dcrat | c6dc13b02ec46cdb39b0de98c3f422e3c9f671c80a2cacbd62bd668a1e336725

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c6dc13b02ec46cdb39b0de98c3f422e3c9f671c80a2cacbd62bd668a1e336725.exe
Size

1.3MB
MD5

ae1e8f7ccbef0f133dd114c607ab109d
SHA1

5b408107da766c6614c47ccfb18acc246eab953d
SHA256

c6dc13b02ec46cdb39b0de98c3f422e3c9f671c80a2cacbd62bd668a1e336725
SHA512

84a4643195bff6800242c8a271397cc188d42f236f9f6cfd490253e63e13192ba245691838e1073d2d29d73ee9d23895585ead316233fb9076d920cbd2da7bc0
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1020	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2936	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2936	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d0c-9.dat	dcrat
behavioral1/memory/2912-13-0x0000000000AF0000-0x0000000000C00000-memory.dmp	dcrat
behavioral1/memory/2232-47-0x0000000000A00000-0x0000000000B10000-memory.dmp	dcrat
behavioral1/memory/1540-142-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/1696-261-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1600-321-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1948-381-0x00000000009F0000-0x0000000000B00000-memory.dmp	dcrat
behavioral1/memory/2696-441-0x0000000000A80000-0x0000000000B90000-memory.dmp	dcrat
behavioral1/memory/1728-502-0x0000000000FD0000-0x00000000010E0000-memory.dmp	dcrat
behavioral1/memory/2568-621-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2252	powershell.exe
2180	powershell.exe
2416	powershell.exe
2132	powershell.exe
2140	powershell.exe
2136	powershell.exe
2164	powershell.exe
2404	powershell.exe
2276	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2912	DllCommonsvc.exe
2232	OSPPSVC.exe
1540	OSPPSVC.exe
2240	OSPPSVC.exe
1696	OSPPSVC.exe
1600	OSPPSVC.exe
1948	OSPPSVC.exe
2696	OSPPSVC.exe
1728	OSPPSVC.exe
2772	OSPPSVC.exe
2568	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
1372	cmd.exe
1372	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
15	raw.githubusercontent.com
21	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
18	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Uninstall Information\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Uninstall Information\dllhost.exe	DllCommonsvc.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File created	C:\Windows\Resources\Themes\Aero\en-US\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\Resources\Themes\Aero\en-US\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\Tasks\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c6dc13b02ec46cdb39b0de98c3f422e3c9f671c80a2cacbd62bd668a1e336725.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2708	schtasks.exe
1644	schtasks.exe
980	schtasks.exe
1612	schtasks.exe
2568	schtasks.exe
2660	schtasks.exe
2584	schtasks.exe
2856	schtasks.exe
2748	schtasks.exe
2812	schtasks.exe
2428	schtasks.exe
2092	schtasks.exe
2108	schtasks.exe
2944	schtasks.exe
856	schtasks.exe
2012	schtasks.exe
1152	schtasks.exe
3000	schtasks.exe
1976	schtasks.exe
2504	schtasks.exe
1476	schtasks.exe
3004	schtasks.exe
1020	schtasks.exe
2192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2912	DllCommonsvc.exe
2276	powershell.exe
2416	powershell.exe
2140	powershell.exe
2132	powershell.exe
2180	powershell.exe
2136	powershell.exe
2164	powershell.exe
2404	powershell.exe
2252	powershell.exe
2232	OSPPSVC.exe
1540	OSPPSVC.exe
2240	OSPPSVC.exe
1696	OSPPSVC.exe
1600	OSPPSVC.exe
1948	OSPPSVC.exe
2696	OSPPSVC.exe
1728	OSPPSVC.exe
2772	OSPPSVC.exe
2568	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2912	DllCommonsvc.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	2416	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2232	OSPPSVC.exe
Token: SeDebugPrivilege	1540	OSPPSVC.exe
Token: SeDebugPrivilege	2240	OSPPSVC.exe
Token: SeDebugPrivilege	1696	OSPPSVC.exe
Token: SeDebugPrivilege	1600	OSPPSVC.exe
Token: SeDebugPrivilege	1948	OSPPSVC.exe
Token: SeDebugPrivilege	2696	OSPPSVC.exe
Token: SeDebugPrivilege	1728	OSPPSVC.exe
Token: SeDebugPrivilege	2772	OSPPSVC.exe
Token: SeDebugPrivilege	2568	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2412 wrote to memory of 3068	2412	JaffaCakes118_c6dc13b02ec46cdb39b0de98c3f422e3c9f671c80a2cacbd62bd668a1e336725.exe	29
PID 2412 wrote to memory of 3068	2412	JaffaCakes118_c6dc13b02ec46cdb39b0de98c3f422e3c9f671c80a2cacbd62bd668a1e336725.exe	29
PID 2412 wrote to memory of 3068	2412	JaffaCakes118_c6dc13b02ec46cdb39b0de98c3f422e3c9f671c80a2cacbd62bd668a1e336725.exe	29
PID 2412 wrote to memory of 3068	2412	JaffaCakes118_c6dc13b02ec46cdb39b0de98c3f422e3c9f671c80a2cacbd62bd668a1e336725.exe	29
PID 3068 wrote to memory of 1372	3068	WScript.exe	30
PID 3068 wrote to memory of 1372	3068	WScript.exe	30
PID 3068 wrote to memory of 1372	3068	WScript.exe	30
PID 3068 wrote to memory of 1372	3068	WScript.exe	30
PID 1372 wrote to memory of 2912	1372	cmd.exe	32
PID 1372 wrote to memory of 2912	1372	cmd.exe	32
PID 1372 wrote to memory of 2912	1372	cmd.exe	32
PID 1372 wrote to memory of 2912	1372	cmd.exe	32
PID 2912 wrote to memory of 2164	2912	DllCommonsvc.exe	58
PID 2912 wrote to memory of 2164	2912	DllCommonsvc.exe	58
PID 2912 wrote to memory of 2164	2912	DllCommonsvc.exe	58
PID 2912 wrote to memory of 2404	2912	DllCommonsvc.exe	59
PID 2912 wrote to memory of 2404	2912	DllCommonsvc.exe	59
PID 2912 wrote to memory of 2404	2912	DllCommonsvc.exe	59
PID 2912 wrote to memory of 2276	2912	DllCommonsvc.exe	60
PID 2912 wrote to memory of 2276	2912	DllCommonsvc.exe	60
PID 2912 wrote to memory of 2276	2912	DllCommonsvc.exe	60
PID 2912 wrote to memory of 2416	2912	DllCommonsvc.exe	61
PID 2912 wrote to memory of 2416	2912	DllCommonsvc.exe	61
PID 2912 wrote to memory of 2416	2912	DllCommonsvc.exe	61
PID 2912 wrote to memory of 2252	2912	DllCommonsvc.exe	62
PID 2912 wrote to memory of 2252	2912	DllCommonsvc.exe	62
PID 2912 wrote to memory of 2252	2912	DllCommonsvc.exe	62
PID 2912 wrote to memory of 2136	2912	DllCommonsvc.exe	63
PID 2912 wrote to memory of 2136	2912	DllCommonsvc.exe	63
PID 2912 wrote to memory of 2136	2912	DllCommonsvc.exe	63
PID 2912 wrote to memory of 2140	2912	DllCommonsvc.exe	64
PID 2912 wrote to memory of 2140	2912	DllCommonsvc.exe	64
PID 2912 wrote to memory of 2140	2912	DllCommonsvc.exe	64
PID 2912 wrote to memory of 2132	2912	DllCommonsvc.exe	65
PID 2912 wrote to memory of 2132	2912	DllCommonsvc.exe	65
PID 2912 wrote to memory of 2132	2912	DllCommonsvc.exe	65
PID 2912 wrote to memory of 2180	2912	DllCommonsvc.exe	66
PID 2912 wrote to memory of 2180	2912	DllCommonsvc.exe	66
PID 2912 wrote to memory of 2180	2912	DllCommonsvc.exe	66
PID 2912 wrote to memory of 2232	2912	DllCommonsvc.exe	76
PID 2912 wrote to memory of 2232	2912	DllCommonsvc.exe	76
PID 2912 wrote to memory of 2232	2912	DllCommonsvc.exe	76
PID 2232 wrote to memory of 3000	2232	OSPPSVC.exe	77
PID 2232 wrote to memory of 3000	2232	OSPPSVC.exe	77
PID 2232 wrote to memory of 3000	2232	OSPPSVC.exe	77
PID 3000 wrote to memory of 552	3000	cmd.exe	79
PID 3000 wrote to memory of 552	3000	cmd.exe	79
PID 3000 wrote to memory of 552	3000	cmd.exe	79
PID 3000 wrote to memory of 1540	3000	cmd.exe	80
PID 3000 wrote to memory of 1540	3000	cmd.exe	80
PID 3000 wrote to memory of 1540	3000	cmd.exe	80
PID 1540 wrote to memory of 1612	1540	OSPPSVC.exe	81
PID 1540 wrote to memory of 1612	1540	OSPPSVC.exe	81
PID 1540 wrote to memory of 1612	1540	OSPPSVC.exe	81
PID 1612 wrote to memory of 1720	1612	cmd.exe	83
PID 1612 wrote to memory of 1720	1612	cmd.exe	83
PID 1612 wrote to memory of 1720	1612	cmd.exe	83
PID 1612 wrote to memory of 2240	1612	cmd.exe	84
PID 1612 wrote to memory of 2240	1612	cmd.exe	84
PID 1612 wrote to memory of 2240	1612	cmd.exe	84
PID 2240 wrote to memory of 840	2240	OSPPSVC.exe	85
PID 2240 wrote to memory of 840	2240	OSPPSVC.exe	85
PID 2240 wrote to memory of 840	2240	OSPPSVC.exe	85
PID 840 wrote to memory of 1676	840	cmd.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6dc13b02ec46cdb39b0de98c3f422e3c9f671c80a2cacbd62bd668a1e336725.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c6dc13b02ec46cdb39b0de98c3f422e3c9f671c80a2cacbd62bd668a1e336725.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2412
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3068
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1372
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Resources\Themes\Aero\en-US\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\debug\WIA\OSPPSVC.exe
        
        "C:\Windows\debug\WIA\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2232
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:552
        
        C:\Windows\debug\WIA\OSPPSVC.exe
        
        "C:\Windows\debug\WIA\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1720
        
        C:\Windows\debug\WIA\OSPPSVC.exe
        
        "C:\Windows\debug\WIA\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1676
        
        C:\Windows\debug\WIA\OSPPSVC.exe
        
        "C:\Windows\debug\WIA\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        12⤵
        
        PID:784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1264
        
        C:\Windows\debug\WIA\OSPPSVC.exe
        
        "C:\Windows\debug\WIA\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
        14⤵
        
        PID:1072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:700
        
        C:\Windows\debug\WIA\OSPPSVC.exe
        
        "C:\Windows\debug\WIA\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1948
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat"
        16⤵
        
        PID:308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:772
        
        C:\Windows\debug\WIA\OSPPSVC.exe
        
        "C:\Windows\debug\WIA\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        18⤵
        
        PID:2724
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1796
        
        C:\Windows\debug\WIA\OSPPSVC.exe
        
        "C:\Windows\debug\WIA\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
        20⤵
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1520
        
        C:\Windows\debug\WIA\OSPPSVC.exe
        
        "C:\Windows\debug\WIA\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        22⤵
        
        PID:1808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1608
        
        C:\Windows\debug\WIA\OSPPSVC.exe
        
        "C:\Windows\debug\WIA\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat"
        24⤵
        
        PID:2588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Application Data\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Application Data\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\SendTo\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Windows\Resources\Themes\Aero\en-US\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\Resources\Themes\Aero\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\Resources\Themes\Aero\en-US\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Windows\debug\WIA\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\debug\WIA\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\debug\WIA\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Windows\Tasks\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\Tasks\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73e4c7e973155d1549725e7662c4798c

SHA1
b9cfa293ae651568bcf9cadba84bb9a665d90ba5

SHA256
706bdf9bc69d5cef64acff41afaa852528c9cc2de4c4245dd2ffd6207163b7ed

SHA512
70d0871a1a56659f78e1832f6b72f2d2dd021c01071c8021fad9de6a54fc54c952ae877b729ee77f68a277a8df923a6c8b74c9f2b4c3727405c0d53e6e5a5b28

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ceabc32ab23d1c829c2c139b9e833edb

SHA1
f9f0238035a056cdefa68ff8ebf3a93fb9b7eceb

SHA256
28d75f4fd766eb0ceae43168032564d25ff688a06fba1bebc8a1f555c6637366

SHA512
b45b40c46aacbde75771709f58e7d1f331a812d8ca91349a783fc32a5fba0d56e56510578a7f7be8981958dee72dcf3bd6f92a318b416d96959ff4afe3d94b5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b455e422b8605aca6e406d2bb90431d

SHA1
4704f51015c37ff2facb02592beeaddc79e2c938

SHA256
6ca874b346f3ccfb5d6d026ad21cf1bf4a180057db12c779de4530ae455bb456

SHA512
6120f52e06e8e5f0303551da72d7ac32e450f537d1067bbf7e9d6b35c3578373f93f90d95f1b512c5fcca91ea194587260c29c4cecba9ed17bfbafb9747c3163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eb347c46ca270c80ad6a23b24f8446fc

SHA1
8dbbe63942c1631513daab313e29170863a67778

SHA256
9d6292ed4f914e68451f06ec20d97a871716ffef05b896453df01ddacb3e905c

SHA512
126a7d5951802f8ced272e72db847b6e7dd864a0f38340cd01a0b99f8952e33ad54715b085461f680003a634a4e5d829643bce1b2ab866b7eb36c298345336f9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59c4c0257cb01114f54fc947fb8b1d87

SHA1
fd9a138f68e91f970bb54d8a5d0881b332997fd8

SHA256
685040f1915ba18a63a2724b7d8a6c41b5b9286a88bac0f7b300039f2015a6f4

SHA512
b4eaed815f21acd6a171d86278f70f9cfc40a3e17ba5bbbd90bacb4515786fbb31fb4ed8a09ff8b320d2bf45ed0f77792235f9c478ee5c76ced3522f8d690647

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2dd90be52377f8e7d968688e3f54ef46

SHA1
2ade2dee1b76072119cc89759a20c62ae7a7dccb

SHA256
44bd35705c5c7c187aa4d2e919b4684f72a166a9be61a3e216a3344533fe065a

SHA512
43dcf2cc82dc5651def42ba60548f2e26ea00ec9e1538eac9dbb0f5ccab3aa8c78701a673c8599d097883fc69cf2893b33ef93c1b9d49fad8109f12b382da337

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
478e5c4ed0592713f42a62f44c1eac07

SHA1
df8a3c495771f4709252a384252375f8f9696d13

SHA256
31591eaca5999d2cc6d87b6accfcf2e91636bb326802f7cad69ecb7c29d65c9b

SHA512
c79efc38b76683b7f2eb73384550f0de79ddb9a4933916c52fafbbd0104dbb4e87278e28d58f181e4b585c2384627256e702a6caee0dcf9d5ab8701108c192ce

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a82b45d2f797fa0b386769f7ccdb2ba0

SHA1
3a9f11692a0233ff43d83f8175c55b17fdf512bd

SHA256
e0ca46bdf52a828d15d9b43bef9bf37ec42b9e8c123b0baf60df49d64f1a563e

SHA512
06c612deb8a23e2986ecab6b14accdd32ecdb499e7d8e6ab41e007325081c9950cb47df0df47de0f6298a9a39dc4e10545d2c43b45711210cc2f07e3026ae1f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
25b7d7d6d47b1b8cdf173ce19c42f32e

SHA1
8c341a5731716cb494d2e60c2b52382425031c0b

SHA256
cbeb4025145844e6927a6053591bd05f5d77ad30c462003c1d74191c21d9ef96

SHA512
0f443b4fd8c1dbe8df078111efe1d6b973a48fa011e5e0bdcf2be2d014e7530e19307c75127ea44288182e5e9e3ecb6a52c6ddbb275fa5c99a5e8d2f9b97111d

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat

Filesize
197B

MD5
d5c229f4e4ed34ed87d82a283dc79638

SHA1
f390660c9349cefcad13287283ac6676434aa173

SHA256
65959e36b894ca90c0eb4dc663eefd6d54a934eb49d7c822d63d716ae8e1a905

SHA512
357ffffd3b762a2e02655cae2394eb9a67b309118f73dc0785baf4769d356ee159962d052385c43336b8493361df8b57cfc6249254b884d5ba6324a4d9b581f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
197B

MD5
c0724ad227d25c49ed9661a4b7698a1e

SHA1
2445b073e0e6786d543924b0b59bec31faa1a2bd

SHA256
60b7929aca65c4a0951555f7ee89982ad2aa75675dea26758040f1f587946d4e

SHA512
f978db431f55fbfb86cef6180c46203caa8680d6c6e7eae5ee470ce538eb934e28db7d9a2a35c290b90a5cf0db6f61bacd25917ab70c25b2f69e212cf784fca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
197B

MD5
b1ae9412c8162aab35919e3834f06997

SHA1
1a498827bce6c65bb10065da3edf4860dedc6a48

SHA256
5f4512574adae7b534dd7e4dc822566bb512d0da50755d7cf7adac0d5cae02c3

SHA512
287f8c2e421c83e6dbb65439810542b5fd1b69e63831e77cd451057e5f31ecbe9e4ebe278b5bf4ac451c108479ad2642a1f90035a9a0f90f7ed53560aaf20fbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab7551.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EOPCJ2Obyf.bat

Filesize
197B

MD5
750371532ae17657e3825fb490a0dc38

SHA1
6dfe30cf2b43f1c392a2dbc6a570115ac4db7841

SHA256
e814e1af54cbf60f63a705a7c9ae5df8b11ad9231c2531027de65e3e9195b09d

SHA512
03dc9d2d713e73c4b43554a1c43819788fe8ea0d3f8d801bc5d0c29efeebde294898215231e745e6398831e4379b709e3baabe5fddc7adc14131ad592680f3e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar75F0.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat

Filesize
197B

MD5
fc09c79ab2dc9a7cafdc60d4a4d01857

SHA1
f860bcced3b393e58f9997366c5e0e3baa6d5ae3

SHA256
00577895f2215e46fe2e44907370a37c8d717bce32905bef4413a685778e0043

SHA512
42a15534647648428cc6396975dcf149e1fd6d8c3ab3bf2d93296db437af691389c55df9b36bc7de0917b1fee545e1b887ee464b99f3604f565a73d86a68ea94

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

Filesize
197B

MD5
569f0b2ead9784912185c3cb21031a08

SHA1
ce84e92bf688ac18794c096979aa0743544c9e61

SHA256
70b840f439d098d8bbc64342d51741d4f48e37da07cba3ded5b32318453f85fa

SHA512
e1f1a9a8f10ae98430717206e1a2c6d6d2c543080e1969113853ecdc631d52ececb011a5cc0c469b6f3ae113c1fdc7430c67c15b1f5fe5d582aa445264ef799d

Download Submit
C:\Users\Admin\AppData\Local\Temp\j2qd1ZwTnL.bat

Filesize
197B

MD5
98d8bf7529ffd28ee44f35fdea6e633f

SHA1
14cebf4a1fde0ffc4d498fe52ff70a7d930d91e4

SHA256
bf8e746b5bb6f2454d8e4784e2e5502fd4fa595a2c0146e87e19ef6b6a8394f3

SHA512
0c3a48f4395b28056b548135d0873d05bd807f1b4f7f9ec59392527f824fbb72ffb9211cfc13a2236c51fd6f6e693f8de2c2d861716de3ddbc2e291495fcbca2

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
197B

MD5
143a3921c2cafd1b9eeb74385760c18f

SHA1
03a3213784cc481233503a9455c90ddebe75bde4

SHA256
e9b0f763dbe6865163c0c2a42bffd7c5572d7d1c7192198f0213d694c338020d

SHA512
892808bb8dcae1061b4eb7505dcbf18ee2332452438f9dd60f2f54520dbab9c7257ec0e28106169eb7e3e06c529944fd50249a8ba4b0e0861cad2df097e7d447

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
197B

MD5
5f1927a371aea8e2cef7bb2fee4789a1

SHA1
d7af93ec14378f683b8afc500ca193e9c8153288

SHA256
cb64fa739c7f5d43aefe9b58d6d9f9545e9d2d9d0d245d34626469049e7c47f6

SHA512
3ad3fdeada435944d02547837bed21ca9c31680f4f4ec20de3d9cbd56c45c9594a4a0cf9d3ce8b19dd84acb14846eac2d793c1a20e2df55106641ea10e04c3e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\yoQf8QHV2Q.bat

Filesize
197B

MD5
7cef34a45a9acf3c08a1b683ba039cb8

SHA1
4db942035fbed922431bdaa72af05e139a792d7f

SHA256
d880abfc4a1f50e05a6f30acfdab4df663c35f03d57189650913d2ca66c64cf4

SHA512
d9d2c2880d42d3f681b0b7c82e542dc27dac7cc1959f8bd7f74accf3b0e6e308b77c7458802aef0a38cc454fb807a52812552d5aedea7a33a355c1149dfa224f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\0R66CH6XJTISOQH6UW4I.temp

Filesize
7KB

MD5
d6a80810ad3db2db12fcf2c5005d18e5

SHA1
ae011d6beb1f6455d465a54ba3d10f541551dcfe

SHA256
e1fda94a21c0347e7d7260dde40a0ba5d6a672a84261df041a0e9428afc145bf

SHA512
f7a63dfa17977c351a0e160fe320b93e703e6786ce9743529a1f38c78aa34c34376d9798322c04870cc3ea282dfb09dd20fcefd6a00638efaf91fc4117f18e95

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1540-142-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/1600-321-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/1696-261-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/1728-502-0x0000000000FD0000-0x00000000010E0000-memory.dmp

Filesize
1.1MB

Download
memory/1948-381-0x00000000009F0000-0x0000000000B00000-memory.dmp

Filesize
1.1MB

Download
memory/2232-47-0x0000000000A00000-0x0000000000B10000-memory.dmp

Filesize
1.1MB

Download
memory/2276-48-0x000000001B360000-0x000000001B642000-memory.dmp

Filesize
2.9MB

Download
memory/2276-51-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2568-621-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2696-442-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2696-441-0x0000000000A80000-0x0000000000B90000-memory.dmp

Filesize
1.1MB

Download
memory/2912-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2912-16-0x000000001ABE0000-0x000000001ABEC000-memory.dmp

Filesize
48KB

Download
memory/2912-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2912-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2912-13-0x0000000000AF0000-0x0000000000C00000-memory.dmp

Filesize
1.1MB

Download