dcrat | 87907908a43920ef4cd666aa7978831f8253c5ceadebd835102de90ee6ce4368

Analysis

max time kernel
143s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_87907908a43920ef4cd666aa7978831f8253c5ceadebd835102de90ee6ce4368.exe
Size

1.3MB
MD5

1688f7eda68329150d3b786ed56dd32b
SHA1

be81966522800089b2ce26c191ca142a7e10dbb9
SHA256

87907908a43920ef4cd666aa7978831f8253c5ceadebd835102de90ee6ce4368
SHA512

1447837c15dab8149d2d0f33afc742f6e60c1ac8753568b9d410953b0db578129a9982844a8773f96bc7cadfd43a81b845bdae9d9acbaec1c90f7e2f7096d599
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	548	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2084	2852	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	2852	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016141-12.dat	dcrat
behavioral1/memory/2724-13-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/1372-57-0x0000000000920000-0x0000000000A30000-memory.dmp	dcrat
behavioral1/memory/624-145-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2316-265-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/604-384-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/940-444-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/1160-504-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2664-683-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2444	powershell.exe
576	powershell.exe
2236	powershell.exe
2924	powershell.exe
692	powershell.exe
1332	powershell.exe
1608	powershell.exe
1612	powershell.exe
2968	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2724	DllCommonsvc.exe
1372	Idle.exe
624	Idle.exe
1380	Idle.exe
2316	Idle.exe
2100	Idle.exe
604	Idle.exe
940	Idle.exe
1160	Idle.exe
2628	Idle.exe
760	Idle.exe
2664	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2320	cmd.exe
2320	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Games\More Games\it-IT\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Games\More Games\it-IT\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\6ccacd8608530f	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_87907908a43920ef4cd666aa7978831f8253c5ceadebd835102de90ee6ce4368.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1488	schtasks.exe
2084	schtasks.exe
1784	schtasks.exe
2760	schtasks.exe
2672	schtasks.exe
2836	schtasks.exe
1620	schtasks.exe
3052	schtasks.exe
2132	schtasks.exe
1844	schtasks.exe
2196	schtasks.exe
1904	schtasks.exe
1312	schtasks.exe
2696	schtasks.exe
2832	schtasks.exe
2348	schtasks.exe
548	schtasks.exe
1664	schtasks.exe
908	schtasks.exe
2600	schtasks.exe
2080	schtasks.exe
1648	schtasks.exe
828	schtasks.exe
1836	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
2724	DllCommonsvc.exe
1608	powershell.exe
2968	powershell.exe
576	powershell.exe
2924	powershell.exe
2444	powershell.exe
1332	powershell.exe
1372	Idle.exe
692	powershell.exe
1612	powershell.exe
2236	powershell.exe
624	Idle.exe
1380	Idle.exe
2316	Idle.exe
2100	Idle.exe
604	Idle.exe
940	Idle.exe
1160	Idle.exe
2628	Idle.exe
760	Idle.exe
2664	Idle.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	2968	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	1372	Idle.exe
Token: SeDebugPrivilege	2924	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	1332	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	624	Idle.exe
Token: SeDebugPrivilege	1380	Idle.exe
Token: SeDebugPrivilege	2316	Idle.exe
Token: SeDebugPrivilege	2100	Idle.exe
Token: SeDebugPrivilege	604	Idle.exe
Token: SeDebugPrivilege	940	Idle.exe
Token: SeDebugPrivilege	1160	Idle.exe
Token: SeDebugPrivilege	2628	Idle.exe
Token: SeDebugPrivilege	760	Idle.exe
Token: SeDebugPrivilege	2664	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2540	1984	JaffaCakes118_87907908a43920ef4cd666aa7978831f8253c5ceadebd835102de90ee6ce4368.exe	30
PID 1984 wrote to memory of 2540	1984	JaffaCakes118_87907908a43920ef4cd666aa7978831f8253c5ceadebd835102de90ee6ce4368.exe	30
PID 1984 wrote to memory of 2540	1984	JaffaCakes118_87907908a43920ef4cd666aa7978831f8253c5ceadebd835102de90ee6ce4368.exe	30
PID 1984 wrote to memory of 2540	1984	JaffaCakes118_87907908a43920ef4cd666aa7978831f8253c5ceadebd835102de90ee6ce4368.exe	30
PID 2540 wrote to memory of 2320	2540	WScript.exe	31
PID 2540 wrote to memory of 2320	2540	WScript.exe	31
PID 2540 wrote to memory of 2320	2540	WScript.exe	31
PID 2540 wrote to memory of 2320	2540	WScript.exe	31
PID 2320 wrote to memory of 2724	2320	cmd.exe	33
PID 2320 wrote to memory of 2724	2320	cmd.exe	33
PID 2320 wrote to memory of 2724	2320	cmd.exe	33
PID 2320 wrote to memory of 2724	2320	cmd.exe	33
PID 2724 wrote to memory of 692	2724	DllCommonsvc.exe	59
PID 2724 wrote to memory of 692	2724	DllCommonsvc.exe	59
PID 2724 wrote to memory of 692	2724	DllCommonsvc.exe	59
PID 2724 wrote to memory of 2968	2724	DllCommonsvc.exe	60
PID 2724 wrote to memory of 2968	2724	DllCommonsvc.exe	60
PID 2724 wrote to memory of 2968	2724	DllCommonsvc.exe	60
PID 2724 wrote to memory of 2924	2724	DllCommonsvc.exe	62
PID 2724 wrote to memory of 2924	2724	DllCommonsvc.exe	62
PID 2724 wrote to memory of 2924	2724	DllCommonsvc.exe	62
PID 2724 wrote to memory of 2236	2724	DllCommonsvc.exe	63
PID 2724 wrote to memory of 2236	2724	DllCommonsvc.exe	63
PID 2724 wrote to memory of 2236	2724	DllCommonsvc.exe	63
PID 2724 wrote to memory of 576	2724	DllCommonsvc.exe	65
PID 2724 wrote to memory of 576	2724	DllCommonsvc.exe	65
PID 2724 wrote to memory of 576	2724	DllCommonsvc.exe	65
PID 2724 wrote to memory of 1612	2724	DllCommonsvc.exe	67
PID 2724 wrote to memory of 1612	2724	DllCommonsvc.exe	67
PID 2724 wrote to memory of 1612	2724	DllCommonsvc.exe	67
PID 2724 wrote to memory of 1608	2724	DllCommonsvc.exe	68
PID 2724 wrote to memory of 1608	2724	DllCommonsvc.exe	68
PID 2724 wrote to memory of 1608	2724	DllCommonsvc.exe	68
PID 2724 wrote to memory of 2444	2724	DllCommonsvc.exe	69
PID 2724 wrote to memory of 2444	2724	DllCommonsvc.exe	69
PID 2724 wrote to memory of 2444	2724	DllCommonsvc.exe	69
PID 2724 wrote to memory of 1332	2724	DllCommonsvc.exe	70
PID 2724 wrote to memory of 1332	2724	DllCommonsvc.exe	70
PID 2724 wrote to memory of 1332	2724	DllCommonsvc.exe	70
PID 2724 wrote to memory of 1372	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 1372	2724	DllCommonsvc.exe	77
PID 2724 wrote to memory of 1372	2724	DllCommonsvc.exe	77
PID 1372 wrote to memory of 2284	1372	Idle.exe	79
PID 1372 wrote to memory of 2284	1372	Idle.exe	79
PID 1372 wrote to memory of 2284	1372	Idle.exe	79
PID 2284 wrote to memory of 2496	2284	cmd.exe	81
PID 2284 wrote to memory of 2496	2284	cmd.exe	81
PID 2284 wrote to memory of 2496	2284	cmd.exe	81
PID 2284 wrote to memory of 624	2284	cmd.exe	82
PID 2284 wrote to memory of 624	2284	cmd.exe	82
PID 2284 wrote to memory of 624	2284	cmd.exe	82
PID 624 wrote to memory of 1928	624	Idle.exe	83
PID 624 wrote to memory of 1928	624	Idle.exe	83
PID 624 wrote to memory of 1928	624	Idle.exe	83
PID 1928 wrote to memory of 2348	1928	cmd.exe	85
PID 1928 wrote to memory of 2348	1928	cmd.exe	85
PID 1928 wrote to memory of 2348	1928	cmd.exe	85
PID 1928 wrote to memory of 1380	1928	cmd.exe	86
PID 1928 wrote to memory of 1380	1928	cmd.exe	86
PID 1928 wrote to memory of 1380	1928	cmd.exe	86
PID 1380 wrote to memory of 2016	1380	Idle.exe	87
PID 1380 wrote to memory of 2016	1380	Idle.exe	87
PID 1380 wrote to memory of 2016	1380	Idle.exe	87
PID 2016 wrote to memory of 2524	2016	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87907908a43920ef4cd666aa7978831f8253c5ceadebd835102de90ee6ce4368.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_87907908a43920ef4cd666aa7978831f8253c5ceadebd835102de90ee6ce4368.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2320
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Updater6\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Games\More Games\it-IT\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1332
    - - C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1372
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2284
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2496
        
        C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2348
        
        C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2524
        
        C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat"
        12⤵
        
        PID:1852
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1848
        
        C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat"
        14⤵
        
        PID:740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2820
        
        C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat"
        16⤵
        
        PID:2500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1600
        
        C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat"
        18⤵
        
        PID:2708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2232
        
        C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat"
        20⤵
        
        PID:1112
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2748
        
        C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
        22⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:692
        
        C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat"
        24⤵
        
        PID:3020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1388
        
        C:\Windows\Migration\WTR\Idle.exe
        
        "C:\Windows\Migration\WTR\Idle.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Adobe\Updater6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.en\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files\Microsoft Games\More Games\it-IT\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Microsoft Games\More Games\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Games\More Games\it-IT\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47222a682af3395f3694c1398f2dbedf

SHA1
fb34c6a81053b5a332304bc655e56241b89e64d0

SHA256
13a2c51cc9c4735f8fb6b97cab0ad5d32cbfe5b73f71e34a6146fb36725f8f37

SHA512
db1a0c7043036451aac5180dd9b1fcbac4685bed377348a208a5a5fb2c550a960a019b7068190adc79eb6bffcaf13e9606ddc507cd54de930fffd6e711214fd2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b2d0eabeb96e6d91671df771af844bc

SHA1
634a4e476a3e85e60a5316a14336fddf135d640c

SHA256
39f54490399327ba07b2694239dfb93c87320f9fecf8a2783c1ac39943d9c5e6

SHA512
7317d6d162274413c876b1328d6c1528d3a6bb1a7d307730127f4ff7225d2004c7e4d4c5c8ef9b760b6748db6c15cee722a2a86d581f8abd88bcf9da760ef4b0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dabb4aa3e7780afcb70f13386384375b

SHA1
8f4c9378920912bd337e64926a1ecd4b6003e864

SHA256
9ca94f4b76b9cea79cb47643b602c3f592ac1700f5004fee3e66da58ac42055f

SHA512
054bbeba17e83ba794ef769e06f007308afdeebe011e038716fd8ec68c4500de61a7bff62579ef87e0c3cf7d77378651ab399ed25570c3e74a6bf35e470bac07

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fedc21993471b3c60b723f3b8cacee45

SHA1
0183ff1ded6e6ef2012cab4cca866092af920861

SHA256
0fce8247175457135b8d9abd98453b0c84ab4e465975d4b7a9c04b7ff1c42987

SHA512
6bd0f0870544d669ad58ee5af40f4496da2e268e4ae4e91110a7092dd18a01aec2372f64074139f99af53a03ad035d8afedf56c25d5e3b2357cc5dab28d516ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5a3f8cca844ec6048e382513df5ba4e8

SHA1
2e05e149c0f651120e6127f9b47f36e6d8c1a0b1

SHA256
024a84b0251bfafd0fd7b921861bd372144971654b40a120c9d8c397ca7643e7

SHA512
61310b5ba6d44da1fa5344cb90fbd7a913935c28847e655d9a6c0f48164ca96005f8628ca811e6d05d07ba8c9d3058b2ff979d370455c4c601f8d443f766f49f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16e35ccc4c04d3f819ec53cc3323d0bf

SHA1
552df8980067b5614373064ea383dbc44cfdf845

SHA256
8f7b45e0528a33210af05c826094f8e1e6a27238e53c9ec9431a8e6486613cd4

SHA512
ef55baa7dd368e4661c018af935d49c5e71a196bd89db4a9540b3bd57ee1c8b5173e92cf22999f7fd857dbe73b24ca3735c76ed8a6216fd7c45f59d70f5d7e2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
400a60e3f35a92af4de4c9d7bc6e39a6

SHA1
af495e051f8edc4de795ed9daf7569cb54d3c2b2

SHA256
dd5c245c76bc146d69242bafdc61a0e7c26441fa67808537a2b4746e9e62d578

SHA512
e487f081da3d3ed49b7e27886a409e48352e2f9b7f65a3855cd341bde4e89a7a451bdfaf4407867febe2ca769c9c969f277ad6d8a0c99d71d5d55e9ed3bfe662

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b1873ba84f11267e0b872ae145c23ba

SHA1
9149c29cdd86fe6a59fe14436e4a8e1241a1ec0d

SHA256
147bb355354f859abcb51d2f0f94a05f3d6eaab2c9789247ba39ff711937152c

SHA512
effebce8251a4a6417a8c82da1d71fee6a9f5b1b73fbdae7f20123a9901c5b3f06f7f08fb754a31a36e7c79b63b8724e62986793fda8e3d0cff691750b4ab5b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c042b40e48079b8b90928c0abad1c83

SHA1
f4302b8919d5c676f6cde21dd09dad56ea2144a1

SHA256
dfd7d8a336976d657b62f0a9dc80999f14c10566d4dc8ae5b14b55800a92bc72

SHA512
01265e4e9cd60202ced6d86d7e1185d8177b3f3cf75d50a1f6b7cf3c1ab27335b1c2aae360c73b44ecec9ee2b6a096d299fe7e00746c19003d8726a3ea301e67

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCE1A.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db6xYfwFNB.bat

Filesize
198B

MD5
bea74b43859fbd825ddd3d99d22869a0

SHA1
a35cb6a41198a1f25d604c0606d3848088331fb7

SHA256
d58668879e0d09fe5ca79dd0f5a13b88c419f05f7cbd8f861c6551cac05a4d82

SHA512
ac8f0ea26ae93393c8e0470bf1aecba952f74c6297d18854368ec8d27b42529aff7a4c8476aa0cef4cdb8f72565b11b577f901b57de85909de4fc21a5c08b4de

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBIFf9IaIr.bat

Filesize
198B

MD5
ecd1b847da9187aa766b59062decdf60

SHA1
404d7c96d464c5f1745ed861f731827afad0b11b

SHA256
240915616169a878874446fa036174e1b6f4a2bef7e38ae0b21f7bf414348b1b

SHA512
9db5953d778d8f443f17bddee8fec85de4c8f3498a9a895bede287bb9d61d5d8c38d920ad45ce94867b32d650bbddc8ca855070a383789f00ef9e595f9738a95

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE5C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

Filesize
198B

MD5
d8605069b72481be681c5f894204b55a

SHA1
2d86e805f76e3f41815322ba0a53a6c42db2723a

SHA256
ce9e045e67132c536d401bc890a0045883a5609374af254afe339d1f812cfb39

SHA512
3360e67a8f493071d4edd4ed3615856148073c7756e599129bcff265a4f1342e011d2606d6c0692186b9b7a71c8ff51a2e6aed0b62d915f5be3584af5515fd2d

Download Submit
C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat

Filesize
198B

MD5
a2d114eba277588dbe833d0fb568bf7a

SHA1
3369f0be2bbd80b757a91d8a26408234eada634e

SHA256
e8487b0848cbde867a80217506d73c7abc32897b70f5e33accd0f64eec6ce510

SHA512
d3da564d66b660912dc69751d5628827037f3f2275552fa81bcfebd5ac3d30f7cd4de0a5dafbe15300e0b47edea4ff12c4ba7f5156e9388d3dea2a05af5963e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\aPx44ABVco.bat

Filesize
198B

MD5
cb286db05e9e1630bed16ce159d7f358

SHA1
6031bf7818f3f88ff0a43cddaa1484cb68b9d19f

SHA256
25184e94eee897bb0c0f6e318b01294698f0874a1967614b48c4eefb1ad5de14

SHA512
bbd2eed088ca003922c6e894003c576f109844445658dbaa1ca174d7ecec4de6bdaa7d16974e8822ac8e14676747b46eab202edb9bd11c2aeb801442c3aa9b95

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat

Filesize
198B

MD5
a867d9b7952fceff54203979ca7d5588

SHA1
ff6766df3baf4b9f1d51e8b4410fc464d9a694d7

SHA256
a797cd4e65080f4f4cb2372400dc57dda07b5e8211d56aff90c311fdebd65c4b

SHA512
971559b6123f95307536f84ea24e34576e69ba69e7bd25cbf4f72d3fc4a95b733ca017ba576f61162d932e53863a1aabf7c4aa6d16cc9370316a038a5064b88f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gPrDhQDX5J.bat

Filesize
198B

MD5
3d3a407c48049ea0c96dbc0ef685b2ed

SHA1
468efd086b2de4fc36f2ede22ce9801a91bf79be

SHA256
7198aadadaf0384d0403af1f441ce6ef8c16eeadfe0959d6103b5e69b3f1dc03

SHA512
59ca3374cfdc51f26753e68c79e78e6f7622c9816688d64bd887da33c95676737ee2bf9994770fbfea90edc65c0b204db786ba576dac75cb489e094e0db2dd6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\grdey4A1QM.bat

Filesize
198B

MD5
24c63d0de763323286c69b7ccbf4e401

SHA1
0d743950c999c5928adbef11147e5e6b072780d9

SHA256
91488bd6bf2375903d0157746181afd9069451271c3890cd5e8c2c08266d2291

SHA512
4804cddc3e3a9899c088ee0bb132546befbfb19f404c74ccc4a5c7fdafd036f15eb56701b979f3f431cf5a1feba7e66b103ded04bf934fbcc0c7d47589fee37c

Download Submit
C:\Users\Admin\AppData\Local\Temp\iYTmIkWLiw.bat

Filesize
198B

MD5
1d3dc4844c4c96e8ca895f3e63ebfae2

SHA1
6b9033f033d3c84a0aec955ec8a04860f8a5da01

SHA256
7e931aca55b5d1d7e7dc229d930f03034e0c3de083f67997c0a32ce8862c63eb

SHA512
36d4a6586b846894eff12ebe3c2c917a7a8a57996d0048751005c979c6bd04a81bc4b05ca51893fa61f9d5b686d5dd39d9e45d7266b638f0d07809a9d3dd87ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\svsOdT1nlB.bat

Filesize
198B

MD5
63d13a84c435d759bb8e2592e773cce9

SHA1
343b5c5442780098914397d7228628f74d95ca90

SHA256
95168be1cff2bac56f03051d427f0bb0e7b306ca5a9d87fbd4758b15129b9e44

SHA512
232b29f9fae669a35ec9f4948e6a0c6a5816ab0c5ac9d9b28d686543faa492fb37f6c5733f75d5882ef418a889e6e77fc863bb3d368a3b3bdbd61ef2d3c931a5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
561f0a4cca49774012ee391edc5b7c66

SHA1
e882af84a1f0d0b886b7e4e37077a5b971f2ddbf

SHA256
13889656c1919463b96ceb0f5e06bdc0aa8eb56836e763fb7445f99771274e8d

SHA512
ed190762cee44e1b7be4d44de56eef1af7924b4f4dde3074de0dea40c1b0de2e0e1048c6869476e31ab511ea742df85210376d8782760c03ee229824a72a0d62

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/604-384-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/624-145-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/624-146-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/940-444-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/1160-504-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1160-505-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1372-57-0x0000000000920000-0x0000000000A30000-memory.dmp

Filesize
1.1MB

Download
memory/1608-56-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/1608-55-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2316-265-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2664-683-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2724-13-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/2724-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2724-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2724-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download