dcrat | 5a162cb384e58c90f37b8c472661cf99ee103010018001249592b0928a4fcfb9

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21/12/2024, 20:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5a162cb384e58c90f37b8c472661cf99ee103010018001249592b0928a4fcfb9.exe
Size

1.3MB
MD5

e7c8a80ac8e11f4fa552a67ab7f3e846
SHA1

7d1546a03a9323a97ee2b8b437b04f55b036aed2
SHA256

5a162cb384e58c90f37b8c472661cf99ee103010018001249592b0928a4fcfb9
SHA512

3f7eda3846dc7dff139ee7e8db9c30cd16f235a6fffa8182cbc5d075661e6da990e07d282f09fa376fe5c574abe5d2694fda935b0becb83e67db10d1d392dfde
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	372	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2584	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2584	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d0b-12.dat	dcrat
behavioral1/memory/1488-13-0x00000000010D0000-0x00000000011E0000-memory.dmp	dcrat
behavioral1/memory/264-58-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/2844-131-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/1224-191-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/2952-252-0x0000000000860000-0x0000000000970000-memory.dmp	dcrat
behavioral1/memory/760-312-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/memory/2020-372-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/604-432-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/2348-492-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/320-552-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/540-613-0x0000000000830000-0x0000000000940000-memory.dmp	dcrat
behavioral1/memory/2956-673-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1044	powershell.exe
764	powershell.exe
2876	powershell.exe
1040	powershell.exe
2268	powershell.exe
1176	powershell.exe
856	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
1488	DllCommonsvc.exe
264	System.exe
2844	System.exe
1224	System.exe
2952	System.exe
760	System.exe
2020	System.exe
604	System.exe
2348	System.exe
320	System.exe
540	System.exe
2956	System.exe
2444	System.exe
736	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	cmd.exe
2668	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
40	raw.githubusercontent.com
43	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\VideoLAN\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\VideoLAN\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\VideoLAN\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\rescache\rc0005\dwm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5a162cb384e58c90f37b8c472661cf99ee103010018001249592b0928a4fcfb9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2644	schtasks.exe
1348	schtasks.exe
2128	schtasks.exe
1852	schtasks.exe
2740	schtasks.exe
2844	schtasks.exe
2648	schtasks.exe
2976	schtasks.exe
372	schtasks.exe
2480	schtasks.exe
2768	schtasks.exe
2608	schtasks.exe
2980	schtasks.exe
1104	schtasks.exe
1716	schtasks.exe
1016	schtasks.exe
1728	schtasks.exe
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
1488	DllCommonsvc.exe
1488	DllCommonsvc.exe
1488	DllCommonsvc.exe
1044	powershell.exe
2876	powershell.exe
764	powershell.exe
856	powershell.exe
1040	powershell.exe
1176	powershell.exe
2268	powershell.exe
264	System.exe
2844	System.exe
1224	System.exe
2952	System.exe
760	System.exe
2020	System.exe
604	System.exe
2348	System.exe
320	System.exe
540	System.exe
2956	System.exe
2444	System.exe
736	System.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	DllCommonsvc.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	2876	powershell.exe
Token: SeDebugPrivilege	764	powershell.exe
Token: SeDebugPrivilege	856	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	264	System.exe
Token: SeDebugPrivilege	1176	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	2844	System.exe
Token: SeDebugPrivilege	1224	System.exe
Token: SeDebugPrivilege	2952	System.exe
Token: SeDebugPrivilege	760	System.exe
Token: SeDebugPrivilege	2020	System.exe
Token: SeDebugPrivilege	604	System.exe
Token: SeDebugPrivilege	2348	System.exe
Token: SeDebugPrivilege	320	System.exe
Token: SeDebugPrivilege	540	System.exe
Token: SeDebugPrivilege	2956	System.exe
Token: SeDebugPrivilege	2444	System.exe
Token: SeDebugPrivilege	736	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_5a162cb384e58c90f37b8c472661cf99ee103010018001249592b0928a4fcfb9.exe	30
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_5a162cb384e58c90f37b8c472661cf99ee103010018001249592b0928a4fcfb9.exe	30
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_5a162cb384e58c90f37b8c472661cf99ee103010018001249592b0928a4fcfb9.exe	30
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_5a162cb384e58c90f37b8c472661cf99ee103010018001249592b0928a4fcfb9.exe	30
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 1488 wrote to memory of 856	1488	DllCommonsvc.exe	53
PID 1488 wrote to memory of 856	1488	DllCommonsvc.exe	53
PID 1488 wrote to memory of 856	1488	DllCommonsvc.exe	53
PID 1488 wrote to memory of 1044	1488	DllCommonsvc.exe	54
PID 1488 wrote to memory of 1044	1488	DllCommonsvc.exe	54
PID 1488 wrote to memory of 1044	1488	DllCommonsvc.exe	54
PID 1488 wrote to memory of 2876	1488	DllCommonsvc.exe	55
PID 1488 wrote to memory of 2876	1488	DllCommonsvc.exe	55
PID 1488 wrote to memory of 2876	1488	DllCommonsvc.exe	55
PID 1488 wrote to memory of 764	1488	DllCommonsvc.exe	56
PID 1488 wrote to memory of 764	1488	DllCommonsvc.exe	56
PID 1488 wrote to memory of 764	1488	DllCommonsvc.exe	56
PID 1488 wrote to memory of 1040	1488	DllCommonsvc.exe	58
PID 1488 wrote to memory of 1040	1488	DllCommonsvc.exe	58
PID 1488 wrote to memory of 1040	1488	DllCommonsvc.exe	58
PID 1488 wrote to memory of 1176	1488	DllCommonsvc.exe	61
PID 1488 wrote to memory of 1176	1488	DllCommonsvc.exe	61
PID 1488 wrote to memory of 1176	1488	DllCommonsvc.exe	61
PID 1488 wrote to memory of 2268	1488	DllCommonsvc.exe	63
PID 1488 wrote to memory of 2268	1488	DllCommonsvc.exe	63
PID 1488 wrote to memory of 2268	1488	DllCommonsvc.exe	63
PID 1488 wrote to memory of 264	1488	DllCommonsvc.exe	67
PID 1488 wrote to memory of 264	1488	DllCommonsvc.exe	67
PID 1488 wrote to memory of 264	1488	DllCommonsvc.exe	67
PID 264 wrote to memory of 2752	264	System.exe	68
PID 264 wrote to memory of 2752	264	System.exe	68
PID 264 wrote to memory of 2752	264	System.exe	68
PID 2752 wrote to memory of 2588	2752	cmd.exe	70
PID 2752 wrote to memory of 2588	2752	cmd.exe	70
PID 2752 wrote to memory of 2588	2752	cmd.exe	70
PID 2752 wrote to memory of 2844	2752	cmd.exe	71
PID 2752 wrote to memory of 2844	2752	cmd.exe	71
PID 2752 wrote to memory of 2844	2752	cmd.exe	71
PID 2844 wrote to memory of 1304	2844	System.exe	73
PID 2844 wrote to memory of 1304	2844	System.exe	73
PID 2844 wrote to memory of 1304	2844	System.exe	73
PID 1304 wrote to memory of 1768	1304	cmd.exe	75
PID 1304 wrote to memory of 1768	1304	cmd.exe	75
PID 1304 wrote to memory of 1768	1304	cmd.exe	75
PID 1304 wrote to memory of 1224	1304	cmd.exe	76
PID 1304 wrote to memory of 1224	1304	cmd.exe	76
PID 1304 wrote to memory of 1224	1304	cmd.exe	76
PID 1224 wrote to memory of 3064	1224	System.exe	77
PID 1224 wrote to memory of 3064	1224	System.exe	77
PID 1224 wrote to memory of 3064	1224	System.exe	77
PID 3064 wrote to memory of 1420	3064	cmd.exe	79
PID 3064 wrote to memory of 1420	3064	cmd.exe	79
PID 3064 wrote to memory of 1420	3064	cmd.exe	79
PID 3064 wrote to memory of 2952	3064	cmd.exe	80
PID 3064 wrote to memory of 2952	3064	cmd.exe	80
PID 3064 wrote to memory of 2952	3064	cmd.exe	80
PID 2952 wrote to memory of 2836	2952	System.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a162cb384e58c90f37b8c472661cf99ee103010018001249592b0928a4fcfb9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5a162cb384e58c90f37b8c472661cf99ee103010018001249592b0928a4fcfb9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\VideoLAN\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Desktop\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
    - - C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:264
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2588
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1768
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1224
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1420
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat"
        12⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1608
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat"
        14⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1832
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat"
        16⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1828
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat"
        18⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2724
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
        20⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:844
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat"
        22⤵
        
        PID:1768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2648
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
        24⤵
        
        PID:1516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2656
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
        26⤵
        
        PID:1248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:536
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat"
        28⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:448
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\VideoLAN\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Desktop\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Desktop\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a8502a630b8af9e131489b96f53255e

SHA1
1f9680c73d9ae30f6bd5903cd1da8159ebddfae6

SHA256
1c745148183fccaaaea8af925ce45877b6cb80ec26e8155e2fff06036e8399bd

SHA512
a6b86b76b26ee4bb5bea5217eca6352804f8338864078930d2c27b5d74a1021fc0682c102230ad103c92256e450ff11c386fcebeeda0cdde65ceb4429e14f846

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
643202ebd52c262a5145230dca78eb43

SHA1
54d0f3fee84a77b83e8f097d30a070e2dfaad2ab

SHA256
b516993535a14497f3684334ff9f6834806cb7f1e817713b26cbd706ea5653e7

SHA512
0990161454fc97396022c9ccd1b275888b55993725c6c7c4b49668014de9f32abcdcaf05dfca89a6ecee4a3e4f80ada9150509f24554514ae8cd4871ef459471

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
94a67b900133e926b500bd45ff1cd478

SHA1
45dedc8b58846867854b0925ef65e83a592b0580

SHA256
ebbc6c70e2f195cc825408d784cb9ee32ddbf1bacad25ca29c38f9e255b8780e

SHA512
cb14251b9f440089a2b440a71cf5ffef98b02fa310c4ce680df6be8e82d09d18dce3c438ccfd0abfc51c31f428303603fd21ef70317bafa2db3a4eb527eadcd3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cf9f4a4e42a055ebd0e971dcb7dccce

SHA1
367fd235e6f8308806b42a649f82ef557da30474

SHA256
08024192f5af865072648be0cd7eba1d1b791be653b266d1b1e989d1a345aef0

SHA512
59c63a82a5a40aee10e648ad275614a6fb69dbb92e41fd13ba691df9a53d0d52e09f079ebf83cb3d0f106876bffc00e41549ce7f965b543a30588e7946a74dec

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
385feda6687d46c78dc48d536f9b043b

SHA1
ce05c902e8a96340600f74384a6dfaee435a9cc5

SHA256
d1477ac5adad6df8bf0b3e79cc70b9935db3a454eb41682d71d1e657be577444

SHA512
2d9dc1cefe53a463de6f703271d997b3efc1a97632b31b275c15f95f9c6aa2d174eb56dadb009ce5e27fb7352aa7316c2146c5c002c3433ce57597abdf800a6f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb180618a57354fc781b2ad2ec1603fb

SHA1
dc49ea88c3b9b2afd8b8a2a70a1a2619e865070d

SHA256
bc385123ebc926b982dfdd142e8202974e24abbb2d35175140a6be63e84d9ab7

SHA512
a9ff3592d7d1e9b8e12f68fe6e9cf687a333e8d3938c69caec6411c4a323487c31bef464dc461df15ed6b8a965ba161acc94b6e1c2a961b720f93cdae47136e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6de1083c8281ed624105c692b22eb371

SHA1
728add932c95a1897838096d3127eaffda966340

SHA256
48d722e4d1913d177141f72338f05ccd4acc267809fa4e71d69fb4a0a46567de

SHA512
042e471f098093e478a13cef9665aa8f353a388f1c3055bc4db3611cdaa3b08acf7a0e1d0f06c1b4803a09a49352d576e1883d82ac1d10cb924cfb1ce870696a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4eb4748ab982401514bf3c4c27c3b9f

SHA1
08c5dd8dd3bf19ddf32798b1d36823d5064a33cf

SHA256
b94934deda242742775eb7c5eefdc8245cb7668a0f5f0d097132376082c824bf

SHA512
65bae3ccfa1f3e2a6730e01cbb45a32948aef4f69b4481e41c5755e30975e9ee997b4c7f24360996eac8da6003c4b456454a277bf25f592c317a626b81997bd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fbce4007d9dd726e63a495b836845d39

SHA1
7f8d3efc34a620ab90e7ec5dc41576979cceea9f

SHA256
b21905f71dd913030aae6ec0077acdf2fb73fabf13ef4bcf5ca5cf36f1816d01

SHA512
59ef42e117ef088145b0562a958bc42ccede7ccc343334c0f9003d665d741a2c77eb9ab9e5a00d3f644ac1ab7df8a5a5e4f0c2fa8f967f23e573b0d913ca8aa8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eddac07e5c0b2dd502946db94d141b46

SHA1
dc455b7e867e2812f93addee1d1438f4617b618e

SHA256
7a7f059d9f973fe1e6f67139b45e36bc4925c0ab1895b7db47f5bc1a9331714c

SHA512
4d40f616706896cd805be9ea60f05ad59f5bda0e7fa756346d03caf04d21f406f22f5557d2301266e7f2aa76636167f77453a16167c50ba9a115dc05dee8fcc9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
707bcf9acee7be73d027cbb84fa6cc05

SHA1
5354e0c969e859874437d204c86bee3ce5a18fba

SHA256
e558d18080c1947db369548f74e68670842ce9ff6ecafd81ca113db792c08bf4

SHA512
3fc9a0d4e5978709f76d49307cef7b45f0c9ce686656a0a55fd55e21083bcb037948e1df8c7f52339741c95cff703488e79a2be99ce5df050817519b17eca375

Download Submit
C:\Users\Admin\AppData\Local\Temp\4rzlnKig63.bat

Filesize
191B

MD5
efca3600f6f74e1f30381637bf05c893

SHA1
d8c85c7b5edfbd5d815ea3a5c640267f594516ba

SHA256
dd8f915798209c2e49988320b07bf4fc69671f2604159d2d6ba03874b0eb30d3

SHA512
2e623ce1b2de291c0d11e9ef95f4c18c85e93656015add4603f53ea0305a2b59c123c3c3c5d6abd1707488cfe5263aa39bb8473c25c7fadc0fdfb775236be0c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB492.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
191B

MD5
2c734455d8033037efb7e9c54177c1dc

SHA1
6edbb06c906a2d0a3fb35c0b553b540ea3b7e6fa

SHA256
878cf1d14f5e42885ac2819525437c7e426c0d66bbb2ab24a2a378dcdc165909

SHA512
8eba326fc49bb72a6b253350ec1b8bfa96cf7781384562f0881ecd98d28b7eaff4a7f05a8dd743bc1c2fd3f0fcf558a3f888796a41b92137c7597d66b57d2783

Download Submit
C:\Users\Admin\AppData\Local\Temp\IrNnSCw4rJ.bat

Filesize
191B

MD5
9ad6c06a0e17251654bb731a07b3393d

SHA1
8c74624ab534fd391997c705f091a2660f4de924

SHA256
8dd7ee52a1ed155c70114aa9589b1b05d3323f5f097aecada26335e40b8b5a00

SHA512
9c60fabb03c2cfa41969b9ba228cfb801a28ef5594820431d7f12c399d2d967c53f8bcccf02470032a3c6133f6f8eeb69e45f98f6573a0c6418a0efa1b694640

Download Submit
C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat

Filesize
191B

MD5
f9a5acac2b24c4df8103532cd0ca75ab

SHA1
77e090c4b82714a28b1d35f28402e5a2de0b0ee0

SHA256
12ce354bdbe154f25bceba64845a1c960ff70d4b0259e2278daf1f6fbe20eb0b

SHA512
0f14ea358b1f722297c773b721753f3868c1e73a80360491740a5fb207ae2a0bd9017f116942a7bd04334a1d71df2f0ad26f9ad17fafc7a3e28ccd2e4b77441b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Pbn0SniZDX.bat

Filesize
191B

MD5
972151444b578076abdd3660082fd631

SHA1
ac43cf8b367059642a4e7f8b83edd580d9a2902a

SHA256
c5fba28766edd15028a6fae498c850cb695f91584cad7d0b59350570086a18e3

SHA512
64c157be6164623f09d0b40e9fe8c594a3b383ab2f06491aa601d4545b45165c45835c86a2452c760d203fc39381b0d233ae57ffcb6ccd86510395c0b3ee04de

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB4B4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

Filesize
191B

MD5
8e8e85b459f0abc77cc58eb08954dba4

SHA1
dbfbb6abbf69516aa75ce4150456b90a02cb14a1

SHA256
34beca0da7999ce18db7f5dae7c1af0c3476f3177ed8670c69edf9a58c00c2ab

SHA512
96a2104006e8cdd3904c313fc2924d56efacbff42d7146834687e3b1e499ec46eb093b7810f44f49d18406452083564c8c226c08064011ea37af3d42334f024b

Download Submit
C:\Users\Admin\AppData\Local\Temp\k2jNhBdkgg.bat

Filesize
191B

MD5
cb9a7f39ecbf46ad293ec1a5f2060625

SHA1
ff7e238766cac1f5fdf008ecaf57ef9cd5144ee6

SHA256
e468193badacc0ce237d3d9d8901b1da20b5a4a0bc2204632092a6cd608e620c

SHA512
92b1708c03badfa9e06a5cca1ac3b7a077309a67df91d5486a7a72ac444d905fecadd1ba6496200253f8c5dc6b6c3378d5537890ddce9be07f3e53b3d6591cb4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kXH0MsH7jV.bat

Filesize
191B

MD5
379beafbafea002048c2754792f7e8f2

SHA1
342cb7ed1ce8db4023a1a9cfb0510af7be3c1448

SHA256
825811feed49ded77f33a2e9baf6dc86e1536a99fe5a33060c96f78876a9fca4

SHA512
a8065c311f893821d3f02484884b9dfcd38bfa04fff201185a43b24e83bc72e5cddb9cd877bb4912d65a19ef1dbdfb0691237a2d9e650b44ee95b927c2bc07a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat

Filesize
191B

MD5
f1f328c7929567406703959ac60a03f0

SHA1
4e41c48a612d73e24ca76c4f56232fda00bcb22f

SHA256
eed765b77e8b05c60c2ed5a45537bcb456500965dab82791f8bbb7c2344c6a31

SHA512
ebc3e1f4badc76030195e93985e849a703fd3a7e77bf11914c9a489421867a7e0b91ee3dd67f2fad121d729c9b8be7ccebbff7f130efaea0ec7c7ff8bd2d1879

Download Submit
C:\Users\Admin\AppData\Local\Temp\rfuxuqwfwI.bat

Filesize
191B

MD5
2ad53d24e6f8aae1fa8f868967e89729

SHA1
20471aa98b4e0ca367f5777bb9391525848d57a7

SHA256
04eba54138ac8df8b2d1ca9c74e404d0ad7d76cbcdc86441195a82bbbd593135

SHA512
8c273c63d59adcd73ef6407c02446f3fdc2062750ebba9b7cdc0ed2064a6053060909391e3aa66e62e17fc1d0a05e08a195966fda1af0acb48c241e9876e00a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\uq0hdwOOBc.bat

Filesize
191B

MD5
79b175fafafc384518c91a711d13572c

SHA1
24480456b616f86889b6c1b998b493d75c475e6f

SHA256
e699169056e3f108ee3fd1c8788002b5d07fc1cb9c835145eb9631f521c4c9be

SHA512
6b362c14bc9cbbbd7109782fa66b8104d834aaf527539be4ca256a503b2a8a21e94a048abde66f724ec1a31e1bfebfa0bd0dd8afa2db3b1f4755096af7209dd7

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat

Filesize
191B

MD5
3eeacc12e8b1c49189a6ced0933d0852

SHA1
cf09177150b1db64f765f1eb5d9544f45d059337

SHA256
0467527bf71576c1765626d80f4dd7532fe66944ac69994bd00b9fc82590e459

SHA512
afc08deed2a5c96c02db65cfd8c7f3214a6941dd788f66cbc042378e7e5abba2bd81cbf431493daec942783e6598561aa2f3bc400ee84174690a663106945ac9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
1d288fb531b194ceb794ab09de7556ac

SHA1
8ff94f68cafa2456a4a5e6e4629f5e1a1eca449c

SHA256
49c00f5882bbd772b47d131a8286e8394879571449dc9e671ac3701cb5b5bed4

SHA512
b68348445c2ccf472b0a3a5ed8e85b12f6df4a5693ffa7b075aca4a16599b2319d92bd3e52aec490ff209c136a2620361a98f43a91f525b88938deb325fe6035

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/264-58-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/320-553-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/320-552-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/540-613-0x0000000000830000-0x0000000000940000-memory.dmp

Filesize
1.1MB

Download
memory/604-432-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/760-312-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/764-57-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/856-55-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1224-191-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/1224-192-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/1488-13-0x00000000010D0000-0x00000000011E0000-memory.dmp

Filesize
1.1MB

Download
memory/1488-17-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/1488-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/1488-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1488-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2020-372-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/2348-492-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/2844-131-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2952-252-0x0000000000860000-0x0000000000970000-memory.dmp

Filesize
1.1MB

Download
memory/2956-673-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download