dcrat | 230e5401c5094bf8585576343338084668ea603c1693fbf18be34277cf94b538

Analysis

max time kernel
146s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
23/12/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_230e5401c5094bf8585576343338084668ea603c1693fbf18be34277cf94b538.exe
Size

1.3MB
MD5

341e3286fae220c53a6d57618e454796
SHA1

31ab3113366e4d5b817f067befaab292044199ef
SHA256

230e5401c5094bf8585576343338084668ea603c1693fbf18be34277cf94b538
SHA512

b0f696e2589bb082ee7cd4ddb8a2215319996ab3d5d3dcbeffbcfcbdbf2a273b653a255d31058123440cb8317f424e597f2e613d71ffc7e0bfabe33607a13b3e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2152	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2152	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000600000001926b-9.dat	dcrat
behavioral1/memory/2580-13-0x00000000012F0000-0x0000000001400000-memory.dmp	dcrat
behavioral1/memory/1328-42-0x0000000000880000-0x0000000000990000-memory.dmp	dcrat
behavioral1/memory/480-138-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/2168-199-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2756-259-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat
behavioral1/memory/1964-378-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1568-438-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/932-499-0x0000000000220000-0x0000000000330000-memory.dmp	dcrat
behavioral1/memory/1572-560-0x0000000001380000-0x0000000001490000-memory.dmp	dcrat
behavioral1/memory/2036-620-0x0000000000020000-0x0000000000130000-memory.dmp	dcrat
behavioral1/memory/2000-681-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1956	powershell.exe
2112	powershell.exe
2192	powershell.exe
2096	powershell.exe
2260	powershell.exe
2336	powershell.exe
2204	powershell.exe
2180	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2580	DllCommonsvc.exe
1328	audiodg.exe
480	audiodg.exe
2168	audiodg.exe
2756	audiodg.exe
880	audiodg.exe
1964	audiodg.exe
1568	audiodg.exe
932	audiodg.exe
1572	audiodg.exe
2036	audiodg.exe
2000	audiodg.exe

Loads dropped DLL 2 IoCs

pid	Process
2588	cmd.exe
2588	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
31	raw.githubusercontent.com
35	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_230e5401c5094bf8585576343338084668ea603c1693fbf18be34277cf94b538.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3032	schtasks.exe
2128	schtasks.exe
696	schtasks.exe
1872	schtasks.exe
2452	schtasks.exe
2924	schtasks.exe
2524	schtasks.exe
2996	schtasks.exe
2652	schtasks.exe
2516	schtasks.exe
264	schtasks.exe
1492	schtasks.exe
2540	schtasks.exe
2592	schtasks.exe
832	schtasks.exe
404	schtasks.exe
2132	schtasks.exe
2060	schtasks.exe
2092	schtasks.exe
2188	schtasks.exe
2016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2580	DllCommonsvc.exe
2260	powershell.exe
2204	powershell.exe
2096	powershell.exe
2180	powershell.exe
2112	powershell.exe
2192	powershell.exe
1956	powershell.exe
2336	powershell.exe
1328	audiodg.exe
480	audiodg.exe
2168	audiodg.exe
2756	audiodg.exe
880	audiodg.exe
1964	audiodg.exe
1568	audiodg.exe
932	audiodg.exe
1572	audiodg.exe
2036	audiodg.exe
2000	audiodg.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2580	DllCommonsvc.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1328	audiodg.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	2112	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2336	powershell.exe
Token: SeDebugPrivilege	480	audiodg.exe
Token: SeDebugPrivilege	2168	audiodg.exe
Token: SeDebugPrivilege	2756	audiodg.exe
Token: SeDebugPrivilege	880	audiodg.exe
Token: SeDebugPrivilege	1964	audiodg.exe
Token: SeDebugPrivilege	1568	audiodg.exe
Token: SeDebugPrivilege	932	audiodg.exe
Token: SeDebugPrivilege	1572	audiodg.exe
Token: SeDebugPrivilege	2036	audiodg.exe
Token: SeDebugPrivilege	2000	audiodg.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1072 wrote to memory of 2988	1072	JaffaCakes118_230e5401c5094bf8585576343338084668ea603c1693fbf18be34277cf94b538.exe	30
PID 1072 wrote to memory of 2988	1072	JaffaCakes118_230e5401c5094bf8585576343338084668ea603c1693fbf18be34277cf94b538.exe	30
PID 1072 wrote to memory of 2988	1072	JaffaCakes118_230e5401c5094bf8585576343338084668ea603c1693fbf18be34277cf94b538.exe	30
PID 1072 wrote to memory of 2988	1072	JaffaCakes118_230e5401c5094bf8585576343338084668ea603c1693fbf18be34277cf94b538.exe	30
PID 2988 wrote to memory of 2588	2988	WScript.exe	31
PID 2988 wrote to memory of 2588	2988	WScript.exe	31
PID 2988 wrote to memory of 2588	2988	WScript.exe	31
PID 2988 wrote to memory of 2588	2988	WScript.exe	31
PID 2588 wrote to memory of 2580	2588	cmd.exe	33
PID 2588 wrote to memory of 2580	2588	cmd.exe	33
PID 2588 wrote to memory of 2580	2588	cmd.exe	33
PID 2588 wrote to memory of 2580	2588	cmd.exe	33
PID 2580 wrote to memory of 2112	2580	DllCommonsvc.exe	56
PID 2580 wrote to memory of 2112	2580	DllCommonsvc.exe	56
PID 2580 wrote to memory of 2112	2580	DllCommonsvc.exe	56
PID 2580 wrote to memory of 2192	2580	DllCommonsvc.exe	57
PID 2580 wrote to memory of 2192	2580	DllCommonsvc.exe	57
PID 2580 wrote to memory of 2192	2580	DllCommonsvc.exe	57
PID 2580 wrote to memory of 2096	2580	DllCommonsvc.exe	58
PID 2580 wrote to memory of 2096	2580	DllCommonsvc.exe	58
PID 2580 wrote to memory of 2096	2580	DllCommonsvc.exe	58
PID 2580 wrote to memory of 2260	2580	DllCommonsvc.exe	59
PID 2580 wrote to memory of 2260	2580	DllCommonsvc.exe	59
PID 2580 wrote to memory of 2260	2580	DllCommonsvc.exe	59
PID 2580 wrote to memory of 2336	2580	DllCommonsvc.exe	60
PID 2580 wrote to memory of 2336	2580	DllCommonsvc.exe	60
PID 2580 wrote to memory of 2336	2580	DllCommonsvc.exe	60
PID 2580 wrote to memory of 2204	2580	DllCommonsvc.exe	61
PID 2580 wrote to memory of 2204	2580	DllCommonsvc.exe	61
PID 2580 wrote to memory of 2204	2580	DllCommonsvc.exe	61
PID 2580 wrote to memory of 2180	2580	DllCommonsvc.exe	62
PID 2580 wrote to memory of 2180	2580	DllCommonsvc.exe	62
PID 2580 wrote to memory of 2180	2580	DllCommonsvc.exe	62
PID 2580 wrote to memory of 1956	2580	DllCommonsvc.exe	63
PID 2580 wrote to memory of 1956	2580	DllCommonsvc.exe	63
PID 2580 wrote to memory of 1956	2580	DllCommonsvc.exe	63
PID 2580 wrote to memory of 1328	2580	DllCommonsvc.exe	72
PID 2580 wrote to memory of 1328	2580	DllCommonsvc.exe	72
PID 2580 wrote to memory of 1328	2580	DllCommonsvc.exe	72
PID 1328 wrote to memory of 2388	1328	audiodg.exe	73
PID 1328 wrote to memory of 2388	1328	audiodg.exe	73
PID 1328 wrote to memory of 2388	1328	audiodg.exe	73
PID 2388 wrote to memory of 1100	2388	cmd.exe	75
PID 2388 wrote to memory of 1100	2388	cmd.exe	75
PID 2388 wrote to memory of 1100	2388	cmd.exe	75
PID 2388 wrote to memory of 480	2388	cmd.exe	76
PID 2388 wrote to memory of 480	2388	cmd.exe	76
PID 2388 wrote to memory of 480	2388	cmd.exe	76
PID 480 wrote to memory of 1404	480	audiodg.exe	77
PID 480 wrote to memory of 1404	480	audiodg.exe	77
PID 480 wrote to memory of 1404	480	audiodg.exe	77
PID 1404 wrote to memory of 564	1404	cmd.exe	79
PID 1404 wrote to memory of 564	1404	cmd.exe	79
PID 1404 wrote to memory of 564	1404	cmd.exe	79
PID 1404 wrote to memory of 2168	1404	cmd.exe	80
PID 1404 wrote to memory of 2168	1404	cmd.exe	80
PID 1404 wrote to memory of 2168	1404	cmd.exe	80
PID 2168 wrote to memory of 2784	2168	audiodg.exe	81
PID 2168 wrote to memory of 2784	2168	audiodg.exe	81
PID 2168 wrote to memory of 2784	2168	audiodg.exe	81
PID 2784 wrote to memory of 2868	2784	cmd.exe	83
PID 2784 wrote to memory of 2868	2784	cmd.exe	83
PID 2784 wrote to memory of 2868	2784	cmd.exe	83
PID 2784 wrote to memory of 2756	2784	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_230e5401c5094bf8585576343338084668ea603c1693fbf18be34277cf94b538.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_230e5401c5094bf8585576343338084668ea603c1693fbf18be34277cf94b538.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2988
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2588
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2336
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Application Data\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1328
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2388
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1100
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1404
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:564
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2868
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        12⤵
        
        PID:644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2780
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        14⤵
        
        PID:1668
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1816
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat"
        16⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:3052
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat"
        18⤵
        
        PID:584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2208
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat"
        20⤵
        
        PID:2880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1960
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat"
        22⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2700
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat"
        24⤵
        
        PID:1552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:916
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        26⤵
        
        PID:2552
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Application Data\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\All Users\Application Data\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Application Data\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2781a469a240547b35c9e3a758dd8488

SHA1
be24aace2a49419a1e5e8bc710df9016841ea356

SHA256
660387d60029262ad14356d06f4835bfe77038ceae681aff17e7cee6508fde93

SHA512
41c7fdcc320d7af088673e1f18013d0eb4612820543dc03c05470c08c49e519e08968fddc42e6a33259f3424574595cbdfe89d41edb580efebf14acbd5d47035

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c1ed2bc0b86b9f3475a46ec2b6be007

SHA1
edb4c2a382955ef3fb0a2d0c3c2ddbd2cd66c5dd

SHA256
e8036ae1b1c8f2014a0ae67ec0c8c6a6103194cc8d305c79f39af89345540dcf

SHA512
a4099a53e1b736e433261d9115c4e9108febd108e61b3f2f3df9a41a8bb7bd5f6829030d305144a002ffa0560d4ddf6c28f5fae0bb60e919ae986fad25841341

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31ea628f91adb839765a524b9542e3fe

SHA1
65f065756d3805cb076863583edc9903a3a625b5

SHA256
032faba704df0d2b8981c564aa20ff60891de9310b4b6170508d15138c3abf09

SHA512
8cc797a1678caa7746bab7625eed7a7abb1eb3e9f34402012aaad6e5284ab77376fc7f5ffe2f366fa53bc3f347150c41082a0ba3722c2f732c21091faac2dcad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59a9266e9e04a272a487de87953d301c

SHA1
2c504108837370659adf4be0b293327d2cf7d57d

SHA256
edc149e628017f96b157512e1578e8d9ea64af54471c43416253333b2e200a9b

SHA512
dd52aa9fa7cfbe07fcaf22f346c87dd96bf727550f8560a9cf221a287d4f3d431003c4adb749cd8dc6904556fdff0e0b5ee65a494d7fee9a5400129db59d362b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8889228514a9e58ce67c1614b4cfdca

SHA1
7b1da7a318df6029704d2717102daadc454f123c

SHA256
72b37b73be257e19d94366a46fd88bccf70ece5a437bad70685a0bc6ae8e314c

SHA512
b29919b54f6686bd59a4a666ff3bf3c1d20dd86098c07af4ec9f9292f04a6e1ed3eae370dd220dbd9580e2d156a17ed173fea1e638b6326477407fbb2c81183e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2ad1fedc33d90047fc379d81afcf093f

SHA1
eea3a5a23c43926626cedb2edd70f21830258d5f

SHA256
d0e3360d384fb036a9e0e51f7a482fa106a5a1d1a6934842008d798ae6fb64bd

SHA512
36ca7505419613d3e39d618b47c7f3444016e3872b5d5ed638e54935eeb996a2e52f3828cc28b80631789cb8b3b87144d5dfda05d483210efb96bf5f3bf0c936

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c3f97748094de59206437a2b0355424

SHA1
e278de8fe8841d12205e86e76366c05447ca5327

SHA256
9ff8169619e8a72ebd797a35c74b1b8fd8b9bd102bd10e41821adf7f9491ce5c

SHA512
69db6ee6035d35f1af720c3107d892a34e6d8ea0acecc3a3bd624c1d97591eb33dfdadc8f811c74e1fb2f01aac118991030366cd674385bdb23abd3e83d3e320

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
26bd9a684a9ae22c890d9b505a8214eb

SHA1
078cf046c6e2183343de1804cae4442a0bb9328c

SHA256
a3922f25a673f30069cc9a97777f90108648c8851858cbbdf49f5cd38a740b44

SHA512
b78ba731599594c4970672bb7cdedb98562d81cf17d757b8c26548749920a3c9e52889a158644f8a16d3c10538e389376cfc97e52f3b43dae3cd3ea945de904d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67a69b8917afe7b949e95ae92938feb7

SHA1
6ae3e90bdc5b1cd7cf6b9a84399a3115d07ec2f5

SHA256
1fdd3048176d8d3719a50331fe89136bcf4f2c439232a7ec872f38ca85c25aa1

SHA512
21f9ed8d50f145bd333e0b4d07f383dc59718aed78fafd0b13b1569e92d3c646aab9b65ad801fe9c726b035e217c6902f837d581daddddcd7c6a3c83a0047372

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e61940e4edca8d957acc05fad17b35c

SHA1
33eafe5693fdd560e9774dd351bd7234b2787c27

SHA256
7bf962907d5d1b384bd835332917588a7325bfcd09c2081e70f9561dbd5bfbed

SHA512
52beb19142e026088e119a813cb50c55250e42777fe965f89dc2550cf69a7f3cbefa6f4dd6c35c18ed19d3ed1dfc5223010b959e720203eaeea838c16c56a548

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gNv7qRJ8U.bat

Filesize
225B

MD5
9bfd04fa29c7db16d335500c01ccb378

SHA1
66e6e965f60e5a0eb65d012814e6374442aef847

SHA256
a99b3ce5c44eef269a6505fe3ce214f92429634d7edf86a46b4b1617cfb17bd1

SHA512
ed5df0bb527f57341a5fda4099bab8ddc8ab61be9f3d266caad054d94a15d7abe0cd1254c163bc257fb86db694805e1352363d396a279f87f793003f15ba4fc0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab5B7B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ISA3vp411k.bat

Filesize
225B

MD5
d54eabb4f14c321da423a5b4d1449b2e

SHA1
c4810a70e2e71dd55e2d4bb504c4df1353c81ca0

SHA256
e4f78d9b8db18b3437153063184665e1f36c343c58bb62fc0b368a7d678b6edd

SHA512
218dd9b42b7b9bc415f68a60167be7d0c0c3263caeb0ef6ac54cb7b748131241fb35404f71f396f7dae6f09b4c7de3f5283b965cfcafa6fd657e4674b83afaf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\NpgWdIWSbT.bat

Filesize
225B

MD5
d5521d3bcfaa35ce4dc13df293056203

SHA1
d00814381acc7568a9e8eb236404870aaf0a6fe8

SHA256
cd587f2625624f43f6542d67eeafa2d002b8c7c2b66448ebad891fe53382e286

SHA512
4e1e9bbfdb818152596014ae9bc454202a224ddb59891405cd22766e585a45ad1e26ffc22b6bcd9e18c24a50b7b9c3e87e2a7c7ffd6b2b82bae1ba5f84517281

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
225B

MD5
2a3dfeb8c1e2eb2763b5e67ab32a66e9

SHA1
32689f4686000b0ad0672f8947f45b36581ef387

SHA256
d97e52dc5947a4d3cb9aa08a0f21a608ec7cd7636aaa4678ea7af4a068ef86a6

SHA512
50d94c20c62293899f472e8d857afb85f2c7c640eac84293905333fcadf917741577064efbc6d9a08f6d4aa3e66860f64396de05259590abe959b53c220f263c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar5B8D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Z87Ce65nyU.bat

Filesize
225B

MD5
7e799be8ce5516d2bcd7fc07e72bbf69

SHA1
3ee977d9f457c1914dfd2eac2ecc6e9cb263340d

SHA256
99ab8da26556bb015678c20f997095f410fbf469a9bcee1434b104c06121516c

SHA512
d72a769d2505db434a2774c93a337661a38a579b11a36d2e7a2dd5033a970ec1f4ccd477bd178db0251f18d9e39da0daf1dc63022e88e91c0dabe8f40b2ad3fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
225B

MD5
b161b20eba5171e2d1b1fd73cd5536d7

SHA1
886f27561136f80ead7da1559b3db76924bd5926

SHA256
e261901c9a3417f94c2bfe3728f6f76549f46039d3cbe4f56e504d489198ad3d

SHA512
b87174ff4b5ebf8075445f2b230ebe8b377b4445d018f119771be4bebf436b6a12177b61481c2cc18fd47cd21f15f70a14178e023f4fa0fc8c302701ab6d4b01

Download Submit
C:\Users\Admin\AppData\Local\Temp\fELEOgu8eF.bat

Filesize
225B

MD5
38f0b14d094be21ddd09e6efb5f673ac

SHA1
c914f8366a28c1c679641d7bd673a350b40457cd

SHA256
c308e8a99a121998b25b95fb62fe75c8b54725cbf34e27d0df0ff9c5812c2913

SHA512
ae4cde1b274cea527274a0f67bcfc712c005c8cf2db419d57e6e08d11668747dfc7ff60548efa9925b24d3a21a94866ace316d6f93c2d0804ac9e44f07f30795

Download Submit
C:\Users\Admin\AppData\Local\Temp\l8nFZEr7oq.bat

Filesize
225B

MD5
69ac46eccf953a2cda59d73188115098

SHA1
40055f9a55bf4708f8b20fcb29c1f00026316276

SHA256
8f75bf578c630b68e8922a36e47bb9839b7b09436050793cc9c8b0713d6667a2

SHA512
3b004f25dcff2b2c966a40b4db97961eead5fff6e0758a181464490e9b5287b2cd512f66fc5969b8215c781b3ce5b174a36945649ae79c301cb9db4f253d2bbd

Download Submit
C:\Users\Admin\AppData\Local\Temp\p5ITN63wlJ.bat

Filesize
225B

MD5
162798a07be36d7be58f6c803bc5f063

SHA1
5a71d82c0a7e40abb689931d695a073f342e19e8

SHA256
1ad9646f275bea2be9155c5c43d54ef3126c332551b964a7e8ed479521f36be5

SHA512
6059a60cd6043aa2c7dc35ff4e80802004a8b0feb937c23ad8a474655a679192f3ded86ea218dc4eb7a1c1c749564cec6035edfb79eb7b46c21a3a6b6149de45

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
225B

MD5
48cedd7b971ab01d52f276d7d2ea4efd

SHA1
69a8b251286697f1bc9c8f155ff6c993892af9dd

SHA256
bd3ddb9b8fcfcd40d7e6e290fcf288d4f009875ea1be15c8b3179846c5ba882e

SHA512
091a5c835e084259804fb420aa2528d8addaaba77588f35db3d82a7c457ecd50d174d9d569fc2546dc00fa3d9eaba17149d7de6a66284f6970f76ed6d9bc8141

Download Submit
C:\Users\Admin\AppData\Local\Temp\veDg5wW3gS.bat

Filesize
225B

MD5
53b500523d226e9d2b5f0e87481d9a56

SHA1
0f483e9084e19c765d0e7d657a4d9f45ccc14686

SHA256
309403ae2f0251ce88f2c0e9efb6cebc73671848a68204a2846304126f9df80c

SHA512
b24166a66e856c2e54fbea7685364e81b141d5ec3a6024e62f9297a0d345ef747a0186a4acedf6362e23b6a83e2144ac3a04cfbd024657fee9c5adcacc0cccdf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
c4ddf85bc7e81ebe4a750e86e2f31940

SHA1
f926eef147656635576c70e6bdfa9e78854631a0

SHA256
06d7824cdfb3c4303524b16a4d3643d15c9204551e7af636e439d46a3dbe6124

SHA512
ab0f769c94f8d98820571a528440dc1de07cdeea5d0022472138f7f0fd3fff65bed1faee0db9598a63e83a7bf9c0971a9b26c030caabf67feb2091a99de80249

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/480-139-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/480-138-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/932-500-0x0000000000210000-0x0000000000222000-memory.dmp

Filesize
72KB

Download
memory/932-499-0x0000000000220000-0x0000000000330000-memory.dmp

Filesize
1.1MB

Download
memory/1328-42-0x0000000000880000-0x0000000000990000-memory.dmp

Filesize
1.1MB

Download
memory/1568-438-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/1568-439-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/1572-560-0x0000000001380000-0x0000000001490000-memory.dmp

Filesize
1.1MB

Download
memory/1964-378-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2000-681-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/2036-621-0x0000000000520000-0x0000000000532000-memory.dmp

Filesize
72KB

Download
memory/2036-620-0x0000000000020000-0x0000000000130000-memory.dmp

Filesize
1.1MB

Download
memory/2168-199-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2260-44-0x000000001B850000-0x000000001BB32000-memory.dmp

Filesize
2.9MB

Download
memory/2260-45-0x0000000001F50000-0x0000000001F58000-memory.dmp

Filesize
32KB

Download
memory/2580-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2580-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2580-13-0x00000000012F0000-0x0000000001400000-memory.dmp

Filesize
1.1MB

Download
memory/2580-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2580-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2756-259-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download