dcrat | d6505d9ac693bb462b099f79e8bad098d8ab100bb7372bd1e2c4dabed9d66e55

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d6505d9ac693bb462b099f79e8bad098d8ab100bb7372bd1e2c4dabed9d66e55.exe
Size

1.3MB
MD5

01e4b77bcda3f08a13f4276c75e0f804
SHA1

7adfce6a162d872f363670660e08b013b1e8e52c
SHA256

d6505d9ac693bb462b099f79e8bad098d8ab100bb7372bd1e2c4dabed9d66e55
SHA512

6538e8c0af8efd6ba110f04f29966a94f35417fe838622b73106bff6dc1bb07ef3448d347ee94ef752626c90c84d072d08078e9bd34f5afac208daa1b6b02aaa
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2884	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001920f-9.dat	dcrat
behavioral1/memory/868-13-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat
behavioral1/memory/1396-62-0x0000000000A60000-0x0000000000B70000-memory.dmp	dcrat
behavioral1/memory/2544-138-0x00000000012D0000-0x00000000013E0000-memory.dmp	dcrat
behavioral1/memory/1920-435-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2232-495-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/2336-555-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/1640-733-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1032	powershell.exe
1196	powershell.exe
1452	powershell.exe
2844	powershell.exe
2860	powershell.exe
2964	powershell.exe
1188	powershell.exe
2820	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
868	DllCommonsvc.exe
1396	dllhost.exe
2544	dllhost.exe
2420	dllhost.exe
1828	dllhost.exe
2116	dllhost.exe
1892	dllhost.exe
1920	dllhost.exe
2232	dllhost.exe
2336	dllhost.exe
2836	dllhost.exe
2424	dllhost.exe
1640	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	cmd.exe
2400	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
40	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\DVD Maker\it-IT\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\services.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\it-IT\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d6505d9ac693bb462b099f79e8bad098d8ab100bb7372bd1e2c4dabed9d66e55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
828	schtasks.exe
1120	schtasks.exe
2848	schtasks.exe
300	schtasks.exe
1956	schtasks.exe
1364	schtasks.exe
1884	schtasks.exe
2372	schtasks.exe
2636	schtasks.exe
2420	schtasks.exe
664	schtasks.exe
2304	schtasks.exe
1680	schtasks.exe
1616	schtasks.exe
1868	schtasks.exe
2676	schtasks.exe
2512	schtasks.exe
2532	schtasks.exe
2984	schtasks.exe
2684	schtasks.exe
2488	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
868	DllCommonsvc.exe
1452	powershell.exe
1188	powershell.exe
1032	powershell.exe
2820	powershell.exe
1196	powershell.exe
2844	powershell.exe
2964	powershell.exe
2860	powershell.exe
1396	dllhost.exe
2544	dllhost.exe
2420	dllhost.exe
1828	dllhost.exe
2116	dllhost.exe
1892	dllhost.exe
1920	dllhost.exe
2232	dllhost.exe
2336	dllhost.exe
2836	dllhost.exe
2424	dllhost.exe
1640	dllhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	868	DllCommonsvc.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2820	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	1396	dllhost.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2544	dllhost.exe
Token: SeDebugPrivilege	2420	dllhost.exe
Token: SeDebugPrivilege	1828	dllhost.exe
Token: SeDebugPrivilege	2116	dllhost.exe
Token: SeDebugPrivilege	1892	dllhost.exe
Token: SeDebugPrivilege	1920	dllhost.exe
Token: SeDebugPrivilege	2232	dllhost.exe
Token: SeDebugPrivilege	2336	dllhost.exe
Token: SeDebugPrivilege	2836	dllhost.exe
Token: SeDebugPrivilege	2424	dllhost.exe
Token: SeDebugPrivilege	1640	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1016 wrote to memory of 2388	1016	JaffaCakes118_d6505d9ac693bb462b099f79e8bad098d8ab100bb7372bd1e2c4dabed9d66e55.exe	30
PID 1016 wrote to memory of 2388	1016	JaffaCakes118_d6505d9ac693bb462b099f79e8bad098d8ab100bb7372bd1e2c4dabed9d66e55.exe	30
PID 1016 wrote to memory of 2388	1016	JaffaCakes118_d6505d9ac693bb462b099f79e8bad098d8ab100bb7372bd1e2c4dabed9d66e55.exe	30
PID 1016 wrote to memory of 2388	1016	JaffaCakes118_d6505d9ac693bb462b099f79e8bad098d8ab100bb7372bd1e2c4dabed9d66e55.exe	30
PID 2388 wrote to memory of 2400	2388	WScript.exe	31
PID 2388 wrote to memory of 2400	2388	WScript.exe	31
PID 2388 wrote to memory of 2400	2388	WScript.exe	31
PID 2388 wrote to memory of 2400	2388	WScript.exe	31
PID 2400 wrote to memory of 868	2400	cmd.exe	33
PID 2400 wrote to memory of 868	2400	cmd.exe	33
PID 2400 wrote to memory of 868	2400	cmd.exe	33
PID 2400 wrote to memory of 868	2400	cmd.exe	33
PID 868 wrote to memory of 2820	868	DllCommonsvc.exe	56
PID 868 wrote to memory of 2820	868	DllCommonsvc.exe	56
PID 868 wrote to memory of 2820	868	DllCommonsvc.exe	56
PID 868 wrote to memory of 1032	868	DllCommonsvc.exe	57
PID 868 wrote to memory of 1032	868	DllCommonsvc.exe	57
PID 868 wrote to memory of 1032	868	DllCommonsvc.exe	57
PID 868 wrote to memory of 1196	868	DllCommonsvc.exe	59
PID 868 wrote to memory of 1196	868	DllCommonsvc.exe	59
PID 868 wrote to memory of 1196	868	DllCommonsvc.exe	59
PID 868 wrote to memory of 1188	868	DllCommonsvc.exe	60
PID 868 wrote to memory of 1188	868	DllCommonsvc.exe	60
PID 868 wrote to memory of 1188	868	DllCommonsvc.exe	60
PID 868 wrote to memory of 2964	868	DllCommonsvc.exe	61
PID 868 wrote to memory of 2964	868	DllCommonsvc.exe	61
PID 868 wrote to memory of 2964	868	DllCommonsvc.exe	61
PID 868 wrote to memory of 1452	868	DllCommonsvc.exe	62
PID 868 wrote to memory of 1452	868	DllCommonsvc.exe	62
PID 868 wrote to memory of 1452	868	DllCommonsvc.exe	62
PID 868 wrote to memory of 2860	868	DllCommonsvc.exe	63
PID 868 wrote to memory of 2860	868	DllCommonsvc.exe	63
PID 868 wrote to memory of 2860	868	DllCommonsvc.exe	63
PID 868 wrote to memory of 2844	868	DllCommonsvc.exe	64
PID 868 wrote to memory of 2844	868	DllCommonsvc.exe	64
PID 868 wrote to memory of 2844	868	DllCommonsvc.exe	64
PID 868 wrote to memory of 1396	868	DllCommonsvc.exe	72
PID 868 wrote to memory of 1396	868	DllCommonsvc.exe	72
PID 868 wrote to memory of 1396	868	DllCommonsvc.exe	72
PID 1396 wrote to memory of 1652	1396	dllhost.exe	74
PID 1396 wrote to memory of 1652	1396	dllhost.exe	74
PID 1396 wrote to memory of 1652	1396	dllhost.exe	74
PID 1652 wrote to memory of 2292	1652	cmd.exe	76
PID 1652 wrote to memory of 2292	1652	cmd.exe	76
PID 1652 wrote to memory of 2292	1652	cmd.exe	76
PID 1652 wrote to memory of 2544	1652	cmd.exe	77
PID 1652 wrote to memory of 2544	1652	cmd.exe	77
PID 1652 wrote to memory of 2544	1652	cmd.exe	77
PID 2544 wrote to memory of 1180	2544	dllhost.exe	78
PID 2544 wrote to memory of 1180	2544	dllhost.exe	78
PID 2544 wrote to memory of 1180	2544	dllhost.exe	78
PID 1180 wrote to memory of 572	1180	cmd.exe	80
PID 1180 wrote to memory of 572	1180	cmd.exe	80
PID 1180 wrote to memory of 572	1180	cmd.exe	80
PID 1180 wrote to memory of 2420	1180	cmd.exe	81
PID 1180 wrote to memory of 2420	1180	cmd.exe	81
PID 1180 wrote to memory of 2420	1180	cmd.exe	81
PID 2420 wrote to memory of 2052	2420	dllhost.exe	82
PID 2420 wrote to memory of 2052	2420	dllhost.exe	82
PID 2420 wrote to memory of 2052	2420	dllhost.exe	82
PID 2052 wrote to memory of 1552	2052	cmd.exe	84
PID 2052 wrote to memory of 1552	2052	cmd.exe	84
PID 2052 wrote to memory of 1552	2052	cmd.exe	84
PID 2052 wrote to memory of 1828	2052	cmd.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6505d9ac693bb462b099f79e8bad098d8ab100bb7372bd1e2c4dabed9d66e55.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d6505d9ac693bb462b099f79e8bad098d8ab100bb7372bd1e2c4dabed9d66e55.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1016
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2388
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2820
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\it-IT\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
    - - C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2292
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:572
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1552
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat"
        12⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1904
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat"
        14⤵
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1740
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat"
        16⤵
        
        PID:984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2752
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
        18⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2308
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        20⤵
        
        PID:844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2700
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat"
        22⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2056
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
        24⤵
        
        PID:2384
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2768
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat"
        26⤵
        
        PID:2576
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1280
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\it-IT\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\it-IT\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
27b1719b0f5e16c63ab445e891348939

SHA1
e67cb19d7e83a62bc721bdf772dc1ec87365b28a

SHA256
d3f3e58681e1ddef2a96b14d2b8e2eddbbb8bd401cc855aae9663358121204f6

SHA512
36040f2aad7d9792f903eb73b8d20ba10c7b763786caae0dccc4112b21945f62ecd04f71134bf013dcd8cdc7b9175722a7708a6a765000c43c1911b6b1abb077

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2bb1836cd46b5f3fd0977be2ce81376

SHA1
f7be277591c92cd42af4ed20ccd19bf5236ae3e9

SHA256
2743f0258471610971fc4fc9a0156330c5e5a8e1a3d490ba2b47b7b581f4f581

SHA512
3326629b68d3941c653d149b64e625e5bd0621d5b5ca7ad2884e466bdb077b20bf26d7fc187312dff5686380de6b610862320e9f1d497b7fbbb39df2872f5b4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
845a489d7c5543cf14e9da97fae05e3b

SHA1
5d21157d4828ba4390f33744b488ce68a4afdf70

SHA256
6ccbc8f7de9d33db4d8dd4edc2c9d38ba856cfd14bf0a3cc6dc4a4fa41835303

SHA512
7365dde42e4b70387b515c690753e7c79779b9eceeafb5ff6668c35c561ffed4bccf3ed53bdc614e47107eef3c93a18c03545dada05baacd1146c08530a19a84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71ccfe041a2de27b94c32c76d61cd778

SHA1
5397b18708b482162204059f2aca21328d78dcf0

SHA256
f0e5b1414838011da49815047ad80b90bb508f25f2d4078ca176ff0743e6647d

SHA512
58d4a096985a407d5dfc11222bb8fb11ac2eb2bffa8975b34f71079419ac5b5a932d4a1f563c320d45f26d26e691221f8b0013759bd5fa89c571bf70a408d9b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3019119a6b4a6c3151fa527ec1c8f07

SHA1
b94310733710c9a1422dbf4fa72c4cbc77f46a58

SHA256
3b40f3357e72779d59be9a01806b5632455de3f9fc875c1c446b4320fd4a93d7

SHA512
0bc03573b7a99629720276d45d642dcbd111208486f3da74059ec140a3c576ea81972e3bfd78bf222940a555ab626cf406864df5dec3c3d46b589d4a072c11b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57eb3bb21a628b5d8de2adb89c5930aa

SHA1
b293c6ceff75d86def37149721dc7a1d67091140

SHA256
39bc974e9ababc2a6c1aa719a346b23f3946ec61ef85531b18d8f4ef629dd70c

SHA512
e6294ed4f0d6818240d443692a0d588b97f3630d5ec54d248fc0f51cf5ea64ffa48d074bb30ac833c04aa87331701881a7b919acf1a9bfc565f4e9953b1afb93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7783ff685850527a888adcef2eca6cfb

SHA1
33353ec84db473bff188d8704afc72d8a75e9bc5

SHA256
565edd3bcd051d5b6cd2a7f65c5301076c611dbd9a646e28f19d18f41b79a36d

SHA512
8f95523d4051034e91c5b51ca0211c4ea13d2b38644ef31ae37465141e1133f77264f4e1a1371eda992bcece7a6666b1d7514ad8581eb0f42ae80df165e23679

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1ea8b5004bf3d0300b31a91358b8b9c5

SHA1
aaeae0c2b3700c371516ea9d3154f29560afce98

SHA256
b931da1460171741b24cb42d18143ac5bff9e4f389d9f5c3f5e318177c44b77c

SHA512
30411bd744bdfd6de6f98d29dfa663496b1fa3fca3ae9442fda839e3de1c2ecc28741f6904fd2fc50e833421ab5a63aeba9e2b0993c1f476186abee8e759141c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
83096713e82df958787c24126a0b15e1

SHA1
bd594bccba56ade8fe32c2a04716ae9bd23271fd

SHA256
aca2d30c9603b0552f52a406bd7549f8fb008f7ef43f00fc6a7ce9cfdf5b5b76

SHA512
8736645c77bbed858c18ddf2892d7ebd2886cebf41ad8991eefe0d58438156b8490c7004eee2e0bc7df3d067cfe1ccedaa78de9b87a2e34d3a71a627ca932f33

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fda1bbae85ce5628b27f82f027affcba

SHA1
0d54fdad0850b80ce973a0351a4ec8c80fa2ec0c

SHA256
b2e87e1271b949bbe31b39f219f8e2a7e36e81453a3bbabc4d9a76c8dd547824

SHA512
33de0928471288fd28b6482c541a0a4292d76a0cc2ba96e2904fe1f82fcb305079dfce7e9997636a7ddb49efa016b152484ebd38312adf126a8c1f80e8b4a132

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat

Filesize
194B

MD5
da6542a7d6854391323ffbfbe6bec22c

SHA1
f00bb236e335c720aef1882a8c3e06faf355efdb

SHA256
3a61c7aa3bb449229f57ed3c17647b12948a435611fc0f138b26cc8fe5ded9b3

SHA512
48c133eaae23f491962a4142932d3c4f8dfc64a72baad5e921c34ecab71025d29483cbe816103cc1e26f611e96efbc25ef38dd2ee86f0288b6d188431cc26d21

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
194B

MD5
77cb9095dbb35592ebfc3f98a3e3c924

SHA1
e4a74391d321564d5827bda28eba9a9037dc0748

SHA256
85824c82a823378ab245faad118424d49beb4a7a6b81a71e8085be6d6e9ba0d7

SHA512
1988d7c2fb092d1c714bf265cc125f76ea87bfef75c062323348745d453dd141f8b1dbe5fa0be3191f7b7b93735514a263d5c2e6d847cecb8ce22e40fb4e05b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\AMKHlt6LWj.bat

Filesize
194B

MD5
2b468de710b98ad57e078aa4342979df

SHA1
dfcdbb025a3444390f811cb928e37fe0daab0a4f

SHA256
009554a3f05567ef0106e2d244c4a891ebb3fefdac04100e1fa54c84bfb365ec

SHA512
393e02c8fb6de51cc7500f31ee45722109b3b350789ffc922889aaf37a274ac020d4ac213e43e84c47cea974450b95ab046d416be2f3bb202b71fbc6b292e63a

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE4B6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat

Filesize
194B

MD5
d5a14d9f1818d1b96bec38cf4899f11e

SHA1
94c27e0f50a9078c1f77e0d8772b57f946c44992

SHA256
ab70a944c5560c539a3d4a04cd87d2e66533d8a93d7ded08a5d45a38e5539974

SHA512
a195cf9f24bfa0f30c26f4fb5a13e8a2e6b1b0b6c36527ee9a6b97cdac56399f53334e217ade54777111a3f49f8616bc4e9a54c7549bd70bfa81f4206b4b504b

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat

Filesize
194B

MD5
29e3f658fe9701cd1e140b4be458dd2c

SHA1
5830bc4154576d585640d6fd977d6cbad7662b7d

SHA256
b19f092a216d12910054d66952193d78241368e28956164ada9105ad8445a593

SHA512
abd763cb63ff4a183d996897d0b592cf3871445eed2d2cb95f58e5f8d98bbd02a1625ee5a6d18353ad69d6a073fcc08debc08469951762138b87bcf7f6240dcf

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat

Filesize
194B

MD5
1f9b81e731121542812be3bca44706d3

SHA1
7996ea5e204a3967fa4234955dcd1a9ddf3c370b

SHA256
2d658b2fc55680caae79478db926e89d775bed401b555a8d06b067c178e2edcb

SHA512
c30f82010e7e2be1167b397944f9379469302b2738152383faa7a0f38b3892d7ef28e4a19b795a86690dfc38e1189c8d3654266a0228f7c958f1b25f7f3acb8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE4D8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VoHf0I0Wzs.bat

Filesize
194B

MD5
b36786ca64b92170a03eb0c850470532

SHA1
33842900a80a0e108fc1adb0d052ff0c00199c11

SHA256
a0450a3a083487c2f4007688f2c46f0505d5ea5cb01a94777983ef059a40c6eb

SHA512
5e4361823a464f597068d94e2b61e1351bdf6f91314cd7d198a27fdfdc9b7bfbe983b3fdad8437497dc154c2a0a42a57bfb0def5459e483e709747f795dfc53d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhQfvaPZ4N.bat

Filesize
194B

MD5
2cd43f1cb11e578d6cc8d523b1daac7e

SHA1
1014f2064b383abdea84fd02a9056b7e6516bc54

SHA256
051ab6c4686ff69667b513295ad80025dafc3c8bb7343775f1133c11c8ef87e0

SHA512
68fc3857d4175f8eabdf0818c4f9a9c1fb17c574d639859ba04e4519d82207896d6861559f201f9ab6b6c854a5858e6f78ca581936bf6c87bf377497ce9e018d

Download Submit
C:\Users\Admin\AppData\Local\Temp\gZmmY05In2.bat

Filesize
194B

MD5
17a2ef34c89338e7d1818417669aee05

SHA1
d49412a30c4fec47343cb664cb258d78a49cd86c

SHA256
8dd6f1c45d41278365553b906d47a5ed474aaadfbec6653506bab7f3b23b56d1

SHA512
f3821d61b1b9aa707fb85540a84eab713803ada298fc910a890bc3856cd5a0cf519aba5ae1da8fed4fc7af8a2e4d9587f83c4338237a4d699dfac84dce7a93f5

Download Submit
C:\Users\Admin\AppData\Local\Temp\lZfwAG7KGX.bat

Filesize
194B

MD5
d9f0a1b54668674aefabbe0d8fd27f50

SHA1
5f3d9fb078055e09c00e9ce25b113219ff0005ad

SHA256
1d242235b192631c53fbf92e6aed50a9112cb5b83d8f288783890ac2c253b73d

SHA512
e5420bba99db0121a580cda8c4d3b07dd636379beed20c037dfeab65e1a282b9849d83f785a21247d3b4eab9725632e767c2ef16847f418a5eaa68dc27bf688d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
194B

MD5
288065600cb3e759be3df0543f2f8a16

SHA1
0d13e4a688106f01221ac2b0a9b0d1576a7afde3

SHA256
77bf94a48f3fb56b0360ab1a7cd0714d8b4f7e312414b3c73f18db5cd697dfc3

SHA512
c925a784071172963f4eebd94dffade9f845c48b1ad0bbcc597b5f3fd4da643027eba81ae7023eba2733d115b97b3e8ee8ccaed0da3855bf2b9c23042210ba54

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
72d4afc5d3072fe6a2c383246df657e7

SHA1
2096a0640942ff59dc1b33a8eb41096abe33de74

SHA256
960e564887beebbfd73f25ff6937607bc8421a48de5b47c432306fb2dd1bd26b

SHA512
8322440d9aa473ae59616861d8c74df33926a9d98ab870009918979c36649a145ebb149d3fe9e899dfd48b6ed94d1fddf94fc928bdade401e25a00e95fd96e07

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/868-14-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/868-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/868-16-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/868-13-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/868-17-0x0000000000AC0000-0x0000000000ACC000-memory.dmp

Filesize
48KB

Download
memory/1396-62-0x0000000000A60000-0x0000000000B70000-memory.dmp

Filesize
1.1MB

Download
memory/1452-65-0x0000000002140000-0x0000000002148000-memory.dmp

Filesize
32KB

Download
memory/1452-63-0x000000001B5E0000-0x000000001B8C2000-memory.dmp

Filesize
2.9MB

Download
memory/1640-733-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/1920-435-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2232-495-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2336-555-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/2544-139-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2544-138-0x00000000012D0000-0x00000000013E0000-memory.dmp

Filesize
1.1MB

Download