dcrat | 504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-01-2025 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe
Size

1.3MB
MD5

ee2939e6b43088446c1cea11b1d260b4
SHA1

6ec0bbd3429a763f74a412c1ada9b87a931a31ac
SHA256

504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4
SHA512

34eae169d468692c5c7971eb99b6f00f6943e0122ada5c37f820abf4c4872de903e93810081e3f4adc357b29e7da9d13a1962de423ead5d98d1a3b734d69fadc
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjCz:UbA30GnzV/q+DnsXgl

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2536	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2716	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2716	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016033-9.dat	dcrat
behavioral1/memory/2884-13-0x0000000000240000-0x0000000000350000-memory.dmp	dcrat
behavioral1/memory/2200-66-0x00000000008B0000-0x00000000009C0000-memory.dmp	dcrat
behavioral1/memory/2572-184-0x0000000000B30000-0x0000000000C40000-memory.dmp	dcrat
behavioral1/memory/2580-244-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/2860-304-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/1040-423-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/2460-484-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/1140-544-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/1632-604-0x0000000000BF0000-0x0000000000D00000-memory.dmp	dcrat
behavioral1/memory/2232-664-0x0000000000320000-0x0000000000430000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1776	powershell.exe
1972	powershell.exe
1988	powershell.exe
2144	powershell.exe
2116	powershell.exe
1964	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2884	DllCommonsvc.exe
2200	WmiPrvSE.exe
2588	WmiPrvSE.exe
2572	WmiPrvSE.exe
2580	WmiPrvSE.exe
2860	WmiPrvSE.exe
2712	WmiPrvSE.exe
1040	WmiPrvSE.exe
2460	WmiPrvSE.exe
1140	WmiPrvSE.exe
1632	WmiPrvSE.exe
2232	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2916	cmd.exe
2916	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
40	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Vss\Writers\Application\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\Application\b75386f1303e64	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2628	schtasks.exe
2640	schtasks.exe
2764	schtasks.exe
2868	schtasks.exe
2536	schtasks.exe
1336	schtasks.exe
2876	schtasks.exe
2760	schtasks.exe
1244	schtasks.exe
2616	schtasks.exe
2612	schtasks.exe
1712	schtasks.exe
2024	schtasks.exe
1976	schtasks.exe
1700	schtasks.exe

Suspicious behavior: EnumeratesProcesses 18 IoCs

pid	Process
2884	DllCommonsvc.exe
1972	powershell.exe
1776	powershell.exe
2144	powershell.exe
1988	powershell.exe
1964	powershell.exe
2116	powershell.exe
2200	WmiPrvSE.exe
2588	WmiPrvSE.exe
2572	WmiPrvSE.exe
2580	WmiPrvSE.exe
2860	WmiPrvSE.exe
2712	WmiPrvSE.exe
1040	WmiPrvSE.exe
2460	WmiPrvSE.exe
1140	WmiPrvSE.exe
1632	WmiPrvSE.exe
2232	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: SeDebugPrivilege	2884	DllCommonsvc.exe
Token: SeDebugPrivilege	1972	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2144	powershell.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1964	powershell.exe
Token: SeDebugPrivilege	2116	powershell.exe
Token: SeDebugPrivilege	2200	WmiPrvSE.exe
Token: SeDebugPrivilege	2588	WmiPrvSE.exe
Token: SeDebugPrivilege	2572	WmiPrvSE.exe
Token: SeDebugPrivilege	2580	WmiPrvSE.exe
Token: SeDebugPrivilege	2860	WmiPrvSE.exe
Token: SeDebugPrivilege	2712	WmiPrvSE.exe
Token: SeDebugPrivilege	1040	WmiPrvSE.exe
Token: SeDebugPrivilege	2460	WmiPrvSE.exe
Token: SeDebugPrivilege	1140	WmiPrvSE.exe
Token: SeDebugPrivilege	1632	WmiPrvSE.exe
Token: SeDebugPrivilege	2232	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2556	2072	504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe	30
PID 2072 wrote to memory of 2556	2072	504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe	30
PID 2072 wrote to memory of 2556	2072	504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe	30
PID 2072 wrote to memory of 2556	2072	504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe	30
PID 2556 wrote to memory of 2916	2556	WScript.exe	31
PID 2556 wrote to memory of 2916	2556	WScript.exe	31
PID 2556 wrote to memory of 2916	2556	WScript.exe	31
PID 2556 wrote to memory of 2916	2556	WScript.exe	31
PID 2916 wrote to memory of 2884	2916	cmd.exe	33
PID 2916 wrote to memory of 2884	2916	cmd.exe	33
PID 2916 wrote to memory of 2884	2916	cmd.exe	33
PID 2916 wrote to memory of 2884	2916	cmd.exe	33
PID 2884 wrote to memory of 1964	2884	DllCommonsvc.exe	50
PID 2884 wrote to memory of 1964	2884	DllCommonsvc.exe	50
PID 2884 wrote to memory of 1964	2884	DllCommonsvc.exe	50
PID 2884 wrote to memory of 1776	2884	DllCommonsvc.exe	51
PID 2884 wrote to memory of 1776	2884	DllCommonsvc.exe	51
PID 2884 wrote to memory of 1776	2884	DllCommonsvc.exe	51
PID 2884 wrote to memory of 1972	2884	DllCommonsvc.exe	52
PID 2884 wrote to memory of 1972	2884	DllCommonsvc.exe	52
PID 2884 wrote to memory of 1972	2884	DllCommonsvc.exe	52
PID 2884 wrote to memory of 1988	2884	DllCommonsvc.exe	53
PID 2884 wrote to memory of 1988	2884	DllCommonsvc.exe	53
PID 2884 wrote to memory of 1988	2884	DllCommonsvc.exe	53
PID 2884 wrote to memory of 2144	2884	DllCommonsvc.exe	54
PID 2884 wrote to memory of 2144	2884	DllCommonsvc.exe	54
PID 2884 wrote to memory of 2144	2884	DllCommonsvc.exe	54
PID 2884 wrote to memory of 2116	2884	DllCommonsvc.exe	55
PID 2884 wrote to memory of 2116	2884	DllCommonsvc.exe	55
PID 2884 wrote to memory of 2116	2884	DllCommonsvc.exe	55
PID 2884 wrote to memory of 1768	2884	DllCommonsvc.exe	61
PID 2884 wrote to memory of 1768	2884	DllCommonsvc.exe	61
PID 2884 wrote to memory of 1768	2884	DllCommonsvc.exe	61
PID 1768 wrote to memory of 2188	1768	cmd.exe	64
PID 1768 wrote to memory of 2188	1768	cmd.exe	64
PID 1768 wrote to memory of 2188	1768	cmd.exe	64
PID 1768 wrote to memory of 2200	1768	cmd.exe	66
PID 1768 wrote to memory of 2200	1768	cmd.exe	66
PID 1768 wrote to memory of 2200	1768	cmd.exe	66
PID 2200 wrote to memory of 2804	2200	WmiPrvSE.exe	67
PID 2200 wrote to memory of 2804	2200	WmiPrvSE.exe	67
PID 2200 wrote to memory of 2804	2200	WmiPrvSE.exe	67
PID 2804 wrote to memory of 2828	2804	cmd.exe	69
PID 2804 wrote to memory of 2828	2804	cmd.exe	69
PID 2804 wrote to memory of 2828	2804	cmd.exe	69
PID 2804 wrote to memory of 2588	2804	cmd.exe	70
PID 2804 wrote to memory of 2588	2804	cmd.exe	70
PID 2804 wrote to memory of 2588	2804	cmd.exe	70
PID 2588 wrote to memory of 1240	2588	WmiPrvSE.exe	71
PID 2588 wrote to memory of 1240	2588	WmiPrvSE.exe	71
PID 2588 wrote to memory of 1240	2588	WmiPrvSE.exe	71
PID 1240 wrote to memory of 596	1240	cmd.exe	73
PID 1240 wrote to memory of 596	1240	cmd.exe	73
PID 1240 wrote to memory of 596	1240	cmd.exe	73
PID 1240 wrote to memory of 2572	1240	cmd.exe	74
PID 1240 wrote to memory of 2572	1240	cmd.exe	74
PID 1240 wrote to memory of 2572	1240	cmd.exe	74
PID 2572 wrote to memory of 2100	2572	WmiPrvSE.exe	75
PID 2572 wrote to memory of 2100	2572	WmiPrvSE.exe	75
PID 2572 wrote to memory of 2100	2572	WmiPrvSE.exe	75
PID 2100 wrote to memory of 864	2100	cmd.exe	77
PID 2100 wrote to memory of 864	2100	cmd.exe	77
PID 2100 wrote to memory of 864	2100	cmd.exe	77
PID 2100 wrote to memory of 2580	2100	cmd.exe	78

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe
"C:\Users\Admin\AppData\Local\Temp\504d5f8b0b7e318681bf1abc35ae32cfcb3e880499fba0950fd5d26c1bdb45b4.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2556
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2916
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2884
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\Application\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Start Menu\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1thxOZSXrp.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1768
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2188
      - C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2828
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:596
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat"
        11⤵
        Suspicious use of WriteProcessMemory
        
        PID:2100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:864
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat"
        13⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2556
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
        15⤵
        
        PID:2468
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2664
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat"
        17⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2008
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat"
        19⤵
        
        PID:2684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1600
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat"
        21⤵
        
        PID:1844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1616
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat"
        23⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2900
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat"
        25⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:324
        
        C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe
        
        "C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat"
        27⤵
        
        PID:2924
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Windows\Vss\Writers\Application\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\Application\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Windows\Vss\Writers\Application\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Start Menu\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Local Settings\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73e22434ab626b9ade969dbcf72cb3b4

SHA1
3427c758b1ffc1375a3bf48b54b9cd85aa49687a

SHA256
458e6bf5d9d8e06079ea798c5865dbeea24fb5e6dcbb0225019da9097e350128

SHA512
d7075f1d5e85715fc80d0f54d186ec702909cb902a536fdf33340a1d42a12a8b46839bb62d266929893331ed3ff46b931537a235407110403fa2c3da7f8aa918

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71a10e59f6e4ea61d7ff246abeeebcec

SHA1
ebecf128bd9807b5a64a7fd5944e3b178bbd0c89

SHA256
c516068d7b9aebd6b319be0e9c29a820846359832ced964ee8dbe43796248c28

SHA512
0d85be9baa16f4cec8ac389f7abe9317a24867a1d6ac55f9076990014fa3412a98767f1cefb3fe2f4aa45ee772aecc6b5c134171725cafdd0527199309633f25

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02bac5a683cfff46aa79f7b3186d6505

SHA1
16fc78937233630fe9685e1cff96ecca0d1839bf

SHA256
469f011f2f802b26dee2376ac6523d765e2fca0e9df09c802a0483c819311962

SHA512
6f6c35b44a76253fd5a04604015d27a4571b4ac0f1e144e3b1d2b63590504569e3be750e3c1963c8cbe3c1db8e5869fb4df44316528da43e290986ebe436bb40

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e6e12e52d969afe35acaccbc2ac7d1d3

SHA1
8b65ec74bfda58fb1c60ed896925f0ddd0d9edcf

SHA256
ae56ee769f4f045de626995150b90433a4626a8d6d45ce52fe2dc7b0fa3fb584

SHA512
829cf8e8589894a0a5d75e05abec1e089ebcf24f8bc3d57a78c953e67b7f108ed31af2f0c465ab42b3d874aa706f3b7f975681c3a7301e2716e077bed43749b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
857647fcfb414708951f38680dccc444

SHA1
5959480926838821885af5fefaa462dd58f2c783

SHA256
ac5e61537961e1ea7b86d80b9bae51afd281f7415dc9405571d17f366fbdb7e9

SHA512
437fbd33a9fbc71ae06df3d9218bf7e1ae535ff3031dca2631aca47ef7929ef48f76cc8ce87c582cfdc339c94eb3ec0d594443f8478351e1430998441dd6b2a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d97b86577e94822ebd9003023f29b842

SHA1
7157e284db25c746923bba71deff458920002675

SHA256
ef0e5339177d9278f39b8d4171e57c7770b64a5e05125c0761b46b6d40602e7f

SHA512
872349d2f4b675d36d2f7db79af7d4400f4d4991bcfac6a96e7e1b8643338f86116a0c678529fba45a01ac01265c1d74df458e089c7cef9fc1d31c80f7b1b1d5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7e88241459a1cd75624d7cf04dc88751

SHA1
08d852f0cbcd858fc9bf7ab7216a2600b34f2d44

SHA256
fb8bec0de28b3de38846e7f5bb2a4b4b5f7bade750ebe6aceeedff9e700a3183

SHA512
9a6557540be7a1f11581ad5e1649fde508badd9acc50ae9ca898338c8fed24bf11f9b5dcc7a38c135884f6cca412d36d9c8a6768bed8d223d89cda9ab3ae9d45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e81d3d175dca49442e71a23bff31ea70

SHA1
8d37defd35b41384fa49e5d22ee5c96f495fa821

SHA256
fca525118999f719131dc776a6a59718e8a585e19a34deae0db36111f16c5900

SHA512
4805411950b5e2a96b6bd68c395aebef9ccc5fe63c47ff9b4e495b953c40a7bc86c01992f1d6d8d5376b767796c98772d90b728ab94074b9b79888a1e7abecb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b4812d3a835d5732c69b15ad0349574

SHA1
d54fb7b028ebcda394677f2ee2542e25fceccb92

SHA256
b796852a0168c3c04680fc84fb78eb6a7c830a56e5639b9cd97374ce79cdcc27

SHA512
1b268a6e0231da048d77c807e3bb434f22f8f6690c8b8b6d8b64c5172346887eafe5306337c65a11fa6e7f003ce8ec178e3e54de5373196a288b528db35bbf01

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a625b82a9c6639ae913fd0db9a438867

SHA1
2bff1594f0b0d84dcda7cb8ddbb427d63b8ee5a5

SHA256
72b7740517f8111a4658698a06fad14b6e3b4ab444da0cc8ae40a83e345f4571

SHA512
1d3dbdfa67971234303abf6c3bc48b50175b3c2627173db769cb78124a518bfab092a97fc0ff5e5c3337290e49615de6c09ef331ee0fc7110ce200f2db6caa3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\1bQudXBuXp.bat

Filesize
240B

MD5
a839d845c348da3f9dd50b3b603c43dc

SHA1
844e33bfab89fe81ad4160c4eafe26efb44bc20b

SHA256
dd33261ebfb7249f13950e0dd114105b904b3c88dd0167f0ea517ea524166112

SHA512
2059b1629664443c0281a471131a15ad121f4eaf607ed04a6ae6a873d5c8a28307a38814afdd090af0f9ae657fdaa0f0cc235a9d3b77c970e9605cf966fa8a61

Download Submit
C:\Users\Admin\AppData\Local\Temp\1n8esAjYxK.bat

Filesize
240B

MD5
99275be479b040a9500c0c7fa0af5426

SHA1
1e617063e4767ce0c3bf406db76c4310efcbb9a1

SHA256
159cda1b7a2d308ab65e269da5f1bba7a4925a8e9ffea1fd36723e11f686f1f3

SHA512
33a88988d56441c52ffe15b8fbcb2d66ec29be23766f7ce0c72e37a9854e3e8d5002321a0219986da1d46ff959dec7f608d4ffe048b941e786aa52fad7715497

Download Submit
C:\Users\Admin\AppData\Local\Temp\1thxOZSXrp.bat

Filesize
240B

MD5
c89e83da4c2ec58d22a277f36f844249

SHA1
1e8fa6ea4ba41c3bda3640c2dddcbfa6d6a9cfd6

SHA256
f613ab8e0f0d439badd1f0d26e7be3c91cc97a45b2b5295be1b0462e008dc897

SHA512
4ae042c6288c7c4c7210a390ee1a6b8a771a68a95618af7d1fb7b9d38c9e673a714e3e6fe27304809ff17c8e38870eaed8ce9694fbc16ec36a77920d50234a5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

Filesize
240B

MD5
53288fba7f533f08d6732a8fc1b0f9fd

SHA1
3a5b9db87b3e0b7ff85221525cd639500a396093

SHA256
21e13c3a85082180e1bbb98eb0906dc645420b690e6847cb32f3f7f5210434f2

SHA512
32a2d27316662fb1a0a72ef2b733c0267513ffea86b9829ac8021d4cef86ad2f9c1857990e0e2d6353eb7dbff506c502eed18815ea50b716634f1b721a0c5f84

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

Filesize
240B

MD5
c722950e4dccb038b88fb1ee0acf249c

SHA1
81ce7548f7e82c821681102b40b882e726ebabe5

SHA256
51874dc5877e8fcec4a02a34240b7de7fbf4530066a63a6af5c8335f6b9d872e

SHA512
d6483564c53b20aa3f901efcc2bdd212b3d39071371e96b755109f2861ee6bf72cf7362094dd46ee0821bc5032d67093ab9d5736312437bf2c080a160f4df2a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\HGlJwS3LgK.bat

Filesize
240B

MD5
b996c302a62b3d62922738f74e9726ef

SHA1
aa41adf0265113dd198175ea108cff8f8eb62532

SHA256
8e22f4eadee089ff20749472a89e1f580e0c6cff78602fb5d1055e0c4963fcf2

SHA512
a0fa1ddc20547e1eba0b519534e9038a6bd1070c970d48a73a87d99a19fd93bbc25b2f7b567d438b28d1794fd79b4afe60eca1e6d975f588fe131cd33893c1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Oupdpj3XpI.bat

Filesize
240B

MD5
3907441408dcf222023e7cd4822ffb1d

SHA1
b689cd97a09e6d7c128efc650461772b8f715447

SHA256
19268bda630720edfbea50ff927b2f93eae1cb8349b3a98977f83ee02db87062

SHA512
8ac975029d404cdcd415f41b30656f4053d74792437278fa3281d98a98493399c761ba5a3de5f8358a83dc5e501db33f20caea12cab4462142e1bfb86c1df98d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RBOUzXbIOW.bat

Filesize
240B

MD5
2275645db895de8bd469864bfc2f506f

SHA1
ca39378ecb08d60c415aae825c87f75b0c792ced

SHA256
57fbab4abe28dc8e779e59b9bc0ca16de2e755fd4a1f43a3d8bbc3e5a0795b15

SHA512
9a4b9b9c29bc1d536efe4ea7d2ced6f44d6c933511c6320cf0d2e8199d2f7f8989b16d87c44181409acf0f3ede533a97e76162f914e3a6b6f950141a50ee8746

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC1.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UucX7bnqC8.bat

Filesize
240B

MD5
b28b9c7ba84f2cdc22d93a59a708600d

SHA1
3eba71894b4cf57e9cf1c4bde9a517397cb403d8

SHA256
372227425908d3876ba939e13ecbeadacdbe775af7ceca6bd5de6e60c7e49da4

SHA512
79f00ce90903c4d244553fbaf49d7f38e311e225584167592e9dd08db18183b5ce2e4b6cdbf785ad7c911020715d1c3741a5268d25cb7ade845039c31fc961aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZgKlNS7JdR.bat

Filesize
240B

MD5
d839b295c7bf0d428d3c243d96489a8e

SHA1
f6ddcf7c67095a734bd76568d23e429cc21271d1

SHA256
b803866a1cd93f447a1df92c6a394c478f59cd2ba27c840372e687ce83d70f66

SHA512
b91d8d93fc519d0c364a55a20602033efc03ce2836df2b4be2a52d5ba28a2140e9071160c206d50ac8effafc380d2fbf6bb1918bfb80453c12746da951e704b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\cU7BGbiaqd.bat

Filesize
240B

MD5
6e2ce1ff36a792ef1812fe2476bd7444

SHA1
4748dad3ac67cc5e3c983466972a6b41d35b4bf1

SHA256
20512870b706f6d6ea3054f2e50b3c875694069c30d10fa0d43e004e77ff23f4

SHA512
073ef181cb2044d173e92f06f9d660f6de275b46f9a891fbc9c819f57d3f2adc4b02496d36633321ce98b999e4f7cb401cedcc2c8a7b51a1390bf5faedc6a95a

Download Submit
C:\Users\Admin\AppData\Local\Temp\oVhzrLBDaJ.bat

Filesize
240B

MD5
b0cf0a0c7dea008adf944acb49e67564

SHA1
37dda4ab94fd924b7b3bfdf13136406cd601e197

SHA256
b5a9a5b45d697cb80133f6bec3d9b5a7289983638ba7cbe3b40fa62f7d7eedd9

SHA512
6c4171b37307a94b560435839f5d4c9363e9283b57c49910447e63da85070ba630ee9a21f8e054e980459b67412b9f0fd092414c1c39862890fea7b689efa883

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\8O0ND84GU5MFTAHIW6XP.temp

Filesize
7KB

MD5
21d691d44e6227389a64067367eecf4c

SHA1
917097645601ac84ff13ef3ed9b4afb91b706f33

SHA256
288fea9aa0b8720e54ce17c335a7adea0008fe2d42297939e9fefde0cd3e4ee5

SHA512
e4453be6c6c9484ac7c32688fd1eddc77336695dccad606e2d7ab40f345bd227dba74c193347444fbb21d9d2eca5301a3d6a356c9c97a446f9630161a06653d4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1040-423-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/1040-424-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1140-544-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/1632-604-0x0000000000BF0000-0x0000000000D00000-memory.dmp

Filesize
1.1MB

Download
memory/1776-57-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/1776-52-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2200-66-0x00000000008B0000-0x00000000009C0000-memory.dmp

Filesize
1.1MB

Download
memory/2232-664-0x0000000000320000-0x0000000000430000-memory.dmp

Filesize
1.1MB

Download
memory/2460-484-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/2572-184-0x0000000000B30000-0x0000000000C40000-memory.dmp

Filesize
1.1MB

Download
memory/2580-244-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/2860-304-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download
memory/2884-14-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2884-13-0x0000000000240000-0x0000000000350000-memory.dmp

Filesize
1.1MB

Download
memory/2884-15-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2884-16-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2884-17-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download