dcrat | 1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe
Size

1.3MB
MD5

41359465ffcf4cf42b56797e9cfe2b19
SHA1

699753485526fbb1d0b0e84c961a6202bd254a84
SHA256

1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80
SHA512

1b66e6984a4850671b84e36dcec0878d500f9c3eb7c6b104207bcdad8e0ae27ed966340ed63531323e9ca29c8afb88eab3de06c884d059ac764328ef99052404
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	684	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2788	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2788	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000018bf3-9.dat	dcrat
behavioral1/memory/2344-13-0x0000000000950000-0x0000000000A60000-memory.dmp	dcrat
behavioral1/memory/1512-73-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/1904-192-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/1412-252-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/1608-312-0x0000000000D60000-0x0000000000E70000-memory.dmp	dcrat
behavioral1/memory/2748-372-0x0000000001360000-0x0000000001470000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1144	powershell.exe
1148	powershell.exe
1456	powershell.exe
1940	powershell.exe
1620	powershell.exe
1040	powershell.exe
1412	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2344	DllCommonsvc.exe
1512	Idle.exe
2724	Idle.exe
1904	Idle.exe
1412	Idle.exe
1608	Idle.exe
2748	Idle.exe
1620	Idle.exe
1392	Idle.exe
2852	Idle.exe
2900	Idle.exe
2772	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2128	cmd.exe
2128	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\addins\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Windows\addins\75a57c1bdf437c	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
660	schtasks.exe
1256	schtasks.exe
1568	schtasks.exe
2968	schtasks.exe
2872	schtasks.exe
2696	schtasks.exe
1500	schtasks.exe
2856	schtasks.exe
2948	schtasks.exe
1528	schtasks.exe
2624	schtasks.exe
3048	schtasks.exe
1968	schtasks.exe
2456	schtasks.exe
2616	schtasks.exe
684	schtasks.exe
2392	schtasks.exe
1904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2344	DllCommonsvc.exe
1620	powershell.exe
1040	powershell.exe
1148	powershell.exe
1144	powershell.exe
1940	powershell.exe
1412	powershell.exe
1456	powershell.exe
1512	Idle.exe
2724	Idle.exe
1904	Idle.exe
1412	Idle.exe
1608	Idle.exe
2748	Idle.exe
1620	Idle.exe
1392	Idle.exe
2852	Idle.exe
2900	Idle.exe
2772	Idle.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2344	DllCommonsvc.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1144	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	1412	powershell.exe
Token: SeDebugPrivilege	1456	powershell.exe
Token: SeDebugPrivilege	1512	Idle.exe
Token: SeDebugPrivilege	2724	Idle.exe
Token: SeDebugPrivilege	1904	Idle.exe
Token: SeDebugPrivilege	1412	Idle.exe
Token: SeDebugPrivilege	1608	Idle.exe
Token: SeDebugPrivilege	2748	Idle.exe
Token: SeDebugPrivilege	1620	Idle.exe
Token: SeDebugPrivilege	1392	Idle.exe
Token: SeDebugPrivilege	2852	Idle.exe
Token: SeDebugPrivilege	2900	Idle.exe
Token: SeDebugPrivilege	2772	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2472 wrote to memory of 1728	2472	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe	30
PID 2472 wrote to memory of 1728	2472	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe	30
PID 2472 wrote to memory of 1728	2472	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe	30
PID 2472 wrote to memory of 1728	2472	JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe	30
PID 1728 wrote to memory of 2128	1728	WScript.exe	32
PID 1728 wrote to memory of 2128	1728	WScript.exe	32
PID 1728 wrote to memory of 2128	1728	WScript.exe	32
PID 1728 wrote to memory of 2128	1728	WScript.exe	32
PID 2128 wrote to memory of 2344	2128	cmd.exe	34
PID 2128 wrote to memory of 2344	2128	cmd.exe	34
PID 2128 wrote to memory of 2344	2128	cmd.exe	34
PID 2128 wrote to memory of 2344	2128	cmd.exe	34
PID 2344 wrote to memory of 1040	2344	DllCommonsvc.exe	54
PID 2344 wrote to memory of 1040	2344	DllCommonsvc.exe	54
PID 2344 wrote to memory of 1040	2344	DllCommonsvc.exe	54
PID 2344 wrote to memory of 1620	2344	DllCommonsvc.exe	55
PID 2344 wrote to memory of 1620	2344	DllCommonsvc.exe	55
PID 2344 wrote to memory of 1620	2344	DllCommonsvc.exe	55
PID 2344 wrote to memory of 1940	2344	DllCommonsvc.exe	57
PID 2344 wrote to memory of 1940	2344	DllCommonsvc.exe	57
PID 2344 wrote to memory of 1940	2344	DllCommonsvc.exe	57
PID 2344 wrote to memory of 1456	2344	DllCommonsvc.exe	58
PID 2344 wrote to memory of 1456	2344	DllCommonsvc.exe	58
PID 2344 wrote to memory of 1456	2344	DllCommonsvc.exe	58
PID 2344 wrote to memory of 1148	2344	DllCommonsvc.exe	59
PID 2344 wrote to memory of 1148	2344	DllCommonsvc.exe	59
PID 2344 wrote to memory of 1148	2344	DllCommonsvc.exe	59
PID 2344 wrote to memory of 1144	2344	DllCommonsvc.exe	60
PID 2344 wrote to memory of 1144	2344	DllCommonsvc.exe	60
PID 2344 wrote to memory of 1144	2344	DllCommonsvc.exe	60
PID 2344 wrote to memory of 1412	2344	DllCommonsvc.exe	61
PID 2344 wrote to memory of 1412	2344	DllCommonsvc.exe	61
PID 2344 wrote to memory of 1412	2344	DllCommonsvc.exe	61
PID 2344 wrote to memory of 2160	2344	DllCommonsvc.exe	68
PID 2344 wrote to memory of 2160	2344	DllCommonsvc.exe	68
PID 2344 wrote to memory of 2160	2344	DllCommonsvc.exe	68
PID 2160 wrote to memory of 1648	2160	cmd.exe	70
PID 2160 wrote to memory of 1648	2160	cmd.exe	70
PID 2160 wrote to memory of 1648	2160	cmd.exe	70
PID 2160 wrote to memory of 1512	2160	cmd.exe	71
PID 2160 wrote to memory of 1512	2160	cmd.exe	71
PID 2160 wrote to memory of 1512	2160	cmd.exe	71
PID 1512 wrote to memory of 2196	1512	Idle.exe	72
PID 1512 wrote to memory of 2196	1512	Idle.exe	72
PID 1512 wrote to memory of 2196	1512	Idle.exe	72
PID 2196 wrote to memory of 1692	2196	cmd.exe	74
PID 2196 wrote to memory of 1692	2196	cmd.exe	74
PID 2196 wrote to memory of 1692	2196	cmd.exe	74
PID 2196 wrote to memory of 2724	2196	cmd.exe	75
PID 2196 wrote to memory of 2724	2196	cmd.exe	75
PID 2196 wrote to memory of 2724	2196	cmd.exe	75
PID 2724 wrote to memory of 2672	2724	Idle.exe	76
PID 2724 wrote to memory of 2672	2724	Idle.exe	76
PID 2724 wrote to memory of 2672	2724	Idle.exe	76
PID 2672 wrote to memory of 836	2672	cmd.exe	78
PID 2672 wrote to memory of 836	2672	cmd.exe	78
PID 2672 wrote to memory of 836	2672	cmd.exe	78
PID 2672 wrote to memory of 1904	2672	cmd.exe	79
PID 2672 wrote to memory of 1904	2672	cmd.exe	79
PID 2672 wrote to memory of 1904	2672	cmd.exe	79
PID 1904 wrote to memory of 1940	1904	Idle.exe	80
PID 1904 wrote to memory of 1940	1904	Idle.exe	80
PID 1904 wrote to memory of 1940	1904	Idle.exe	80
PID 1940 wrote to memory of 1340	1940	cmd.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1a2168b06845d49bb7795286dde7bbe052b15dc19cacafa3cf0188f5ac2d1b80.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1728
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2344
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1456
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jgzc8Qt4RW.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2160
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1648
      - C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2196
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1692
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:2672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:836
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:1940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1340
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat"
        13⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1964
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat"
        15⤵
        
        PID:760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2928
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat"
        17⤵
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2456
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"
        19⤵
        
        PID:3052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2028
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        21⤵
        
        PID:1748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:3048
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        23⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1704
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat"
        25⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2640
        
        C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe
        
        "C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Windows\addins\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Windows\addins\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 9 /tr "'C:\Windows\addins\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a14da5bbb17261003f54b0e8e0e3e7d8

SHA1
2f700b07e53d19418974f398335a6951ae979840

SHA256
d90b94c659638ace7feaf76749408f8d505f998adf97c9ef61c8a6835294a1b8

SHA512
4f52843fb56e853a50e98ee1c93455b87d4ecc38c2dbedd38b29e7e69d8b0b2720b1d00ae879a9ae1ef11ea7928d912a5e0c9816cb6fdd1ddeb86d1b1515ec3c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c7ad60822ec48b4dbea7b604e10eda7b

SHA1
a257ffaa2d09d4513f1d04c25ee50077e80b1aef

SHA256
39bada7156523d534ae1a3f1a6582e3298816d458ab1979d2379a820698dda1e

SHA512
ea7d442bab16e51f2a540128c105fbe5c6ba89340303481d530c471fcc20fe78d5474f90b48a119e825dddc80e37326120f670038ae546f5aa1dec67f362b25a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b16bdab8d5505180e8cd21f731fa5e4

SHA1
55c54dd844d60c6aadbc1690ccbcc310c04d1e9c

SHA256
6b051b7f554d1905484f5b5344cf22146eda7ad52a850db37a9ed6dc75fe5fab

SHA512
09de7b6fc5c5642c47512cb298cca14c8834b5740ad06d5fd99459c9869bc8fd8a01b564929b85b2d9d6ec58e553243ad25308976a879a1a6702b5893783d943

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46de60ed69c0cde1e4a699ed3cc9c966

SHA1
5600ab2931f6be7b1b489ca3f37079ba42192781

SHA256
fdfc26ba327cc2e4f6829a0763e8b363b7a501a63c9e39739234f0d33055fea0

SHA512
11744102651dc4a59d232e86e9771a8033d70637cc8343132ba46acce8e3e907952ba1681160886720e77dfe44c38f370a192ed04676a32f2b329dd1b4345131

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a94ede577bd674e2bb8fbd6df278eb2

SHA1
d69af8721ca123dba61979cc91a52bc5477a7a41

SHA256
a5718db52afe6c2481769f4926ed35930fe2a4192e811759863de44dbdcb8e65

SHA512
198c838a333b8abaa5e53bbe415cfff81b0d18a45aadb36e755aea73c8f2e4d33378cd217888c054bed4eb95e4059eaa7c947e78cfbe421935aba994e639e39f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f52a623bd9170c8017fed51ca180fbfa

SHA1
1e17fa992a1476bab51b687f6eeea795cf7dbc3d

SHA256
89e37e73848d4fcc386b7aefdad14e0f8204e72edcf9d4b38cc1be2538fdeaad

SHA512
48ea19c3368e19ab2a7c60b2b0ebc286a2ac981d26421de0327b166514a4d493969cce42efe015f3c378ba2c264175b677b15ebc881439833d6806170f24b2bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa0161748d7f805b8e3f47d21615533e

SHA1
4d18cc40d6d2eb016426cbc4756aebf8381e8909

SHA256
02d7458a8631ca6a04cb0753ae883be68d4d0126737a9df50f398a36b95a448e

SHA512
2353ca7f55485c513e573501b08428b4d75c8ed0ac5e1f7a5eba2f08db8648c560e9351a9fe819bb396552767b044e45d061870eb143f1167d2255dfd68bc74d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7950c5399c7e2139298d0c53dcb9a6cf

SHA1
a234e761ee2e7db95d78c50e4d9ed6d5640be5b9

SHA256
f16ccd5bd1b7688ee63cb703e5ae4cad30b3cfd15db4ccecf6e731f3816a3225

SHA512
519a355cff979bd053e1431154c855a6688bc3a8256e882783451ed1f0041067ed88c27bf275bf4e2584c77820929fb5b03e743554ec80889354723f6f96577a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d495c25c1855f483e264d0de66ef9bf

SHA1
873b6e6ee88afc0d8dbe47084fe1669f8fcba46b

SHA256
248f93cd2a2cf171f3891b6e5b3ca5e523745b7271b2eb46b1d4691b33dfd6b0

SHA512
486e1a807efa61b40513fc9d6bc39c27ee15998b52c5b56e9d8152824840f808f8d4a773adb352f56f9c46071e526b4da4d7e6d9ac93f15c4249f503316f1778

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e66f7f184ae4680df868ea8f1e7619b

SHA1
e335d8ddd10faa7d7ba26813df3c531b2ddc63e0

SHA256
50b7c4d59eb351414f2fc8a61eece7c6bd020837a04046cf93ef8b04e6a7df97

SHA512
2089075192af37ce99c6ef6e1804c1f078ea959551f7b1add3036b690a6bdc31b1b066fbfd0c17d1eb2aed2a4a8909545992e224426a4d13c3f9920d7ed25b60

Download Submit
C:\Users\Admin\AppData\Local\Temp\2zdeBu3xOP.bat

Filesize
236B

MD5
e5f2ad6a0627421a2acab24a50b68fd0

SHA1
0fb880cd41b1784756420c6851d064478ed9e9b6

SHA256
6472fc6af54c76c0137c9c62e426c80d89c2bcdd10cc24fe78b1553e8f990fc0

SHA512
8e65a61a735bbfb321637df9d7685d1dc815ab49b5686d4980746aa8b13b1c0d424441fba12a541d5a3b22ef90b5030a311d67ae5aee605c7a7c9999556f9f57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1518.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
236B

MD5
9d6a73e9766f20e8273b2c71ea00fe73

SHA1
e8931c8456e732a8b4257496948efca53e0cc436

SHA256
a735f63e9f3d90d24f6348b1123fddb8a91e6b53eda8c48233dcdcecd1b7a6c2

SHA512
69054ce6b552ede6b812573203be8b565c88f5c2a917275908b6a949b7ca5d5d772f00a620e5c1de84552a07e775045b272dbefcf239168d8a9ba1899b13c45a

Download Submit
C:\Users\Admin\AppData\Local\Temp\HfroAScfQF.bat

Filesize
236B

MD5
bf9b51b311ad0452c0981c2f233b3ef9

SHA1
7f29b374015c3faba46bfd02cf475d94827dd683

SHA256
99602e292de9c02520809b0c72021ddd4e93db4424ecd73786886f77bfc5883d

SHA512
345ddedb15c0a505bc6f993d3804e6cf0d5954c6659d90d31ff14db5d61a30605b74912534bc5b276da9bd080ef07d158c2911c21bc48b288a8f6f40be20ac7e

Download Submit
C:\Users\Admin\AppData\Local\Temp\IMpAoVHioU.bat

Filesize
236B

MD5
e2fd4aaab8e21c42d498e3c67923d3a3

SHA1
9b6fa3a8cb288af78fc96018a41ea595f6aa92fa

SHA256
f29d844c072d7ad4e21bafcf8cdacc5b7cdfb3163acaf6f1b7c9117b4e633838

SHA512
7b5486dd7074fa38419a738596fd9a402d2fd5793d61dfba8d279227b88bacae92f128f5a6c94e03ddcca98381b98cc7bd7d9043d57848481a29d8321587ccbf

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

Filesize
236B

MD5
975f9644fbd77b4f784a3613e7a41cd0

SHA1
3a2c6e684105e23a62b35b0fa62fc12ca2aaf33b

SHA256
c12d913403c7cfaed0c4aa804668f957c3919ee34ce1fedff097ac5be557e19b

SHA512
e36ef81e41969a886bf95999011555bb9a6685a83b078bb7823b439510facb9a3517e2f354dfd986ec6e09e16c2bd10a8612984494ca9e95da11d48475a84a89

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar152B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\V61H6ynXXY.bat

Filesize
236B

MD5
ee354d966204ea87dd1d71588392bb3b

SHA1
7ff86ae7fdb52c949cb9aaef94e703e14a18ef1c

SHA256
7897946c73f4f1082cc80a5a02d4d5205de1dea2d41344cfb22c855a7fe85f03

SHA512
750aef638855040aabeb37c7a23cab7805410b5234afdcc0f36e68daec1fde88a4121eab103a95206cfe34bf6b8c98e422c13a2df5e40974599e8fd5f68b079d

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat

Filesize
236B

MD5
5bfa7abc916c0b8ccc18057cfc96bde8

SHA1
58a7d8f64149957217a93024b584be5450adcb3a

SHA256
26aaf2c45c256dc24c9da80ebe10d635c9ceb7b3418bff8c75eaddd55e5e9986

SHA512
8cf2b55390bd4bda5db905c7d6017a31f70eadf7c2b48c28fb9fa0367a1c8d6b9b8e3ad4927a78c858edaa045e7e331d56d61cf58d56d9e4be50c2f5792618fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat

Filesize
236B

MD5
83ae50d683202204401df4c838424dab

SHA1
2a5821c94fb4217b50baa5dcbc40d09e73f72764

SHA256
7f339881bac28211093cc77336ba22f2af67a02043c06c3fac75c3430a196bb5

SHA512
e5e9102e571aa35172331448ee8e0be1816f4031e81807fb0f4c6e739618cf020552b822dcb2b576b2718c559c168c55345eb04272b4c3ef82b490717da394c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\jgzc8Qt4RW.bat

Filesize
236B

MD5
2ea3e1021482d0b1b8762c7fc10c92de

SHA1
3e546a3260e3fd67eca8f3d950e54601799f2b03

SHA256
ad6cfdfc3431d0f034786bf30e6342d4731b06a152f4c60480f5ecca149f4d73

SHA512
f818b55d627aef67dbc8de02a5993d7ccccf2cd57f40ac8de266c886ea235c8e1624845c343a0816cab93f1a9a81e5b9d551d41b70ec12c666020f0fc5abb268

Download Submit
C:\Users\Admin\AppData\Local\Temp\pCeLVPpGxY.bat

Filesize
236B

MD5
99702e15999ee16121e2a9d5b5670f36

SHA1
e816ce709d4ee7549c21b73bd6bbcc128a67a8ba

SHA256
5038a452fe1b01dbfe9838cca850d1020b90b8c96afefcd15fdb006954b83ba4

SHA512
b4e9cf140c2081f7c04e4b91598980a64d727a83405d6fce6c31031f20576ad490c2ba82e84ebc26eab23635fc3e53fc890ef3f0f4dac60d940b47c4d393abd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTtrehocny.bat

Filesize
236B

MD5
c05f603db14ff5a4d931f324684d446c

SHA1
1e98bfc83967f7f37dc864204bb28279dd2fa01d

SHA256
a98886f4a1a7470cbf7acece88df3f57e52924055fa6722a6e7d343e346f18ba

SHA512
ce7aa7035fa520b174fcb3e006e64bbb6f9da89c336311536d81152248b431c1b9ffadfa977e5eb0813ef96eabbc8e11ef6f0cfb66c8e957734af7eb898fdf1e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b9912c2bf6b32ef058f339d29045a377

SHA1
80bd2293d66674058c4d0bad45231c8bb4f7164c

SHA256
9f0ebc7c3b49855790823c7d63e1e951239d1eaf22ccd444e9e7c3198a104594

SHA512
99b8faf55924793e3ebcd29eae0dcefcab0181b527920cdeafafb5dcbb3a43eafe876fb302c75d08d33424195eb540c20da921980f0662a4e10d52db3d2ab0cb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1412-252-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1512-73-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download
memory/1608-312-0x0000000000D60000-0x0000000000E70000-memory.dmp

Filesize
1.1MB

Download
memory/1620-49-0x000000001B760000-0x000000001BA42000-memory.dmp

Filesize
2.9MB

Download
memory/1620-50-0x0000000001D20000-0x0000000001D28000-memory.dmp

Filesize
32KB

Download
memory/1904-192-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/2344-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2344-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2344-13-0x0000000000950000-0x0000000000A60000-memory.dmp

Filesize
1.1MB

Download
memory/2344-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2344-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2724-132-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2748-372-0x0000000001360000-0x0000000001470000-memory.dmp

Filesize
1.1MB

Download
memory/2772-669-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2852-550-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download