dcrat | fccd52c9156b04035a859bc4dbacb06b3c4a8a833c415cdc7608d7117af6a5a0

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fccd52c9156b04035a859bc4dbacb06b3c4a8a833c415cdc7608d7117af6a5a0.exe
Size

1.3MB
MD5

eed15f1bfadfe397a5c3a6ac79331f6d
SHA1

3481bafb341386123694cd3bd2ff0269f56dcf38
SHA256

fccd52c9156b04035a859bc4dbacb06b3c4a8a833c415cdc7608d7117af6a5a0
SHA512

c5608aeab86d0dd62110a4dfd1bc7fa27d207a68694c0172e06d200148ad734b673d9e9c374f779809469bcc864c65efcf45aa3a4d5982a40296899e4fa2f067
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	900	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2724	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2724	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000160da-9.dat	dcrat
behavioral1/memory/2708-13-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/2604-85-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat
behavioral1/memory/2384-203-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2068-263-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/2020-323-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/2056-383-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/2152-443-0x0000000000D30000-0x0000000000E40000-memory.dmp	dcrat
behavioral1/memory/2876-503-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2188	powershell.exe
1512	powershell.exe
2952	powershell.exe
960	powershell.exe
2144	powershell.exe
2224	powershell.exe
2108	powershell.exe
2128	powershell.exe
3068	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2708	DllCommonsvc.exe
2604	DllCommonsvc.exe
1520	DllCommonsvc.exe
2384	DllCommonsvc.exe
2068	DllCommonsvc.exe
2020	DllCommonsvc.exe
2056	DllCommonsvc.exe
2152	DllCommonsvc.exe
2876	DllCommonsvc.exe
928	DllCommonsvc.exe
1748	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
1960	cmd.exe
1960	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Defender\fr-FR\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Performance\WinSAT\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fccd52c9156b04035a859bc4dbacb06b3c4a8a833c415cdc7608d7117af6a5a0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2884	schtasks.exe
2240	schtasks.exe
1460	schtasks.exe
1680	schtasks.exe
2540	schtasks.exe
560	schtasks.exe
1508	schtasks.exe
764	schtasks.exe
2916	schtasks.exe
2844	schtasks.exe
2636	schtasks.exe
1864	schtasks.exe
2004	schtasks.exe
2908	schtasks.exe
2140	schtasks.exe
2608	schtasks.exe
2568	schtasks.exe
1236	schtasks.exe
2892	schtasks.exe
2372	schtasks.exe
900	schtasks.exe
3020	schtasks.exe
2456	schtasks.exe
2764	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2708	DllCommonsvc.exe
2952	powershell.exe
2128	powershell.exe
2224	powershell.exe
3068	powershell.exe
2144	powershell.exe
2188	powershell.exe
960	powershell.exe
2108	powershell.exe
1512	powershell.exe
2604	DllCommonsvc.exe
1520	DllCommonsvc.exe
2384	DllCommonsvc.exe
2068	DllCommonsvc.exe
2020	DllCommonsvc.exe
2056	DllCommonsvc.exe
2152	DllCommonsvc.exe
2876	DllCommonsvc.exe
928	DllCommonsvc.exe
1748	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2708	DllCommonsvc.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	960	powershell.exe
Token: SeDebugPrivilege	2108	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	2604	DllCommonsvc.exe
Token: SeDebugPrivilege	1520	DllCommonsvc.exe
Token: SeDebugPrivilege	2384	DllCommonsvc.exe
Token: SeDebugPrivilege	2068	DllCommonsvc.exe
Token: SeDebugPrivilege	2020	DllCommonsvc.exe
Token: SeDebugPrivilege	2056	DllCommonsvc.exe
Token: SeDebugPrivilege	2152	DllCommonsvc.exe
Token: SeDebugPrivilege	2876	DllCommonsvc.exe
Token: SeDebugPrivilege	928	DllCommonsvc.exe
Token: SeDebugPrivilege	1748	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 604 wrote to memory of 1704	604	JaffaCakes118_fccd52c9156b04035a859bc4dbacb06b3c4a8a833c415cdc7608d7117af6a5a0.exe	31
PID 604 wrote to memory of 1704	604	JaffaCakes118_fccd52c9156b04035a859bc4dbacb06b3c4a8a833c415cdc7608d7117af6a5a0.exe	31
PID 604 wrote to memory of 1704	604	JaffaCakes118_fccd52c9156b04035a859bc4dbacb06b3c4a8a833c415cdc7608d7117af6a5a0.exe	31
PID 604 wrote to memory of 1704	604	JaffaCakes118_fccd52c9156b04035a859bc4dbacb06b3c4a8a833c415cdc7608d7117af6a5a0.exe	31
PID 1704 wrote to memory of 1960	1704	WScript.exe	32
PID 1704 wrote to memory of 1960	1704	WScript.exe	32
PID 1704 wrote to memory of 1960	1704	WScript.exe	32
PID 1704 wrote to memory of 1960	1704	WScript.exe	32
PID 1960 wrote to memory of 2708	1960	cmd.exe	34
PID 1960 wrote to memory of 2708	1960	cmd.exe	34
PID 1960 wrote to memory of 2708	1960	cmd.exe	34
PID 1960 wrote to memory of 2708	1960	cmd.exe	34
PID 2708 wrote to memory of 2144	2708	DllCommonsvc.exe	60
PID 2708 wrote to memory of 2144	2708	DllCommonsvc.exe	60
PID 2708 wrote to memory of 2144	2708	DllCommonsvc.exe	60
PID 2708 wrote to memory of 2224	2708	DllCommonsvc.exe	61
PID 2708 wrote to memory of 2224	2708	DllCommonsvc.exe	61
PID 2708 wrote to memory of 2224	2708	DllCommonsvc.exe	61
PID 2708 wrote to memory of 2108	2708	DllCommonsvc.exe	62
PID 2708 wrote to memory of 2108	2708	DllCommonsvc.exe	62
PID 2708 wrote to memory of 2108	2708	DllCommonsvc.exe	62
PID 2708 wrote to memory of 2188	2708	DllCommonsvc.exe	63
PID 2708 wrote to memory of 2188	2708	DllCommonsvc.exe	63
PID 2708 wrote to memory of 2188	2708	DllCommonsvc.exe	63
PID 2708 wrote to memory of 1512	2708	DllCommonsvc.exe	64
PID 2708 wrote to memory of 1512	2708	DllCommonsvc.exe	64
PID 2708 wrote to memory of 1512	2708	DllCommonsvc.exe	64
PID 2708 wrote to memory of 2952	2708	DllCommonsvc.exe	65
PID 2708 wrote to memory of 2952	2708	DllCommonsvc.exe	65
PID 2708 wrote to memory of 2952	2708	DllCommonsvc.exe	65
PID 2708 wrote to memory of 960	2708	DllCommonsvc.exe	66
PID 2708 wrote to memory of 960	2708	DllCommonsvc.exe	66
PID 2708 wrote to memory of 960	2708	DllCommonsvc.exe	66
PID 2708 wrote to memory of 2128	2708	DllCommonsvc.exe	67
PID 2708 wrote to memory of 2128	2708	DllCommonsvc.exe	67
PID 2708 wrote to memory of 2128	2708	DllCommonsvc.exe	67
PID 2708 wrote to memory of 3068	2708	DllCommonsvc.exe	69
PID 2708 wrote to memory of 3068	2708	DllCommonsvc.exe	69
PID 2708 wrote to memory of 3068	2708	DllCommonsvc.exe	69
PID 2708 wrote to memory of 2244	2708	DllCommonsvc.exe	78
PID 2708 wrote to memory of 2244	2708	DllCommonsvc.exe	78
PID 2708 wrote to memory of 2244	2708	DllCommonsvc.exe	78
PID 2244 wrote to memory of 2852	2244	cmd.exe	80
PID 2244 wrote to memory of 2852	2244	cmd.exe	80
PID 2244 wrote to memory of 2852	2244	cmd.exe	80
PID 2244 wrote to memory of 2604	2244	cmd.exe	81
PID 2244 wrote to memory of 2604	2244	cmd.exe	81
PID 2244 wrote to memory of 2604	2244	cmd.exe	81
PID 2604 wrote to memory of 928	2604	DllCommonsvc.exe	82
PID 2604 wrote to memory of 928	2604	DllCommonsvc.exe	82
PID 2604 wrote to memory of 928	2604	DllCommonsvc.exe	82
PID 928 wrote to memory of 1988	928	cmd.exe	84
PID 928 wrote to memory of 1988	928	cmd.exe	84
PID 928 wrote to memory of 1988	928	cmd.exe	84
PID 928 wrote to memory of 1520	928	cmd.exe	85
PID 928 wrote to memory of 1520	928	cmd.exe	85
PID 928 wrote to memory of 1520	928	cmd.exe	85
PID 1520 wrote to memory of 2172	1520	DllCommonsvc.exe	86
PID 1520 wrote to memory of 2172	1520	DllCommonsvc.exe	86
PID 1520 wrote to memory of 2172	1520	DllCommonsvc.exe	86
PID 2172 wrote to memory of 3020	2172	cmd.exe	88
PID 2172 wrote to memory of 3020	2172	cmd.exe	88
PID 2172 wrote to memory of 3020	2172	cmd.exe	88
PID 2172 wrote to memory of 2384	2172	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fccd52c9156b04035a859bc4dbacb06b3c4a8a833c415cdc7608d7117af6a5a0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fccd52c9156b04035a859bc4dbacb06b3c4a8a833c415cdc7608d7117af6a5a0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:604
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2708
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Defender\fr-FR\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IQB66TlCJv.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2852
      - C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1988
        
        C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3020
        
        C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat"
        11⤵
        
        PID:2712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1512
        
        C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat"
        13⤵
        
        PID:2616
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2620
        
        C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat"
        15⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2208
        
        C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
        17⤵
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1740
        
        C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat"
        19⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1324
        
        C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat"
        21⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:848
        
        C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        23⤵
        
        PID:2492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1632
        
        C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe
        
        "C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Defender\fr-FR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Windows\Performance\WinSAT\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Windows\Performance\WinSAT\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3473891ec9d666d75f967620d0b88f01

SHA1
307df826aa92f28a936a413a98abcf337d9c17e6

SHA256
ae28c30823e59ad81adf55babc41fa9abec0a62070f94e633e401cef56324cb5

SHA512
a96ef590d2668a027a269fb2289435f66eb76bfb60b75a0c00077353f08ec5fbf46f653161257d6da7c77d8c55357c42cdcfd0eb61b8b11f6f3a239aa1a08add

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e26b8b949eff1162975234859648ed0

SHA1
111b7eeb0e4f979143b4e9a90174482b0ce69dbb

SHA256
c1953ccfefa229d2d9768d6bd3c21443c5419a23b98feabe2d1c91a7ec217555

SHA512
1ecdb0162a6246f5bbaee6d9d3da70ad9129fb635ff59e0779ab3d640f7d8c1593fc69d6d03d1633f90b46e8d366dbfee2ac2d99b7464e41301d7de00f8258c1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b62d50e036c95efb972aede3a1bf278

SHA1
2ec7c104641b04b6abd522f54de93b57e77f936b

SHA256
5ce50bdfe4a0ff050986fd5c6b2d4ad15339c5f28912534d7332d213436789cf

SHA512
a655f4152a001bb196bcbc608bbed48a8fc70cc703fea8e3dd9ee8892f908a09cfce0d17fb47fe29dd1c86e11beeea7902b359324d5a02a41c366d2fe08fad8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7a8363a01c934d89742c37a911e16180

SHA1
b47fd7d8caf5262c5a866c9c1d613a8a0efff270

SHA256
dc3ef8498d681da20e82dfefdffedc2f70e8444d36543f39acd65e099db54af9

SHA512
b64bbfcde8d04e169b54ddb2097cc1da8090f231ca6ada370fff53f85203a20aa5f2beaa5e42790908731d3df31de5d878d287e188cdaca040f375647e08bb44

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3e8e8fcbd5ed5107ec8736be9e5dfe1

SHA1
6ae7d841bc868f9218cb10d3b211ed4028d22ab1

SHA256
199356abd19a14785a182f6871a56d6f18729dfbfe1b9dcdc0186195cacc3c14

SHA512
3234b52eeb9abee8b7241a1590187a82db9de7e0359113aab7d23df09880aed25b56e2ad193cddcddc8ade302c8f84e5be525923720d5d0effdbe6366d29140f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1bc8fceb5e9c785e5f1ddf581ecc835a

SHA1
a14cca9fe98a76d9b09d666179d39845b9e25428

SHA256
e6985a0e148bab3f24b4e65d32c8fbee4afeb436a9f99cb2a2b0d83951e5ab70

SHA512
ea775760b679148873164187f9cbb6332a18bb7b07ce895127bee6acfa4e55ff0d12308b6b351a44b8f6132c6406a33797096ac59cdf5022b2ae264ed45c26f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bfdfd276ea5bc5af5cbb7407a52bd8cc

SHA1
342bcf605383ef03a4f0b00f1a87270430993c00

SHA256
e9f7058b0838b4e3aabdf5763ccc768fc0ba185d0851224d30e5d86cef1818ac

SHA512
f99acbafe4965bd192193902133eb0a5286f06dce92ba409af3e0a404c14887c13ce336bd59c44e99b8455af48785e55c3504d064ff5d3b62d68ec70ae2c7577

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d9a8704da1a493d96388947e40eb7f3

SHA1
8cc580ebb3f13dde684e60330979ac4b5d6e3788

SHA256
f81dee8a165ea86330a6cb0f3f2632739d912815ac0be5c9a7f50c2aecc224c3

SHA512
608d5387e19bed449a0d08e153ccaa24bf823027b39dd71e546f1da7aca4c5b3da68d21153ef3616943c38115f4ec26550c519fc077624b20e7c76711b93c72f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7lFc7N4hi3.bat

Filesize
225B

MD5
f4dcd6ce84113f88b4548b641d8ee33a

SHA1
d61d0ab18ecd3ca78f39be48f22a9cb9f08be7b7

SHA256
984904d48e4808ddb88fca2fb3a7f9a4e6fce39e0c8fb8e409466c4ba10a884d

SHA512
05c05f2362cb16bebd73c10f82b81621664598473da195e480638da14169a45a7fe0f71d392bf795bc29c473c4e86bc0cb868e569fe6ef4650609fab9e3c1d10

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3CE3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9KWG0zl28.bat

Filesize
225B

MD5
79aecf00a860d3f434ab35a73afd4617

SHA1
6fd9d43ab4a67a86aac41e9e79d49f05d03d1627

SHA256
8b1072b73c5fe3677f86b851e945ac2ba3ef1511ff03fd0e896414f0b58189b5

SHA512
e0e2b71a5891ffbc65ec08dfcd176dd57df733c1728f558fee90b131621c187bd65ee80a299926745aabd8685f78832d2ef1d30d2e01ff7e4d2c06935b9a49bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat

Filesize
225B

MD5
e944e9091793b6aa4f91821bd726ce97

SHA1
6c4bbeddb468ebb33bed234d14eb623699f8e160

SHA256
d8656f93e62c64896b357a20e2659aa6eea654343e05ec4d88352facb2aa2b0a

SHA512
abfc4e1d690d64692c716160c51851979855518e6dffc2a448a6158378f0771b795a1784624b0364e9ba64ed57ca4091a7c011a04db062baa104bd0462892a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\IQB66TlCJv.bat

Filesize
225B

MD5
5018fbe96cb46e3f3c91c3454d79f6ba

SHA1
8c1808f68eb4e48112029f4a13cfa30a186dc8d9

SHA256
30bf9e47e0aa4677f411567b626374fd403d20fc598eb2324f2ad0ae6a7bd47e

SHA512
4c0504241571194901ae50e44a0c1e59215e9f9ca08defaf5458fec3c0ad0c90407720a754ad7a957cdf9246a4c0f838496bbfb2929eb0a4a5d9def4366966d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat

Filesize
225B

MD5
3cd7453c952c9750697bb3ede560c6f3

SHA1
bd819772b9f46f09510d91b5cdc1a6249940f9d6

SHA256
6fb555ec244cd92509fa7ae07534f66970536b7a2359a327ead0a9df462c5c52

SHA512
ce5171ce0970050af00d0616415e60947423319f4b7c74f754ecd91f526a5c988b911127ddb7e9feb9bebba74c51a087a57197346ebd2ad78aa44f3eb51796e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

Filesize
225B

MD5
7adfe5e281951e0f983f3f3bdd5b5dc5

SHA1
94b9bbce898184161f157f1eb06ac9ba295ac7fa

SHA256
08cad8070dc1cfab8354c2acfe566d2bd2a587a950adc5cba4f1dd288f2b80a9

SHA512
93b187b06b8b5a9d65430497f1842603015d999757eca84f71035dea372f6030d973691b9a7ccadbb1e0bc63b7c500b2c4b781db223a607b41f32b707e79d66b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3D25.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gTQuRhIyam.bat

Filesize
225B

MD5
a6b31b979a6209723d9d9ca4692e08f4

SHA1
b68f41e393cd20788cde81e17252b913bb15efc1

SHA256
473fb03d5b2ad6b8ccd901d369b392c19cbd7d6d0302447bfdaed8a992b586d2

SHA512
b83d9be86fef7e98d65a5a37b52a220d51343802510835e3afd65660ece5559ff2336256d1609dbdce2e01fba1edf63f7832dafd64498b922390eb6530b7a6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\hc9iMPvVJ4.bat

Filesize
225B

MD5
efc41209e3acacd9246ea51fc2a5f39e

SHA1
1e4c5e2b74d75902f0d3c87badbf7c47fa0b571e

SHA256
02f765b78f1e7376843d8057e46985b6c9386950bea21b358d5eacbaa6b3e1ca

SHA512
fe755123af745eaa31b71ad91e828445406cee81602169a8d93dc4fa750d0ff30e0c09a7d347ffdb774423b7581a0acf95158c217bab82ce83addfd514baf37d

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

Filesize
225B

MD5
53628719db96f7153d87e69bd23f1193

SHA1
a5b67eadbb231950f14b69c126f18616552948a6

SHA256
ce050361b2f66bd7e1396ef9a200dd8243b4690bb0106d26e628e58d301c60f9

SHA512
0dae9f685cc316aeb64f6133c50a5df56956564a7d8e55229f13f9c5b3b49256409c419642244d439722475ae40e8ed8f525fd9d12c2613fa3360b9a97841ce1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
225B

MD5
bbb408d2a8851f3e81ca648339e468cc

SHA1
cce4c0d7698a99c278988d1e0a70ebbe65835ec2

SHA256
b3ae83abedf6437f553cd008efa31e931aa7de9b9579103e78bcd5519d575c3d

SHA512
d4cebb7374e2a2f9420208de503289e9771c415b28175938a8705f5d9a6d496d81a104fcac6484044bd1c4bb79b7c0374d37b70dcfbd4c34d653ccea53532002

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
a78eff160d664368c73f9497c54f66af

SHA1
313f35d2dd30caaabea459a851ac837d9cf5b45d

SHA256
1576c9e271a8e2c9a079249ed0fef172af63303be78d9730d3e20bd96abce3af

SHA512
346ac3105bc8284100f04e4adcc2fc53b090f3e7aa54ec5b05bc56e87b7b78a8cfdcf4cacebc554364043982bf6851b0e6890100611fc919df3b907aa9d0e91f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/2020-323-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2056-383-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2068-263-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2152-443-0x0000000000D30000-0x0000000000E40000-memory.dmp

Filesize
1.1MB

Download
memory/2384-203-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2604-85-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/2708-17-0x0000000000180000-0x000000000018C000-memory.dmp

Filesize
48KB

Download
memory/2708-16-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2708-15-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2708-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/2708-13-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/2876-503-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/2952-46-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/2952-48-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download