dcrat | a2ad0b98f04a954ffe2203faca16b988b7d8492cf0b3ab47079ca52b543edd16

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 11:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a2ad0b98f04a954ffe2203faca16b988b7d8492cf0b3ab47079ca52b543edd16.exe
Size

1.3MB
MD5

ce1112eb0dda7b9e33c704405e7daf3d
SHA1

edeb90c964fd80472272e056763605b1ed372032
SHA256

a2ad0b98f04a954ffe2203faca16b988b7d8492cf0b3ab47079ca52b543edd16
SHA512

a40225cb305e969fe47c71397eaf5b59682f778af61bb3831b601c6fc7d41091037a6780a96e92cc0db5c148171f48c15ac272d298b45b86c35ec0c96466a75a
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	840	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	636	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1428	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1324	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2492	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2492	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019345-9.dat	dcrat
behavioral1/memory/2016-13-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/1240-40-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/408-145-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/2412-205-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/2368-265-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/1240-325-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/2936-385-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/1720-445-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/2292-506-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat
behavioral1/memory/2148-566-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat
behavioral1/memory/2924-627-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2156	powershell.exe
2236	powershell.exe
2292	powershell.exe
2448	powershell.exe
2100	powershell.exe
1904	powershell.exe
2272	powershell.exe
2128	powershell.exe
1780	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2016	DllCommonsvc.exe
1240	explorer.exe
408	explorer.exe
2412	explorer.exe
2368	explorer.exe
1240	explorer.exe
2936	explorer.exe
1720	explorer.exe
2292	explorer.exe
2148	explorer.exe
2924	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2468	cmd.exe
2468	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
29	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Windows Photo Viewer\it-IT\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\it-IT\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\services.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\c5b4cb5e9653cc	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\ebf1f9fa8afd6d	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a2ad0b98f04a954ffe2203faca16b988b7d8492cf0b3ab47079ca52b543edd16.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2780	schtasks.exe
1100	schtasks.exe
1976	schtasks.exe
2296	schtasks.exe
2940	schtasks.exe
2924	schtasks.exe
2616	schtasks.exe
1032	schtasks.exe
1428	schtasks.exe
800	schtasks.exe
2196	schtasks.exe
1228	schtasks.exe
1912	schtasks.exe
1324	schtasks.exe
2636	schtasks.exe
2632	schtasks.exe
840	schtasks.exe
672	schtasks.exe
2136	schtasks.exe
1872	schtasks.exe
2988	schtasks.exe
2000	schtasks.exe
636	schtasks.exe
2912	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2016	DllCommonsvc.exe
2016	DllCommonsvc.exe
2016	DllCommonsvc.exe
2272	powershell.exe
2236	powershell.exe
1780	powershell.exe
2100	powershell.exe
2128	powershell.exe
1904	powershell.exe
2156	powershell.exe
2448	powershell.exe
2292	powershell.exe
1240	explorer.exe
408	explorer.exe
2412	explorer.exe
2368	explorer.exe
1240	explorer.exe
2936	explorer.exe
1720	explorer.exe
2292	explorer.exe
2148	explorer.exe
2924	explorer.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2016	DllCommonsvc.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	2100	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	1240	explorer.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	408	explorer.exe
Token: SeDebugPrivilege	2412	explorer.exe
Token: SeDebugPrivilege	2368	explorer.exe
Token: SeDebugPrivilege	1240	explorer.exe
Token: SeDebugPrivilege	2936	explorer.exe
Token: SeDebugPrivilege	1720	explorer.exe
Token: SeDebugPrivilege	2292	explorer.exe
Token: SeDebugPrivilege	2148	explorer.exe
Token: SeDebugPrivilege	2924	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2284	2368	JaffaCakes118_a2ad0b98f04a954ffe2203faca16b988b7d8492cf0b3ab47079ca52b543edd16.exe	30
PID 2368 wrote to memory of 2284	2368	JaffaCakes118_a2ad0b98f04a954ffe2203faca16b988b7d8492cf0b3ab47079ca52b543edd16.exe	30
PID 2368 wrote to memory of 2284	2368	JaffaCakes118_a2ad0b98f04a954ffe2203faca16b988b7d8492cf0b3ab47079ca52b543edd16.exe	30
PID 2368 wrote to memory of 2284	2368	JaffaCakes118_a2ad0b98f04a954ffe2203faca16b988b7d8492cf0b3ab47079ca52b543edd16.exe	30
PID 2284 wrote to memory of 2468	2284	WScript.exe	31
PID 2284 wrote to memory of 2468	2284	WScript.exe	31
PID 2284 wrote to memory of 2468	2284	WScript.exe	31
PID 2284 wrote to memory of 2468	2284	WScript.exe	31
PID 2468 wrote to memory of 2016	2468	cmd.exe	33
PID 2468 wrote to memory of 2016	2468	cmd.exe	33
PID 2468 wrote to memory of 2016	2468	cmd.exe	33
PID 2468 wrote to memory of 2016	2468	cmd.exe	33
PID 2016 wrote to memory of 2156	2016	DllCommonsvc.exe	59
PID 2016 wrote to memory of 2156	2016	DllCommonsvc.exe	59
PID 2016 wrote to memory of 2156	2016	DllCommonsvc.exe	59
PID 2016 wrote to memory of 2236	2016	DllCommonsvc.exe	60
PID 2016 wrote to memory of 2236	2016	DllCommonsvc.exe	60
PID 2016 wrote to memory of 2236	2016	DllCommonsvc.exe	60
PID 2016 wrote to memory of 2292	2016	DllCommonsvc.exe	61
PID 2016 wrote to memory of 2292	2016	DllCommonsvc.exe	61
PID 2016 wrote to memory of 2292	2016	DllCommonsvc.exe	61
PID 2016 wrote to memory of 2448	2016	DllCommonsvc.exe	62
PID 2016 wrote to memory of 2448	2016	DllCommonsvc.exe	62
PID 2016 wrote to memory of 2448	2016	DllCommonsvc.exe	62
PID 2016 wrote to memory of 2272	2016	DllCommonsvc.exe	63
PID 2016 wrote to memory of 2272	2016	DllCommonsvc.exe	63
PID 2016 wrote to memory of 2272	2016	DllCommonsvc.exe	63
PID 2016 wrote to memory of 1904	2016	DllCommonsvc.exe	64
PID 2016 wrote to memory of 1904	2016	DllCommonsvc.exe	64
PID 2016 wrote to memory of 1904	2016	DllCommonsvc.exe	64
PID 2016 wrote to memory of 2100	2016	DllCommonsvc.exe	66
PID 2016 wrote to memory of 2100	2016	DllCommonsvc.exe	66
PID 2016 wrote to memory of 2100	2016	DllCommonsvc.exe	66
PID 2016 wrote to memory of 1780	2016	DllCommonsvc.exe	67
PID 2016 wrote to memory of 1780	2016	DllCommonsvc.exe	67
PID 2016 wrote to memory of 1780	2016	DllCommonsvc.exe	67
PID 2016 wrote to memory of 2128	2016	DllCommonsvc.exe	69
PID 2016 wrote to memory of 2128	2016	DllCommonsvc.exe	69
PID 2016 wrote to memory of 2128	2016	DllCommonsvc.exe	69
PID 2016 wrote to memory of 1240	2016	DllCommonsvc.exe	77
PID 2016 wrote to memory of 1240	2016	DllCommonsvc.exe	77
PID 2016 wrote to memory of 1240	2016	DllCommonsvc.exe	77
PID 1240 wrote to memory of 2352	1240	explorer.exe	79
PID 1240 wrote to memory of 2352	1240	explorer.exe	79
PID 1240 wrote to memory of 2352	1240	explorer.exe	79
PID 2352 wrote to memory of 2120	2352	cmd.exe	81
PID 2352 wrote to memory of 2120	2352	cmd.exe	81
PID 2352 wrote to memory of 2120	2352	cmd.exe	81
PID 2352 wrote to memory of 408	2352	cmd.exe	82
PID 2352 wrote to memory of 408	2352	cmd.exe	82
PID 2352 wrote to memory of 408	2352	cmd.exe	82
PID 408 wrote to memory of 612	408	explorer.exe	83
PID 408 wrote to memory of 612	408	explorer.exe	83
PID 408 wrote to memory of 612	408	explorer.exe	83
PID 612 wrote to memory of 1032	612	cmd.exe	85
PID 612 wrote to memory of 1032	612	cmd.exe	85
PID 612 wrote to memory of 1032	612	cmd.exe	85
PID 612 wrote to memory of 2412	612	cmd.exe	86
PID 612 wrote to memory of 2412	612	cmd.exe	86
PID 612 wrote to memory of 2412	612	cmd.exe	86
PID 2412 wrote to memory of 2248	2412	explorer.exe	87
PID 2412 wrote to memory of 2248	2412	explorer.exe	87
PID 2412 wrote to memory of 2248	2412	explorer.exe	87
PID 2248 wrote to memory of 1588	2248	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2ad0b98f04a954ffe2203faca16b988b7d8492cf0b3ab47079ca52b543edd16.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a2ad0b98f04a954ffe2203faca16b988b7d8492cf0b3ab47079ca52b543edd16.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2468
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\it-IT\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1240
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2120
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1032
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2248
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1588
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat"
        12⤵
        
        PID:2892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2692
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat"
        14⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2868
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        16⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1748
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat"
        18⤵
        
        PID:1076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1908
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
        20⤵
        
        PID:1408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3068
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat"
        22⤵
        
        PID:844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2128
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Photo Viewer\it-IT\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Pictures\Sample Pictures\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Internet Explorer\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Internet Explorer\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\7-Zip\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Program Files\7-Zip\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Cursors\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ddf7b591b36b447b63b47cc7d37a44fd

SHA1
103c3802f46f98179a86c8ec0d4b2f4c94343044

SHA256
cdbb14798dc7f79bc2c27eeaf450f42bb26190009b608a96d52dcc358c8de982

SHA512
7f3b380e0e363c4e4e728ee906ca7c81edd3c11c9b79a9249205181776a5bfe864e2d940ae0d7909d57abd49671957751474564ee14eeb5149ccff9f8d09b765

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ad6acad5939a28fbd8517b0f238a941

SHA1
271fc1363fa422fe51a8f850ebe3edef2ec110dc

SHA256
39cb9eee501ce807c29253f0cb0b3d964a67e51f629221ec76f79ac26012e030

SHA512
7924951c515e74bdb279fec7e12051499dfee31a84ba001d526f276cdf04477bf2e2d5dbeac9cff0f83fe0272de7194101a08267258e19c73aefd2292520fc21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dd5dcf589348e7219e0518f47f115395

SHA1
65f0c4e7b53e50040e81e469b550b421dc74e56f

SHA256
c484c2b2b3214be1b3ba5dc2c932fd7c60d648a95b61feb5522879980edb764b

SHA512
18335ac1547c36463f996c90b2f31a022717f61b1f16598df86d13354212f878fe88d4502c868b3ee6672975293ad483bf89c9e5a3ac08d5d8b95281d2d5be5f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fcd6f44a1c32988917cd414e5e205bcb

SHA1
c0cf073ec73e28a61dfb78f67cc76c2e5a54287c

SHA256
9f0157368c337f0ed379f14b15a82b8ae284ce3cc6af35a0767cb01886b61cc6

SHA512
b77fc2cb574f523d05f81e6d668502b86ce75b36bc106f1e184f287eb1a582efbf73fb9eba6edacd2c5c11c76e5d3623a061eda5f38f288bf67277f0f7fb173a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b767e5f9f2312b557b54376930cde89a

SHA1
1cddb5b8afb78cd3175edfe6d4f5e67249f54e66

SHA256
43bc4cb476cea553d93d1e168d6e56b2a480ce08c3fae0530f00968aa41aa435

SHA512
9318275aabce677b896486ff8e1ed3487b3d4b4be8d039abea0c9c13f29ac4ac6d7206ed9cf1bb3435f73a7ce2e78e180f5017639d9b459683858a189a3671c0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
80696ab127bb54254cf9ee06e0896bad

SHA1
59946e796888cf556094689db15b396f8b1667ed

SHA256
dc9b4b04db8e25672c5f746e9d118e19056686ff9e77706587506e0499f50a84

SHA512
53b9ba28d5be554e95cc4fdec2b197a99f953ed432d2bd841796e1a88f72fbed61d062d884e9d96a3b4ecd12c05d98c53f1d1f3f635f67fbceec377da73b5a62

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
566868b2c8ba5fcbdd8aead6ca030587

SHA1
a7c4570a4a16be3b2db9448f4b2650f52b5849ca

SHA256
e7e100c0cef8d9d22c9558b2d861c7dcfe555c3fd26c364e81f21b3266049b7c

SHA512
5c9ed13ef25161c60a9c291ceed4c636cfb41b3d5b8bb45315870199fc4e9d88c578de934889b6b9cde7ee9dc499b09f6f48b40f2e359334ec6bf6c5c3fb1ee5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2ef0eec286516cc95bbaaecda17fdf0

SHA1
e203ce091f1f7a4af62785ab266d330ccd936014

SHA256
296099cd944c35c8a2013217bb9488d304ff8736ea73e8d939f4abef43adfcb9

SHA512
38ea05a54d9ed338edef8c4a0e6b80292afea8c8e90574017268e0e65323f5b661a83966f46142c564e1701ad39b17f55fc77740f64c260fa75f5e2cf0f3a0e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
93552f9dc1ed8e9c8339387015f03454

SHA1
0e1996739e82006ad8189db5592d9a59b416ba17

SHA256
c66c9be56d3b847f059c6fb875bfd3aa9b6c19ab9344077c9407942deb703d68

SHA512
b3c31342974fff1a20b566714478a7af062432238b7198fb4b2667616ab87c2ecfae8ad5732b0b8842079679d8a44dc3cfeb886c86985ae4276535d239cc0ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\6xwNL0dL8Y.bat

Filesize
226B

MD5
3b7eb95e829469a2002f1216078c8a70

SHA1
d1b31eeab5468e5b52e25b894d263bdc7bca23d5

SHA256
9b3fb2dfe57bc4e3e2eb86798295146b6be23ac0e067f6ca700a6289df1758b0

SHA512
a91ddc558468ef4caac0e2007a10018f9a20c785a62375fa4e3b1234f02559767d86f88d8761d911492bafd96d6d1ef746f4f505621698a59a111ff27a804783

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEBD7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KtkjGbmHOL.bat

Filesize
226B

MD5
237302c92000200edeb18156a578d80c

SHA1
6854f1e734208fb10652579fe2b00ef49ed5831a

SHA256
7ca0c82203a2298bb7cf5ea51b426efcaa02a50a4e092e4f681ec1cac73f6cb2

SHA512
1a481f44f8e1003c44b1d6061ec11f9bef85023cbb09a784ba9b917826f6477250fa0a8b6d7dea7a486016e5c494a7c7e3a858347f585418eab55debcd202c34

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
226B

MD5
f36fcce786ec8d857a6941280d893785

SHA1
79f70b01257c0a26211eda8f7da8cd0876c01bb5

SHA256
126eb3bc192b70502dbbfc076b2d702c46bf06635e4fda213f9cc71d2e702b15

SHA512
163b199bc8f86318f6eac51363bd480992634df3a8bc683f2d549dcf73ad55eebeb0f8560a8333729bce2d603f000e1cf525bf48caff5850752a449601d9efba

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nflxmifgtk.bat

Filesize
226B

MD5
e8222149773ff1965830a4844a885a4d

SHA1
7545faf3fc76ef0ed88a91ad17ddb27ca95fd597

SHA256
6098b0791e2e623bb7b552b9012f756ed1cb351d089b5f93b223c3714e2192b5

SHA512
858b3ead10ce8a875c10314cb06ca5628747039563f37000f896bdeae21c1a9fd36becaf92dc2a01a9df2c06d411ece62fbc74d4c222508ea878dd79d465ecba

Download Submit
C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat

Filesize
226B

MD5
bb2f740ab2086b1f36144bd72b1f085d

SHA1
72e00301859d6b2ed4b2278dbae069e05a18549b

SHA256
e6a2dffc3a82193032be06fcf9db4eb2548b3f33ebbe25247425cbaf692f5e20

SHA512
461e8f59ea4d6ddf6005e22103215557beaddcc1cb797beeb2947631647c4a34f07eaf279d4455d7d0cda262e2f5108f770cfbb6d31e265fdbf5b2fb4e4a9a11

Download Submit
C:\Users\Admin\AppData\Local\Temp\PX74P8KQcP.bat

Filesize
226B

MD5
121a87cc0e68ed00bd713b23836a5fc8

SHA1
0c6f19d9ea17fe5ee4dcab07d697849927b66332

SHA256
f58748532891ca6c75c312795fd9d28899fc4f4f7819ecb79b8a5582919d0bf2

SHA512
313e9fbabf126bc4ef1559913efb3b61f3fbee6246a87dca37c331143342312937c3f664264ea9ae84721e53c077a981718e843f275466c86ac972b8b84a7f7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEBF9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\or7X1gMNi7.bat

Filesize
226B

MD5
ad9995bb254cfa833f9033b782e0f9f2

SHA1
aa981bdb52e0456acd58002fdf308f86e15ccc9c

SHA256
aa6ac9707618c023696cad54599c286ed321c1d5f09268b1ba576ee516482191

SHA512
4c59f19c2eb9050c5b644f6236005fd3055ae232c66312cc8af1e7aded34daf84ca7522b326f54f096d30e91a3231b917d02a07176982a6b1d559863dfce6071

Download Submit
C:\Users\Admin\AppData\Local\Temp\wtOcRLEbie.bat

Filesize
226B

MD5
23c885b0d38d22f2d1b75b88aa7fa78f

SHA1
62ad3f925960b0f4e08bf22c8c6e5366034dcbcb

SHA256
66628dc2a0389350a8575038675eca58c45964a4ba50f7844e6589126fd5163a

SHA512
300c0a073520873118bd05549ba3e5f15d89e72a4d945f7648564d96271d8ff532777e1962de02a1e98a16519bbf55da3655fb49ecf079908192d3008ee1d77b

Download Submit
C:\Users\Admin\AppData\Local\Temp\yyRUJOSyqo.bat

Filesize
226B

MD5
4409dbea256d5dba1a8a0dd0e2cb3675

SHA1
070e00568a48023bee9c1f7ba6d2893742a2a482

SHA256
1029e8e45dd9a7701255f812d7cd8035c28449dbb1241a23d02254d069ae6144

SHA512
841afa0e20f85b80021bb1e12f8dd4287b18142d2edfb90e9735a2b06962e411af98871bc4fdd410f77cd954a0a28a9aa9065887ebb20f2e3c4ad6e7c334016e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
65bb117aadef28e543f2efd10b5b8854

SHA1
f7f9c68478e97beb8a2bfb47b6e3970084e69e73

SHA256
285e94c36fe6d4e195f4249b8d07c8296fb74dbb681c88ac0d20ca11e11354c0

SHA512
abad3e7ca9955c5e0039afdbafe3e43e796254e9baafeafdd2556780ca418631b9d88af823b3b10a717435fdbed3391f2afef2e24ea834c2827b02cf603d9dea

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/408-145-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/1240-40-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/1240-325-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/1720-445-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/1720-446-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2016-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2016-13-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2016-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2016-15-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2016-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2148-566-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/2148-567-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2236-50-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2272-52-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2292-506-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2368-265-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2412-205-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2924-627-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/2936-385-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download