dcrat | a936a6f0c79204ee24ca2e6bd22200ec187e5442d027313fd836e6b4eff0db56

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 17:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a936a6f0c79204ee24ca2e6bd22200ec187e5442d027313fd836e6b4eff0db56.exe
Size

1.3MB
MD5

b006d88b2f654cc3826cd124d4aa142b
SHA1

7eb29d77f8206ead3f636cd8f208f7c0cd6ed18d
SHA256

a936a6f0c79204ee24ca2e6bd22200ec187e5442d027313fd836e6b4eff0db56
SHA512

01c9b17a6148beb9330d912ce1b052fad5a2ae46dcba7867002f7ebc08f0a2df2303dbfd8251a30264f1a4fbe51ccd71410d7b492454d00e5bcef331e4b6d3f9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 18 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2488	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	308	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	2920	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2920	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000015d79-9.dat	dcrat
behavioral1/memory/1656-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/2540-86-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/2252-204-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/2164-264-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2756-324-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/1116-384-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/880-444-0x00000000009E0000-0x0000000000AF0000-memory.dmp	dcrat
behavioral1/memory/2536-504-0x0000000000AD0000-0x0000000000BE0000-memory.dmp	dcrat
behavioral1/memory/2260-564-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2500	powershell.exe
656	powershell.exe
1324	powershell.exe
1304	powershell.exe
1892	powershell.exe
2844	powershell.exe
2412	powershell.exe
2512	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
1656	DllCommonsvc.exe
2752	DllCommonsvc.exe
2540	sppsvc.exe
1000	sppsvc.exe
2252	sppsvc.exe
2164	sppsvc.exe
2756	sppsvc.exe
1116	sppsvc.exe
880	sppsvc.exe
2536	sppsvc.exe
2260	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2552	cmd.exe
2552	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
33	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\images\27d1bcfc3c54e0	DllCommonsvc.exe
File opened for modification	C:\Program Files\Internet Explorer\images\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\RedistList\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\images\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a936a6f0c79204ee24ca2e6bd22200ec187e5442d027313fd836e6b4eff0db56.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 18 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3048	schtasks.exe
2776	schtasks.exe
1500	schtasks.exe
308	schtasks.exe
2348	schtasks.exe
2936	schtasks.exe
2344	schtasks.exe
696	schtasks.exe
984	schtasks.exe
1044	schtasks.exe
2736	schtasks.exe
1352	schtasks.exe
2488	schtasks.exe
2676	schtasks.exe
1408	schtasks.exe
2588	schtasks.exe
2240	schtasks.exe
760	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 9 IoCs

pid	Process
2540	sppsvc.exe
1000	sppsvc.exe
2252	sppsvc.exe
2164	sppsvc.exe
2756	sppsvc.exe
1116	sppsvc.exe
880	sppsvc.exe
2536	sppsvc.exe
2260	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
1656	DllCommonsvc.exe
2500	powershell.exe
2512	powershell.exe
2412	powershell.exe
2752	DllCommonsvc.exe
2844	powershell.exe
656	powershell.exe
1892	powershell.exe
1324	powershell.exe
1304	powershell.exe
2540	sppsvc.exe
1000	sppsvc.exe
2252	sppsvc.exe
2164	sppsvc.exe
2756	sppsvc.exe
1116	sppsvc.exe
880	sppsvc.exe
2536	sppsvc.exe
2260	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	1656	DllCommonsvc.exe
Token: SeDebugPrivilege	2500	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2752	DllCommonsvc.exe
Token: SeDebugPrivilege	2844	powershell.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	1892	powershell.exe
Token: SeDebugPrivilege	1324	powershell.exe
Token: SeDebugPrivilege	1304	powershell.exe
Token: SeDebugPrivilege	2540	sppsvc.exe
Token: SeDebugPrivilege	1000	sppsvc.exe
Token: SeDebugPrivilege	2252	sppsvc.exe
Token: SeDebugPrivilege	2164	sppsvc.exe
Token: SeDebugPrivilege	2756	sppsvc.exe
Token: SeDebugPrivilege	1116	sppsvc.exe
Token: SeDebugPrivilege	880	sppsvc.exe
Token: SeDebugPrivilege	2536	sppsvc.exe
Token: SeDebugPrivilege	2260	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1736 wrote to memory of 2308	1736	JaffaCakes118_a936a6f0c79204ee24ca2e6bd22200ec187e5442d027313fd836e6b4eff0db56.exe	30
PID 1736 wrote to memory of 2308	1736	JaffaCakes118_a936a6f0c79204ee24ca2e6bd22200ec187e5442d027313fd836e6b4eff0db56.exe	30
PID 1736 wrote to memory of 2308	1736	JaffaCakes118_a936a6f0c79204ee24ca2e6bd22200ec187e5442d027313fd836e6b4eff0db56.exe	30
PID 1736 wrote to memory of 2308	1736	JaffaCakes118_a936a6f0c79204ee24ca2e6bd22200ec187e5442d027313fd836e6b4eff0db56.exe	30
PID 2308 wrote to memory of 2552	2308	WScript.exe	31
PID 2308 wrote to memory of 2552	2308	WScript.exe	31
PID 2308 wrote to memory of 2552	2308	WScript.exe	31
PID 2308 wrote to memory of 2552	2308	WScript.exe	31
PID 2552 wrote to memory of 1656	2552	cmd.exe	33
PID 2552 wrote to memory of 1656	2552	cmd.exe	33
PID 2552 wrote to memory of 1656	2552	cmd.exe	33
PID 2552 wrote to memory of 1656	2552	cmd.exe	33
PID 1656 wrote to memory of 2500	1656	DllCommonsvc.exe	41
PID 1656 wrote to memory of 2500	1656	DllCommonsvc.exe	41
PID 1656 wrote to memory of 2500	1656	DllCommonsvc.exe	41
PID 1656 wrote to memory of 2512	1656	DllCommonsvc.exe	42
PID 1656 wrote to memory of 2512	1656	DllCommonsvc.exe	42
PID 1656 wrote to memory of 2512	1656	DllCommonsvc.exe	42
PID 1656 wrote to memory of 2412	1656	DllCommonsvc.exe	43
PID 1656 wrote to memory of 2412	1656	DllCommonsvc.exe	43
PID 1656 wrote to memory of 2412	1656	DllCommonsvc.exe	43
PID 1656 wrote to memory of 1480	1656	DllCommonsvc.exe	47
PID 1656 wrote to memory of 1480	1656	DllCommonsvc.exe	47
PID 1656 wrote to memory of 1480	1656	DllCommonsvc.exe	47
PID 1480 wrote to memory of 1772	1480	cmd.exe	49
PID 1480 wrote to memory of 1772	1480	cmd.exe	49
PID 1480 wrote to memory of 1772	1480	cmd.exe	49
PID 1480 wrote to memory of 2752	1480	cmd.exe	51
PID 1480 wrote to memory of 2752	1480	cmd.exe	51
PID 1480 wrote to memory of 2752	1480	cmd.exe	51
PID 2752 wrote to memory of 656	2752	DllCommonsvc.exe	64
PID 2752 wrote to memory of 656	2752	DllCommonsvc.exe	64
PID 2752 wrote to memory of 656	2752	DllCommonsvc.exe	64
PID 2752 wrote to memory of 1324	2752	DllCommonsvc.exe	65
PID 2752 wrote to memory of 1324	2752	DllCommonsvc.exe	65
PID 2752 wrote to memory of 1324	2752	DllCommonsvc.exe	65
PID 2752 wrote to memory of 1304	2752	DllCommonsvc.exe	66
PID 2752 wrote to memory of 1304	2752	DllCommonsvc.exe	66
PID 2752 wrote to memory of 1304	2752	DllCommonsvc.exe	66
PID 2752 wrote to memory of 1892	2752	DllCommonsvc.exe	67
PID 2752 wrote to memory of 1892	2752	DllCommonsvc.exe	67
PID 2752 wrote to memory of 1892	2752	DllCommonsvc.exe	67
PID 2752 wrote to memory of 2844	2752	DllCommonsvc.exe	68
PID 2752 wrote to memory of 2844	2752	DllCommonsvc.exe	68
PID 2752 wrote to memory of 2844	2752	DllCommonsvc.exe	68
PID 2752 wrote to memory of 1004	2752	DllCommonsvc.exe	74
PID 2752 wrote to memory of 1004	2752	DllCommonsvc.exe	74
PID 2752 wrote to memory of 1004	2752	DllCommonsvc.exe	74
PID 1004 wrote to memory of 1716	1004	cmd.exe	76
PID 1004 wrote to memory of 1716	1004	cmd.exe	76
PID 1004 wrote to memory of 1716	1004	cmd.exe	76
PID 1004 wrote to memory of 2540	1004	cmd.exe	77
PID 1004 wrote to memory of 2540	1004	cmd.exe	77
PID 1004 wrote to memory of 2540	1004	cmd.exe	77
PID 1004 wrote to memory of 2540	1004	cmd.exe	77
PID 1004 wrote to memory of 2540	1004	cmd.exe	77
PID 2540 wrote to memory of 868	2540	sppsvc.exe	78
PID 2540 wrote to memory of 868	2540	sppsvc.exe	78
PID 2540 wrote to memory of 868	2540	sppsvc.exe	78
PID 868 wrote to memory of 320	868	cmd.exe	80
PID 868 wrote to memory of 320	868	cmd.exe	80
PID 868 wrote to memory of 320	868	cmd.exe	80
PID 868 wrote to memory of 1000	868	cmd.exe	81
PID 868 wrote to memory of 1000	868	cmd.exe	81

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a936a6f0c79204ee24ca2e6bd22200ec187e5442d027313fd836e6b4eff0db56.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a936a6f0c79204ee24ca2e6bd22200ec187e5442d027313fd836e6b4eff0db56.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1736
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2308
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2552
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\images\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aYFkw6Uz0k.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1480
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1772
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1716
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:320
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat"
        11⤵
        
        PID:892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2568
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat"
        13⤵
        
        PID:2524
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1588
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        15⤵
        
        PID:2332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2904
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
        17⤵
        
        PID:2424
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:704
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        19⤵
        
        PID:2744
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1532
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat"
        21⤵
        
        PID:484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1720
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        23⤵
        
        PID:1628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1788
        
        C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe
        
        "C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat"
        25⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Program Files\Internet Explorer\images\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Analysis Services\AS OLEDB\10\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft.NET\RedistList\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\480d7142-91a3-11ef-b9f6-6e5a89f5a3c7\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Uninstall Information\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbbc29109d6114ded2adedf702d2ac15

SHA1
160720e3467391236b0e1f4b3e815a3725945ff3

SHA256
cc0f28d3e6bfc288b677250d95ad469ae6812533b878e46854bfef6415eee5c6

SHA512
3ae739ddf4db63beaa3e6ef94551c1f320d85e0d9bfb5884e8a86ba250c015ce668011bc32622db79df74f14ce84ef80de39572c50646857688e79715d316ca6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e842ebc00e601fcc0bee7a3fec62b91f

SHA1
8e6cb5530dfd838082aa2f840caa886750d58f9c

SHA256
0081e5d50d8754e10fda321ce99ceb3a8086dab1b60dffea1b7b56171987fee9

SHA512
ac34a95d97ce188331c7eec32532d1a70a4781c88d356a5a7a8a66feeba0e9677a159596a0354ea1b01be0b3ab1ce5e91342ad9cb198ec5dcd949fe7025474ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc4be8c2967076e53ec8f6a23520c746

SHA1
aad30ea6c6dddf5ed6d872b5f676bafa487c7a62

SHA256
add7f84148d77597c598d7a7a2fa7d4c1619d84b45286fb6cb32bafe6fc4361c

SHA512
fce83307e6fd7c5794576009ce53503f6b18356ea6f473a97da1da5c3647bcfff91acec1a301d905086f68d5353af949f74d81236be4cc5463b330a64969e59f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5d77f8e4a1352acf88e88a62ba792346

SHA1
cd23fe9db15f724eeed561b9fa3a537db3d0ec3c

SHA256
e0733bf9fa3cafdcc0f0ae5370a4ee6789fbc0c59c14f82194878ccb528db587

SHA512
d31f80fa984c8e38dcff7f061e1a62a0bec5bde4f2cfb4f80d2c24c30794117a122ab4e4254831a87351b52e90c3a8bcbb7fc814f3dc8ec488083e334ac61490

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3122320c9093e792a480b96798d59071

SHA1
2a362abdd83fd02ca9998f31b636b20192f146e0

SHA256
116a1afd0b8e781ee33bd9b6be42adb5ce265a35963ca56ac737862088b615fb

SHA512
12525d8fa68abae77e89dd671c9ac52e2a5e31fcca3f47a1d07b86b44f658f6ad0baef3bb6e7e05fa6a46acd19c7838331d57b9427c23704b44c3caccd8e685a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7630fc3b06b2205ac30976c88a04c65c

SHA1
09e322094fc07c889e5400647cc3fd24a5b350ba

SHA256
897046e39e4c368b4c98e980b8010e1e0f2e04ec8b5c280928a96eef245f4d82

SHA512
9117d5fb294c8b921338fbe0c8d3748a459bdb74d59e08d4fe4b7fd1ae70e9fcd3a9f6c64b751d61bc4a83f412b70a6b06ec6e5241b7f4172d27b65ac8a20ff0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
89acdde5a2481c153ac3c08a0dda3f71

SHA1
907bf10fa184035af2548555c5831cb58039b73c

SHA256
a7784c8fc81cb7dcb734efe7684d588f9140345749d27f78192a681f0b0a429d

SHA512
eeec22807ecc8e5aacc08915ef79e2d572e34ad1916b1a65b0168895e22868ec1e112d92fb6cb6791f8d435e682a73c6e2b9654d6149c9326e94396943c2bec6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5ba65be524e53a7436e3f7b9a250a1a

SHA1
c8e31e4d9182ef19f3a0bb1c960f5070924d4e4a

SHA256
0f2387e8d707331041963fa520f1c8955bed45cffc0c6d417f465afa4cbd91b7

SHA512
aedfb097838b00add26e09a95f72d784d16ce953c38361095e6ac8679e10279a5af3afabf3bd942391964558a90fde5e148035fe2dfcf64d11b275cee7d2c9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF8C2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
223B

MD5
b020de87153921620135e10fb2d39d0c

SHA1
283a381523769bdfc89d391b295fc186692ef3d1

SHA256
ddfdf0310e7f477ea07d6b63cad60563d597298723fc50f7456e9408086dc07d

SHA512
02a03c44097ee450ad11117c1f29e7aa6586c46b314aad3a28e9650501a02e9a16c48f4b9166e99fe4222f716e572352335022a8411c2f8c88a0fe8fb7c85eb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat

Filesize
223B

MD5
611b8ebea3d9427467c3ea7d0378a47b

SHA1
8477ad403653a21021f42ccba5f27ce87e568b47

SHA256
4c207371a34f62ea7baf982a83b3c28a35553f4078ebdebc2a2128c7ca4b3ae9

SHA512
123294e96c897ba7bb068d85167bdc9a46d5abbc812e5c2b3710b28b4c7642ab8a794b53aec73e689712f79bcea70c354b56eb377a54ffb7042d971fdf10ad3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\OrAhl4fNEA.bat

Filesize
223B

MD5
0148aee7763bc6c9adf7a1a592cec2b8

SHA1
c9f6409b564f13f4fc95220e38e7e2ff783be9c5

SHA256
f6f930f67d80214b0dd31dfa678b289bc8f6614cd773a5a36cbe6b3bf32f3b6b

SHA512
ce1535662f04ad07ba4244a3d70428c09c05bc316b1709c56a2104db11e3e4086abf630c96cf26de725bf94442e270e9acb484c7e971f84d778b06abee28e95c

Download Submit
C:\Users\Admin\AppData\Local\Temp\SaOkt9ru2m.bat

Filesize
223B

MD5
8dac31ced22ddc8ef37112e77449e488

SHA1
f88722a028a7fe2a50e1697ab695cd74e7d33f11

SHA256
66e911f44d623f8c0fe00d3b9b98a8bbec4e3f6a064db716aad488a616515a9f

SHA512
13e57931565e414d64188fc7fa1ded117ca4d807950b108317954722eb1b817978dc55f2d172b6951c14a48b2ca110f0af573bc0fc6bf3301fa085cf974ce5a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat

Filesize
223B

MD5
bd07bce8443137b0e93df6de9e6c07f9

SHA1
3593d6d8813f3582c6e9daecdb9eb132afae8dfe

SHA256
fd1d1bd2d0c2b726d901152ed90918fd5371fe9de09b3c46a871ba899ed67401

SHA512
62a4d125ac62c8677f8b228448d41f2b8ea51888ac9829d4997434090ef7b292a8ebc101c24fd946836b3f564643d72026787230048a381b2dd05093c1ac059c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF8E5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Utfk4Eg9N4.bat

Filesize
223B

MD5
eefc8ea91483b988a325b7cbec752c27

SHA1
60d006a97279c46e4763199b432e68012ad18bbc

SHA256
54438142dc8eca520ebf3f4875a8bb40729f57137c6942f46f41fcaadc12dc2c

SHA512
d1a8dc2df0e0af731c015a2994dd0107e24bd5d285727d2a7736693b21dc431686a78936cbe806a7678d549c2471b677ae7e1c29b0821522b028c0fccf8ceb2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
223B

MD5
c3bb3f72d02949a5d3c0ffa936506e47

SHA1
22ba67cfa9f390028b07a4a1c430a1be99742108

SHA256
fec9d3701fabc89c0acc078ef1ece787540a8f05b2b5d3c2de61ea59f3fd460a

SHA512
a90dbb3759dc8c2f59e74b3a6b162531184888d61ade376ae2795f9b0a99409f6f170e0aec9d479ffb40f3d5409e8583f958640eb9956947281cc5d875d69812

Download Submit
C:\Users\Admin\AppData\Local\Temp\aYFkw6Uz0k.bat

Filesize
199B

MD5
91c669a1ac8b5dd0aa5d379fa3ae3d67

SHA1
0587e4898a0a0559de9571b40aee69ea39db55d1

SHA256
69c0d8c0312607cc54f50006492fb5e5bcdf667d092f080fd2dcc8216a3385c0

SHA512
58703bce5889d11f701d124ed9f99bd1396c6a3c94c339acc512f59555c924becd03f951cd9435ad4d77891849221a98c2af057a3f959ce39ce56cdb49358121

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
223B

MD5
0ef78bb1a2e13c5c61caf656601acb1a

SHA1
629b0625eb72ee2aa68402a6102cd973e20b6f16

SHA256
30d38d8f4d3e03c4920d73126b04ea61ac9de0bcc589445f65dae768a92cd448

SHA512
e94055de3c194898f4356e7378722c53edf35ad825b3359c1cc93897c01103e4d6a524dca5ce8078c0bff5094d422bd79824bc54b26697aaaef2ab69887691ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
223B

MD5
a1b617f81b7043e4a4d5148c288a1285

SHA1
54037731265068eeab2aa249c4b9e0f7bfef1d51

SHA256
b220ff9ed9c9f444f19d62857de2bbef003f2c9dcd90de19fea5cd9757b8f40b

SHA512
8efa9c8b9408f98e46dd2de604f140c23e175b46d5b72b73d4a933bd2bafda2da579a6bd6a3a8c614afb666bf629ba383cd451ae2c0916ac7d7d8d91359053fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat

Filesize
223B

MD5
8d1b465e59fb3ed8cba57a64d30ef8dd

SHA1
54106a4f491dabd98b44b0f22eecb70317a58bc3

SHA256
f6dda17ea4fc87db9c52935acdc6cfefcef6765d8ee0cfad1c88e6b168702754

SHA512
5e769699f46e442c7fb8a374824a2988c8c53140e195383176a6644562f5f2896f4f6107d74ba6949a02cb954e6240ee0ad2ca5d7b3c858b7b21e137687c52bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3477f5992b16aef4684ad0d13811070f

SHA1
cf30734f93f71467923d89659f2d5e18df8ced9b

SHA256
b57fe90e2f41657b3aaf3313093f12134a22746cefbacb8dca85d71a31559684

SHA512
7b7c86bc237aea28cf029f4c9a9e4b00a9a49f81e6f069d58207db5a6682dc89ffb0a9379aa892fad27f95c4e340cc259045240377dc14311915a2fe187b7db3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/656-83-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download
memory/656-82-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/880-444-0x00000000009E0000-0x0000000000AF0000-memory.dmp

Filesize
1.1MB

Download
memory/1116-384-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/1656-15-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/1656-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/1656-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/1656-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1656-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2164-264-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/2252-204-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/2260-564-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2500-42-0x00000000028F0000-0x00000000028F8000-memory.dmp

Filesize
32KB

Download
memory/2500-41-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2536-504-0x0000000000AD0000-0x0000000000BE0000-memory.dmp

Filesize
1.1MB

Download
memory/2540-86-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/2756-324-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download