dcrat | 9e55f89f5b8838ccc07dcd9cc5755a70faa6fd80bed165a465dd84e0933bd650

Analysis

max time kernel
144s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 21:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9e55f89f5b8838ccc07dcd9cc5755a70faa6fd80bed165a465dd84e0933bd650.exe
Size

1.3MB
MD5

a608a629857389ea7f6a23778601cddb
SHA1

f5576643125cadd86b26eaac42a4a1c1dcf273f2
SHA256

9e55f89f5b8838ccc07dcd9cc5755a70faa6fd80bed165a465dd84e0933bd650
SHA512

34cf043103468de109d6d9bbaf13e5f659e10052647cc85d7b419625527aa517d068465585adec258e31e4e213561ea15b8dea29e5b32739393e640c32722b97
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1376	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2372	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2372	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016de4-9.dat	dcrat
behavioral1/memory/2676-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp	dcrat
behavioral1/memory/2832-80-0x0000000001240000-0x0000000001350000-memory.dmp	dcrat
behavioral1/memory/112-139-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat
behavioral1/memory/2080-200-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/1976-260-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/536-321-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/2548-381-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/2728-560-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/844-620-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2108	powershell.exe
1992	powershell.exe
2100	powershell.exe
2716	powershell.exe
3020	powershell.exe
1860	powershell.exe
2132	powershell.exe
2300	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2676	DllCommonsvc.exe
2832	Idle.exe
112	Idle.exe
2080	Idle.exe
1976	Idle.exe
536	Idle.exe
2548	Idle.exe
2676	Idle.exe
2324	Idle.exe
2728	Idle.exe
844	Idle.exe
2684	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2140	cmd.exe
2140	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
25	raw.githubusercontent.com
31	raw.githubusercontent.com
5	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
28	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Temp\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\en-US\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\en-US\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Temp\lsass.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Web\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Web\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\tracing\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9e55f89f5b8838ccc07dcd9cc5755a70faa6fd80bed165a465dd84e0933bd650.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2808	schtasks.exe
2672	schtasks.exe
2988	schtasks.exe
3000	schtasks.exe
1560	schtasks.exe
496	schtasks.exe
2648	schtasks.exe
1488	schtasks.exe
2840	schtasks.exe
1764	schtasks.exe
1376	schtasks.exe
2556	schtasks.exe
1404	schtasks.exe
2604	schtasks.exe
1980	schtasks.exe
1824	schtasks.exe
2612	schtasks.exe
1620	schtasks.exe
2596	schtasks.exe
2712	schtasks.exe
2968	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2676	DllCommonsvc.exe
2716	powershell.exe
2300	powershell.exe
1860	powershell.exe
2100	powershell.exe
2132	powershell.exe
1992	powershell.exe
2108	powershell.exe
3020	powershell.exe
2832	Idle.exe
112	Idle.exe
2080	Idle.exe
1976	Idle.exe
536	Idle.exe
2548	Idle.exe
2676	Idle.exe
2324	Idle.exe
2728	Idle.exe
844	Idle.exe
2684	Idle.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	DllCommonsvc.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2300	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	1992	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	3020	powershell.exe
Token: SeDebugPrivilege	2832	Idle.exe
Token: SeDebugPrivilege	112	Idle.exe
Token: SeDebugPrivilege	2080	Idle.exe
Token: SeDebugPrivilege	1976	Idle.exe
Token: SeDebugPrivilege	536	Idle.exe
Token: SeDebugPrivilege	2548	Idle.exe
Token: SeDebugPrivilege	2676	Idle.exe
Token: SeDebugPrivilege	2324	Idle.exe
Token: SeDebugPrivilege	2728	Idle.exe
Token: SeDebugPrivilege	844	Idle.exe
Token: SeDebugPrivilege	2684	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1800 wrote to memory of 304	1800	JaffaCakes118_9e55f89f5b8838ccc07dcd9cc5755a70faa6fd80bed165a465dd84e0933bd650.exe	31
PID 1800 wrote to memory of 304	1800	JaffaCakes118_9e55f89f5b8838ccc07dcd9cc5755a70faa6fd80bed165a465dd84e0933bd650.exe	31
PID 1800 wrote to memory of 304	1800	JaffaCakes118_9e55f89f5b8838ccc07dcd9cc5755a70faa6fd80bed165a465dd84e0933bd650.exe	31
PID 1800 wrote to memory of 304	1800	JaffaCakes118_9e55f89f5b8838ccc07dcd9cc5755a70faa6fd80bed165a465dd84e0933bd650.exe	31
PID 304 wrote to memory of 2140	304	WScript.exe	32
PID 304 wrote to memory of 2140	304	WScript.exe	32
PID 304 wrote to memory of 2140	304	WScript.exe	32
PID 304 wrote to memory of 2140	304	WScript.exe	32
PID 2140 wrote to memory of 2676	2140	cmd.exe	34
PID 2140 wrote to memory of 2676	2140	cmd.exe	34
PID 2140 wrote to memory of 2676	2140	cmd.exe	34
PID 2140 wrote to memory of 2676	2140	cmd.exe	34
PID 2676 wrote to memory of 3020	2676	DllCommonsvc.exe	57
PID 2676 wrote to memory of 3020	2676	DllCommonsvc.exe	57
PID 2676 wrote to memory of 3020	2676	DllCommonsvc.exe	57
PID 2676 wrote to memory of 1860	2676	DllCommonsvc.exe	58
PID 2676 wrote to memory of 1860	2676	DllCommonsvc.exe	58
PID 2676 wrote to memory of 1860	2676	DllCommonsvc.exe	58
PID 2676 wrote to memory of 2132	2676	DllCommonsvc.exe	59
PID 2676 wrote to memory of 2132	2676	DllCommonsvc.exe	59
PID 2676 wrote to memory of 2132	2676	DllCommonsvc.exe	59
PID 2676 wrote to memory of 2300	2676	DllCommonsvc.exe	60
PID 2676 wrote to memory of 2300	2676	DllCommonsvc.exe	60
PID 2676 wrote to memory of 2300	2676	DllCommonsvc.exe	60
PID 2676 wrote to memory of 2108	2676	DllCommonsvc.exe	61
PID 2676 wrote to memory of 2108	2676	DllCommonsvc.exe	61
PID 2676 wrote to memory of 2108	2676	DllCommonsvc.exe	61
PID 2676 wrote to memory of 2100	2676	DllCommonsvc.exe	62
PID 2676 wrote to memory of 2100	2676	DllCommonsvc.exe	62
PID 2676 wrote to memory of 2100	2676	DllCommonsvc.exe	62
PID 2676 wrote to memory of 1992	2676	DllCommonsvc.exe	63
PID 2676 wrote to memory of 1992	2676	DllCommonsvc.exe	63
PID 2676 wrote to memory of 1992	2676	DllCommonsvc.exe	63
PID 2676 wrote to memory of 2716	2676	DllCommonsvc.exe	64
PID 2676 wrote to memory of 2716	2676	DllCommonsvc.exe	64
PID 2676 wrote to memory of 2716	2676	DllCommonsvc.exe	64
PID 2676 wrote to memory of 1944	2676	DllCommonsvc.exe	73
PID 2676 wrote to memory of 1944	2676	DllCommonsvc.exe	73
PID 2676 wrote to memory of 1944	2676	DllCommonsvc.exe	73
PID 1944 wrote to memory of 872	1944	cmd.exe	75
PID 1944 wrote to memory of 872	1944	cmd.exe	75
PID 1944 wrote to memory of 872	1944	cmd.exe	75
PID 1944 wrote to memory of 2832	1944	cmd.exe	77
PID 1944 wrote to memory of 2832	1944	cmd.exe	77
PID 1944 wrote to memory of 2832	1944	cmd.exe	77
PID 2832 wrote to memory of 1924	2832	Idle.exe	78
PID 2832 wrote to memory of 1924	2832	Idle.exe	78
PID 2832 wrote to memory of 1924	2832	Idle.exe	78
PID 1924 wrote to memory of 2720	1924	cmd.exe	80
PID 1924 wrote to memory of 2720	1924	cmd.exe	80
PID 1924 wrote to memory of 2720	1924	cmd.exe	80
PID 1924 wrote to memory of 112	1924	cmd.exe	81
PID 1924 wrote to memory of 112	1924	cmd.exe	81
PID 1924 wrote to memory of 112	1924	cmd.exe	81
PID 112 wrote to memory of 856	112	Idle.exe	82
PID 112 wrote to memory of 856	112	Idle.exe	82
PID 112 wrote to memory of 856	112	Idle.exe	82
PID 856 wrote to memory of 2300	856	cmd.exe	84
PID 856 wrote to memory of 2300	856	cmd.exe	84
PID 856 wrote to memory of 2300	856	cmd.exe	84
PID 856 wrote to memory of 2080	856	cmd.exe	85
PID 856 wrote to memory of 2080	856	cmd.exe	85
PID 856 wrote to memory of 2080	856	cmd.exe	85
PID 2080 wrote to memory of 944	2080	Idle.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e55f89f5b8838ccc07dcd9cc5755a70faa6fd80bed165a465dd84e0933bd650.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9e55f89f5b8838ccc07dcd9cc5755a70faa6fd80bed165a465dd84e0933bd650.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1800
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2140
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Temp\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UbyABZCdRu.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1944
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:872
      - C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2720
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2300
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat"
        11⤵
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:448
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat"
        13⤵
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2540
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        15⤵
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2712
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat"
        17⤵
        
        PID:1376
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2428
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"
        19⤵
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:372
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat"
        21⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1752
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat"
        23⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1624
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        25⤵
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:568
        
        C:\Windows\Web\Idle.exe
        
        "C:\Windows\Web\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Web\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\tracing\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\tracing\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Microsoft Games\SpiderSolitaire\fr-FR\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Google\Temp\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8b03d814c4f59de53711c9015ec40ca

SHA1
1ef01ca36cfeabde6c2ba89fd41104ba51955d5a

SHA256
6e655a32608a9a5f3e4ee3111d5c67fb66ea1f91c523580a9d32417994465f2f

SHA512
5ec69e7459a223caafacab3902e6cf648802c6d3cdd9d5efa89af4b933659ee4879a5988467eb04bf170ddc814f698f15e143107181267b37f71a799e076444b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
390b7f6be9293863f91f7e7da0339abe

SHA1
559f70c06c8602a583b08d3ccedec6b376f01656

SHA256
a9b4c247cb3389b0f6a5b3066246a080e33ff4ec16b1fd2fbd760a4a7797ad24

SHA512
118cd7915070581bc443d114aec6208f0385af21e73f2290e5622f0b8a62ff4ec65aef1a149a572f2c359b202b6460e3f614ed548580a0beb4edbb1db690a871

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8890de638ce9b11c21cdd194411b77d0

SHA1
d61b58c7184fd85d27cfc1338db093b2deb119f3

SHA256
42f5f6be0430b37c8ab3a1f350f0e2901a348518b22523f0aaf4d3dbce4981f6

SHA512
e6f1cae6cf85384e8fa0458a0d46012ce850f071f8755379d472d07062ca6e4640ae66cba5bbcfdc8e92a9c953bc19955762e6f079e70529cef23a154202b7fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6bd13738e16d51ef53acc1da9ef18956

SHA1
53ce172586bc7edf909363ef2558ab45ad5033c4

SHA256
327fd3c6900301a0afb6fcb60637a3b4090917ea47d157325b4f71702fc18226

SHA512
ec3bac3b1c56729d8628884ec590fa623b4304aec67f6a76dc14b3155794cd036df380fdddfc2c34364fcd8a127b1a4e8584123092246d184946424833534cab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d0c7ee4267ea0db8ffa39dc23da6d35

SHA1
9b29638943490f6ab944b6feb6af0fd616b9277f

SHA256
3b63790b3f310343111fb7aae3f56e4486246986ab5238611ad9bf0011e308fd

SHA512
e7ffa28dfabac465658b255fd46666acbf104b6ecb5f29506ccf22b24462406270f26d1e3ce3afe6ada7b88a3142c00ab48fcc156ae1795ff60c8809816a6154

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1263abe3cc99c25ab964b5e878442ac7

SHA1
3d4556fce4dbf1efbaa62e671113eb0cd09cf6bc

SHA256
98b89a2f43824f94e68b6af9c6f052c64afc3280a3ba870b7c4d8a55bafeb361

SHA512
b191d4eabd1e67952e6f9b0ada2e15f7139b4db6fbbe446602e6f02473a0f69e0bc6471ca62ad2c61c7e9e82090b8eb0b883da878131cf3b11a3b8addbf8cab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83c0b2b5e3d3270acc678c99db70610a

SHA1
69bf120df286aa5d038915c0018b4917eebccd37

SHA256
256ad872ded003715173acaf13eb204bf75f7ee4b31f406941078f8244252244

SHA512
77105b8d68b31d7f81d1e9216bbce91f73387c303b45ef8f981f44aed4175b7534a8c12eec98f447cd27675ffb0a354cdfc272f851938325adf16aadc72bc830

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
797ed2fd77f2d2d08fe3933a7ff92345

SHA1
a52bfa42110638cbbbebb5f089b833cf670c9dfa

SHA256
e80e7f334148fab549c976443a107ed38c66054ef95d7e50bf33a779980518e3

SHA512
d7b9ad2b2e36da04eff30d4f5c6c3d99a57cd3aa20b41ed22080aab215ea53203639a8a291437b0a19ba601a23c21be486f21cc5b1edd744489e265e7aeaa0ac

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a14ce6eaf32ce4ec7924a6f6447bc29d

SHA1
8700c534b685a17340ee9e03c4066c541d91a96b

SHA256
edea25b317a7916299855f52f0cfc1b193ee24b540c83f139e6e68785557c9c7

SHA512
16308f5875f089fcf9e2b72fa1b46b3d9e4958f917ec5dd3a4d1164418f01cd3c65ca41aaf9824ec80bfb73bfbc32eaab39b94fa8f6959b21a831ac397dbcf36

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
188B

MD5
fd08a5ff28ff0c0dc0da756417b048cf

SHA1
364c02c0e5f96033e02e2d6432c1ede288443beb

SHA256
a2ad736cbd068bc0cd6adadfa2aa28abf0cf29c3361fb96f62d1dc67b453422c

SHA512
af3fc3bbac9192d4201b10106e64a09c1cde696e952bf5fab036d465f5422f8227b1cbb71fbcd0fc2ccef233a10558a074aa5fd57b4757642f3d1e82efcc2fbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
188B

MD5
f3b5104658e8c7ba50837a60a6a5c824

SHA1
15d8e86b484c7dff3581bbfe6c80838e84f66187

SHA256
c8c703cc2b9926df498824779fbf2fcd9155a4be46ba7b72bbc51226bc00561d

SHA512
f4df13e6a05f5af067b9004d9884040b90e12b76afd8c52d89731286d9e4458bf8e042074af54bf967a695ea3d2679784e74013471b5d1e44f270c09abad0fb9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab173A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat

Filesize
188B

MD5
0a85033f2fcc4b63a1271640eb1a34a6

SHA1
3bd8217c0094a70a0ea378fbb81f05439d36328a

SHA256
ba3be17436301c7dc7ee5f922a727e61239357580d0a33c186381b05e5ceee5d

SHA512
d3c2f755cf263870642a75da88b65f6cb0e2505a919db8baf0dc9e7f3ff1db8be05104ebc807710e02c321fe88a1b0582f737f10af83013b4b7f69c401407e40

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar175D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UbyABZCdRu.bat

Filesize
188B

MD5
f31ada6f42a106092814cee58d61bacb

SHA1
d6934b0ee5964588239afcc735d0b6d29ee37841

SHA256
f65f3987375c16c98143286794721e8884a67a2091ff6861cda33474be9c3468

SHA512
2a71cf0b641a784f47d3e7edf8844b7df0511138e6d134af42e7e411e9a005473be65ea3de5187a51b734330fa456ca6cf5ffdf890eef993f3e9605c53806931

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

Filesize
188B

MD5
2c1c0f67a758a6e93d01c09c27383644

SHA1
961a41ef3cbc06a3439de6107cc7987b4ad7e1b7

SHA256
7c4542f19d114f0c0925332cd7840610ded15294d40260f025bd26b76ece20a9

SHA512
fc3ff80ca487368a799fd61d052be58b5089e6af35f3972a1fa43733c572cf97139d39867a25e23e9e50e73ceb57039d8dca7469fad3d9a53de1d5b1d6ae9e4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
188B

MD5
02a0eb2c4b596129f14f7e81cec232ce

SHA1
b2af86579cfd2a86b80169632b7b9a01b7ce2d23

SHA256
0bfb62da3bc206b2771b3fcdfbee0a7f0e381c923355cc7a148cee926cc80cf8

SHA512
131f7aedb9c7ee6a4cec87690d7b40152d52d35aaf1fda7e2885e810d1b47361a2a7a73361c66aee67d8701c5d6cae62481f166261ea9fab1c60c79a50d69abd

Download Submit
C:\Users\Admin\AppData\Local\Temp\hD3D8PLBZ9.bat

Filesize
188B

MD5
7f50fe69d76e1bc7f0bf351d27a8698c

SHA1
7124fc357318a7cc33f37fb8f352b67a5e91aa9a

SHA256
1a011a768723e4f5b4ab6628d394da285e449db63c2ec29c13b68f8173678ba9

SHA512
7d6c3016f8c11a1d33140695959d7d3ed2310d6781fb27e2c7904bd20ff250141f4a7ebb6287d7449981e1686e286c86575ef4cd1a524d9f5621528ae1177567

Download Submit
C:\Users\Admin\AppData\Local\Temp\jBrSCX6wbi.bat

Filesize
188B

MD5
ac2aae99c873df46503b80b9d950390d

SHA1
03c3f896367fa7f7828b3b774702a656015ce0b9

SHA256
4859055e42e9d061042bcfbef4800b77e4bd7752e12cdd52d42e3a502e3b1652

SHA512
320e5f5348f3aff6b03bd68ce7166fc3d3b9dff38cea321dd21f3fabc0f420adbc2a643b6863455efd59b9fd9f11fe4ce63ea9d90026d0ed41ba817f3d23d111

Download Submit
C:\Users\Admin\AppData\Local\Temp\kRqsvBC5Qb.bat

Filesize
188B

MD5
5ad83d2f83dc920208ae9c9c095c6722

SHA1
b636ce652ed746f41fb7c28600d3da87487e8bbd

SHA256
fcf79e26e434892ce22d4176bec60329f904199d0cc9e66c7f5ca82ecad4301f

SHA512
fe39618580de7f2267ce7e90552c593e2d2838175400ac4be9cff3b845fcffa13fea39c21da283da850171898a88974ba22effb4cd295fc6c736060c2db5d8ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\n9GQh003RW.bat

Filesize
188B

MD5
74eb8a1db997eeb0596a1b49a939ca60

SHA1
fd593ae01ae7dd774395dacf3a440f3d7c23a109

SHA256
2bb1f7a42e464e28ffc4ea740e8c99631fcbc39b3a1720563ca1f27019cfee11

SHA512
0c7cc1567242bf4402c2d494d37a84295131ebe7b84ef97edbcfccc922a35d2d3b9eab127bad8eaf8bcd5d79b7046b8eaa37e2a4ae475fe0508923c1d28c8ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\xdvgpfy6bM.bat

Filesize
188B

MD5
3c29ebbc2e667dee811b5421da5187fa

SHA1
360011b61d3a2f88be68c993b8ddd9c005ccdc62

SHA256
036b9431570a7902e0630ca9feff17027affafa3453a872d0ab1e0885c95cda7

SHA512
a7bdca36f1ef9e71eed34047a906dd1c4e3cb0c494daca00dbddbfec0da8399e1f7aa73dd829898d0f5d465a2366252e79c7ab13ef67c6c6564030df35ab4c62

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
dad81e81bc9c6e833dc18a51bbbb8e23

SHA1
58982e21b9354ef8fa8dfd069c133c88a827b4f5

SHA256
3794d2430f5bc6c5f7cbcfdde2a925ee47de26c1d78cef24827a4f2189e20f91

SHA512
e7e4e2ff5adf95fcc80127f758383301c43ff92a3282412e5812b8f9ade6ef31d53b6e1d04a7ea47ea5bc474a932ed45b95e4466ccf130386533fca11bcf69a1

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/112-140-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/112-139-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/536-321-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/844-620-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/1976-261-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1976-260-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/2080-200-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2548-381-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2676-441-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2676-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2676-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2676-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2676-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2676-13-0x0000000000EB0000-0x0000000000FC0000-memory.dmp

Filesize
1.1MB

Download
memory/2716-41-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2716-40-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2728-560-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/2832-80-0x0000000001240000-0x0000000001350000-memory.dmp

Filesize
1.1MB

Download