dcrat | c3b8c0b79475e76cb4b71f779aefacdd1bdb8fe12961b8b2ef1f13276cf63270

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 11:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c3b8c0b79475e76cb4b71f779aefacdd1bdb8fe12961b8b2ef1f13276cf63270.exe
Size

1.3MB
MD5

6ec2727b807d0c0f58e7f0ce4d54101b
SHA1

e491ef6344d448c2d0ee8e71918695f0c8a3be2c
SHA256

c3b8c0b79475e76cb4b71f779aefacdd1bdb8fe12961b8b2ef1f13276cf63270
SHA512

81bdf5d8356caf3a68473411bd16d7a5252f5b63e86bb6aebc7186a556a40b0e6617639a81fb3df58e77bdef13a9274d76ca73b16e27bcdc6269456723a1b04c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	592	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	920	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2564	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d29-9.dat	dcrat
behavioral1/memory/2900-13-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/1680-86-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/1232-145-0x0000000000B50000-0x0000000000C60000-memory.dmp	dcrat
behavioral1/memory/1160-266-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/2872-326-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat
behavioral1/memory/1352-386-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/1596-446-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/2988-506-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2932-566-0x0000000000C00000-0x0000000000D10000-memory.dmp	dcrat
behavioral1/memory/2924-626-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
568	powershell.exe
2640	powershell.exe
2620	powershell.exe
2316	powershell.exe
2352	powershell.exe
2612	powershell.exe
1864	powershell.exe
2204	powershell.exe
2268	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2900	DllCommonsvc.exe
888	DllCommonsvc.exe
1680	powershell.exe
1232	powershell.exe
2204	powershell.exe
1160	powershell.exe
2872	powershell.exe
1352	powershell.exe
1596	powershell.exe
2988	powershell.exe
2932	powershell.exe
2924	powershell.exe

Loads dropped DLL 2 IoCs

pid	Process
2556	cmd.exe
2556	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\schtasks.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\lib\3a6fe29a7ceee6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c3b8c0b79475e76cb4b71f779aefacdd1bdb8fe12961b8b2ef1f13276cf63270.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2228	schtasks.exe
2320	schtasks.exe
2284	schtasks.exe
2448	schtasks.exe
2592	schtasks.exe
1832	schtasks.exe
764	schtasks.exe
1968	schtasks.exe
876	schtasks.exe
2880	schtasks.exe
2588	schtasks.exe
1948	schtasks.exe
1044	schtasks.exe
1688	schtasks.exe
920	schtasks.exe
2208	schtasks.exe
592	schtasks.exe
2600	schtasks.exe
700	schtasks.exe
2388	schtasks.exe
2016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2900	DllCommonsvc.exe
2900	DllCommonsvc.exe
2900	DllCommonsvc.exe
2612	powershell.exe
2316	powershell.exe
2640	powershell.exe
1864	powershell.exe
2620	powershell.exe
2204	powershell.exe
888	DllCommonsvc.exe
568	powershell.exe
2352	powershell.exe
2268	powershell.exe
1680	powershell.exe
1232	powershell.exe
2204	powershell.exe
1160	powershell.exe
2872	powershell.exe
1352	powershell.exe
1596	powershell.exe
2988	powershell.exe
2932	powershell.exe
2924	powershell.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2900	DllCommonsvc.exe
Token: SeDebugPrivilege	2612	powershell.exe
Token: SeDebugPrivilege	888	DllCommonsvc.exe
Token: SeDebugPrivilege	2316	powershell.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	2620	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2268	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2872	powershell.exe
Token: SeDebugPrivilege	1352	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	2988	powershell.exe
Token: SeDebugPrivilege	2932	powershell.exe
Token: SeDebugPrivilege	2924	powershell.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2220 wrote to memory of 2736	2220	JaffaCakes118_c3b8c0b79475e76cb4b71f779aefacdd1bdb8fe12961b8b2ef1f13276cf63270.exe	30
PID 2220 wrote to memory of 2736	2220	JaffaCakes118_c3b8c0b79475e76cb4b71f779aefacdd1bdb8fe12961b8b2ef1f13276cf63270.exe	30
PID 2220 wrote to memory of 2736	2220	JaffaCakes118_c3b8c0b79475e76cb4b71f779aefacdd1bdb8fe12961b8b2ef1f13276cf63270.exe	30
PID 2220 wrote to memory of 2736	2220	JaffaCakes118_c3b8c0b79475e76cb4b71f779aefacdd1bdb8fe12961b8b2ef1f13276cf63270.exe	30
PID 2736 wrote to memory of 2556	2736	WScript.exe	31
PID 2736 wrote to memory of 2556	2736	WScript.exe	31
PID 2736 wrote to memory of 2556	2736	WScript.exe	31
PID 2736 wrote to memory of 2556	2736	WScript.exe	31
PID 2556 wrote to memory of 2900	2556	cmd.exe	33
PID 2556 wrote to memory of 2900	2556	cmd.exe	33
PID 2556 wrote to memory of 2900	2556	cmd.exe	33
PID 2556 wrote to memory of 2900	2556	cmd.exe	33
PID 2900 wrote to memory of 2612	2900	DllCommonsvc.exe	50
PID 2900 wrote to memory of 2612	2900	DllCommonsvc.exe	50
PID 2900 wrote to memory of 2612	2900	DllCommonsvc.exe	50
PID 2900 wrote to memory of 1864	2900	DllCommonsvc.exe	51
PID 2900 wrote to memory of 1864	2900	DllCommonsvc.exe	51
PID 2900 wrote to memory of 1864	2900	DllCommonsvc.exe	51
PID 2900 wrote to memory of 2204	2900	DllCommonsvc.exe	53
PID 2900 wrote to memory of 2204	2900	DllCommonsvc.exe	53
PID 2900 wrote to memory of 2204	2900	DllCommonsvc.exe	53
PID 2900 wrote to memory of 2640	2900	DllCommonsvc.exe	55
PID 2900 wrote to memory of 2640	2900	DllCommonsvc.exe	55
PID 2900 wrote to memory of 2640	2900	DllCommonsvc.exe	55
PID 2900 wrote to memory of 2620	2900	DllCommonsvc.exe	56
PID 2900 wrote to memory of 2620	2900	DllCommonsvc.exe	56
PID 2900 wrote to memory of 2620	2900	DllCommonsvc.exe	56
PID 2900 wrote to memory of 2316	2900	DllCommonsvc.exe	57
PID 2900 wrote to memory of 2316	2900	DllCommonsvc.exe	57
PID 2900 wrote to memory of 2316	2900	DllCommonsvc.exe	57
PID 2900 wrote to memory of 888	2900	DllCommonsvc.exe	62
PID 2900 wrote to memory of 888	2900	DllCommonsvc.exe	62
PID 2900 wrote to memory of 888	2900	DllCommonsvc.exe	62
PID 888 wrote to memory of 2352	888	DllCommonsvc.exe	69
PID 888 wrote to memory of 2352	888	DllCommonsvc.exe	69
PID 888 wrote to memory of 2352	888	DllCommonsvc.exe	69
PID 888 wrote to memory of 568	888	DllCommonsvc.exe	70
PID 888 wrote to memory of 568	888	DllCommonsvc.exe	70
PID 888 wrote to memory of 568	888	DllCommonsvc.exe	70
PID 888 wrote to memory of 2268	888	DllCommonsvc.exe	71
PID 888 wrote to memory of 2268	888	DllCommonsvc.exe	71
PID 888 wrote to memory of 2268	888	DllCommonsvc.exe	71
PID 888 wrote to memory of 2416	888	DllCommonsvc.exe	75
PID 888 wrote to memory of 2416	888	DllCommonsvc.exe	75
PID 888 wrote to memory of 2416	888	DllCommonsvc.exe	75
PID 2416 wrote to memory of 2712	2416	cmd.exe	77
PID 2416 wrote to memory of 2712	2416	cmd.exe	77
PID 2416 wrote to memory of 2712	2416	cmd.exe	77
PID 2416 wrote to memory of 1680	2416	cmd.exe	78
PID 2416 wrote to memory of 1680	2416	cmd.exe	78
PID 2416 wrote to memory of 1680	2416	cmd.exe	78
PID 1680 wrote to memory of 3004	1680	powershell.exe	79
PID 1680 wrote to memory of 3004	1680	powershell.exe	79
PID 1680 wrote to memory of 3004	1680	powershell.exe	79
PID 3004 wrote to memory of 1800	3004	cmd.exe	81
PID 3004 wrote to memory of 1800	3004	cmd.exe	81
PID 3004 wrote to memory of 1800	3004	cmd.exe	81
PID 3004 wrote to memory of 1232	3004	cmd.exe	82
PID 3004 wrote to memory of 1232	3004	cmd.exe	82
PID 3004 wrote to memory of 1232	3004	cmd.exe	82
PID 1232 wrote to memory of 2244	1232	powershell.exe	84
PID 1232 wrote to memory of 2244	1232	powershell.exe	84
PID 1232 wrote to memory of 2244	1232	powershell.exe	84
PID 2244 wrote to memory of 1088	2244	cmd.exe	86

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c3b8c0b79475e76cb4b71f779aefacdd1bdb8fe12961b8b2ef1f13276cf63270.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c3b8c0b79475e76cb4b71f779aefacdd1bdb8fe12961b8b2ef1f13276cf63270.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2220
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2736
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2556
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2900
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2316
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:888
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\lib\schtasks.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2268
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P2XacHOZcy.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2416
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2712
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1680
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1800
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1088
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat"
        12⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1824
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        14⤵
        
        PID:1316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1504
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
        16⤵
        
        PID:1580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2792
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
        18⤵
        
        PID:2748
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:952
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
        20⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:604
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        22⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1932
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        24⤵
        
        PID:2144
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2784
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows NT\TableTextService\fr-FR\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershell" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "powershellp" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\powershell.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\schtasks.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtasks" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "schtaskss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jdk1.7.0_80\lib\schtasks.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29f8fd5453478c834bcca4060ae91c87

SHA1
2547f7df42c3d43f8abc56d6066ef659750725e2

SHA256
0e649d90744c3bb9d87d68f0a2ea8239335b64b01c26e2a41c21374b5702743b

SHA512
6e7af31e9a2c4a8bc18ddb786a988f0bb689db6c6604ec8ff1b1ebcad0936cdd6262a469a7aad5fc877d7581788138b589909bd05965f76e2b45c896c5526430

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f7b0325c880596d061e17fc321a6a76a

SHA1
f52bc36c6bf51a8aaace4aaa403107527593119a

SHA256
660d79aa9bbcfc5190b5e7151095f4dd2f8f33ef6e33abca2ac84f7ba4a395e8

SHA512
14be706c457f3ad8cc87d6f974cb008df2a36a2b7f7720c1fe80dd8d6ca057442c0765eb22134bf1c2f890059d73b1b2fdb4c80da3b694a8076da7b04a8003f4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6afa7164619a3544bb4e76e3eea9d44f

SHA1
afc7d8fcf89450f7017102f13350304d1d57a8c8

SHA256
305a555b57ec55c27cf316f9244dc2269dcaaec48fedb47ed67860efa780ffdb

SHA512
cad1ee1ef9b0deb09e7f591c2f8a924c5857ba81e8fb06722f90d699f51d5b75ed9e9f0469bb51fd8070b02ca809fff585982874765591e547d81f4335c8e5cb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e2077211d1bd1ba810cd8fa90f42d315

SHA1
4b069d313d87b87531a575fdf123e0871c180029

SHA256
48a8e792ea1b9e199a4a9839d0d63b287973a8d06e3b85ce31d28bb7652e859c

SHA512
0182a4b7fd86a139e9ec008d9884974368bf559744cb3fdf41320a3291ff202c916c2de0cb5d1027323ac277e735ba454f24cabb05564a20955fa579352e2971

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d6549852d901a439055dd57d673aab1

SHA1
cd8c7a567aa8aefb23b85440ef540fcf456bdbbd

SHA256
1d5092ec6b630278c8e4ad336f550c1047c91ea1c55ed836c8d3dcf3066acd60

SHA512
abb7ec774710de6f77868808cffdb5564ca78c12222a82bb91cafe0a59214387ce71ee012626d6bec7506c0331297d6680d19afce27f469c804d0e8b16d89afb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f3bf75b2878bf385cbd4e556a8abea4

SHA1
8e4244f43b9325795b4da15f0e553a92ae58a5bf

SHA256
227488ac51e872e898dd225533042a584ddf3559e14d37aa591803103c455615

SHA512
dd92128ee5513dcd7635a715da80a6f36f5b4de1f3d726d0df5b1827df96e7e6e1202944a782e6215bab9bf376cc9304a738ad554bc2e2e2b7af850d5bdc4680

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
229accd07d6ea143d9becb5c86d7b291

SHA1
0e903fe9242c18a1b50aa6ede31070a7ecbe1d4d

SHA256
8751625ad32814d4e1604f4d30d52f3eac8aab68a81490ca3eac120b32623e40

SHA512
4ab630559800e2b5bbe1a05c0902bb4996abf20890ff09e02699b93b504b5c3efc7e27e5d21f97db7592c7f302a853e9f3c93c986fc33884aa559cf210c41321

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ddd0b7d22f8d8e19df638828b49084d

SHA1
389fa6ef7df235c2acd4b589cc68491c626c84a9

SHA256
d42136e0ce97025b0a5b8f3bdfd1bda88c03b5b1f9e9fc89b618c7d07a2cbab9

SHA512
63976a6bcd6dd543d57ac3db2808152b2be9a2db8c804545f763864b718982de4cd09d33a6dc5e210d9603a6b205062445fcac87577dc3f7dc696d71485c7a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
228B

MD5
cb6baeda7591fabd191222175cabbb10

SHA1
b40dca1ce9941ce9f50a4f2d75898f515a75ce3d

SHA256
639eef9305a21745963635e97d62bb551b81826a89654716cca8490636928d4c

SHA512
5cee56e2e2491ec6e17ea3541a15f45784ff796fc555a01ce84329ff90f75f998afc2231253aa3e383544fd2495b43285463e013cecdc3982457215fb46bfb51

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat

Filesize
228B

MD5
b3bd3f9dbb8c98048f46761d76fcd317

SHA1
795c6d2ad1ab62972682828e0055cfc73331b7f2

SHA256
ac9b12afb124140a53e4712d2744cac84c8fc90968515f81792056ef7ce977e4

SHA512
030ba066e763db893e188311495d02aecd6dc30748eda8c27aedd262dffdda4c10daad4c27894381b73f4dc60afce4f17a90087954a7b7f5fe2fe50c28700f73

Download Submit
C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat

Filesize
228B

MD5
9d4c39b3d61a00c0ac9307a62e5e52b8

SHA1
3bbe6a339b5f3bf4cb4811a772a7b660bc7eeaba

SHA256
584c79495f4c50d0aed316e6adb57c1e034bc2f55ca7c5f29374c6eeb32845e2

SHA512
64ac4f546e8f87f2d37fa454147824e9608543adcccd72a4f94e6ed28fd36e64a9ab2d852d455339201ef77b08f393db0fd928de48ae7e6de0efc1a31166fce4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB398.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\P2XacHOZcy.bat

Filesize
228B

MD5
09ec79b3d778dd4db1cc7e8c89a3e695

SHA1
4f48b8ee46e07edc8e81b0d88ba366ac05d9a609

SHA256
28f65c451b07f96c8d2bdf47dc4ce2e1aced9398fee1eee438731c904545a1e2

SHA512
0c7d987029dfd2c5332c9b09cdb548021ba1e567d46c8f9ce625bebaee9cfbf35a87b8b382d713845e8e638c812040b0f30415bd2c41c1c11dc021088a217e72

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
228B

MD5
2ee56f383c9101261803f724cc1ee795

SHA1
fa19ad9dfcb178983cb9104b300dc73e8bfd4094

SHA256
40ac085bb9ea2a0ebf9a01cdad940f90d2f4c48653819f1d5fab2f0e95181e0f

SHA512
d0b4ccc6eccf40da5e73435ffdcc442899a8edd7b0e3845803aed5e41df078676dff487b392cad60c3a1566a3d616134ac6a9a1799be5dff9e32d1be808f00a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB3AB.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

Filesize
228B

MD5
828cf78193386d59fd8516a1d6b8d8eb

SHA1
baf6f8bd455998f2cd3bf14aa2fee707c2bfa062

SHA256
436dfa666ee69ec8dfdca45cf2aea516f64b365d6e42d2c6338a48c240906278

SHA512
63abc347b4ffdad5ea41a564a822625cf805d0c770ea9f1eff95348ea19facca902d9f1f80cb028462c4193df20d416fe26a58c5a2491388d2543e7d82e26743

Download Submit
C:\Users\Admin\AppData\Local\Temp\eTpA0L9dlX.bat

Filesize
228B

MD5
8fd9fd49e58da6627ebaaa2243515c9d

SHA1
85fa0a3f3dee0552c8b7fef44884d19508839a20

SHA256
a75c22e1e11059407d2907f1f38243bd1f0e17d11e2b81046f40cdc98a2d3307

SHA512
f0a9eeec996f7acd72a1296100225ec0b96164a73503f504724122bdd6d62a245cb567ac5b548e63929f9a7ac962adf2cce102fda0f27f67fc8c4b664d8e95b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
228B

MD5
24e3d5eee87f2eabefcf488b45ed5eaf

SHA1
2649170a6a266ca707a4999ba3f383c9a06b7f99

SHA256
e2aa7389dabd32c2a8916c3d2e7a37004da91df90819fecc0ce2a9c2d40f0514

SHA512
d52698b133ba5239d57849637eed265e899438550ae0a1418712dac2b3deeb6cb36ae718257558d4bf59b1567bff6b9d8ce91970b1a975dc53b091e5e67a83c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat

Filesize
228B

MD5
599ee3c334f27dcd1134d1786e86c83b

SHA1
12f1aa68861e6901c05cd77beae5fc0633c826ab

SHA256
08ab570807437e1eddabb81684711560c0db2bcf567cc284d896b6c3c2fa67ba

SHA512
f5788867f4247e867ae3421f99df8b4fa578edeb54cdf9f95bbef9af7beb908f2fac46913fd40c38172d4209bbe26a35d2f13e2066eac0dd5ade96e2a3198ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
228B

MD5
f695725033a3c239a78787bf50c0e572

SHA1
79ce7651b830a0858565789d4c7a58153584475c

SHA256
486f4f34882b25f3ed9a72bb4ecbff064e97b48b7085688bb19e724f8569a93e

SHA512
fe0eaceca9059eb54092a41bd70ad6e52c382c76ea0db16b5e85d0cc6ed4b6b9dd29a5a3b91673bec09e941e0595cb769ccc097d93aff57506290dc02f41fed0

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
39e50e1552b8abe5ab035b9fa04f8d19

SHA1
c0b1c6d2f4394c3cdf50928fffb06326e0eab7c8

SHA256
64010cce5f709b7e47fa2be550015ccd269d4d1d0518005a3cb7fe74886ba783

SHA512
224d26c3521003bddc5481affdf6305f6bd4a3b53241688d80c879c0a617ab949dae017ae952e94b9705225b176558f1d0647118199cb4934a3d3244da6a7dd9

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/568-78-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/888-57-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1160-266-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/1232-146-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1232-145-0x0000000000B50000-0x0000000000C60000-memory.dmp

Filesize
1.1MB

Download
memory/1352-386-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/1596-446-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/1680-86-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2204-206-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2352-76-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2612-40-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

Filesize
2.9MB

Download
memory/2612-47-0x0000000001DD0000-0x0000000001DD8000-memory.dmp

Filesize
32KB

Download
memory/2872-326-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/2900-15-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2900-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2900-16-0x0000000000300000-0x000000000030C000-memory.dmp

Filesize
48KB

Download
memory/2900-13-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/2900-17-0x0000000000310000-0x000000000031C000-memory.dmp

Filesize
48KB

Download
memory/2924-626-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2924-627-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2932-566-0x0000000000C00000-0x0000000000D10000-memory.dmp

Filesize
1.1MB

Download
memory/2988-506-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download