dcrat | ae99a01c04557a432c5f193bc66c33c1f23c73eb386f0d1ec715e193db09bb31

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ae99a01c04557a432c5f193bc66c33c1f23c73eb386f0d1ec715e193db09bb31.exe
Size

1.3MB
MD5

5915c8c9480901e54dd8cc0689a7ac9d
SHA1

f915ec288aa5ea288df3ab81fc4fdbb9a2c9b138
SHA256

ae99a01c04557a432c5f193bc66c33c1f23c73eb386f0d1ec715e193db09bb31
SHA512

00d3f6c6cb93c61e90caef1ef669b81f255ea731af5b45729b4dd220c655d4b5126ac55ae174b1afe87a064c2a497d27162a1fc26b0a5db68d8ddc2f8f744b04
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1208	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	756	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2588	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001686c-9.dat	dcrat
behavioral1/memory/2688-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/1920-87-0x0000000000CB0000-0x0000000000DC0000-memory.dmp	dcrat
behavioral1/memory/984-146-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/1596-206-0x0000000000230000-0x0000000000340000-memory.dmp	dcrat
behavioral1/memory/2732-266-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/2868-327-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/984-387-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/300-448-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/1612-567-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2208	powershell.exe
2120	powershell.exe
1696	powershell.exe
1680	powershell.exe
1388	powershell.exe
2140	powershell.exe
2364	powershell.exe
2496	powershell.exe
2224	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2688	DllCommonsvc.exe
1920	lsm.exe
984	lsm.exe
1596	lsm.exe
2732	lsm.exe
2868	lsm.exe
984	lsm.exe
300	lsm.exe
2828	lsm.exe
1612	lsm.exe
1720	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2904	cmd.exe
2904	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\TAPI\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\TAPI\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\TAPI\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ae99a01c04557a432c5f193bc66c33c1f23c73eb386f0d1ec715e193db09bb31.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2620	schtasks.exe
1476	schtasks.exe
1308	schtasks.exe
576	schtasks.exe
2928	schtasks.exe
2348	schtasks.exe
2132	schtasks.exe
692	schtasks.exe
2100	schtasks.exe
1868	schtasks.exe
2452	schtasks.exe
1068	schtasks.exe
1504	schtasks.exe
2188	schtasks.exe
1992	schtasks.exe
2356	schtasks.exe
1208	schtasks.exe
1300	schtasks.exe
448	schtasks.exe
1644	schtasks.exe
2788	schtasks.exe
3020	schtasks.exe
2008	schtasks.exe
756	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2688	DllCommonsvc.exe
2140	powershell.exe
1696	powershell.exe
2496	powershell.exe
2208	powershell.exe
2224	powershell.exe
2364	powershell.exe
2120	powershell.exe
1388	powershell.exe
1680	powershell.exe
1920	lsm.exe
984	lsm.exe
1596	lsm.exe
2732	lsm.exe
2868	lsm.exe
984	lsm.exe
300	lsm.exe
2828	lsm.exe
1612	lsm.exe
1720	lsm.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2688	DllCommonsvc.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1920	lsm.exe
Token: SeDebugPrivilege	984	lsm.exe
Token: SeDebugPrivilege	1596	lsm.exe
Token: SeDebugPrivilege	2732	lsm.exe
Token: SeDebugPrivilege	2868	lsm.exe
Token: SeDebugPrivilege	984	lsm.exe
Token: SeDebugPrivilege	300	lsm.exe
Token: SeDebugPrivilege	2828	lsm.exe
Token: SeDebugPrivilege	1612	lsm.exe
Token: SeDebugPrivilege	1720	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2116 wrote to memory of 2864	2116	JaffaCakes118_ae99a01c04557a432c5f193bc66c33c1f23c73eb386f0d1ec715e193db09bb31.exe	30
PID 2116 wrote to memory of 2864	2116	JaffaCakes118_ae99a01c04557a432c5f193bc66c33c1f23c73eb386f0d1ec715e193db09bb31.exe	30
PID 2116 wrote to memory of 2864	2116	JaffaCakes118_ae99a01c04557a432c5f193bc66c33c1f23c73eb386f0d1ec715e193db09bb31.exe	30
PID 2116 wrote to memory of 2864	2116	JaffaCakes118_ae99a01c04557a432c5f193bc66c33c1f23c73eb386f0d1ec715e193db09bb31.exe	30
PID 2864 wrote to memory of 2904	2864	WScript.exe	31
PID 2864 wrote to memory of 2904	2864	WScript.exe	31
PID 2864 wrote to memory of 2904	2864	WScript.exe	31
PID 2864 wrote to memory of 2904	2864	WScript.exe	31
PID 2904 wrote to memory of 2688	2904	cmd.exe	33
PID 2904 wrote to memory of 2688	2904	cmd.exe	33
PID 2904 wrote to memory of 2688	2904	cmd.exe	33
PID 2904 wrote to memory of 2688	2904	cmd.exe	33
PID 2688 wrote to memory of 2208	2688	DllCommonsvc.exe	59
PID 2688 wrote to memory of 2208	2688	DllCommonsvc.exe	59
PID 2688 wrote to memory of 2208	2688	DllCommonsvc.exe	59
PID 2688 wrote to memory of 2120	2688	DllCommonsvc.exe	60
PID 2688 wrote to memory of 2120	2688	DllCommonsvc.exe	60
PID 2688 wrote to memory of 2120	2688	DllCommonsvc.exe	60
PID 2688 wrote to memory of 2496	2688	DllCommonsvc.exe	61
PID 2688 wrote to memory of 2496	2688	DllCommonsvc.exe	61
PID 2688 wrote to memory of 2496	2688	DllCommonsvc.exe	61
PID 2688 wrote to memory of 1696	2688	DllCommonsvc.exe	62
PID 2688 wrote to memory of 1696	2688	DllCommonsvc.exe	62
PID 2688 wrote to memory of 1696	2688	DllCommonsvc.exe	62
PID 2688 wrote to memory of 1680	2688	DllCommonsvc.exe	63
PID 2688 wrote to memory of 1680	2688	DllCommonsvc.exe	63
PID 2688 wrote to memory of 1680	2688	DllCommonsvc.exe	63
PID 2688 wrote to memory of 1388	2688	DllCommonsvc.exe	64
PID 2688 wrote to memory of 1388	2688	DllCommonsvc.exe	64
PID 2688 wrote to memory of 1388	2688	DllCommonsvc.exe	64
PID 2688 wrote to memory of 2140	2688	DllCommonsvc.exe	65
PID 2688 wrote to memory of 2140	2688	DllCommonsvc.exe	65
PID 2688 wrote to memory of 2140	2688	DllCommonsvc.exe	65
PID 2688 wrote to memory of 2224	2688	DllCommonsvc.exe	66
PID 2688 wrote to memory of 2224	2688	DllCommonsvc.exe	66
PID 2688 wrote to memory of 2224	2688	DllCommonsvc.exe	66
PID 2688 wrote to memory of 2364	2688	DllCommonsvc.exe	67
PID 2688 wrote to memory of 2364	2688	DllCommonsvc.exe	67
PID 2688 wrote to memory of 2364	2688	DllCommonsvc.exe	67
PID 2688 wrote to memory of 2336	2688	DllCommonsvc.exe	73
PID 2688 wrote to memory of 2336	2688	DllCommonsvc.exe	73
PID 2688 wrote to memory of 2336	2688	DllCommonsvc.exe	73
PID 2336 wrote to memory of 2716	2336	cmd.exe	79
PID 2336 wrote to memory of 2716	2336	cmd.exe	79
PID 2336 wrote to memory of 2716	2336	cmd.exe	79
PID 2336 wrote to memory of 1920	2336	cmd.exe	80
PID 2336 wrote to memory of 1920	2336	cmd.exe	80
PID 2336 wrote to memory of 1920	2336	cmd.exe	80
PID 1920 wrote to memory of 944	1920	lsm.exe	81
PID 1920 wrote to memory of 944	1920	lsm.exe	81
PID 1920 wrote to memory of 944	1920	lsm.exe	81
PID 944 wrote to memory of 2472	944	cmd.exe	83
PID 944 wrote to memory of 2472	944	cmd.exe	83
PID 944 wrote to memory of 2472	944	cmd.exe	83
PID 944 wrote to memory of 984	944	cmd.exe	84
PID 944 wrote to memory of 984	944	cmd.exe	84
PID 944 wrote to memory of 984	944	cmd.exe	84
PID 984 wrote to memory of 1528	984	lsm.exe	85
PID 984 wrote to memory of 1528	984	lsm.exe	85
PID 984 wrote to memory of 1528	984	lsm.exe	85
PID 1528 wrote to memory of 808	1528	cmd.exe	87
PID 1528 wrote to memory of 808	1528	cmd.exe	87
PID 1528 wrote to memory of 808	1528	cmd.exe	87
PID 1528 wrote to memory of 1596	1528	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ae99a01c04557a432c5f193bc66c33c1f23c73eb386f0d1ec715e193db09bb31.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ae99a01c04557a432c5f193bc66c33c1f23c73eb386f0d1ec715e193db09bb31.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2116
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2864
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2904
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\TAPI\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6U7x4Q8tQA.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2716
      - C:\Windows\SchCache\lsm.exe
        
        "C:\Windows\SchCache\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2472
        
        C:\Windows\SchCache\lsm.exe
        
        "C:\Windows\SchCache\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:808
        
        C:\Windows\SchCache\lsm.exe
        
        "C:\Windows\SchCache\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat"
        11⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2572
        
        C:\Windows\SchCache\lsm.exe
        
        "C:\Windows\SchCache\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat"
        13⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2784
        
        C:\Windows\SchCache\lsm.exe
        
        "C:\Windows\SchCache\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
        15⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1784
        
        C:\Windows\SchCache\lsm.exe
        
        "C:\Windows\SchCache\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"
        17⤵
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2436
        
        C:\Windows\SchCache\lsm.exe
        
        "C:\Windows\SchCache\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
        19⤵
        
        PID:2228
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2272
        
        C:\Windows\SchCache\lsm.exe
        
        "C:\Windows\SchCache\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"
        21⤵
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1504
        
        C:\Windows\SchCache\lsm.exe
        
        "C:\Windows\SchCache\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat"
        23⤵
        
        PID:2664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2412
        
        C:\Windows\SchCache\lsm.exe
        
        "C:\Windows\SchCache\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\TAPI\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\TAPI\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\SchCache\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\SchCache\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cca3eaec9be85cf24e2d3ef71089bd90

SHA1
47c2fdeacfe8b0a90f8760a028b86775fa5e3602

SHA256
1d0e708597623699f5dba62bd0565d5d5ec63b90d64c9ef3f340345fe2b31caa

SHA512
486a8c51a869842d56917e39ec098d2329f30e453fe042323c33e4f7026830a506df81b0ce0cbcf1da785d7e9840044df2febccc04158ea11d098dea04035669

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0239a8eb27906a76b5fc66ff57a08ad2

SHA1
0861404453452fe9f4f703a11669024460d7cb04

SHA256
fb918c2c00777b46e90211c978e854d05c688d57abf63b66054bbe9cee5e60a5

SHA512
7fb8a91def849f97b2588a0916e9166499a12a1132c8c5ec3b597b71bd48ad2c242702c1b6c77862b4d68653a07592ea324d09cbc5b217bfd3e107d8da3d0dfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4e5c7b51dacbb561b0a5ad78712ac24

SHA1
7739b245bf7112175af8be7bc64e2de69202721d

SHA256
1837ba1531266d552dc8034de4e0541ce7b9dba505b33f787a5d8005f361b71a

SHA512
d43cc0eea0a89b112be93eaf1544e659d11ae0086f2e5cf1dcb8cc4b85c940b021b418b86121a5fb7cac7f472d91bf56b66970b419be3db58d81fd4cc5e8df67

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3490d976031bfc96874ba5129c996bf7

SHA1
fe11d867c391cf60160e65ecdbed1dbfbe0ddaa0

SHA256
d962138592cc6f7ad066739c2a74d5d5fef3171f43dccaa8783fed4903a95cc1

SHA512
e2b50971e88fc76e7bed5221fa5cf663ca05f60edeb958fd08a8081116892ab05f33d976edc23c78a2947c4d7ed36a3759352519362866cd226cc1f8cc6372a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d455001533c408f5adec54b6c4778a09

SHA1
5214525d170dff2493b45799b43004852c9d53b3

SHA256
344aebc2f58bedc7fe9334d3f29bd28f13330fbf0e90853b974b36581806ba5c

SHA512
7aa8f8435f1d9168bde9c043f0313b213938f303e1c3a523ea4937aa4c193d40afe95ce7102a6ceec528c8247c63264a9ab6f81386b3093017ed2213e1e5adaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
101dac99fe57d04a4cfac79cda916b0e

SHA1
00111045e141a6e5a2b11b58ad306dc68c472b3e

SHA256
606edd2037e9d791980972bc2a88c0429e2eb4f0b65f79feca9907b113b7ad9f

SHA512
456b2cfa4a942cf7884e34999467674532cedee78c900ff1b5ccbad4ecac3987109e03493d34eb37a79fc28763293c66351f2231b58e43348ff937f8e8eecc80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
019adaebac35bdcefeffbe96146439bb

SHA1
fd6682389c3fdc626be86bfd67dcfbf3d173412e

SHA256
cd9f7b43c4c15b6698957d24e4b62b0a9ed838cbed429eba383ea0d7c2cdfefa

SHA512
386ee4f8baf8abb4577d95dba7b7f5f8bdec416bb939e056a312f567c89c709a111599fc5686313d7b32785bc8be76ebe835c61051ff56b880b87b535f48f62c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46bb481fb71b921162e5184947a32984

SHA1
32c6791b5459d12ad80f6de3db340ae98794aefc

SHA256
b72003c96c028543e2a39cac8ed4cc569b21ac60cda56854a717e2fe3f97dec5

SHA512
031bf1ce6a43c9b3dc2c2335fe89f81bf8a346a869740741b8f998e6e2f7e036a906bfbc42858a2a02c0332c7dadcb5f4f42e8af3e0ae0921b324b045cb73f02

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2f3f5666b45264f973d7fd30866911bc

SHA1
ae4dd795756dd5d28df1214fd8850526db61df5d

SHA256
e5580b017ecd3839cdbe0c4eefe31c4373b2180e6e4c40cac8e22c80edabae28

SHA512
5243a582682f68d51453517472cb7fd83fbfce3945c976d5921b65bd1b8969df1e6b2c2f5fc52e8bb06a2e94240281970be4508610679648d3e19b8c8d179c72

Download Submit
C:\Users\Admin\AppData\Local\Temp\6U7x4Q8tQA.bat

Filesize
192B

MD5
84f0b21466d394046096bb1782a65781

SHA1
a738e46ca452a7d304627904a18cfefe7d6fce9f

SHA256
fc817af23e9ae6fee40bbf38bfcc2d7ed55010efb2fd7c8416cb4e7cddcf3d34

SHA512
534664d789fdb7081a3859edc3fbccc3579d6d7a01746f84023269883679482211959f2d5ac3730d7ba848fe7472c256b181a7e586948e6f55849dbe86378b4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\826UXRAQMN.bat

Filesize
192B

MD5
acaa5066c6cf1fee5cf7c5ff1bc9e99b

SHA1
e92226ff09c0df9f5a9a993ba8afffbb3f510d5f

SHA256
44cf5cf529a020ef53c7bea8288b652264795d69de59e20d698660a729e147c1

SHA512
995016ca05974becf0e5af0f6bad2b198a4a15dba01398293b99d6a50a648e0b73821e0498fe918ecddc722883618b14045a6a22083aa1670d25fb36b04068df

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat

Filesize
192B

MD5
1c33e5949aa2d9ddd2fcc1d823e9e98c

SHA1
b3329e51ca368ede28a86e311e6bec5a63b115e1

SHA256
28672a4062066f7256294b23ee0cf5957d6d0e2b3a113b96aad5bf6ad5a599c4

SHA512
85117baa1c330008f9cc0b3adf545ebe71e03b02e0886293c86f888654a8a1584b20603ced4d6da8c876a1a25086b3062c0cfc0bf91b084bd88d7abf42ea8822

Download Submit
C:\Users\Admin\AppData\Local\Temp\AQ0EpYUV7r.bat

Filesize
192B

MD5
b43e27fc31d271fc7cfd4a909cb03553

SHA1
caa9b67d1f9e2c1e0084f04f8724e6477fd01cb6

SHA256
f9bae4536103a032d6711dda14005f9ca5241a7ebd9cf3ceca9b063edf771371

SHA512
7cbf23204fffee5fd8629d8fd5e694afb142aff24e3e5e6323c8e51a6938d366704cbbe28c4a28ab48230f25a16159963a08451fd59c49ac4b81ddb8176a3923

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab70EE.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
192B

MD5
20f92af0ce5c4c04cc6cc41419d21212

SHA1
55e07945ac10e1213c4157c814808ebd162886b9

SHA256
c36553f9cfac7e618018652c70837220160f1b597443f712dbb8688ba0f34e0d

SHA512
84a8d4b148dce3f12b22df93ccf054af629ceba036102d7af23392c0f0551561dc2999457d05335db71d30c51caca75840d3e6d0908e5ba769ce458ff9adc7b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat

Filesize
192B

MD5
d8151c1dfaa1357a1a587330da31c99b

SHA1
1a2d15f5389ea16649a2ee2e10a59e93ca083a55

SHA256
39cad5172273a2d351b6ec31a16992baba9f3e06b75d15c403020b2fc4ac0c33

SHA512
722626cdf80c4f368613a5f6416a457fec95a5b8e277ecdeac3f1ec1d09db1d2c250ce7bc3504174611ac6a139a305176966a7fe4cd47a4ef8f3d025bdcea5a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

Filesize
192B

MD5
45880f16dbd9a061a9118b08d50d752a

SHA1
e91503179162a12f6ee88ec61a257468e4c945e4

SHA256
da63cad929d770ee72dd245abd4ee8bf42bb96a1fc1bbbeb8910e0cb5866580b

SHA512
e2ab9b4a56ddd647fc921ba24074af4be5e127805105218679d127dae29a1e491a20cc1ffead5f2c7cfdfcbe8048eeffb047434c5ebe5bb23616e64d32f92ef3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar7110.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\mQe7zIwqSA.bat

Filesize
192B

MD5
9e4c275aab1cdb7f21ec49160e8e72d4

SHA1
4514155a805376e813796d9ac92cba00eb5bc6d4

SHA256
754205d87631baa2f8c54a008a0b95dbcec98663130806a1053bb8f0728f9ddc

SHA512
cd17177fcec017049b4dd7525be1397e26185cabd23f86a2aedffd6f227a0b0139e801670dbf106f911989ba960b965c6f07e55e54c969a6da31b5a035f455bb

Download Submit
C:\Users\Admin\AppData\Local\Temp\qzxbGmHcY3.bat

Filesize
192B

MD5
23e44abcf0d37a5372092a6502ed1b76

SHA1
bcfae162e88305a8a4257722f530c529535bf158

SHA256
9726025b9d32033a22b27ac059c7fdfe2a8b81e55b13adc0a2faed97b50d2d56

SHA512
4eab571fa278dc9e0a35c07730bd9c7a60ce0d1dddafa731f71d21f8c1ffa127c3cb311eb55cd11f089c01f021b7e1758fa1fce1b0c3f98d18c562d92f86a4dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat

Filesize
192B

MD5
383535293f5cb1f36afd16847e4e485f

SHA1
40cd9956f758a07a69202b7ca471a454f22e3012

SHA256
4cc9b4da0fc0201ba560899256f24e3a0f9ae4608bb83658adae7185831aa407

SHA512
b433be0692844848ba895819edd7807ecc56ea6d453baa909f65ce8256d75a4217f56270221540c4c2edd6fd57d45bc6c4c1c607fd8e175c4007133641931502

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6936cc285f8f6692e6d1a691b0ff99e4

SHA1
c80796b2cc854d09d5ec869193b4102cc6f08ed6

SHA256
bb0e771b89795bd91defa881ad681cceaadf037d92ff08338a4d8860935a024b

SHA512
94a252d28a19b2373534137a679837c21d422d2673e6884af4a58f5c4cb3c50feb7a0d0c58de6b0d086e74853c5405e7726aa685f4402f0d3af26d021462c3db

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/300-448-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/984-146-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/984-387-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/984-388-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/1596-206-0x0000000000230000-0x0000000000340000-memory.dmp

Filesize
1.1MB

Download
memory/1612-567-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/1920-87-0x0000000000CB0000-0x0000000000DC0000-memory.dmp

Filesize
1.1MB

Download
memory/2140-49-0x0000000002070000-0x0000000002078000-memory.dmp

Filesize
32KB

Download
memory/2140-48-0x000000001B7F0000-0x000000001BAD2000-memory.dmp

Filesize
2.9MB

Download
memory/2688-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2688-16-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2688-15-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2688-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2688-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-266-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download
memory/2732-267-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2868-327-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download