dcrat | fd3be6c1f512462f2a11619720b745d99737fc121d7c62e4efe823fdb254e4f3

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_fd3be6c1f512462f2a11619720b745d99737fc121d7c62e4efe823fdb254e4f3.exe
Size

1.3MB
MD5

9cfcdc90526d270648c50edcc5ef0fde
SHA1

33db9c591a926ec4c5531da6485f640b9f10a603
SHA256

fd3be6c1f512462f2a11619720b745d99737fc121d7c62e4efe823fdb254e4f3
SHA512

723cd617af76dcc7fdd8f08a7176232409bdd3abd18d5ae6f564916c717e07bd21f7e9151e1dc09bded6381b952cf5035a1a89a671c178fc863c0e0b4d8ee782
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	664	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1052	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1112	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2904	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	2904	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d1f-9.dat	dcrat
behavioral1/memory/2736-13-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/1660-34-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/560-122-0x0000000000A30000-0x0000000000B40000-memory.dmp	dcrat
behavioral1/memory/2804-182-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/2992-362-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/840-422-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/984-600-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2632-719-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2372	powershell.exe
1372	powershell.exe
2528	powershell.exe
1504	powershell.exe
2840	powershell.exe
1268	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2736	DllCommonsvc.exe
1660	WmiPrvSE.exe
560	WmiPrvSE.exe
2804	WmiPrvSE.exe
2524	WmiPrvSE.exe
2484	WmiPrvSE.exe
2992	WmiPrvSE.exe
840	WmiPrvSE.exe
1300	WmiPrvSE.exe
2092	WmiPrvSE.exe
984	WmiPrvSE.exe
300	WmiPrvSE.exe
2632	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
492	cmd.exe
492	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
18	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
40	raw.githubusercontent.com
44	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\fr-FR\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\6cb0b6c459d5d3	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\Tasks\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_fd3be6c1f512462f2a11619720b745d99737fc121d7c62e4efe823fdb254e4f3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1112	schtasks.exe
2024	schtasks.exe
2824	schtasks.exe
1572	schtasks.exe
1052	schtasks.exe
2748	schtasks.exe
664	schtasks.exe
2364	schtasks.exe
1448	schtasks.exe
2792	schtasks.exe
2684	schtasks.exe
2836	schtasks.exe
3052	schtasks.exe
2040	schtasks.exe
1744	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2736	DllCommonsvc.exe
2840	powershell.exe
1372	powershell.exe
1268	powershell.exe
2528	powershell.exe
2372	powershell.exe
1504	powershell.exe
1660	WmiPrvSE.exe
560	WmiPrvSE.exe
2804	WmiPrvSE.exe
2524	WmiPrvSE.exe
2484	WmiPrvSE.exe
2992	WmiPrvSE.exe
840	WmiPrvSE.exe
1300	WmiPrvSE.exe
2092	WmiPrvSE.exe
984	WmiPrvSE.exe
300	WmiPrvSE.exe
2632	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	DllCommonsvc.exe
Token: SeDebugPrivilege	2840	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2528	powershell.exe
Token: SeDebugPrivilege	1660	WmiPrvSE.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	1504	powershell.exe
Token: SeDebugPrivilege	560	WmiPrvSE.exe
Token: SeDebugPrivilege	2804	WmiPrvSE.exe
Token: SeDebugPrivilege	2524	WmiPrvSE.exe
Token: SeDebugPrivilege	2484	WmiPrvSE.exe
Token: SeDebugPrivilege	2992	WmiPrvSE.exe
Token: SeDebugPrivilege	840	WmiPrvSE.exe
Token: SeDebugPrivilege	1300	WmiPrvSE.exe
Token: SeDebugPrivilege	2092	WmiPrvSE.exe
Token: SeDebugPrivilege	984	WmiPrvSE.exe
Token: SeDebugPrivilege	300	WmiPrvSE.exe
Token: SeDebugPrivilege	2632	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2404 wrote to memory of 2100	2404	JaffaCakes118_fd3be6c1f512462f2a11619720b745d99737fc121d7c62e4efe823fdb254e4f3.exe	30
PID 2404 wrote to memory of 2100	2404	JaffaCakes118_fd3be6c1f512462f2a11619720b745d99737fc121d7c62e4efe823fdb254e4f3.exe	30
PID 2404 wrote to memory of 2100	2404	JaffaCakes118_fd3be6c1f512462f2a11619720b745d99737fc121d7c62e4efe823fdb254e4f3.exe	30
PID 2404 wrote to memory of 2100	2404	JaffaCakes118_fd3be6c1f512462f2a11619720b745d99737fc121d7c62e4efe823fdb254e4f3.exe	30
PID 2100 wrote to memory of 492	2100	WScript.exe	31
PID 2100 wrote to memory of 492	2100	WScript.exe	31
PID 2100 wrote to memory of 492	2100	WScript.exe	31
PID 2100 wrote to memory of 492	2100	WScript.exe	31
PID 492 wrote to memory of 2736	492	cmd.exe	33
PID 492 wrote to memory of 2736	492	cmd.exe	33
PID 492 wrote to memory of 2736	492	cmd.exe	33
PID 492 wrote to memory of 2736	492	cmd.exe	33
PID 2736 wrote to memory of 1268	2736	DllCommonsvc.exe	50
PID 2736 wrote to memory of 1268	2736	DllCommonsvc.exe	50
PID 2736 wrote to memory of 1268	2736	DllCommonsvc.exe	50
PID 2736 wrote to memory of 1372	2736	DllCommonsvc.exe	51
PID 2736 wrote to memory of 1372	2736	DllCommonsvc.exe	51
PID 2736 wrote to memory of 1372	2736	DllCommonsvc.exe	51
PID 2736 wrote to memory of 2372	2736	DllCommonsvc.exe	52
PID 2736 wrote to memory of 2372	2736	DllCommonsvc.exe	52
PID 2736 wrote to memory of 2372	2736	DllCommonsvc.exe	52
PID 2736 wrote to memory of 2528	2736	DllCommonsvc.exe	53
PID 2736 wrote to memory of 2528	2736	DllCommonsvc.exe	53
PID 2736 wrote to memory of 2528	2736	DllCommonsvc.exe	53
PID 2736 wrote to memory of 1504	2736	DllCommonsvc.exe	54
PID 2736 wrote to memory of 1504	2736	DllCommonsvc.exe	54
PID 2736 wrote to memory of 1504	2736	DllCommonsvc.exe	54
PID 2736 wrote to memory of 2840	2736	DllCommonsvc.exe	55
PID 2736 wrote to memory of 2840	2736	DllCommonsvc.exe	55
PID 2736 wrote to memory of 2840	2736	DllCommonsvc.exe	55
PID 2736 wrote to memory of 1660	2736	DllCommonsvc.exe	59
PID 2736 wrote to memory of 1660	2736	DllCommonsvc.exe	59
PID 2736 wrote to memory of 1660	2736	DllCommonsvc.exe	59
PID 1660 wrote to memory of 1532	1660	WmiPrvSE.exe	64
PID 1660 wrote to memory of 1532	1660	WmiPrvSE.exe	64
PID 1660 wrote to memory of 1532	1660	WmiPrvSE.exe	64
PID 1532 wrote to memory of 2560	1532	cmd.exe	66
PID 1532 wrote to memory of 2560	1532	cmd.exe	66
PID 1532 wrote to memory of 2560	1532	cmd.exe	66
PID 1532 wrote to memory of 560	1532	cmd.exe	67
PID 1532 wrote to memory of 560	1532	cmd.exe	67
PID 1532 wrote to memory of 560	1532	cmd.exe	67
PID 560 wrote to memory of 2996	560	WmiPrvSE.exe	68
PID 560 wrote to memory of 2996	560	WmiPrvSE.exe	68
PID 560 wrote to memory of 2996	560	WmiPrvSE.exe	68
PID 2996 wrote to memory of 1100	2996	cmd.exe	70
PID 2996 wrote to memory of 1100	2996	cmd.exe	70
PID 2996 wrote to memory of 1100	2996	cmd.exe	70
PID 2996 wrote to memory of 2804	2996	cmd.exe	71
PID 2996 wrote to memory of 2804	2996	cmd.exe	71
PID 2996 wrote to memory of 2804	2996	cmd.exe	71
PID 2804 wrote to memory of 2716	2804	WmiPrvSE.exe	72
PID 2804 wrote to memory of 2716	2804	WmiPrvSE.exe	72
PID 2804 wrote to memory of 2716	2804	WmiPrvSE.exe	72
PID 2716 wrote to memory of 1944	2716	cmd.exe	74
PID 2716 wrote to memory of 1944	2716	cmd.exe	74
PID 2716 wrote to memory of 1944	2716	cmd.exe	74
PID 2716 wrote to memory of 2524	2716	cmd.exe	75
PID 2716 wrote to memory of 2524	2716	cmd.exe	75
PID 2716 wrote to memory of 2524	2716	cmd.exe	75
PID 2524 wrote to memory of 2536	2524	WmiPrvSE.exe	76
PID 2524 wrote to memory of 2536	2524	WmiPrvSE.exe	76
PID 2524 wrote to memory of 2536	2524	WmiPrvSE.exe	76
PID 2536 wrote to memory of 1664	2536	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd3be6c1f512462f2a11619720b745d99737fc121d7c62e4efe823fdb254e4f3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_fd3be6c1f512462f2a11619720b745d99737fc121d7c62e4efe823fdb254e4f3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2404
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2100
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:492
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1504
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
    - - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1660
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2560
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1100
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1944
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:2536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1664
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
        14⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1020
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat"
        16⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1580
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        18⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1588
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat"
        20⤵
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:908
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
        22⤵
        
        PID:696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2752
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat"
        24⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3008
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
        26⤵
        
        PID:928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1364
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat"
        28⤵
        
        PID:2952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Windows\Tasks\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1872d7d9f932b93345a5763edaa1dbeb

SHA1
9d644580b8f0f0dec678bb29795adfe7d7983805

SHA256
46028cb8dfabb106b6510f11b6b49dd6c79114467161b03a8570993e6ef21083

SHA512
c403c24ff60fff0d4e86a399e2c3395352cb033f2ae582fa8263ce9992d04d05ed7263b41e4f02fef4055648fddd8693c215f9cf799eede45d8029a59dd21392

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cc40ba3bdea8351236efec7c52d5a54

SHA1
b915bed4cf4b599d068e78c3847c4bcb9028d7d2

SHA256
39cf5c93af32a8ac813b139d0fdfc84dced4898a998d565105c9e37acc9e9bce

SHA512
805f1b64bec86f201335d1fa5c11a98b8bde51a98728c9806af233f295ef14a9c021e56d76bd940644e8fea60f0bff3e744da4b7113ed8ec9d25af90f844990b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4fe01f4373f5213384e54e0cd80ece31

SHA1
1f1347eb1cac715b9915bc5221957a7fb6c466e0

SHA256
3b05930de7df5dbe7e8af7db382beb27e885cac54afd4d28f3eac199d6dde6af

SHA512
3f4351c00aceeef2d6a4c11f119ac52f625f9ab19f966fce983937895a89a4c0f3e531b75ba2b47fc24e7e1044e8027f2866ae3f023bca9623246030ebf784dd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
796d13d258cdc9ca44e472b2322fc11a

SHA1
0429ec4963175ffd1f54ca95c9376bec2ed67661

SHA256
ab73b2d033fcca3567645c0e61ed5716ced72b42f0d92b58a261ba14d5943a81

SHA512
a14146094c4042c315d403b9536673ccfb53fd20a33aeed658cb923138a5074edc7298428e4bd98e4270b536f1d6d9803088b1712fd7f042a342da0d1dd98767

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e48878bec8096fe87e81fe46cb09458a

SHA1
2171e849c40afff869e9f6635c74c0fda3a613c9

SHA256
b8449610141bc192801ed24c07cefe0fc9db343a1a79e95ca643a9ab2bed1f04

SHA512
ba1004e24768c474d2ff04919d9b781a9f7e4de3b98d8f04215b3d3bf57b0d95fd22d572189d2da0aa13c6fbbf57f01e27539b80dba28e1edb8c1560dc99e37c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8bc4b4f61352767095f22c85d8ddf8fb

SHA1
942d4c619d7ea284ccbdc566de31163fc0c6b3c8

SHA256
9cd6cbc593805d25aef52c34780e999cef2213f6e387d0e952c4d3c88292ba18

SHA512
759cccc8e8ed3a7f2ef4a973425abb8e4f00e8d902f8fe52437e07fdab1ecec6aeb8b6aabca74c53a413aab7ea0d4d04d3e3e6b99478399a652c8df5bc3168d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42d5809eb1024addaeadb60c4587a37a

SHA1
da42986904e985a5cfb63a7205ad8951007f1716

SHA256
cade577a89ed8e5fc360c1eb22c6c0a996faa004b25e16453e8ca21119da6da4

SHA512
1597f0b9f781df02ffe1ad193e92a4552a5bbcc2534de364c78d27d73024435f734b737fc2d9571207280b72d13f3af1125bb88e4b079549a9db7b794d97dad9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90372d5a15f868934ee5506ace1db431

SHA1
8ad73de2c2cb9ee18504f3d25fd2f77d2a665ff0

SHA256
97af49c4eb31dfc3156c90d5c893133a37526218c801a9130926bfa6e92a8ed5

SHA512
8d4e178c74a599d753e0b3282ffcdfc9e1c0fd2060b5adc6f6d995f4e623352ec58a5e6e7f47ae0bdc39bd7d92c1c32485b81b19b97dbc8ce365ed92044cb725

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4ff4e8db1391732aae7a6b74fcf7a368

SHA1
8cab70c5af982e2d990d9bf04bc5bcf42c1bfd5e

SHA256
27a79cfbc952d0d914311995b4b8a6edee2b26c20e1e3fbb2ab9e6fa40d01a5f

SHA512
cb1850f2d4768b9aae60cca37315452370abe2855d2201e0a7e1c5e1975c70b7f2e347b8fdec2cf01ccd121ef084c5496c1d6a8a0c6500c305d86e73d1e5a34d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e25ea8965d6089ff6441b16bdca49a6c

SHA1
f91d94fcaaa068220ff7f532a3903eb1dd92ed38

SHA256
78aa0fa98d3a12bcd9527ff812f8a2e51ae1c9bb63bef5edb6a86b4506c41bba

SHA512
c030b07905c13f1f131b4e3b6abd9ca1035a79196e6cad1162401fa2b253274d00192d01e0f6d62ad414975874280e1bfc807295117ee110d35d85a14665216c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a254aba91699c7cd5a8959cebc901f22

SHA1
f288b96257292f89d9c8c086dfa8d564faa99a63

SHA256
7cc41c9cacd6ed5e858ac080907e36a0d10b112913f19a3a0cfd9c88e329198d

SHA512
08f3db65d767e82909d0b3c971a994ba8852f34a1580816036a3a9a58a22f8f7e83edcd7544dee7f4a76ba40f8a07dae33017af3858624f42d53a02af310520c

Download Submit
C:\Users\Admin\AppData\Local\Temp\3B2OAH3dio.bat

Filesize
240B

MD5
16c85af9a5ecd87e5562972cad8e9cff

SHA1
09d161540e246545a19de6cf17cd23086e90fad2

SHA256
de59499861dae0dccef972c4256d18c21c669b1ff45d0ee79ffbdc5404f57743

SHA512
7df7c23621a12cb824914172cf098db25ceca0c4bfa43823cad2ba8d80aa3d3a542a3caf3ca4aaa4b7ef10a9dde280f8ec341478471265bfa3961846f4a9199f

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
240B

MD5
af392caf27f73f50f1f9e3426814c1df

SHA1
43496cc1ececb3534a40d6349a81eda7edd17537

SHA256
7bea4e300024934ca9dfbfdc61ce3f0b9b6bfb99228c066af18e91d8d69a4b4b

SHA512
8783dc19d60fc78431a53a4d9e8a86cb5d8c2be367d3385dd1349ae39c3248937651c89b2dade7b0ddf60d5ecf4d2375108e7988dd627b3f1a6aea046e0dd470

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dhy3B39XM.bat

Filesize
240B

MD5
d6937b380e02badb91f2efa772218f99

SHA1
8045fd04626d3c327ca31bd5b61c0c09012fd3cb

SHA256
517919f47e200c447cbd0fd1357728405fa42c687e3b1672b66d44f2ffbab5a6

SHA512
4ae5ea62f71df86f616c7e770a323c03ed255bc49a5a2897994ec53bee9a42a0ec215fd8b2b813870b40aca2bcc2c0b3e2f342352debf97e0ba673de44fe6705

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD7AB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GzuRWOxc20.bat

Filesize
240B

MD5
56a26ef45c9da1e652458eb42ba3ff98

SHA1
41d8ef5243645545653901d96ca5fcbb03b7a02a

SHA256
447dacb04eb486ae53654554c73f692208469cfaac6cf3afc76690fda0a610d1

SHA512
c2740123c146f8e46faad7250504200097db194fdd6ab7476d39cc88f16cd634546b811e18883e09b3986c5244bdbaefca94662c92fffcd1e2775b0b2823817f

Download Submit
C:\Users\Admin\AppData\Local\Temp\LBVLNHYHv1.bat

Filesize
240B

MD5
15ab4dccdbb0d93ca48495e60969fd2c

SHA1
c48bb18f47741a837b78467b80d0c83a5057452e

SHA256
7a3d7019fa14078c7f50b810bb4ac1cd6b979c94cc05da996a8d845c26b489ff

SHA512
bb411d6333842b845a3a79366aaca633f7c6c6f4631b802d5b3829b1ac14723fcd5b31cb51179d6571aa729d4d93f5099f156b16648a4b48c03599e22fd81233

Download Submit
C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat

Filesize
240B

MD5
7eeb805d5ff981d54ffefe38e5daaa53

SHA1
6f583c22af172e94ce96d76b90d65404219264db

SHA256
1708c4050622920ca1ab23e781e2859097dde9996008f3add0c0a9390fe7ac30

SHA512
1e03dc3d8720d68a2531455cda91c403ae683a0c828536a9c28f9e0eebb12d27c52f8574611e840377cb40f84889a7e26fa2fabada5202f582c3a0758a3244c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD7BE.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WzmeI2KvQx.bat

Filesize
240B

MD5
fe25e516a6c0eb6a241e7b9ee036f94a

SHA1
08f2a9f304363d31b88c70c4256bb5e403eb1266

SHA256
1cc0caef86673dabd1d924252d65409ae8a1c5613b4fc0e5bba70125747b6af6

SHA512
e682723c34692de035da8003325ec671be44cd84597ca240439873c0474d8e10c8f09c82b8b04991d41abbf5d6e29e04d99d169aac41dc7347d6cff00f83b3e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat

Filesize
240B

MD5
d3976e11320c32a2e1f7a0b8fed63126

SHA1
dbe3524bd79396968ded4e210684218e49d0e787

SHA256
1402e652fd091ceb34ecbba729a0d36e5597bba4132cf506de1014b830070f5c

SHA512
a8d139203a4e5323fb209cdab415f2f3848f45b6e9192fba4c72dad7390668c52bda285e57027cde38396e21aaf18b390eea889bf56e0da617b174f779f9ebeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\jFR8woBO6B.bat

Filesize
240B

MD5
c07ef89efdfa8038cea5d7d9cc9c4431

SHA1
a7810e894ba21d9d5d0009ced2942c0696bba931

SHA256
7a0416d073a42169123263df9eb302857df031b61f6400316d9ea5c7d16fc694

SHA512
2a7ec7118245435853d9ffe3d732ef4f6b1c32f3cbd4fee3ae91e32bc0efed8cadf9f004c498acae2ea2042bf9ff60cbbfd4b63d2549f862d0fc5ebec66a02b4

Download Submit
C:\Users\Admin\AppData\Local\Temp\kOAwrWovpT.bat

Filesize
240B

MD5
ffae5f14afeddcd7dd00533cc691f7d4

SHA1
1b11840c2965d356b1343a69ac8c85c34bf49e62

SHA256
77af5e4a818298d750a479999cbc90eec5496acdb3b71be9677bf8c129d91345

SHA512
e4bbbce05dfa8c109329ad840621f303bfb9cf6751f7c112b856467b28a1d1f41f2619b7ed88e29ede2b0e8cc8379742223f83e34fb8fa91e17cc501fbc289fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\kvUluF99a5.bat

Filesize
240B

MD5
7e6f085a3e7405b372cad0333eb08846

SHA1
6b9624ca5020f17127f92be1190b908fb9b312e0

SHA256
925778ad373c85610de4bdb307e844f89cef6c6a990f56429eee3df7ad049a9e

SHA512
1a9c75335604a0438e0763181b90ffd6442931c7403adfa430790b45c4eb68ac080e1108a949accab83e3154bb1e33fe625ca959df2b3b67f2c28fbb5601314f

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat

Filesize
240B

MD5
caeeef2a6ed49f58e915d29de7329456

SHA1
5b4296820d68a3b799348b4fad25897d04833322

SHA256
6d64bd25e8f3f9ca413049690c9a4a35b1f8b8b6f8978f16bc1704427664bb0f

SHA512
f62d96c11c553f63fe7d7129137a38dfd9394226ecfebfcfb36fb78951b03c393a8d96799143c674c7f354e8c2dc2d6141eccc39e0709262eda433637900d618

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\9GEWSBTG0944EEEL86Y7.temp

Filesize
7KB

MD5
57b6b41920cae1b472b47d6a6a0f0f89

SHA1
3f6f11a174b9c9a8e228129fa997dd1f4d375202

SHA256
c947a2429955c547e6d5ff50bbb13435cce8a663f74b66c19e7777956cd4e93c

SHA512
3b20c1b1c2b42934ec2c86a4d7ab71208ecb9530cc071db4bf4a468c2e3159bcaea62c7de965a8289f41e501153d5b29b52540922380a1bab656eec4d0a77881

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/560-122-0x0000000000A30000-0x0000000000B40000-memory.dmp

Filesize
1.1MB

Download
memory/840-422-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/984-600-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/1660-34-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/2524-243-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2632-719-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2736-17-0x0000000000B40000-0x0000000000B4C000-memory.dmp

Filesize
48KB

Download
memory/2736-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2736-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2736-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2736-13-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/2804-183-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2804-182-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/2840-45-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2840-44-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/2992-362-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download