dcrat | a72df599b77dfbe58c07f58ffde681cb8de2de035bc967a4961c57007fe247b5

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:22

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a72df599b77dfbe58c07f58ffde681cb8de2de035bc967a4961c57007fe247b5.exe
Size

1.3MB
MD5

f78f7a3c8a3ee285dede42389a3fb450
SHA1

66e820b3aeef849339632b03e32d3e3d1239f295
SHA256

a72df599b77dfbe58c07f58ffde681cb8de2de035bc967a4961c57007fe247b5
SHA512

3e843bc84847d48d0b719cceb730189bb0d6ba2121461ba016c78463410c1a51b50aebda6fcbc89e31fd23e3ebd0bb65897f666c5f2f2daadbe98537742dd4a6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2892	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2892	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000162b2-12.dat	dcrat
behavioral1/memory/1852-13-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/768-65-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1728-79-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat
behavioral1/memory/2076-220-0x00000000002D0000-0x00000000003E0000-memory.dmp	dcrat
behavioral1/memory/2632-280-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/1124-340-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/2860-695-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2656	powershell.exe
2584	powershell.exe
1228	powershell.exe
2404	powershell.exe
1040	powershell.exe
1840	powershell.exe
1304	powershell.exe
1080	powershell.exe
1720	powershell.exe
2096	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1852	DllCommonsvc.exe
768	DllCommonsvc.exe
1728	dllhost.exe
980	dllhost.exe
2076	dllhost.exe
2632	dllhost.exe
1124	dllhost.exe
2480	dllhost.exe
2100	dllhost.exe
2660	dllhost.exe
2672	dllhost.exe
2808	dllhost.exe
2860	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1832	cmd.exe
1832	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Defender\it-IT\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\it-IT\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\101b941d020240	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\services.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\es-ES\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a72df599b77dfbe58c07f58ffde681cb8de2de035bc967a4961c57007fe247b5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2596	schtasks.exe
2648	schtasks.exe
560	schtasks.exe
1580	schtasks.exe
3056	schtasks.exe
604	schtasks.exe
2076	schtasks.exe
2928	schtasks.exe
300	schtasks.exe
2736	schtasks.exe
2628	schtasks.exe
1692	schtasks.exe
1860	schtasks.exe
1444	schtasks.exe
840	schtasks.exe
2796	schtasks.exe
2356	schtasks.exe
2836	schtasks.exe
2028	schtasks.exe
2632	schtasks.exe
2992	schtasks.exe
1408	schtasks.exe
2792	schtasks.exe
2420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1852	DllCommonsvc.exe
1852	DllCommonsvc.exe
1852	DllCommonsvc.exe
2656	powershell.exe
1080	powershell.exe
1304	powershell.exe
1840	powershell.exe
2584	powershell.exe
1040	powershell.exe
768	DllCommonsvc.exe
1228	powershell.exe
2404	powershell.exe
1720	powershell.exe
2096	powershell.exe
1728	dllhost.exe
980	dllhost.exe
2076	dllhost.exe
2632	dllhost.exe
1124	dllhost.exe
2480	dllhost.exe
2100	dllhost.exe
2660	dllhost.exe
2672	dllhost.exe
2808	dllhost.exe
2860	dllhost.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	1852	DllCommonsvc.exe
Token: SeDebugPrivilege	2656	powershell.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	768	DllCommonsvc.exe
Token: SeDebugPrivilege	1228	powershell.exe
Token: SeDebugPrivilege	2404	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	1728	dllhost.exe
Token: SeDebugPrivilege	980	dllhost.exe
Token: SeDebugPrivilege	2076	dllhost.exe
Token: SeDebugPrivilege	2632	dllhost.exe
Token: SeDebugPrivilege	1124	dllhost.exe
Token: SeDebugPrivilege	2480	dllhost.exe
Token: SeDebugPrivilege	2100	dllhost.exe
Token: SeDebugPrivilege	2660	dllhost.exe
Token: SeDebugPrivilege	2672	dllhost.exe
Token: SeDebugPrivilege	2808	dllhost.exe
Token: SeDebugPrivilege	2860	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2536 wrote to memory of 2540	2536	JaffaCakes118_a72df599b77dfbe58c07f58ffde681cb8de2de035bc967a4961c57007fe247b5.exe	30
PID 2536 wrote to memory of 2540	2536	JaffaCakes118_a72df599b77dfbe58c07f58ffde681cb8de2de035bc967a4961c57007fe247b5.exe	30
PID 2536 wrote to memory of 2540	2536	JaffaCakes118_a72df599b77dfbe58c07f58ffde681cb8de2de035bc967a4961c57007fe247b5.exe	30
PID 2536 wrote to memory of 2540	2536	JaffaCakes118_a72df599b77dfbe58c07f58ffde681cb8de2de035bc967a4961c57007fe247b5.exe	30
PID 2540 wrote to memory of 1832	2540	WScript.exe	31
PID 2540 wrote to memory of 1832	2540	WScript.exe	31
PID 2540 wrote to memory of 1832	2540	WScript.exe	31
PID 2540 wrote to memory of 1832	2540	WScript.exe	31
PID 1832 wrote to memory of 1852	1832	cmd.exe	33
PID 1832 wrote to memory of 1852	1832	cmd.exe	33
PID 1832 wrote to memory of 1852	1832	cmd.exe	33
PID 1832 wrote to memory of 1852	1832	cmd.exe	33
PID 1852 wrote to memory of 1040	1852	DllCommonsvc.exe	50
PID 1852 wrote to memory of 1040	1852	DllCommonsvc.exe	50
PID 1852 wrote to memory of 1040	1852	DllCommonsvc.exe	50
PID 1852 wrote to memory of 1840	1852	DllCommonsvc.exe	51
PID 1852 wrote to memory of 1840	1852	DllCommonsvc.exe	51
PID 1852 wrote to memory of 1840	1852	DllCommonsvc.exe	51
PID 1852 wrote to memory of 1304	1852	DllCommonsvc.exe	52
PID 1852 wrote to memory of 1304	1852	DllCommonsvc.exe	52
PID 1852 wrote to memory of 1304	1852	DllCommonsvc.exe	52
PID 1852 wrote to memory of 2656	1852	DllCommonsvc.exe	53
PID 1852 wrote to memory of 2656	1852	DllCommonsvc.exe	53
PID 1852 wrote to memory of 2656	1852	DllCommonsvc.exe	53
PID 1852 wrote to memory of 2584	1852	DllCommonsvc.exe	54
PID 1852 wrote to memory of 2584	1852	DllCommonsvc.exe	54
PID 1852 wrote to memory of 2584	1852	DllCommonsvc.exe	54
PID 1852 wrote to memory of 1080	1852	DllCommonsvc.exe	55
PID 1852 wrote to memory of 1080	1852	DllCommonsvc.exe	55
PID 1852 wrote to memory of 1080	1852	DllCommonsvc.exe	55
PID 1852 wrote to memory of 1500	1852	DllCommonsvc.exe	60
PID 1852 wrote to memory of 1500	1852	DllCommonsvc.exe	60
PID 1852 wrote to memory of 1500	1852	DllCommonsvc.exe	60
PID 1500 wrote to memory of 1284	1500	cmd.exe	64
PID 1500 wrote to memory of 1284	1500	cmd.exe	64
PID 1500 wrote to memory of 1284	1500	cmd.exe	64
PID 1500 wrote to memory of 768	1500	cmd.exe	65
PID 1500 wrote to memory of 768	1500	cmd.exe	65
PID 1500 wrote to memory of 768	1500	cmd.exe	65
PID 768 wrote to memory of 1720	768	DllCommonsvc.exe	75
PID 768 wrote to memory of 1720	768	DllCommonsvc.exe	75
PID 768 wrote to memory of 1720	768	DllCommonsvc.exe	75
PID 768 wrote to memory of 1228	768	DllCommonsvc.exe	76
PID 768 wrote to memory of 1228	768	DllCommonsvc.exe	76
PID 768 wrote to memory of 1228	768	DllCommonsvc.exe	76
PID 768 wrote to memory of 2404	768	DllCommonsvc.exe	77
PID 768 wrote to memory of 2404	768	DllCommonsvc.exe	77
PID 768 wrote to memory of 2404	768	DllCommonsvc.exe	77
PID 768 wrote to memory of 2096	768	DllCommonsvc.exe	78
PID 768 wrote to memory of 2096	768	DllCommonsvc.exe	78
PID 768 wrote to memory of 2096	768	DllCommonsvc.exe	78
PID 768 wrote to memory of 1728	768	DllCommonsvc.exe	81
PID 768 wrote to memory of 1728	768	DllCommonsvc.exe	81
PID 768 wrote to memory of 1728	768	DllCommonsvc.exe	81
PID 1728 wrote to memory of 1660	1728	dllhost.exe	85
PID 1728 wrote to memory of 1660	1728	dllhost.exe	85
PID 1728 wrote to memory of 1660	1728	dllhost.exe	85
PID 1660 wrote to memory of 2428	1660	cmd.exe	87
PID 1660 wrote to memory of 2428	1660	cmd.exe	87
PID 1660 wrote to memory of 2428	1660	cmd.exe	87
PID 1660 wrote to memory of 980	1660	cmd.exe	88
PID 1660 wrote to memory of 980	1660	cmd.exe	88
PID 1660 wrote to memory of 980	1660	cmd.exe	88
PID 980 wrote to memory of 580	980	dllhost.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a72df599b77dfbe58c07f58ffde681cb8de2de035bc967a4961c57007fe247b5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a72df599b77dfbe58c07f58ffde681cb8de2de035bc967a4961c57007fe247b5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2536
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1832
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1852
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\it-IT\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\glaLsFHc7b.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1284
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Windows directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:768
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1228
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1728
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1660
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2428
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
        10⤵
        
        PID:580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:468
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        12⤵
        
        PID:1320
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1544
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat"
        14⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2064
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1124
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        16⤵
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1176
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat"
        18⤵
        
        PID:3024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2856
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat"
        20⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2948
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
        22⤵
        
        PID:1852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2428
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        24⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1680
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat"
        26⤵
        
        PID:2396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2992
        
        C:\providercommon\dllhost.exe
        
        "C:\providercommon\dllhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\es-ES\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\es-ES\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Defender\it-IT\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\es-ES\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Windows\es-ES\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
225d1851385ec355489c5372b8a2a356

SHA1
b840917be84552023cb7b2d7222f81cc991ba2ff

SHA256
be21bf722a0ad3e141b687aa5c01379dc6150c22df499ac354ceb88e8617143a

SHA512
22ca959f0447890d4d7c59f6e4e7b2f3731b91f92fe05317abfa61f0ae5e0b4bc9cad05e460da47b8e46bbf929bdc5eeaabd677ae9ac568b507fb1f84978526f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eba710cb381383fd997b35b75588c2b4

SHA1
28402ac59960c95e96f1ac39c147fb5830517f10

SHA256
1eabaa1cf44cbb0de653c4f8bd5b7e9eeacfbbc71087a441c0fe9d8f019cd339

SHA512
4c979449a07e87e71abea32e022e57bc50157f8d3201c15ae63278f317635d9aae7337c7630141e9417ed59fab70f9b2760c8041f5951526e3b644a85666d9f8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2077ef0db5ce31e816a95a01148dfa1

SHA1
195a3cc839e459c20e70568742e7df983e3fdc5e

SHA256
f63542b149573a93255b218a891cd844c292287d2f2775669a7056678146b240

SHA512
5d43dbe259128156ff8f1da04e849a7236e7f4ee5ed12d145d1c7cce82cde560f2135aae08b4f79ee33523348dda11edd0731ffda78e0899d148f7297cd78163

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f87f26b888720e5ef1c73b8b175b45ce

SHA1
ccd7d1df20068a9581d7009da00de17a8b6042dd

SHA256
7eb7ebf858afd23de591ff8b4f0ef6eb0b7251b865b1c77aa89970f40b462523

SHA512
cd563e09811e177e0860e03aa2f9e36ac357d603a327386c41075c3c0364087606209c01beba0f5df3bc88aca0b3e1a16badee8a97a426a61160340f3f0604f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fe5b870e1a56176823c193ffcf2006aa

SHA1
e0f2a8f28d3e7969909711789c1da1907779c6d6

SHA256
3d9e7d9e3b1b93e607e6301d56c18b5ac991bbe6663a0242d707400f27ceb9a0

SHA512
bc2df5b55579d9b461ed2e427ebc312335bba5c387bda5529be3e0055044596c9b8f2d3aee31779772464b9ca9d90e19cd872837627f0d737bc2a6d0046b46ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e27d62a51aac499b679422107e7e5bda

SHA1
23b3babd47a07eedb12f09676dd503bb55939d07

SHA256
a0db1d17076d501fd6a386b33819dd918c89d25a3589305d8276ae62d03c8240

SHA512
7295bcecfb138f13cde3ba18a7724f9f4d9b97c8102ab35014a8c82b9a990d160dd710a3c4be332d4e39f1d9c9d252884f9f8dc69641d674700ab2dd69a2c4b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
381d4dc330b84f9962ccb5516d7fa020

SHA1
81100889a68323df4cbb7d581031c94ab30c501b

SHA256
538736d21c082664f28661bb9b4235fb3456a7ef29b1f6af2869a34baffad8a1

SHA512
3cac084cc4dba61c95b2a1bbcebecc5b6e94a0a947184baa7ca5aecf35aa32df2d69b563637e01193740e740509922f4ad6eb805b4ccfd86a9ce4cbe7af9ace3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
959ff212d0f4f44d8fe64d4803b633f9

SHA1
3f3558a220c36389cb6074a7f7add9ea5fa79079

SHA256
f196554d696aec0040d18095525ec36185c94a6d24fc387ec726cd09e7f18db4

SHA512
1f670d66bbd9cef35defd68a91eee2420ea79de5ec2ddb8c4b1955b571874b0adc411ae7a00b27865580ae0e7bbc4ca3fca6dd711317986c6d1fd779994eb67b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcd281d5b207f1cf6130bdf4a98b8961

SHA1
f81242cb934e6a0d541606f82ded88b851e63b64

SHA256
9c433f2ab5b7928aa24d24364095ffde4877f57db6c2c3da5014dcbe77714458

SHA512
189a55eeb4e3f7f401b05c7172e7e40c8cdefb80735894faa68383c93fd8691dbc7be704dc750b2199e61a3aff20c7dd5bbf25ab4ab8b74a5af3c528d3ae05cc

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
194B

MD5
4643b989b2b8ad1e766385b09fa70121

SHA1
2b6159b3112174bdcaca0739db00c66b93a99548

SHA256
9567d0e3bd5c43ee3f8babe02437dad0b0462feabbdf49acc89a62793e194d3e

SHA512
259f88c63554beda5fe58cd5763398e367d27951c62321f2654c261cec001876bc30bf7dce0d649520071736a3183d802f5a950ad6305d085a37811f0accc9f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
194B

MD5
77cb9095dbb35592ebfc3f98a3e3c924

SHA1
e4a74391d321564d5827bda28eba9a9037dc0748

SHA256
85824c82a823378ab245faad118424d49beb4a7a6b81a71e8085be6d6e9ba0d7

SHA512
1988d7c2fb092d1c714bf265cc125f76ea87bfef75c062323348745d453dd141f8b1dbe5fa0be3191f7b7b93735514a263d5c2e6d847cecb8ce22e40fb4e05b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\CV35gbisF1.bat

Filesize
194B

MD5
9c153156d1c566234c01fde61d57c1d7

SHA1
e43ff9f155bd745859e1a5f29764f43f80ff6553

SHA256
4c27dc7646fea743b1cbb6edab1f6211c83dda080534b857ca062d20cc91c1e8

SHA512
78c71f63f7437f4103321c3659c092b4cb661cf4d47d44f214537ca0ecadb094d54634b287ab51fe533838ad4b118f94e0785b103a84a89ad4269172cd11ca32

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD5E7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

Filesize
194B

MD5
f74d57454736805d9d722a063c4d8d4b

SHA1
d0bf67eb0ac74774962421d3d740d7615b29a315

SHA256
10745b423e518293cba0af649fa18f67870c0974f809e790468b73fd0c7448f8

SHA512
b2b6b7df3851b2c7ed0cc3b49008d4e806350734e43599b52acf9968306d23a0a3048053b6ae9d27b171fb9fbfffba84ccba615241026805100332210b0bf088

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD5FA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WM6x9zCNT5.bat

Filesize
194B

MD5
c7620d506044917fbb4e1904e1a87b3d

SHA1
24d4235c50248cb72b7fc2233281714cb3ed6281

SHA256
aa74998fc02a6d04979e2c2484399141a6cfc9e3f0d516df63987359e999f039

SHA512
fc32d56b98623d453513cea6950f41a0f79b5c616e628d718fa604489ff8ddcc328a9bf4793b080f03cc9e0fd2896eecd5f3bfa2e991fcb82091033d89fd60d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
194B

MD5
efe42d775f523a6cdc10b05972fe36b5

SHA1
1218e345e2a05124c1a88463509dfa09e4da802b

SHA256
858f6f2cd17977fcb615889a1d6f730ab9d7bd5c66a4f070f822a13936b8a830

SHA512
8876d1d7a613fe2c4a2bd6b4ef4c06b69e620848201903e9f550b98f7eeb8b8ed8cdb9f092c536fa0087a151072515290c771320ff6ac45f8d18278f44ab7255

Download Submit
C:\Users\Admin\AppData\Local\Temp\ctDgUbHuaY.bat

Filesize
194B

MD5
085c769bb026473afa4bce7f58b06e43

SHA1
4f5361e1f7b91b8bf7bc9a6a6aaa83264301cde3

SHA256
7eae792ab788114d6be5874aad1f90594c521a82a53fc5b5ea5e4c6f1818712f

SHA512
74f36acca0848bc65cf5c1080c28c00d65908cb7e93c7ca56cf5bc271eedfbbc473668083d7dad099454ea46c08586a688617168ea11086c85ecd51203147013

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmTXnddwCX.bat

Filesize
194B

MD5
cdbd68fdad6268e69b50918337d62463

SHA1
9719f7f8fa84c8cdaed410ecf0f7a4742dd779b9

SHA256
95a3d34d1f7030348c42c56318ea8d31c8e9c3f8d19275d33a6a92e340aa5f7f

SHA512
f58077f7385d6ce86d008d5635a020bcf1dea516d64a64885ccf5a9ecbc4b567b2f54669d609c6cb771be90afcd0d7dd4f4d23687c3c8243989d2cf244676c8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\glaLsFHc7b.bat

Filesize
199B

MD5
2b4a3821ce7ffe181a1a4747b282a034

SHA1
9ded4f2f07c1a61128ca5f1b651540c6cdb2859a

SHA256
25ca8b8c0bf614c606b5ded8b9da1103e943720b6d2932952f56cd5fe25895fe

SHA512
b28aa2fda08480c5edcda0e8c323d24821faf20ff426e5876d6c69182625bd35e6426e477ce14d83451b2d3bdbd27b3c169cfb7c23bf6f988d9c1a44e684a391

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat

Filesize
194B

MD5
d45fb5caed2f8ec7d5f2dac3a09154b6

SHA1
b8b42a1913929e7ca6c334263655649ae4b0fe75

SHA256
dfbc55eea0e9c0dbbda400d741612b6ad83ff8db11e979045ebcba5851c06c52

SHA512
fda264339b1f93a2dadd9050a9873e76642fef2ea6a9453c1e902a6caea5a39fd1c6c687bd79bf5810b1fae7dd191deb6b371fa68dc4d1a8c3e39a47f223cad9

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8f6623e8d214b653d8072fdcd04c1c2c

SHA1
fbd352ab9c14748c6cbdd289aa2e640d3ef37d59

SHA256
300270672ca08867ef4cb4f9c1b28d98281b108aee516d9b5aa978e524760f55

SHA512
73509e573251f32c4b3f7c74a710fc842a9e57e906a22d6de672c21085118824633dbc425f4d5d0d20240735d6bc4eabe0fa7e5044c6cf659b8d51c10dd4bfe3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/768-66-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/768-65-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/1124-340-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/1228-87-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1228-86-0x000000001B870000-0x000000001BB52000-memory.dmp

Filesize
2.9MB

Download
memory/1728-79-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/1852-15-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/1852-17-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/1852-16-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/1852-14-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1852-13-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/2076-220-0x00000000002D0000-0x00000000003E0000-memory.dmp

Filesize
1.1MB

Download
memory/2632-280-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2656-37-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2656-52-0x0000000001D00000-0x0000000001D08000-memory.dmp

Filesize
32KB

Download
memory/2860-695-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download