dcrat | bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7

Analysis

max time kernel
149s
max time network
155s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
23-12-2024 12:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe
Size

1.3MB
MD5

0c0e9d81c1fc8382f48c1c4144d2c16f
SHA1

8d2762a079d1c967b934dd3e523541f4272072d6
SHA256

bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7
SHA512

7000bb88fb5778d61f2e78649c5ccde76a968449466f77bac2d0c7a4bdc4d6569e2b7a17d4e41bd84bae66987ed6beafc5c91ae1add3d623db0b067dee0cec78
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1168	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	3032	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	3032	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cf0-9.dat	dcrat
behavioral1/memory/3056-13-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat
behavioral1/memory/1664-42-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/2640-372-0x0000000001160000-0x0000000001270000-memory.dmp	dcrat
behavioral1/memory/740-433-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/1208-493-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/3052-553-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1800	powershell.exe
1736	powershell.exe
376	powershell.exe
324	powershell.exe
2028	powershell.exe
2004	powershell.exe
1940	powershell.exe
948	powershell.exe
2496	powershell.exe
1864	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
3056	DllCommonsvc.exe
1664	WmiPrvSE.exe
1264	WmiPrvSE.exe
1276	WmiPrvSE.exe
1500	WmiPrvSE.exe
2352	WmiPrvSE.exe
2640	WmiPrvSE.exe
740	WmiPrvSE.exe
1208	WmiPrvSE.exe
3052	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
3008	cmd.exe
3008	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\Favorites\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-help-sniptoo.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_98b2d78ec536ce73\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
336	schtasks.exe
2236	schtasks.exe
2040	schtasks.exe
1820	schtasks.exe
1192	schtasks.exe
1168	schtasks.exe
1976	schtasks.exe
1672	schtasks.exe
2760	schtasks.exe
2188	schtasks.exe
1576	schtasks.exe
1520	schtasks.exe
1212	schtasks.exe
3052	schtasks.exe
2900	schtasks.exe
1612	schtasks.exe
1264	schtasks.exe
2808	schtasks.exe
2428	schtasks.exe
1080	schtasks.exe
1884	schtasks.exe
456	schtasks.exe
2420	schtasks.exe
580	schtasks.exe
1104	schtasks.exe
1436	schtasks.exe
2216	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
3056	DllCommonsvc.exe
948	powershell.exe
1800	powershell.exe
2004	powershell.exe
1736	powershell.exe
324	powershell.exe
376	powershell.exe
1864	powershell.exe
1940	powershell.exe
2028	powershell.exe
2496	powershell.exe
1664	WmiPrvSE.exe
1264	WmiPrvSE.exe
1276	WmiPrvSE.exe
1500	WmiPrvSE.exe
2352	WmiPrvSE.exe
2640	WmiPrvSE.exe
740	WmiPrvSE.exe
1208	WmiPrvSE.exe
3052	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	3056	DllCommonsvc.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	1800	powershell.exe
Token: SeDebugPrivilege	2004	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	1664	WmiPrvSE.exe
Token: SeDebugPrivilege	1264	WmiPrvSE.exe
Token: SeDebugPrivilege	1276	WmiPrvSE.exe
Token: SeDebugPrivilege	1500	WmiPrvSE.exe
Token: SeDebugPrivilege	2352	WmiPrvSE.exe
Token: SeDebugPrivilege	2640	WmiPrvSE.exe
Token: SeDebugPrivilege	740	WmiPrvSE.exe
Token: SeDebugPrivilege	1208	WmiPrvSE.exe
Token: SeDebugPrivilege	3052	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 740	2076	JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe	30
PID 2076 wrote to memory of 740	2076	JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe	30
PID 2076 wrote to memory of 740	2076	JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe	30
PID 2076 wrote to memory of 740	2076	JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe	30
PID 740 wrote to memory of 3008	740	WScript.exe	31
PID 740 wrote to memory of 3008	740	WScript.exe	31
PID 740 wrote to memory of 3008	740	WScript.exe	31
PID 740 wrote to memory of 3008	740	WScript.exe	31
PID 3008 wrote to memory of 3056	3008	cmd.exe	33
PID 3008 wrote to memory of 3056	3008	cmd.exe	33
PID 3008 wrote to memory of 3056	3008	cmd.exe	33
PID 3008 wrote to memory of 3056	3008	cmd.exe	33
PID 3056 wrote to memory of 1940	3056	DllCommonsvc.exe	62
PID 3056 wrote to memory of 1940	3056	DllCommonsvc.exe	62
PID 3056 wrote to memory of 1940	3056	DllCommonsvc.exe	62
PID 3056 wrote to memory of 376	3056	DllCommonsvc.exe	63
PID 3056 wrote to memory of 376	3056	DllCommonsvc.exe	63
PID 3056 wrote to memory of 376	3056	DllCommonsvc.exe	63
PID 3056 wrote to memory of 324	3056	DllCommonsvc.exe	65
PID 3056 wrote to memory of 324	3056	DllCommonsvc.exe	65
PID 3056 wrote to memory of 324	3056	DllCommonsvc.exe	65
PID 3056 wrote to memory of 2028	3056	DllCommonsvc.exe	66
PID 3056 wrote to memory of 2028	3056	DllCommonsvc.exe	66
PID 3056 wrote to memory of 2028	3056	DllCommonsvc.exe	66
PID 3056 wrote to memory of 948	3056	DllCommonsvc.exe	67
PID 3056 wrote to memory of 948	3056	DllCommonsvc.exe	67
PID 3056 wrote to memory of 948	3056	DllCommonsvc.exe	67
PID 3056 wrote to memory of 2496	3056	DllCommonsvc.exe	68
PID 3056 wrote to memory of 2496	3056	DllCommonsvc.exe	68
PID 3056 wrote to memory of 2496	3056	DllCommonsvc.exe	68
PID 3056 wrote to memory of 1864	3056	DllCommonsvc.exe	70
PID 3056 wrote to memory of 1864	3056	DllCommonsvc.exe	70
PID 3056 wrote to memory of 1864	3056	DllCommonsvc.exe	70
PID 3056 wrote to memory of 2004	3056	DllCommonsvc.exe	71
PID 3056 wrote to memory of 2004	3056	DllCommonsvc.exe	71
PID 3056 wrote to memory of 2004	3056	DllCommonsvc.exe	71
PID 3056 wrote to memory of 1800	3056	DllCommonsvc.exe	72
PID 3056 wrote to memory of 1800	3056	DllCommonsvc.exe	72
PID 3056 wrote to memory of 1800	3056	DllCommonsvc.exe	72
PID 3056 wrote to memory of 1736	3056	DllCommonsvc.exe	73
PID 3056 wrote to memory of 1736	3056	DllCommonsvc.exe	73
PID 3056 wrote to memory of 1736	3056	DllCommonsvc.exe	73
PID 3056 wrote to memory of 1664	3056	DllCommonsvc.exe	82
PID 3056 wrote to memory of 1664	3056	DllCommonsvc.exe	82
PID 3056 wrote to memory of 1664	3056	DllCommonsvc.exe	82
PID 1664 wrote to memory of 1764	1664	WmiPrvSE.exe	83
PID 1664 wrote to memory of 1764	1664	WmiPrvSE.exe	83
PID 1664 wrote to memory of 1764	1664	WmiPrvSE.exe	83
PID 1764 wrote to memory of 2480	1764	cmd.exe	85
PID 1764 wrote to memory of 2480	1764	cmd.exe	85
PID 1764 wrote to memory of 2480	1764	cmd.exe	85
PID 1764 wrote to memory of 1264	1764	cmd.exe	86
PID 1764 wrote to memory of 1264	1764	cmd.exe	86
PID 1764 wrote to memory of 1264	1764	cmd.exe	86
PID 1264 wrote to memory of 2156	1264	WmiPrvSE.exe	87
PID 1264 wrote to memory of 2156	1264	WmiPrvSE.exe	87
PID 1264 wrote to memory of 2156	1264	WmiPrvSE.exe	87
PID 2156 wrote to memory of 2236	2156	cmd.exe	89
PID 2156 wrote to memory of 2236	2156	cmd.exe	89
PID 2156 wrote to memory of 2236	2156	cmd.exe	89
PID 2156 wrote to memory of 1276	2156	cmd.exe	90
PID 2156 wrote to memory of 1276	2156	cmd.exe	90
PID 2156 wrote to memory of 1276	2156	cmd.exe	90
PID 1276 wrote to memory of 2296	1276	WmiPrvSE.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bcc43dcaeb7454c82551c65bee86ece7ad2c2a3cbc090943c8ae794e89f31dd7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3008
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1800
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1664
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2480
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2236
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat"
        10⤵
        
        PID:2296
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2380
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
        12⤵
        
        PID:916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1432
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
        14⤵
        
        PID:2736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2580
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat"
        16⤵
        
        PID:1896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:816
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat"
        18⤵
        
        PID:1732
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1072
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"
        20⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2908
        
        C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe
        
        "C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Libraries\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\Migration\WTR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\ServiceProfiles\LocalService\Favorites\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6ec97f16fcd14420275e1a28a72afa6

SHA1
6f2c831d9e2d3547a568e838855ad5511976573c

SHA256
ced63f77d10a7d76114ab90bfea13c3c6b548f73a6f5eb0b66b724b8872381d5

SHA512
d654239d454bbfe493f4d6a177cd3d088183e2131dd3fb6377e3a6146553ede54ebe27e51830dfcd564f8be952198aa85a9a98b5664adb0092a07ebab7e3aa96

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
85d309902351899f7c2621db1a25b9c0

SHA1
42f491ee5037445ea9b263b04a69733102b44338

SHA256
711357ee2c4d37d7c210d0ca356a8320fdd5ddf6cf56fd40c71354cdfaced65c

SHA512
8a60bc6352233865647cb7f9b851e238466d781e9016f243a675fa94805dd29e51f1b8a903e75c14bb597fe046444eb1633468a398005c55a67afbee04b15f83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4a32219da0d55e71e8d06e90dcc9bc05

SHA1
c289599995e39e09c238306879b60fce2a82eb9c

SHA256
13514f59e743bfbfe2863d69078e4f0296629af87bc75963994fd05ed2bf677d

SHA512
a4e76340f9547b2262eaabfe7eff276be6494a996534db0331c84aaf654bde73ec438321306d64df3fe26289d2acf10a0e4797d1ce170558c02555474c8cc2d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
33013b5a5f0022106db21b4eed09ff27

SHA1
f4eb596cea18dafa7e616df611c203810f8199b2

SHA256
f63cbdfc4e58a5ddd8fa552183e6e6b83fdfe5ed3a7e8bf03f7c2644ea267217

SHA512
2c9df35eef95f8fbae6ea708b44b1d4dbecfe43bfab6c3e45f7dc94c7e44d7a02e438c4919722db0b6826b14f2bac8991d6cf855a66832c22b63b5f166e39aa3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e995e6f337297a58b5fc46104865ae9c

SHA1
0d93d3a10a6dc6cf4d77cebca774c414dcf93056

SHA256
07fe9e9e8e7af6bccffcc8e6b6afc3a4e841f7fb2c213d1fbe3b0c615baa7c70

SHA512
3c56466eb7e8dd12abd1ab31d6e33948638b84816d95464c05294ade66d6c16bcea9d8a9cf27971d8c0fcba2182de63ad2aa22a3502fe612afd874b502b8e013

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9fe06da166665bcf499f6516803ec8e

SHA1
c8e553763dc2f7f920baf9eca3309ff2ae343e05

SHA256
57edaa5298f416a8d035cc6068ca7884ae4ef8f8b58049c64fa55f82729691ba

SHA512
f121c80e354649b1f4dc7ee6784e738d3fb2cbe4cba010984a1422cfd1ecbf5ab7eb3574464e8efc13eee6de2e85e6a9675f2e0db09c44c424c1e18a8d7e4ee0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cc327d8ed821ce7090fb87e0e0a0a27

SHA1
868913a2b24eb20b204b8e9168697df8bbc40a40

SHA256
7b4bccd8689f5c5274b7c358cb74726afb47041d6c1a3fb32a13c64e166946ed

SHA512
0ab1d7ae3fbc11fab2551094756de437a55ca86c73004835ffdc4b04422e39d27af4d94d9ac591406be31a4882bb42b0a3d3ed08f27f918bf131363cc6b79784

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

Filesize
226B

MD5
87a10b5be85022dd0d408fec9fafc1d7

SHA1
94663c232a9680f84fd3772dae3be4a135541529

SHA256
3961ec94ff31ee1cb93c890ae26d128f6a360524d2fe33a20e377eea930ead56

SHA512
cc02bbd5c48adb41009c641660222e2e3e6c03dba6855fa3d05c41b62ce61e17959f37894ed5aaac4e33670fc585aaa05e3962fc3bf6b5a5741b6faa3e467046

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab16FC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat

Filesize
226B

MD5
19947703d6260f1d221db6da366db127

SHA1
1b56b9187d7427df07cb42e740021f9b8aaf8d1d

SHA256
6416f7a1db2ba06350f9f82669dd60532fca6f9e54556508b8bc3a5306e5bdc2

SHA512
8dde2ab0787e48ac4b14d41abecdc7a16e9452a4c815e0c1ca5a39d4caafa6af662f27bd2bf66d77f083b2c4b20c8c2c412aa156aed3a6bbce9d96fd6345e340

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar170F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat

Filesize
226B

MD5
106579559250fe0fb865708e469d7833

SHA1
f6899b911d8203ffb18e3207964384d6541fdbac

SHA256
b41e11e555aaa174895318150f4ab553ad18c2d7eebf47be9c87533f5ad8e78a

SHA512
7c4087542a300817075380b42265d6fdd472f1a050afec61eb8387329eab63bf841fc9309a3a1e4867a74c4316c9fd792d3f99d294ae6878ab2f3e3ead5afb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z7DRyUOV59.bat

Filesize
226B

MD5
c919ae58a9d31b8457c28826a3820a62

SHA1
7927faa08f46ffe1726940d701fe6694344648b0

SHA256
ab74d52f5a88a2a35072c1110fe36bdbe1e09ddc73b3b11027a07fc7e6e6662a

SHA512
b0cb8da1d2f3e2c0635c2d96e472f6433969f0c128d1943f84ffa190d67f45df12535d8962e43362724a31883c5f19d666d4d680a37ea9763cff955aa88c4a4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
226B

MD5
1e26ae2d8392943b4817f12093fd9318

SHA1
ca9421956f7ad2d108673add6962961af0de6a71

SHA256
2bbcf8594ad16543276e4a515e741741f2c5b4b68b44d327eb9ae6434e58fcf6

SHA512
c0b786acee5eb13ec9bdacb06a43526561b4b8f75a5bee9ef01727e072f97b724932dec0bb9afa94da745550fd5b91a901838b0ef5d328aad5c7fe2167ce4b64

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat

Filesize
226B

MD5
736108b2b7ab55299604d45c24852ce3

SHA1
188dd7f2140f971c671e867e59b0a718310c22e3

SHA256
076213a8b67e24ff51a487b932b5880af218b9deca81819df0c49ee5b220c231

SHA512
114ffb886ddf714299a7120577ec5a1ec68b21c3b52fe899fb86fb511eb927cc796cddeee267263c61cd3c95268dcacbdbd5b1223eda31490c742522895c294f

Download Submit
C:\Users\Admin\AppData\Local\Temp\h6oaLUsZTY.bat

Filesize
226B

MD5
529166eb00851784f63db3cd12a0406c

SHA1
488cc02e368b0444daaabab078bfa69c197dc59d

SHA256
ff635387dea4052f2e6d0f85239c80d359581ffce0cf5664f92af316d2c8c0c9

SHA512
0c434f253ff9a0b12502d1a5ba05eee94e53ec4377801a0b1ead454bb57ec3b688345d0b5c45f8c6c207e95a700fb55f0c2fe1121ef90aed55a5d28a0af6e915

Download Submit
C:\Users\Admin\AppData\Local\Temp\nl4g9d70ax.bat

Filesize
226B

MD5
20f8c515aaa818fd4238b73fe085e5b8

SHA1
c78273cd5401e27da2dfdcf1f1b2c3844cf3dee1

SHA256
54b4af69176ea5fffc6ffa756b0612cd539236f59d4b98527ae7aeedf68d1237

SHA512
ac4bdc572b35257a7a2ab6c32b97920d80a69830a2d4ea65ec6d860cf0385e6156f98193c2fba4d2b75bd3bfcc890b1e9f2a58875573be9e40d9f63d89f3857f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
269ecd28392ba2d03db374c4e9fe7cc2

SHA1
553ff623de3c12d606a4613297d2a5b70075226b

SHA256
efd3c21394c903eaa98b9598edab2b1b7e6292428fabc4df95acd6611b1eaf44

SHA512
3d19ab7bb7b21995b0a925d8b3da8f9e65223125fc9c3fb5d127a1d5bf3c604e247bd4cb482535abe459270efc35d4b9cfc723b0d92326417512f715465d3b2b

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/740-433-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/948-62-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/948-59-0x000000001B280000-0x000000001B562000-memory.dmp

Filesize
2.9MB

Download
memory/1208-493-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download
memory/1264-134-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1500-253-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1664-42-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/2640-373-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2640-372-0x0000000001160000-0x0000000001270000-memory.dmp

Filesize
1.1MB

Download
memory/3052-553-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/3056-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/3056-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/3056-13-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/3056-17-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/3056-16-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download