPrivilege	2872	Idle.exe
Token: SeDebugPrivilege	2052	Idle.exe
Token: SeDebugPrivilege	2180	Idle.exe
Token: SeDebugPrivilege	1660	Idle.exe
Token: SeDebugPrivilege	1240	Idle.exe
Token: SeDebugPrivilege	1232	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2536	2756	9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe	30
PID 2756 wrote to memory of 2536	2756	9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe	30
PID 2756 wrote to memory of 2536	2756	9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe	30
PID 2756 wrote to memory of 2536	2756	9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe	30
PID 2536 wrote to memory of 2240	2536	WScript.exe	31
PID 2536 wrote to memory of 2240	2536	WScript.exe	31
PID 2536 wrote to memory of 2240	2536	WScript.exe	31
PID 2536 wrote to memory of 2240	2536	WScript.exe	31
PID 2240 wrote to memory of 2740	2240	cmd.exe	33
PID 2240 wrote to memory of 2740	2240	cmd.exe	33
PID 2240 wrote to memory of 2740	2240	cmd.exe	33
PID 2240 wrote to memory of 2740	2240	cmd.exe	33
PID 2740 wrote to memory of 2788	2740	DllCommonsvc.exe	56
PID 2740 wrote to memory of 2788	2740	DllCommonsvc.exe	56
PID 2740 wrote to memory of 2788	2740	DllCommonsvc.exe	56
PID 2740 wrote to memory of 2264	2740	DllCommonsvc.exe	57
PID 2740 wrote to memory of 2264	2740	DllCommonsvc.exe	57
PID 2740 wrote to memory of 2264	2740	DllCommonsvc.exe	57
PID 2740 wrote to memory of 1976	2740	DllCommonsvc.exe	58
PID 2740 wrote to memory of 1976	2740	DllCommonsvc.exe	58
PID 2740 wrote to memory of 1976	2740	DllCommonsvc.exe	58
PID 2740 wrote to memory of 2396	2740	DllCommonsvc.exe	59
PID 2740 wrote to memory of 2396	2740	DllCommonsvc.exe	59
PID 2740 wrote to memory of 2396	2740	DllCommonsvc.exe	59
PID 2740 wrote to memory of 2976	2740	DllCommonsvc.exe	60
PID 2740 wrote to memory of 2976	2740	DllCommonsvc.exe	60
PID 2740 wrote to memory of 2976	2740	DllCommonsvc.exe	60
PID 2740 wrote to memory of 2340	2740	DllCommonsvc.exe	61
PID 2740 wrote to memory of 2340	2740	DllCommonsvc.exe	61
PID 2740 wrote to memory of 2340	2740	DllCommonsvc.exe	61
PID 2740 wrote to memory of 2412	2740	DllCommonsvc.exe	62
PID 2740 wrote to memory of 2412	2740	DllCommonsvc.exe	62
PID 2740 wrote to memory of 2412	2740	DllCommonsvc.exe	62
PID 2740 wrote to memory of 2488	2740	DllCommonsvc.exe	63
PID 2740 wrote to memory of 2488	2740	DllCommonsvc.exe	63
PID 2740 wrote to memory of 2488	2740	DllCommonsvc.exe	63
PID 2740 wrote to memory of 1072	2740	DllCommonsvc.exe	70
PID 2740 wrote to memory of 1072	2740	DllCommonsvc.exe	70
PID 2740 wrote to memory of 1072	2740	DllCommonsvc.exe	70
PID 1072 wrote to memory of 2676	1072	cmd.exe	75
PID 1072 wrote to memory of 2676	1072	cmd.exe	75
PID 1072 wrote to memory of 2676	1072	cmd.exe	75
PID 1072 wrote to memory of 2404	1072	cmd.exe	76
PID 1072 wrote to memory of 2404	1072	cmd.exe	76
PID 1072 wrote to memory of 2404	1072	cmd.exe	76
PID 2404 wrote to memory of 2816	2404	Idle.exe	77
PID 2404 wrote to memory of 2816	2404	Idle.exe	77
PID 2404 wrote to memory of 2816	2404	Idle.exe	77
PID 2816 wrote to memory of 1756	2816	cmd.exe	79
PID 2816 wrote to memory of 1756	2816	cmd.exe	79
PID 2816 wrote to memory of 1756	2816	cmd.exe	79
PID 2816 wrote to memory of 1160	2816	cmd.exe	80
PID 2816 wrote to memory of 1160	2816	cmd.exe	80
PID 2816 wrote to memory of 1160	2816	cmd.exe	80
PID 1160 wrote to memory of 2872	1160	Idle.exe	82
PID 1160 wrote to memory of 2872	1160	Idle.exe	82
PID 1160 wrote to memory of 2872	1160	Idle.exe	82
PID 2872 wrote to memory of 2684	2872	cmd.exe	84
PID 2872 wrote to memory of 2684	2872	cmd.exe	84
PID 2872 wrote to memory of 2684	2872	cmd.exe	84
PID 2872 wrote to memory of 2120	2872	cmd.exe	85
PID 2872 wrote to memory of 2120	2872	cmd.exe	85
PID 2872 wrote to memory of 2120	2872	cmd.exe	85
PID 2120 wrote to memory of 3024	2120	Idle.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe
"C:\Users\Admin\AppData\Local\Temp\9d85ec6569d7e52307193cf82295e793f7598bc21eb7e664bcbfd137feaefbf1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2536
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2240
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UbyABZCdRu.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1072
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2676
      - C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1756
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2684
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2120
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"
        11⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2052
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat"
        13⤵
        
        PID:3068
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2920
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
        15⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2788
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat"
        17⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2340
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat"
        19⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2676
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat"
        21⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1760
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
        23⤵
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:272
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        25⤵
        
        PID:592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3020
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\tracing\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ef528a8ac8074329c51bd735cf2e9af

SHA1
0af314e3b0baec522c320a2f6f71b1dc37b7e082

SHA256
bf00132de84473218671bc505b520f62c5c705dc76ca1a48a20156bb97966875

SHA512
42049386c6e7153a502e6ee6fa12c03269e8dca8899cf9ab278bc718fa92d27097a5a68961629d1f724bc947e41ef2d22a0031d7986d3988ff90a40cfb975f65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c275aee4528a24463fad2a653a68e69

SHA1
4cd57bea82cc4a9f08b7a3475d1960bd565cb221

SHA256
5140e61a3f6807e07043eb0b72eadd37eb52a464650012ea83063fcbd4afa6af

SHA512
e060c059ef060de28002449016c3f7e04fab2612f98366902f2c2b7cfd761eb9df7db3e438f3ffafb8ea9d5c4ff024eaa423102eac98759820b2ec6c4e7acb6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3263ddb94fa184e41fa68b9d8d86055

SHA1
b76ab86fd2de2a2602badb4d00ab90d307da9266

SHA256
c6b64bc5781f8fda7833f961d75ea44e0e7c4fb0f7d62b8a2f86b3943aaf95d7

SHA512
3d448816c6b9452e52e61bab744cd5526a92a9bdf2c09c1b5bc5a9092f13cb0091c8a15323af061c3dc33a6edc184abac56db1bfe442014e49e02f6e01300b6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e94e21dd5ccbc78251ae888cbdccff6c

SHA1
20cac8b70ae6a2b07428094c7ea8390762acfe6e

SHA256
a3281f2b23ab898b25273bf5464448d97bde2fcbe1b537694cc1b57b92dc8335

SHA512
509bb0a4b657c31d65824744ea92fd5e20cbfdf1f7b837dec1f474ee23dfb73fa7dbe8f6fc2dbb43e809800ce291444e8ea9201fb55c2b17af12a63dfbf34b2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d0b9a337cf5216d41e0602a480677fd0

SHA1
4153334bb33e50da7cd03b4f21a9aff6d4c5376e

SHA256
942f298fd7ff63727c82d7e1c42aa7a494f3f909d2f5182e1a683892162ea3ab

SHA512
8cb49e3285b023c39a9f256aa576f95ec4f43d0207d96022634c5c03c9c5240ad70ce7514bae35428de6022e6fbe89abe6ac1493a82065f9bbd88255c97b9924

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6561ea524ca457d42e918ac2f83ba17

SHA1
1ebaed51e806f5627aa8426055cf5ef3be1912f8

SHA256
6b4f3f62289e0165815c9744fea83cded378b8eb89d2439fbed033f93fe32cad

SHA512
421fadda6bc4d4924462b82e97a34498a1d32eb99c49440800c0ceebca42d2ffc9488df2f3ab17530e33e0243350e76076984067be8721f484310a73c84af6e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ed05ef043e64fda3cfc3cafad638591

SHA1
cf25a8d53986099c505a4e8743ce3e91f8697e35

SHA256
a258e9f3e2ed6d3b5c6ec5a7416bda54605af2ab76753c3a5d0c347958dffbc9

SHA512
f5221c7f7b23c9879a91ef87a3fa2085ca610036de431feef5f6184e6a91137cef90fda496ab984436ffadd85eda7c75a013276fff7369522a55379f7c8943e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6a3c2654bb8427a2aebc4fcaa192a1e

SHA1
f19c986aa525dbbc9055089da8927f24f2499870

SHA256
66aee34614f38484354bc8d5a2ba141a57a0694152fb7f62a53489e6c037ce74

SHA512
98b3c4ea85e87a216a643ecc252c7978a00788fd693a5e8c58710ba2d66ecb86a511a2a4206953bf78e91aa91289de3fea5070bc222aaa2c94344a6f8c48905c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ffabfa76ffa9d50930182b25e9aef586

SHA1
bf27a265bafd25fdf2a0124900712a3307458cf5

SHA256
6df7fd8120aaec238741db12041610170adfc80b76c2f6eb31d8aacccc0c7b3c

SHA512
32b673a7ab3ef610b6dfcc92a52dd0ba547ea26dba332c187d57b602dfd31e01bf7f83e50908f57e09e5af863a35e389bc5cf87cf3e9db6471769c5a6a769223

Download Submit
C:\Users\Admin\AppData\Local\Temp\9Z120WfzwF.bat

Filesize
188B

MD5
3239a9109d088b190525c9ee8406a119

SHA1
04ee9969ea1937d5ebb35a23c050a277c7df65f5

SHA256
7409d58179c2b57fd4f67e051abdcb3ca479cffd8ff319b932da0e86fd87bd64

SHA512
817321a9714ca67760b9acb806ddd28c604bc65d568132386d5815a440b9bc0b90785f73f94274d503fb03711c7fbb203b83074db7dd91b3658291e41799af48

Download Submit
C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

Filesize
188B

MD5
cd8e609647a808015e882081704f2ea5

SHA1
b0b08518e57cec8cedd99b276e18c2366b861ede

SHA256
dbfb43c8d64a877b4f2bf69c4de9b4a93cc5a0ec0b4d5a4671b038534603e5a4

SHA512
651c15f274d5bb4bf25327cf2df994868a9ae3bdb6335854e681f77fea21f962f50446d5bf552aebc81d88fd509962dd40d9dd0fe3679ffd6008bedcee863789

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA843.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

Filesize
188B

MD5
83bacfaeb41c04fb9b66c57a2fb71c3d

SHA1
8df2b3eab3dc0aabbd76f0a98f115ee4c8b4f982

SHA256
41f7487d4859be3003d4a617e04ca4e1e928d2f6e9ed79d02a3c0e2ecb0f34b9

SHA512
48ca15277d32ecd734c18747dcd2d4e85fb4dbd7dc5a7e652e1271c81464a980ecbae12f8e0756166005461e4783b3dee8cf2014987eef8f808550bf3cd8141a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA855.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UbyABZCdRu.bat

Filesize
188B

MD5
f31ada6f42a106092814cee58d61bacb

SHA1
d6934b0ee5964588239afcc735d0b6d29ee37841

SHA256
f65f3987375c16c98143286794721e8884a67a2091ff6861cda33474be9c3468

SHA512
2a71cf0b641a784f47d3e7edf8844b7df0511138e6d134af42e7e411e9a005473be65ea3de5187a51b734330fa456ca6cf5ffdf890eef993f3e9605c53806931

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat

Filesize
188B

MD5
ae564a903308e6e585ed162e408a12d0

SHA1
7c89083e9f17c9b2c350abda7011b1963aa5c5b2

SHA256
e753aa6c8757cb9ea22de406ee05eeb457244733ddab3009aa393233db58d46e

SHA512
e095c3a95c8898073971db3208d75060d06ef4f426a266fffef28b7485a05b0d75e8526e6946630016edac5a22d2092861007e02d52dd2c3e69a7d01f59321c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5pWA5YIY7.bat

Filesize
188B

MD5
aa0b2568a7eba820a8f17e0c414ad837

SHA1
6d5464c3adc395f65e3dd39480a62fd535bb570f

SHA256
dae9b89e41400ac8a4bb443d1ac35e2991eb9ab4242d25e5487df6ff2f788b39

SHA512
c1be77eb1eb62cc3dce9dc06a36ad4590c0e99df2cadf3ed30b9ea7cd2d6b5c17c8af5e304c23c059da65e07096ebc962394a1cdeee03bc4e6f2ef4d74310f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zj0hR7WTEZ.bat

Filesize
188B

MD5
c101dc230c2cd0a1544678b04694faed

SHA1
3b057ad754aab5aa846c1853fa7e7f1bd5d5a105

SHA256
2f081b228986f1fb93c53b360136cc039c7e55746589c3661fb0188706e89e77

SHA512
a793b7317bb35b880ea0fd9600d2d325d27f0e78a61dab5aad9fbf693225e8af5af55506ccef2413668a817072194325d6133b72480715170e623ee4f5d80dd8

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
188B

MD5
e720fe1ce2d398504120386f03599905

SHA1
c56e2e154e7a67f5c2335b2cd1ef3ca2cbe5d670

SHA256
5106ba1e24a643d56a6f377c79b8c45b5e754677cd7ac36809d9f5540fac08ff

SHA512
e04b7289b004c2e66c3953e3077ce248c2e9efc50b00558d2e793687320d53afd754bf2079b154b97435fcf15f46fa5073a5d2734333de148da8c40bf71053db

Download Submit
C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat

Filesize
188B

MD5
73d07ac68baa1dfebd09b78c42068714

SHA1
538b83db91162146bd9f85d41d2ec8b5aa100d66

SHA256
aeec1a91b9a1984f742a274921c836dde8b09eb0e7e748b8dd72f97f9a493a04

SHA512
0dcd32e88a901c16a9078f130d6adac2845df3ef08d604a18dd89d08cd069c65e3bfb73e8310957b7872a5859aa78dd22e4436cf6a67bbe55e3e93cb7e06aa74

Download Submit
C:\Users\Admin\AppData\Local\Temp\t6OOvELCCF.bat

Filesize
188B

MD5
694452096eb759b437823cfa349415ec

SHA1
3b9a326c7c2d60704c4b5e22984553e507fef228

SHA256
6a2f4571daf18cdbd7c98685160f07f532dff30501b2a947867179dea05aa517

SHA512
aa72987e1846cfffa0e6357c98f0f5ce5427d81949440443e8fe9193fb9414bf2f2e96542675caf1436371775634d7e536e8f3ba0df09942a3d34c92ca72648c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ys6bB5gfdY.bat

Filesize
188B

MD5
61a616785a6973a109eb057e9bd95705

SHA1
44a5eedff3569eb75ec08fc19a5078fbe8290275

SHA256
3abd1cedcf8d7413508d1614635bf8336c09749de0cfc431ad4f9776e5ffd112

SHA512
207599ea508b74f5149b7695db15d6d9ba511d15fe3800826b484160d9e0447447d930bddae27c6edb274c5677d3f84aada00a828fc674694da519acd8dca8fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
08ccb51a5a3d4d4f53dd8d7fe08e3275

SHA1
cd8c366cb2a61af11c28496767d280367107b7d5

SHA256
65a7cd88f56f15510e321e60c510ca7c9c0bfcbd35acaccf88c1245cfb72a207

SHA512
b77a41cd5b99e6967e3b43ccda76c3b3b7e5912a915900af294502a65f227df60303794ed0b962debc9a55b709f2b114691c1df79affb15ba4dfd5ddf1aa9070

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1160-141-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1160-140-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/1232-680-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/1660-561-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2052-441-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2120-201-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/2180-501-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/2264-55-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2404-81-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2404-80-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/2676-261-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/2740-16-0x00000000005A0000-0x00000000005AC000-memory.dmp

Filesize
48KB

Download
memory/2740-17-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2740-15-0x00000000005B0000-0x00000000005BC000-memory.dmp

Filesize
48KB

Download
memory/2740-14-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2740-13-0x0000000000B90000-0x0000000000CA0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-49-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2872-381-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2872-380-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download