dcrat | ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe
Size

1.3MB
MD5

5459f21169d40bd5368f12480400dde5
SHA1

84e58ac7c0bef5d3efe29d94511bf700520c1121
SHA256

ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3
SHA512

c38c88cdf945b2e10a728e2e39ea6dc5bdf6a39f205dbef827377737b1f59d5881bb1a86477464a5fd26d7439b8c3823032fa1099c4d45a4cca408e8deff2c7b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	388	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	1520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1520	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016458-9.dat	dcrat
behavioral1/memory/3028-13-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/1008-61-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/2428-155-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat
behavioral1/memory/2928-215-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2840-275-0x0000000000AE0000-0x0000000000BF0000-memory.dmp	dcrat
behavioral1/memory/1672-335-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2000-395-0x0000000000870000-0x0000000000980000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
648	powershell.exe
3060	powershell.exe
2092	powershell.exe
788	powershell.exe
2264	powershell.exe
928	powershell.exe
1796	powershell.exe
1040	powershell.exe
1464	powershell.exe
2408	powershell.exe
324	powershell.exe
1768	powershell.exe

Executes dropped EXE 8 IoCs

pid	Process
3028	DllCommonsvc.exe
1008	services.exe
2428	services.exe
2928	services.exe
2840	services.exe
1672	services.exe
2000	services.exe
816	services.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	cmd.exe
2916	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
27	raw.githubusercontent.com
30	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\en-US\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3012	schtasks.exe
2096	schtasks.exe
2880	schtasks.exe
2888	schtasks.exe
580	schtasks.exe
1036	schtasks.exe
1692	schtasks.exe
388	schtasks.exe
1672	schtasks.exe
2028	schtasks.exe
2232	schtasks.exe
2176	schtasks.exe
2024	schtasks.exe
760	schtasks.exe
1572	schtasks.exe
544	schtasks.exe
880	schtasks.exe
1812	schtasks.exe
1072	schtasks.exe
1844	schtasks.exe
1076	schtasks.exe
2284	schtasks.exe
1640	schtasks.exe
2396	schtasks.exe
2196	schtasks.exe
1948	schtasks.exe
824	schtasks.exe
2512	schtasks.exe
2968	schtasks.exe
2156	schtasks.exe
2596	schtasks.exe
2132	schtasks.exe
2816	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
928	powershell.exe
1464	powershell.exe
324	powershell.exe
2092	powershell.exe
1768	powershell.exe
2264	powershell.exe
1040	powershell.exe
648	powershell.exe
2408	powershell.exe
1796	powershell.exe
788	powershell.exe
3060	powershell.exe
1008	services.exe
2428	services.exe
2928	services.exe
2840	services.exe
1672	services.exe
2000	services.exe
816	services.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	DllCommonsvc.exe
Token: SeDebugPrivilege	928	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	1008	services.exe
Token: SeDebugPrivilege	2092	powershell.exe
Token: SeDebugPrivilege	1768	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	2408	powershell.exe
Token: SeDebugPrivilege	1796	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeDebugPrivilege	2428	services.exe
Token: SeDebugPrivilege	2928	services.exe
Token: SeDebugPrivilege	2840	services.exe
Token: SeDebugPrivilege	1672	services.exe
Token: SeDebugPrivilege	2000	services.exe
Token: SeDebugPrivilege	816	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe	30
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe	30
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe	30
PID 2740 wrote to memory of 2180	2740	JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe	30
PID 2180 wrote to memory of 2916	2180	WScript.exe	31
PID 2180 wrote to memory of 2916	2180	WScript.exe	31
PID 2180 wrote to memory of 2916	2180	WScript.exe	31
PID 2180 wrote to memory of 2916	2180	WScript.exe	31
PID 2916 wrote to memory of 3028	2916	cmd.exe	33
PID 2916 wrote to memory of 3028	2916	cmd.exe	33
PID 2916 wrote to memory of 3028	2916	cmd.exe	33
PID 2916 wrote to memory of 3028	2916	cmd.exe	33
PID 3028 wrote to memory of 3060	3028	DllCommonsvc.exe	69
PID 3028 wrote to memory of 3060	3028	DllCommonsvc.exe	69
PID 3028 wrote to memory of 3060	3028	DllCommonsvc.exe	69
PID 3028 wrote to memory of 2092	3028	DllCommonsvc.exe	70
PID 3028 wrote to memory of 2092	3028	DllCommonsvc.exe	70
PID 3028 wrote to memory of 2092	3028	DllCommonsvc.exe	70
PID 3028 wrote to memory of 648	3028	DllCommonsvc.exe	71
PID 3028 wrote to memory of 648	3028	DllCommonsvc.exe	71
PID 3028 wrote to memory of 648	3028	DllCommonsvc.exe	71
PID 3028 wrote to memory of 1796	3028	DllCommonsvc.exe	73
PID 3028 wrote to memory of 1796	3028	DllCommonsvc.exe	73
PID 3028 wrote to memory of 1796	3028	DllCommonsvc.exe	73
PID 3028 wrote to memory of 788	3028	DllCommonsvc.exe	75
PID 3028 wrote to memory of 788	3028	DllCommonsvc.exe	75
PID 3028 wrote to memory of 788	3028	DllCommonsvc.exe	75
PID 3028 wrote to memory of 1768	3028	DllCommonsvc.exe	76
PID 3028 wrote to memory of 1768	3028	DllCommonsvc.exe	76
PID 3028 wrote to memory of 1768	3028	DllCommonsvc.exe	76
PID 3028 wrote to memory of 1040	3028	DllCommonsvc.exe	77
PID 3028 wrote to memory of 1040	3028	DllCommonsvc.exe	77
PID 3028 wrote to memory of 1040	3028	DllCommonsvc.exe	77
PID 3028 wrote to memory of 1464	3028	DllCommonsvc.exe	78
PID 3028 wrote to memory of 1464	3028	DllCommonsvc.exe	78
PID 3028 wrote to memory of 1464	3028	DllCommonsvc.exe	78
PID 3028 wrote to memory of 2408	3028	DllCommonsvc.exe	79
PID 3028 wrote to memory of 2408	3028	DllCommonsvc.exe	79
PID 3028 wrote to memory of 2408	3028	DllCommonsvc.exe	79
PID 3028 wrote to memory of 324	3028	DllCommonsvc.exe	80
PID 3028 wrote to memory of 324	3028	DllCommonsvc.exe	80
PID 3028 wrote to memory of 324	3028	DllCommonsvc.exe	80
PID 3028 wrote to memory of 2264	3028	DllCommonsvc.exe	81
PID 3028 wrote to memory of 2264	3028	DllCommonsvc.exe	81
PID 3028 wrote to memory of 2264	3028	DllCommonsvc.exe	81
PID 3028 wrote to memory of 928	3028	DllCommonsvc.exe	82
PID 3028 wrote to memory of 928	3028	DllCommonsvc.exe	82
PID 3028 wrote to memory of 928	3028	DllCommonsvc.exe	82
PID 3028 wrote to memory of 1008	3028	DllCommonsvc.exe	93
PID 3028 wrote to memory of 1008	3028	DllCommonsvc.exe	93
PID 3028 wrote to memory of 1008	3028	DllCommonsvc.exe	93
PID 1008 wrote to memory of 2652	1008	services.exe	94
PID 1008 wrote to memory of 2652	1008	services.exe	94
PID 1008 wrote to memory of 2652	1008	services.exe	94
PID 2652 wrote to memory of 880	2652	cmd.exe	96
PID 2652 wrote to memory of 880	2652	cmd.exe	96
PID 2652 wrote to memory of 880	2652	cmd.exe	96
PID 2652 wrote to memory of 2428	2652	cmd.exe	97
PID 2652 wrote to memory of 2428	2652	cmd.exe	97
PID 2652 wrote to memory of 2428	2652	cmd.exe	97
PID 2428 wrote to memory of 1360	2428	services.exe	98
PID 2428 wrote to memory of 1360	2428	services.exe	98
PID 2428 wrote to memory of 1360	2428	services.exe	98
PID 1360 wrote to memory of 992	1360	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ea60a712b05cc76fc5def65eb63d390ec0b2381e8697a2e4ab5b35a92d5ccae3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2740
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\en-US\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:928
    - - C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1008
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:880
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:992
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat"
        10⤵
        
        PID:736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1376
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat"
        12⤵
        
        PID:2984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:880
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat"
        14⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:928
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat"
        16⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1720
        
        C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe
        
        "C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat"
        18⤵
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Users\Public\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Mail\en-US\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Mail\en-US\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d796b0c5bbdb20a6fbe0394ac8a4121

SHA1
48f87abaff5e72115df1f50c6a369d99c43cb541

SHA256
d4e6170cdedcf01d2c4c369049bfab0f8417e43107e9e7449902bb10c1629c6d

SHA512
deaac6c40e9c0c7530b2d3784ea6d580101c377bb281b4c787f1ec51da93a537b83c43f9b20ae6f4905bd382e5d8f5e2cc6519199c238bc6f9b5e8deab6bfaa5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a1ed0a6ff4f39df6991e9f226680e3da

SHA1
239a9977d63c33de2637063a3b6d4e3a45a1c748

SHA256
15e857420fc3c1f2119a229f6b3587e6ae305fc3f7a4ac2dfeedb1c4d5b77386

SHA512
8b243aeef25dfced071aa87a917ad34cccfd374e9750adf7058b4f38769771d5d9bac64c2bac8ca2a4277548e0678ec96255d9b7151168756b0d86f60f6fa49c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1bdfd4c3f08e9b0e5b2d4a821929179

SHA1
d6d27b7383ad0f863b8aed68da33b64c09630ac2

SHA256
c443b231388f94b1372a8e8fe98d7747f741ba663eddd18992d720e4c0914b3e

SHA512
efc09361c911df62b215926a337716d26c018b05c49abe92fec1ba367507efbedda0e7a998a8064b8216ee0c78a4bd0bcf9cf744562fc432ef5ba96e879b4738

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51e5f53ff574da4e0ad31d1b8c86f647

SHA1
5cf3cc8bcb79014b3f1bf6b3a4cda1cd18a82f91

SHA256
75273415b37d85d2082c96754a7d48c174207e0c6e4d08145234844c50df9c63

SHA512
3882b64efd51b7c7134e21ed9b595cb4081ba0782abab749863d5d5021da43a6b9c5b3911dc15b2fd989d6d60a431df294f1a1df9e0342950a74208ec2603048

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9f0b25794c4f88446f19fab731c197b1

SHA1
ec35d0d2d28aa13c4d36224eff17287472eba2e1

SHA256
1210df74b3c829001a08ff2564ce11a702d735c434ac3ec462243bfcf7c4d019

SHA512
beaa9228207ace010210c196dbbcde11abe46776eef4a922eceb550a6e116d7e895823fd48237a32fec7edbff90cd209f417fc8717496856a4555334739625f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9c2ef16f8fc3b5ec49a778a002a9b9ed

SHA1
00e29beeaea930b9adab4a00235b7b333e4aeb9f

SHA256
a6cf41a2a4fd011bf9f139ee5b52cd4c672951388fc62e00fc6b774d482263a9

SHA512
41e8693098e67f13315846d13c8486dc745f1c90c70bd4965463cf927f644462e1b0e82d92019ac6ede33b9f1ddd137273e518f16c69ab9e3539fe24f795f9dc

Download Submit
C:\Users\Admin\AppData\Local\Temp\BlQmztffGe.bat

Filesize
251B

MD5
58d92892ba01f61297957972ddd2ece2

SHA1
07ca1c0b2f909de23a8e9d15fc2ffa23f2840f39

SHA256
4276bf82c15384ed08259acd6cdad29983ae8eac6f93a3344a03ee39bde8fca0

SHA512
9e74e77fa79c461f1e5585a6c184d332493a0e172a90195656778c413c3700f5dfd78c04168a5276b46234c1698c87fd90c72e35e0b78d3bf01eeeb8b5bbc2e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8900.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GKRF07RVHS.bat

Filesize
251B

MD5
7111ea7afd831fc8727c19fe5e120fd7

SHA1
eb55e57650f6e29b8f21febcaa6c70f8ec1001f0

SHA256
c11a72067d98cd0fb55955d889036aa5ce6e81d2044b2a3296936172fe6be116

SHA512
a4e2e54184b4c27db2b9957c7938a06bfffaaad0751fe95d8b7a1f85a0601fa8bfaee9e7bfed4bd17c2b7f475d324dbb54ae1c09197dc323ced29b6e63571335

Download Submit
C:\Users\Admin\AppData\Local\Temp\GN7B3lpeta.bat

Filesize
251B

MD5
aa205461d406f521de3d669169a1f8d7

SHA1
d4c43a5da2835c6e799dccc6790f3bc6bc88485b

SHA256
75f7282dc4ef9acda5a0dd06093b107cc21adc47ba0c6eed5996d4cdcd41accc

SHA512
aee5606fbcef83eacafec8a2a36e264230159b516024c17bf5f90da85ce245e5fc046d042b5e314b434d09e3ac8923594066a088b195fe1956ce06e67327cc95

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar899F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\asjVMp8zxr.bat

Filesize
251B

MD5
c15b22dd8bbc970ca8be6a887e6d7cf4

SHA1
1a58c217324ee621f40426dfc2440a0f38eed53d

SHA256
eb76c22cd44d95327bf70e5f1803e1add220e0e5775fce1ed4b167f2d7d136d2

SHA512
9325d8b439474b15bbeea7797353c9cbf9ba09e6310f0ab0c00738e99740e25793a7b2373069d1bd27eb2388148a62cbca6b611ca24a30837c0a2c271dc5dd84

Download Submit
C:\Users\Admin\AppData\Local\Temp\uuaNNDTqg5.bat

Filesize
251B

MD5
914d2628cd786205e7e92a348157176e

SHA1
1f403a239b71a894add0cd4dd588eba2063f1c23

SHA256
c002f0401cbe1ad08950c07774988870468d1461335e5f0417bfe15080f4ccee

SHA512
92d18078b25d9d5d94c8ffdc2b8ff60b8a4289ac13c2519992d2b5f06162f29e5554103258467540f79e3e9258ac8f82abd1d2499a9dedfb8e25a4bdfce143f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\zDcPfnAXs0.bat

Filesize
251B

MD5
3524026858417a3c54a9716f4f3283d1

SHA1
974dfa11b62949042edf069213bb9896fa6daca5

SHA256
adb53bbb320094d387d5a034649987a0b5e692d88b82bec2f0c6133c633feb08

SHA512
8f8e76fca69f4e1aa8505a420fd2b06449ec8a604ea10e2d41e24bc68ff60fc9c6816fca6077ab0fdf069674f37893086d383d0eaa0fb98470d88c4c40bd1c41

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8e773115d06270ebf6bdb8486d323ea8

SHA1
4bb349d252ae40f793aa0e1c92a7665c4b50dd0a

SHA256
c93256fd8e1556996b2dd61d725e2a9bfcee05e4580659bd4b342d3d3cdef135

SHA512
0a9177228993cc6191dd57aa8705f6cc90c33568cfc808f64ab603311052d86816a55d097e43c5766a940da1e1eb0f2243dbcf14c053d5cafc5f44ee88430dbf

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/816-456-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/928-63-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/928-62-0x000000001B390000-0x000000001B672000-memory.dmp

Filesize
2.9MB

Download
memory/1008-61-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/1008-96-0x00000000006D0000-0x00000000006E2000-memory.dmp

Filesize
72KB

Download
memory/1672-335-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2000-395-0x0000000000870000-0x0000000000980000-memory.dmp

Filesize
1.1MB

Download
memory/2000-396-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2428-155-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/2840-275-0x0000000000AE0000-0x0000000000BF0000-memory.dmp

Filesize
1.1MB

Download
memory/2928-215-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/3028-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/3028-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/3028-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/3028-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/3028-13-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download