dcrat | 3aa21805cc0378c0ca26e82e171ce5bf27128da31be05f67535a9db0f7ed367f

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 18:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3aa21805cc0378c0ca26e82e171ce5bf27128da31be05f67535a9db0f7ed367f.exe
Size

1.3MB
MD5

7c3d61ee06027e200f02ea184385505d
SHA1

ea4e148af95090eb5198238c22ef5e4f9a32bcfa
SHA256

3aa21805cc0378c0ca26e82e171ce5bf27128da31be05f67535a9db0f7ed367f
SHA512

d3a7658524635b031d0441a6256bac8501afc6e9391250ad84650016a56131663fbabcc7e76d0fb11d786eb0613b868c342ab35c938ef0fc0085310821dc0617
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	604	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2540	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2540	schtasks.exe	35

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001747b-9.dat	dcrat
behavioral1/memory/3044-13-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/1268-51-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/1784-195-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/1584-610-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/2200-670-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/1888-730-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1860	powershell.exe
2036	powershell.exe
1552	powershell.exe
2868	powershell.exe
2884	powershell.exe
2572	powershell.exe
2004	powershell.exe
1200	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
3044	DllCommonsvc.exe
1268	System.exe
1144	System.exe
1784	System.exe
1552	System.exe
1940	System.exe
1008	System.exe
900	System.exe
2888	System.exe
440	System.exe
1584	System.exe
2200	System.exe
1888	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2624	cmd.exe
2624	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\System.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Common Files\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PLA\System\System.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\PLA\System\System.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\System\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\ja-JP\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3aa21805cc0378c0ca26e82e171ce5bf27128da31be05f67535a9db0f7ed367f.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2332	schtasks.exe
1880	schtasks.exe
1648	schtasks.exe
1660	schtasks.exe
2040	schtasks.exe
1800	schtasks.exe
2532	schtasks.exe
604	schtasks.exe
1448	schtasks.exe
2192	schtasks.exe
1964	schtasks.exe
2864	schtasks.exe
2700	schtasks.exe
2564	schtasks.exe
2608	schtasks.exe
1160	schtasks.exe
2632	schtasks.exe
1520	schtasks.exe
568	schtasks.exe
1912	schtasks.exe
1624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3044	DllCommonsvc.exe
1860	powershell.exe
2036	powershell.exe
1552	powershell.exe
1200	powershell.exe
2004	powershell.exe
2572	powershell.exe
2868	powershell.exe
2884	powershell.exe
1268	System.exe
1144	System.exe
1784	System.exe
1552	System.exe
1940	System.exe
1008	System.exe
900	System.exe
2888	System.exe
440	System.exe
1584	System.exe
2200	System.exe
1888	System.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3044	DllCommonsvc.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1860	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	1200	powershell.exe
Token: SeDebugPrivilege	1268	System.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	2868	powershell.exe
Token: SeDebugPrivilege	2884	powershell.exe
Token: SeDebugPrivilege	1144	System.exe
Token: SeDebugPrivilege	1784	System.exe
Token: SeDebugPrivilege	1552	System.exe
Token: SeDebugPrivilege	1940	System.exe
Token: SeDebugPrivilege	1008	System.exe
Token: SeDebugPrivilege	900	System.exe
Token: SeDebugPrivilege	2888	System.exe
Token: SeDebugPrivilege	440	System.exe
Token: SeDebugPrivilege	1584	System.exe
Token: SeDebugPrivilege	2200	System.exe
Token: SeDebugPrivilege	1888	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2948 wrote to memory of 2960	2948	JaffaCakes118_3aa21805cc0378c0ca26e82e171ce5bf27128da31be05f67535a9db0f7ed367f.exe	31
PID 2948 wrote to memory of 2960	2948	JaffaCakes118_3aa21805cc0378c0ca26e82e171ce5bf27128da31be05f67535a9db0f7ed367f.exe	31
PID 2948 wrote to memory of 2960	2948	JaffaCakes118_3aa21805cc0378c0ca26e82e171ce5bf27128da31be05f67535a9db0f7ed367f.exe	31
PID 2948 wrote to memory of 2960	2948	JaffaCakes118_3aa21805cc0378c0ca26e82e171ce5bf27128da31be05f67535a9db0f7ed367f.exe	31
PID 2960 wrote to memory of 2624	2960	WScript.exe	32
PID 2960 wrote to memory of 2624	2960	WScript.exe	32
PID 2960 wrote to memory of 2624	2960	WScript.exe	32
PID 2960 wrote to memory of 2624	2960	WScript.exe	32
PID 2624 wrote to memory of 3044	2624	cmd.exe	34
PID 2624 wrote to memory of 3044	2624	cmd.exe	34
PID 2624 wrote to memory of 3044	2624	cmd.exe	34
PID 2624 wrote to memory of 3044	2624	cmd.exe	34
PID 3044 wrote to memory of 1200	3044	DllCommonsvc.exe	57
PID 3044 wrote to memory of 1200	3044	DllCommonsvc.exe	57
PID 3044 wrote to memory of 1200	3044	DllCommonsvc.exe	57
PID 3044 wrote to memory of 1860	3044	DllCommonsvc.exe	58
PID 3044 wrote to memory of 1860	3044	DllCommonsvc.exe	58
PID 3044 wrote to memory of 1860	3044	DllCommonsvc.exe	58
PID 3044 wrote to memory of 2036	3044	DllCommonsvc.exe	59
PID 3044 wrote to memory of 2036	3044	DllCommonsvc.exe	59
PID 3044 wrote to memory of 2036	3044	DllCommonsvc.exe	59
PID 3044 wrote to memory of 2004	3044	DllCommonsvc.exe	60
PID 3044 wrote to memory of 2004	3044	DllCommonsvc.exe	60
PID 3044 wrote to memory of 2004	3044	DllCommonsvc.exe	60
PID 3044 wrote to memory of 1552	3044	DllCommonsvc.exe	61
PID 3044 wrote to memory of 1552	3044	DllCommonsvc.exe	61
PID 3044 wrote to memory of 1552	3044	DllCommonsvc.exe	61
PID 3044 wrote to memory of 2572	3044	DllCommonsvc.exe	62
PID 3044 wrote to memory of 2572	3044	DllCommonsvc.exe	62
PID 3044 wrote to memory of 2572	3044	DllCommonsvc.exe	62
PID 3044 wrote to memory of 2868	3044	DllCommonsvc.exe	63
PID 3044 wrote to memory of 2868	3044	DllCommonsvc.exe	63
PID 3044 wrote to memory of 2868	3044	DllCommonsvc.exe	63
PID 3044 wrote to memory of 2884	3044	DllCommonsvc.exe	64
PID 3044 wrote to memory of 2884	3044	DllCommonsvc.exe	64
PID 3044 wrote to memory of 2884	3044	DllCommonsvc.exe	64
PID 3044 wrote to memory of 1268	3044	DllCommonsvc.exe	73
PID 3044 wrote to memory of 1268	3044	DllCommonsvc.exe	73
PID 3044 wrote to memory of 1268	3044	DllCommonsvc.exe	73
PID 1268 wrote to memory of 1460	1268	System.exe	74
PID 1268 wrote to memory of 1460	1268	System.exe	74
PID 1268 wrote to memory of 1460	1268	System.exe	74
PID 1460 wrote to memory of 2652	1460	cmd.exe	76
PID 1460 wrote to memory of 2652	1460	cmd.exe	76
PID 1460 wrote to memory of 2652	1460	cmd.exe	76
PID 1460 wrote to memory of 1144	1460	cmd.exe	77
PID 1460 wrote to memory of 1144	1460	cmd.exe	77
PID 1460 wrote to memory of 1144	1460	cmd.exe	77
PID 1144 wrote to memory of 1624	1144	System.exe	78
PID 1144 wrote to memory of 1624	1144	System.exe	78
PID 1144 wrote to memory of 1624	1144	System.exe	78
PID 1624 wrote to memory of 1504	1624	cmd.exe	80
PID 1624 wrote to memory of 1504	1624	cmd.exe	80
PID 1624 wrote to memory of 1504	1624	cmd.exe	80
PID 1624 wrote to memory of 1784	1624	cmd.exe	81
PID 1624 wrote to memory of 1784	1624	cmd.exe	81
PID 1624 wrote to memory of 1784	1624	cmd.exe	81
PID 1784 wrote to memory of 372	1784	System.exe	82
PID 1784 wrote to memory of 372	1784	System.exe	82
PID 1784 wrote to memory of 372	1784	System.exe	82
PID 372 wrote to memory of 1728	372	cmd.exe	84
PID 372 wrote to memory of 1728	372	cmd.exe	84
PID 372 wrote to memory of 1728	372	cmd.exe	84
PID 372 wrote to memory of 1552	372	cmd.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aa21805cc0378c0ca26e82e171ce5bf27128da31be05f67535a9db0f7ed367f.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3aa21805cc0378c0ca26e82e171ce5bf27128da31be05f67535a9db0f7ed367f.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2948
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2624
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3044
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1200
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\System\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2884
    - - C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1268
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2652
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1504
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:372
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1728
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
        12⤵
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2888
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        14⤵
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2228
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
        16⤵
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1524
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        18⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1552
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat"
        20⤵
        
        PID:924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2700
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat"
        22⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:808
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat"
        24⤵
        
        PID:1212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2960
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        26⤵
        
        PID:2060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2628
        
        C:\Users\Public\System.exe
        
        "C:\Users\Public\System.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\System\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\PLA\System\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\System\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Public\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 10 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Common Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d89ce546245acbd734bfe36713cc50e0

SHA1
f03f496f04275777e77a93283d66b889c8fad658

SHA256
0c2a641a0eda975e25b102402671c649647708592ac63b1912b16d8c42891df2

SHA512
05eaf6b05e4db1c4afa539ce41ead8777957f4c5ef356525c6ed28e2f82d8f20e909ce9233485bc738196cab0458d5efe4a5d51be56ac63ece0d10395d9a67bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff01282561b81b89d3f8f8494e770a79

SHA1
3ee16be81eaf247401a3d60c092e0736a1f0d6d4

SHA256
5ff45b6a5ef396845db68ab79eae6e0b1522084a4df0492ecd4350565c32b838

SHA512
719563e7365d135244aa04d3efba82048cbbc3ebd0b2d2de8b714ea0e500bd513628763e77becd5b078a0d71225402766950058a7e15c37d429cc8bb53d5a1b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a061bd0e6eac09773a8755d0cc2e476d

SHA1
013557de23b9634a75c87eefe9a2044ff6085770

SHA256
7700b1e669ecfe77b57195443ab1eb7e52ee6b0790537e7934af5878744ec25b

SHA512
dc0235eb9d730e42a23fbeab2bdc89859923d0fc2ecd75b24cbcddd412ede553dd544dbed615b21a105bd5456a6d1015817fdb1b3e8cba64f764fdec126d3945

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2ed1a30f1ed918a1ec9198d1cf1c52f

SHA1
8330c0895344e2bfb79789752b530bcac678104f

SHA256
aeb3f7b8f5700c78fc805cafffb5c50cc270d69250876021e6553fa3918f51b2

SHA512
73022120dfc2a51c70dff5e4bf55e313d81269fd72e7fc0865a0040264b6c589d40526b2cb71a8cf05d95198efba40d5e5bf6b53528d0ce55760d9cbf1fca021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
637252e197355ac4610c9aeda56547b0

SHA1
bd3fe99b19804023b6cbf33fea684ccafe9a7aa5

SHA256
cd851a8ff7fa685a8c1a2df2351b4e62082044b6aa39110a14976619c25a58dc

SHA512
e95b7149585fb128db71cbbfe8c2d4727c29a852d6b7f8bf1aca126b712368394ff310f3d8631f03a3dcf1c4bc6153537db6c6068bd88121ad59c9bb3516bfd9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86354627efcbb783982ea4a29258f3c3

SHA1
b4af9bcf6b057d26fa0b973f934631c28eb3928d

SHA256
ebb9c77508656d1297df6351a0c1c4c8c397f55295696bd19844fdda9cf7d985

SHA512
899134d1abe9a0d106ab68dad6bbb9197df0101a0bb0c5d2880185693c2b7e783ad31b353d75898fd277652704579abf9f0a072e82a50f3cbcd0a5b601f88462

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
77573f659951d20e5ecad51434be197b

SHA1
16d4db0044af98a11c3afbf3f121cf62570efb89

SHA256
4168acdf2e5bde2df5d0524ce39a652d723288ec4b887c308425981d7a29c63a

SHA512
895d127682282a8a4022562647d1b905a69a4358f138debb0332ba274c24fdc8222b2dd7f36db487dfdab1086a720a29ed4a276a69e8a2ee19e0d050ce1fce91

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b01d7d90a4c7fccba3a8cf521df9e5ef

SHA1
63477aafde020e2490b5e24588c8e47720f62914

SHA256
a1c9ee8a7db23f66eefeab452f0642c13d334653e682027d667f35e6e2483636

SHA512
973cbc5d0ff131d27dfdde37d186b6b18a85188ce3ef0a376f57eb9d501690e9fa737cd78a6d53e004aed4c82a09b01c3e0a7de0f6aba1a55a9a54929c948acb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
316f41000f7714cb85631289a2faea6e

SHA1
bf06c85aa2383290ed133ea98ea8bdea87b0de54

SHA256
9a30857bfeeef7fee1e65133b552ba4743b7c1beea8337a08070f3c1950001d8

SHA512
bd386babfe9f84d3e11c8889efa94b843995192bde56aa6e347d5079ff7f129f74c75e99496f048fc5c00685412ace845b0e4fab2ee3d26e0e6f32fb95021270

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf90938e11261ecfc25885c58b4b0570

SHA1
37840b27df8dde76092f3e46bd5a234fb8d5af06

SHA256
bcb174a462530f75cb511f5bd33c58347cd75b06ced2f7acb5b198de1fcbe8e4

SHA512
e896ecc79d1999d0cb174de44062614b7435a1e5d94dd026fea562d96da5fcc0be70f096d3099b0109051695a4960962a411cf20b28b0904c877e5b067b91f05

Download Submit
C:\Users\Admin\AppData\Local\Temp\0rnbwo7iYS.bat

Filesize
191B

MD5
3f909be0c70bae252d6c718f4e1e3333

SHA1
0464b08ead8681d829c3af4d9798f49ade675b3b

SHA256
11dfd36984b7280dc123e34cde9607388a2ca0e14dd6c7c81677282bfcec42a7

SHA512
1c7a07de046dc3829dfef21ebd53131a364cb3242569bc2d6af0dcbdbe4d516527bef6be930c5ff6a69c20adb2ffeeb25445170945e79c74813c9c0e7a40b4f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1A27.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat

Filesize
191B

MD5
d4f8c4a954a41613808eb5e8e52347c8

SHA1
4010ee34c1d1b02804f5e2e86df903deb739d9f3

SHA256
9b12bc1909c2d7ff1b5ef440eb17c0247b99c06837fea7b9a161cc3532b066e9

SHA512
2ae8a17f9a604a3dcfda7b386f5294b766fdbb745b5a40156d02d32798ad0de6c31ed83e1f39fcd1bf18c1c4dcff01abe5619447c3945c378020a1087c3acfd6

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat

Filesize
191B

MD5
c45fad2539670e541818b1bcb639fee2

SHA1
6637d556245a30f86c0fad13986eee8c077f6155

SHA256
46b3073b467aad7044a82b68b243067ea57d425710549fda5c2d56a0be21ee67

SHA512
5c457ca818d718eb7de3a01b12ce6a0d416282d82d22ed58e7f15bdb834745a3ac833a005c831c4ffe2115e9d3094210aa5ad4dce791152353c12cf8e4135d6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\P6ENo64DAh.bat

Filesize
191B

MD5
ebb56f3a4ee844063e1b66fd409ada18

SHA1
f3650920a90a4660e186523799e9f6c08df9eeb8

SHA256
c621c172f0e3fe04b9aee85d26b99f39f7e5c6169fa9f9189dfb8d1ed2536544

SHA512
a3f3eaf621077900bf55f5f6a0229df85c640e04a326d37da372eb320fd87d07723cf6d192b22e860e9b0da0420c4f4abe1c3a87cdfc8810b90c4930d1610e2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1A69.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UZ6jdsJyxg.bat

Filesize
191B

MD5
2a99119d8215777a1b0934bc0f9d21a8

SHA1
a7f7204f0a3affd29266fc3582c6f15cfb9aa352

SHA256
8903295b7140c198d91e1dcc6aa90648ee0f122c157d46afb382dd8bc9fcf463

SHA512
380d5fb64583f56b76a3e88d703f828de261a2b14be4e45be97e4b8ba69af302817c0ff62f19b7af6e0cb38e1682bee6f5ce151d3c0cf8c0de138819f7cf820a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

Filesize
191B

MD5
22e4364a7d34a7f0f3eaeaa8d9ee3288

SHA1
bacf01db046d189151b0e0f3f952950673270835

SHA256
0b4e934568277f46040e7f95b32a7aa0f6ac17b28202c110e0aae4434b5f4966

SHA512
a89400808379dab55740d5dd698b6638c9f54e633f89ec7ca1d8e2d9a34b727416d8e1b51c801f170957c7df3d7d05a21671dd8210c5b79ba5c012a03c040b7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
191B

MD5
67605d75fee969df721d40207d73387b

SHA1
f9efb827ad64fad3a68f680eb043b5996379131b

SHA256
d87c8d479a31b011ddc55723d05849b1e778745d1b44b3b5d2e708d141085f56

SHA512
072f1425dc3b885e2286491faf53e089bc01234614b1a4d662f5df674283f4dc9d6ff7013572c7598cd137ff24faa6da60b23a88f1c528bbd84a4e542d9b418d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
191B

MD5
6f67b192c0ac87841b6a5839b2cea282

SHA1
185455c86e9af2f0def0e63e6f141c134c48b568

SHA256
c3c4aa47c6d644e5340f6ad8143cb879ce2c2707f1abf348aabde390eb09c673

SHA512
eb7d838bb63b4d1887e715782d915eb26173bbf0727ae0324095991a53c7b29970886a413f6e0d7dd9d07b3aa5ecb26cf53a371897df04f16a4922fe5d378b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
191B

MD5
7e7532c70e82370ff9e7850782829296

SHA1
cd408f56625c8d652c59579a61f649bd0e95183a

SHA256
156ccf5128a921043b6bf50031ab936746e7701cc40cf9581805408b6f6c8958

SHA512
4d42a02b059fb75fef51cda7a4b18a8ae764572d1a7231163028ab9e01b1dc75d9425002b011b4e9d6c2922077e907ec5c7a42e6d0812c4ab8c87c97adb92345

Download Submit
C:\Users\Admin\AppData\Local\Temp\jddtUB3Qwl.bat

Filesize
191B

MD5
59998d41cb3587e812e3a1177b490c87

SHA1
87dfd39ead8ed00200f2407ff1f00174ea75345d

SHA256
ec2de86863ad5a3a836470b174ad2777787ba9a039c57d93c4a56516aa757a94

SHA512
17435b941db5feeea379124d215190849bed26ff2d3dfb147763fb7095b58e54a0373784c1def8422493e2a78b7e2b1d517b5b5344e42d74c0f3a2cb08849229

Download Submit
C:\Users\Admin\AppData\Local\Temp\kQw8FYVnXF.bat

Filesize
191B

MD5
98b984d82f1554a7c096a832b407bc23

SHA1
2b01773a974e6e58108f97d77afe5f8d78d092ff

SHA256
3cee39719343f09639555a15dbb9d4ed99125120d250438915e9a57f5bde758e

SHA512
c36c4a998f1c75a95cfbe9558785609ede2215dff64e6e2747dd5b5bc38b6385cbde15c99f7a0b6401a6803cea7feb3f9f2ca3b4db7c2de5c4801cddc0ea681e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8Y75DQ4SGJCC1N71FNG4.temp

Filesize
7KB

MD5
82e9a18e5e3b73bcf9ef90e64ab5fd52

SHA1
7c3bf8c9a0b2635c0ed9b143f9d574e0addf6ff4

SHA256
d69aebd1c94c5a0873ecad7f566a9cbfe201f3ed67f19a653b6831835552dd1e

SHA512
223d3c4d34ff7cc8b372d53c00b73bcabc77cd0bb93b643f034db39078afda13a3a47d4ad19f7f377d4e4ad14a205dfbfb2a37590a951b82da61bb392b53d17e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1268-77-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1268-51-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/1584-610-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/1784-195-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/1860-46-0x0000000002710000-0x0000000002718000-memory.dmp

Filesize
32KB

Download
memory/1888-730-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/1888-731-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1940-314-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2036-45-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2200-670-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/3044-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/3044-13-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/3044-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/3044-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/3044-16-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download