dcrat | d7b6d519e949fa6143e226eace524db8c41f85a698c219c9a9847a9611836116

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 10:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_d7b6d519e949fa6143e226eace524db8c41f85a698c219c9a9847a9611836116.exe
Size

1.3MB
MD5

d2db0669dc071bc3657e461863ccac64
SHA1

fd207cddc70c27eb13fb0ada114667219d11f3f3
SHA256

d7b6d519e949fa6143e226eace524db8c41f85a698c219c9a9847a9611836116
SHA512

1aa62b3614e0653b6b90f9c6ef6acbe76033d35ea8a85456c5eadf0050d2745a6e0e567a13b6f1cdb4aeb8689c5e1553661999061d9fd7af1f23516e91b36abf
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1732	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	768	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	2724	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2724	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000018636-10.dat	dcrat
behavioral1/memory/2996-13-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/2916-41-0x0000000000BD0000-0x0000000000CE0000-memory.dmp	dcrat
behavioral1/memory/556-131-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/2740-191-0x0000000000E80000-0x0000000000F90000-memory.dmp	dcrat
behavioral1/memory/2312-251-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/1340-311-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 7 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2056	powershell.exe
2208	powershell.exe
3008	powershell.exe
2780	powershell.exe
2136	powershell.exe
1668	powershell.exe
2000	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2996	DllCommonsvc.exe
2916	spoolsv.exe
556	spoolsv.exe
2740	spoolsv.exe
2312	spoolsv.exe
1340	spoolsv.exe
1560	spoolsv.exe
1736	spoolsv.exe
1876	spoolsv.exe
900	spoolsv.exe
1932	spoolsv.exe
2108	spoolsv.exe
2456	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
3000	cmd.exe
3000	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
33	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\it-IT\DllCommonsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Journal\it-IT\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\it-IT\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\fr-FR\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_d7b6d519e949fa6143e226eace524db8c41f85a698c219c9a9847a9611836116.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1732	schtasks.exe
868	schtasks.exe
2812	schtasks.exe
2880	schtasks.exe
768	schtasks.exe
2560	schtasks.exe
1972	schtasks.exe
1488	schtasks.exe
2932	schtasks.exe
1264	schtasks.exe
2588	schtasks.exe
2820	schtasks.exe
2448	schtasks.exe
1948	schtasks.exe
2188	schtasks.exe
2800	schtasks.exe
2636	schtasks.exe
572	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2996	DllCommonsvc.exe
3008	powershell.exe
1668	powershell.exe
2208	powershell.exe
2136	powershell.exe
2056	powershell.exe
2000	powershell.exe
2780	powershell.exe
2916	spoolsv.exe
556	spoolsv.exe
2740	spoolsv.exe
2312	spoolsv.exe
1340	spoolsv.exe
1560	spoolsv.exe
1736	spoolsv.exe
1876	spoolsv.exe
900	spoolsv.exe
1932	spoolsv.exe
2108	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2996	DllCommonsvc.exe
Token: SeDebugPrivilege	3008	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2780	powershell.exe
Token: SeDebugPrivilege	2916	spoolsv.exe
Token: SeDebugPrivilege	556	spoolsv.exe
Token: SeDebugPrivilege	2740	spoolsv.exe
Token: SeDebugPrivilege	2312	spoolsv.exe
Token: SeDebugPrivilege	1340	spoolsv.exe
Token: SeDebugPrivilege	1560	spoolsv.exe
Token: SeDebugPrivilege	1736	spoolsv.exe
Token: SeDebugPrivilege	1876	spoolsv.exe
Token: SeDebugPrivilege	900	spoolsv.exe
Token: SeDebugPrivilege	1932	spoolsv.exe
Token: SeDebugPrivilege	2108	spoolsv.exe
Token: SeDebugPrivilege	2456	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2436	2644	JaffaCakes118_d7b6d519e949fa6143e226eace524db8c41f85a698c219c9a9847a9611836116.exe	30
PID 2644 wrote to memory of 2436	2644	JaffaCakes118_d7b6d519e949fa6143e226eace524db8c41f85a698c219c9a9847a9611836116.exe	30
PID 2644 wrote to memory of 2436	2644	JaffaCakes118_d7b6d519e949fa6143e226eace524db8c41f85a698c219c9a9847a9611836116.exe	30
PID 2644 wrote to memory of 2436	2644	JaffaCakes118_d7b6d519e949fa6143e226eace524db8c41f85a698c219c9a9847a9611836116.exe	30
PID 2436 wrote to memory of 3000	2436	WScript.exe	31
PID 2436 wrote to memory of 3000	2436	WScript.exe	31
PID 2436 wrote to memory of 3000	2436	WScript.exe	31
PID 2436 wrote to memory of 3000	2436	WScript.exe	31
PID 3000 wrote to memory of 2996	3000	cmd.exe	33
PID 3000 wrote to memory of 2996	3000	cmd.exe	33
PID 3000 wrote to memory of 2996	3000	cmd.exe	33
PID 3000 wrote to memory of 2996	3000	cmd.exe	33
PID 2996 wrote to memory of 1668	2996	DllCommonsvc.exe	53
PID 2996 wrote to memory of 1668	2996	DllCommonsvc.exe	53
PID 2996 wrote to memory of 1668	2996	DllCommonsvc.exe	53
PID 2996 wrote to memory of 2000	2996	DllCommonsvc.exe	54
PID 2996 wrote to memory of 2000	2996	DllCommonsvc.exe	54
PID 2996 wrote to memory of 2000	2996	DllCommonsvc.exe	54
PID 2996 wrote to memory of 2056	2996	DllCommonsvc.exe	55
PID 2996 wrote to memory of 2056	2996	DllCommonsvc.exe	55
PID 2996 wrote to memory of 2056	2996	DllCommonsvc.exe	55
PID 2996 wrote to memory of 2208	2996	DllCommonsvc.exe	56
PID 2996 wrote to memory of 2208	2996	DllCommonsvc.exe	56
PID 2996 wrote to memory of 2208	2996	DllCommonsvc.exe	56
PID 2996 wrote to memory of 3008	2996	DllCommonsvc.exe	57
PID 2996 wrote to memory of 3008	2996	DllCommonsvc.exe	57
PID 2996 wrote to memory of 3008	2996	DllCommonsvc.exe	57
PID 2996 wrote to memory of 2780	2996	DllCommonsvc.exe	58
PID 2996 wrote to memory of 2780	2996	DllCommonsvc.exe	58
PID 2996 wrote to memory of 2780	2996	DllCommonsvc.exe	58
PID 2996 wrote to memory of 2136	2996	DllCommonsvc.exe	59
PID 2996 wrote to memory of 2136	2996	DllCommonsvc.exe	59
PID 2996 wrote to memory of 2136	2996	DllCommonsvc.exe	59
PID 2996 wrote to memory of 2916	2996	DllCommonsvc.exe	67
PID 2996 wrote to memory of 2916	2996	DllCommonsvc.exe	67
PID 2996 wrote to memory of 2916	2996	DllCommonsvc.exe	67
PID 2916 wrote to memory of 2620	2916	spoolsv.exe	68
PID 2916 wrote to memory of 2620	2916	spoolsv.exe	68
PID 2916 wrote to memory of 2620	2916	spoolsv.exe	68
PID 2620 wrote to memory of 2924	2620	cmd.exe	70
PID 2620 wrote to memory of 2924	2620	cmd.exe	70
PID 2620 wrote to memory of 2924	2620	cmd.exe	70
PID 2620 wrote to memory of 556	2620	cmd.exe	71
PID 2620 wrote to memory of 556	2620	cmd.exe	71
PID 2620 wrote to memory of 556	2620	cmd.exe	71
PID 556 wrote to memory of 3044	556	spoolsv.exe	72
PID 556 wrote to memory of 3044	556	spoolsv.exe	72
PID 556 wrote to memory of 3044	556	spoolsv.exe	72
PID 3044 wrote to memory of 1984	3044	cmd.exe	74
PID 3044 wrote to memory of 1984	3044	cmd.exe	74
PID 3044 wrote to memory of 1984	3044	cmd.exe	74
PID 3044 wrote to memory of 2740	3044	cmd.exe	75
PID 3044 wrote to memory of 2740	3044	cmd.exe	75
PID 3044 wrote to memory of 2740	3044	cmd.exe	75
PID 2740 wrote to memory of 1692	2740	spoolsv.exe	76
PID 2740 wrote to memory of 1692	2740	spoolsv.exe	76
PID 2740 wrote to memory of 1692	2740	spoolsv.exe	76
PID 1692 wrote to memory of 2428	1692	cmd.exe	78
PID 1692 wrote to memory of 2428	1692	cmd.exe	78
PID 1692 wrote to memory of 2428	1692	cmd.exe	78
PID 1692 wrote to memory of 2312	1692	cmd.exe	79
PID 1692 wrote to memory of 2312	1692	cmd.exe	79
PID 1692 wrote to memory of 2312	1692	cmd.exe	79
PID 2312 wrote to memory of 2784	2312	spoolsv.exe	80

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d7b6d519e949fa6143e226eace524db8c41f85a698c219c9a9847a9611836116.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_d7b6d519e949fa6143e226eace524db8c41f85a698c219c9a9847a9611836116.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2436
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3000
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\it-IT\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2916
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2924
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1984
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2428
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
        12⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2288
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat"
        14⤵
        
        PID:1336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1784
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        16⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2396
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat"
        18⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2780
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat"
        20⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1688
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        22⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2960
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat"
        24⤵
        
        PID:2848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2844
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat"
        26⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1224
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\it-IT\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Sidebar\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Sidebar\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93e58daae5225e03a7311b6e0aab415c

SHA1
1f6c1acd8437348d1b989b8701944073cd586a27

SHA256
78802c0eca524b4f940b242f3afbbafc4c0514ec52b9e9efa8ea29414c490b0f

SHA512
9ea1a216e1928006e857a56c9433bdefe1c52c8161004235fa19bc5725b57aadc8952b560afb777685f9220757455fbeff78f9269cad699649786653fbb977fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b31df41f3cfda3cebd2d3e6c5bb76449

SHA1
f9f4a069a5a24fb4f15ca63ca3fe764c3df6d6dd

SHA256
629022d129f996cbbbe9da650edf8f0c7317f671614988b8b16ccb7c13a13413

SHA512
ba25a6f4805d75c145440acca6c78fb7356dcc672e3388b544e03f3efa62c0a86ffdf10a182f92ce0d05a4f494c613889305404e87efe1cc73103f7ed8896695

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d8e64f48157069e675bc0f4558ecf68

SHA1
c6c768b7241dea6245bc7d7024ca1f9b32fe86e3

SHA256
771e407fcfc69f9ae762fa28efaae7349c97906e2d28e7ebf6f94545eafeb03c

SHA512
f28b920c57f670a15c15ea6c4c0f2b07b330f6e3f47a8260725e205ad7dfcc9c76a6499d204641649cd34bf3f5f75bd5175e2e66417de1c3842f01fb90bbf4d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c58e3c0c96a731e9259038e7c1bcc138

SHA1
0a684d9b5d46bcc09039f02b25ffaa75216186a1

SHA256
a7cd838a92d26c06ec5ca219dead7dfe4fa48f699ff87ad9a177db891d3681d8

SHA512
9787ee247dab8e5797d32ae6f40cb7598737a8550e816cad152fc452d22e804675d28a5d908ce40e97c72a0dcb9aa890cb6312b57d0bb27e895045231f9c0177

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33e4409bb1b2bb3b6d4c914e5d36055a

SHA1
60ce23479843f518c7bde557ce29f4c11daef15f

SHA256
78ce204a255eb6fbedad80214224799578247ae504415d43da96ec2f7ee23234

SHA512
6c19a3b98df8b0d6f4d42a25f13e5d817cb2bb64895aa7efcd5152e031e59d486dd46268e9de252961129033550ffe32a25632e32a77d134cb83e2295fa57b00

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e71a4ec5ae0a12e06e37c0f26b14027a

SHA1
034d22bfe4bac67cf31b94c281de7cbc812a8fb0

SHA256
599b61fc330d252bcf1c2ebd5ced27478412157dced38088b6cc64bce4639c32

SHA512
e99e5b4072571d2cf465620633a91174759e042e7a9c0a893d7aac85db1925950856722f44fccb3145cdffd2fb4d7c206f48f9ad0a439efe9c2cddf0e03482ba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e8f34555331a091f16a8d4579e9495f

SHA1
04e201f691be755bf6ac92ac4b32faf15a828d61

SHA256
0841cfee3f10e7da6cd104cb7ff4860b0df02c34f292e4aaa4bf1f370513b329

SHA512
9c305be566257788e3b444382af7b7d297aa58d040694b7a546022782c4eafc79ed14d8c6ad8a13da07af1f312721c410423c0d3bd2ed4d185a4847d858a5f6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1a768d853549bbc1da153ff53f22db05

SHA1
8b0d9aa45295645ad3f9c47cea7a6daae4318197

SHA256
ee81b2caede8ffe79cd5100698e5420737e13b78b96852ff62b25f252d5fe1f1

SHA512
723489b52110ac2230092de2d4ae76d841737f7d8657e4c242f30c7747d6ba3052e6c188654bcce4471893e98d9b84e29b295326edc43592892bd84a39d8ac74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a1bdd7b729d6044cce96eab18db2299

SHA1
5d42ed55465b8cb77dceb7e4c364b897e0490da2

SHA256
66fa2f5aeb7f9a80c3841d03f6ff2e2749774d2e0af08831ed70d62859ba0314

SHA512
7f1847bfc0a6d0fc3fcd301ce08f1d2e458f0c9830107eb0499148b92f643bdad3b098d2a7dad75f933fea1a9197615d8d7371f0edfed9fbc3eb83955aef0daa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6599ab318e23049c4d66a73f383c46cf

SHA1
e33a3c155879fb4d17ff9ed8dd7b84a69a3b0f80

SHA256
ec6865bd11f4c08adb60ac8343cb0e3d3c114a914f5c0bd48c19ff59bf55eb37

SHA512
7f09985884b31ffa6ec96aac9a1822b445f96432cc0c5664ebe7cb81570c9eccad5f22ee4a55658d13987c078406a1dc98c0fe30680e70d4df22e2d8c92cc875

Download Submit
C:\Users\Admin\AppData\Local\Temp\8KwMxVG80h.bat

Filesize
225B

MD5
3e207c947825e97c3acb3ea7cb5d2786

SHA1
a16adcb838fa9d43ee66b4331f98782c31ee1456

SHA256
d40e4875d8e91f32f022cee39feedb09109cf797b97eae387149bb88c07c263e

SHA512
bef7e9a497e7739fbe4cd47e0d2dfe5839c6aa6fd636f06ce8788a67d572455488b8aadba78bf02f48d695a5a14abf082f7942252fec3264e9063372306fc81b

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

Filesize
225B

MD5
287a5ae1c8fd63f6d9d35cd19827bb05

SHA1
73a83334c42981d84d24a0109316d5f9c6a3a241

SHA256
7f85d5980c0b0fd28cd706b0ec917efdf5b6e9ef9046b1c9e010363555c22a18

SHA512
b2c4276624c10e6a748cec3d60922a5d093e54ae7e262299e3985e992a96457806ab99d97bac72f2d6d61b4a67d4722fb660552afdbbf775729029bbb6f96f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

Filesize
225B

MD5
38183344245fe5c690c0844ce8331227

SHA1
449c0d0dc9f674f8a5fcc937d946e3c32a3243c5

SHA256
da247a301bdc06886ac7944dfd22d2de54622d3a72af9536b57fbe2b2af3ca3d

SHA512
7b65af36070e1b89ea50e684ea3d873f0e6080f2f5584810b040990ce461d198fb2338dfa68498d2841cdb254ad2115965e79b7f73eab7cf1a088fec70ee4f36

Download Submit
C:\Users\Admin\AppData\Local\Temp\9kwbr7Wkdx.bat

Filesize
225B

MD5
d62e8c2e48964a3bab00f15d07013b6b

SHA1
60416ea8529028833d9c3902fcdd1265e89a1e97

SHA256
c55a301a5e82a74bcf44cbc5fa2d71b257ca368475fb6a02b3a8b0e58445b508

SHA512
65918fd26a0f1590cfeb923de347eecc54f1ad8070ee6b6cd96c9c65728fd0a34e436b3c6d519bb53da4b152e687bdbc29e7e0d238530dc81daa5ec358e72cc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab32C6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat

Filesize
225B

MD5
40012f6525e6773d50d7eb5c9e7edcc6

SHA1
95d6359c0cde43c4d39c74005e7c0f2dcb162912

SHA256
c138350628de4422ba8bd2fb7d4753b10f3aa6eb17df5f26717eca06bb2a0947

SHA512
2042d1b00490f85af8b1bfc306d22eeef5235d7386acd858d44c1b582d1851f02614322cec317209c05af50bb81f9897429a6258a0f87263dbaf86660f0c01f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar32F7.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
225B

MD5
95b9211812db4862908f679b19e13b3f

SHA1
90427d61f71041f283b51afeaea7dd19d44e24a7

SHA256
f0de1c5fc1d24742ad3361449e6d96ee7eefac10deac097ce27976b745584b9e

SHA512
b6c860d02f24cfe680cda4546edf4ab5adb0a996b492adf660544d9343efd14f3bc324894a0374d7af115bb49a1ac207f55fa2a3d85f7c921c7478bf529f2dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\cnsnMHUbNI.bat

Filesize
225B

MD5
f1d837ca06bad691a36cac1ef6de86e3

SHA1
de5d0830c8ae1c82a1fc44e88064e8fc3a72aca5

SHA256
1a0f8be92cb653e6192a4b60a8eb0b3e97d2a5fa908dfca870af4bc505512c69

SHA512
787d021fffc56e87d4f27273fefe37d90ecfbad77e78df4ef8620e419f3ecf09573f9fe6f0af26f85d54af0db225644f04ff015a4e046b0845a67b3f91c73dd0

Download Submit
C:\Users\Admin\AppData\Local\Temp\oS12nhm3yC.bat

Filesize
225B

MD5
db11ecf188fa67af12c52673154faa07

SHA1
cf0025b14646d6dfba7f4367337e1e78faa324e3

SHA256
526db3e8fbf16bc8758c5f1997aebc9c820554763ad530940b067e4f952cd97f

SHA512
89889d08a51e2c75f1bbc7d0f23be5c2675c95e0c44e8cc9858b445f11f2d39fed57847f5516996636d96f93a57b275d5494b95a94162259666bc58d8ba47be4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
225B

MD5
6f24272d5263e9125bffcef4d866847e

SHA1
4f91b9e8ecedd520849f9800ee8a19729877152c

SHA256
0e0407533d066d682deded74b6eb011c9265f7d20d375e6138427b536ae9a8f0

SHA512
0a58a6dcbf8b7eb64e53b2cc749539329f2cfc508e3d382d325a4bc51642830b89f66d3a76b91a29a291f6fb0b61f334f17817a75fbe70b987baf2c838a0e3ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
225B

MD5
5134d557e223ad3da694ad53bceca471

SHA1
149d51e0c7be2ac0b8acd2a1c632ff6989499819

SHA256
cbe76a3af3014f5abb4e738e9d1a53a6638cb1d642deabdbe88ca43a19593fc1

SHA512
0928c9704521457bc371ad77969fbd2466f6f475e16c6a21df01dcc9a78a0279865624876366fb15f7244bbcd3cabe140079ff2d9789ef43cced251b6308be3a

Download Submit
C:\Users\Admin\AppData\Local\Temp\zcjutnjrcv.bat

Filesize
225B

MD5
6f74c6f85368f15e208655442788a01c

SHA1
b0bf68e1ff8498a0865270dd79fd85a81ce935ec

SHA256
5be2482dfc8a6ef7f41289e484d490ce2a5fcae56084734a1b857c491c014431

SHA512
00eb33484814be40ae8ee3819060fcbfac3b8a2d2b019b36bf2420b1dbd20296af1512b621036b10e8ffd444fd14a2e20f8eb0dc3d862df4cd086e5290840b9b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6e9cdb0842585b5bbc8a67503b83adee

SHA1
e711bf2d3ebf9859509dfb73892e4941c6bf4da2

SHA256
72e4cbbf861411507e9130221dfb41adbdf6cace20759169223928c2a3f962f3

SHA512
f719624bc7713c23cb55450303abc0f7bae6084551397f20286e59326654017be4e0f335da8c916d5c705b720ed0ddefa7a25bd10dc3e377181d542d42065072

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/556-131-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/1340-311-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/1340-312-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1668-46-0x000000001B6B0000-0x000000001B992000-memory.dmp

Filesize
2.9MB

Download
memory/1736-431-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2312-251-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/2740-191-0x0000000000E80000-0x0000000000F90000-memory.dmp

Filesize
1.1MB

Download
memory/2916-41-0x0000000000BD0000-0x0000000000CE0000-memory.dmp

Filesize
1.1MB

Download
memory/2996-17-0x0000000000890000-0x000000000089C000-memory.dmp

Filesize
48KB

Download
memory/2996-16-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/2996-15-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2996-14-0x0000000000540000-0x0000000000552000-memory.dmp

Filesize
72KB

Download
memory/2996-13-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/3008-48-0x0000000001DF0000-0x0000000001DF8000-memory.dmp

Filesize
32KB

Download