dcrat | 6c6ed088b082218ea7b7afc8255a0f4eff5ef3703c19b2328a6068ba26998b26

Analysis

max time kernel
148s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_6c6ed088b082218ea7b7afc8255a0f4eff5ef3703c19b2328a6068ba26998b26.exe
Size

1.3MB
MD5

3008200ad70e831577b80210fb28e51b
SHA1

a3289f1a218d89404240a305f2873ed8d77b4ca4
SHA256

6c6ed088b082218ea7b7afc8255a0f4eff5ef3703c19b2328a6068ba26998b26
SHA512

c62ea0785bcd9eaa36d595e0774a0b931bd380f174c39437299c29a200bb15c425a59248c53ce8c65db5930f370b404f982be4ca6b17de25013ad8151b8e7024
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1464	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1452	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	944	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2768	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2768	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d0e-12.dat	dcrat
behavioral1/memory/2728-13-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/2176-108-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2624-167-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/296-227-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/1216-287-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/1320-347-0x0000000000B70000-0x0000000000C80000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1472	powershell.exe
1684	powershell.exe
1476	powershell.exe
1488	powershell.exe
340	powershell.exe
2232	powershell.exe
680	powershell.exe
1832	powershell.exe
2604	powershell.exe
1596	powershell.exe
600	powershell.exe
548	powershell.exe

Executes dropped EXE 7 IoCs

pid	Process
2728	DllCommonsvc.exe
2176	dwm.exe
2624	dwm.exe
296	dwm.exe
1216	dwm.exe
1320	dwm.exe
2972	dwm.exe

Loads dropped DLL 2 IoCs

pid	Process
1012	cmd.exe
1012	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 8 IoCs

Web Service

T1102

flow	ioc
6	raw.githubusercontent.com
10	raw.githubusercontent.com
14	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\dwm.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Branding\ShellBrd\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Windows\Cursors\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Speech\Engines\SR\es-ES\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\ShellBrd\services.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_6c6ed088b082218ea7b7afc8255a0f4eff5ef3703c19b2328a6068ba26998b26.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2652	schtasks.exe
1916	schtasks.exe
1908	schtasks.exe
2168	schtasks.exe
2688	schtasks.exe
3032	schtasks.exe
1584	schtasks.exe
2672	schtasks.exe
1980	schtasks.exe
1464	schtasks.exe
1452	schtasks.exe
2996	schtasks.exe
2972	schtasks.exe
2236	schtasks.exe
1744	schtasks.exe
1760	schtasks.exe
2412	schtasks.exe
2088	schtasks.exe
1124	schtasks.exe
3024	schtasks.exe
2032	schtasks.exe
332	schtasks.exe
944	schtasks.exe
2160	schtasks.exe
1296	schtasks.exe
2748	schtasks.exe
2756	schtasks.exe
2988	schtasks.exe
1796	schtasks.exe
808	schtasks.exe
632	schtasks.exe
2452	schtasks.exe
2620	schtasks.exe

Suspicious behavior: EnumeratesProcesses 19 IoCs

pid	Process
2728	DllCommonsvc.exe
1684	powershell.exe
1596	powershell.exe
340	powershell.exe
1476	powershell.exe
600	powershell.exe
548	powershell.exe
1472	powershell.exe
2232	powershell.exe
2604	powershell.exe
1832	powershell.exe
680	powershell.exe
1488	powershell.exe
2176	dwm.exe
2624	dwm.exe
296	dwm.exe
1216	dwm.exe
1320	dwm.exe
2972	dwm.exe

Suspicious use of AdjustPrivilegeToken 19 IoCs

description	pid	Process
Token: SeDebugPrivilege	2728	DllCommonsvc.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1596	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1476	powershell.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	548	powershell.exe
Token: SeDebugPrivilege	1472	powershell.exe
Token: SeDebugPrivilege	2232	powershell.exe
Token: SeDebugPrivilege	2604	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	680	powershell.exe
Token: SeDebugPrivilege	1488	powershell.exe
Token: SeDebugPrivilege	2176	dwm.exe
Token: SeDebugPrivilege	2624	dwm.exe
Token: SeDebugPrivilege	296	dwm.exe
Token: SeDebugPrivilege	1216	dwm.exe
Token: SeDebugPrivilege	1320	dwm.exe
Token: SeDebugPrivilege	2972	dwm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1792 wrote to memory of 1652	1792	JaffaCakes118_6c6ed088b082218ea7b7afc8255a0f4eff5ef3703c19b2328a6068ba26998b26.exe	30
PID 1792 wrote to memory of 1652	1792	JaffaCakes118_6c6ed088b082218ea7b7afc8255a0f4eff5ef3703c19b2328a6068ba26998b26.exe	30
PID 1792 wrote to memory of 1652	1792	JaffaCakes118_6c6ed088b082218ea7b7afc8255a0f4eff5ef3703c19b2328a6068ba26998b26.exe	30
PID 1792 wrote to memory of 1652	1792	JaffaCakes118_6c6ed088b082218ea7b7afc8255a0f4eff5ef3703c19b2328a6068ba26998b26.exe	30
PID 1652 wrote to memory of 1012	1652	WScript.exe	31
PID 1652 wrote to memory of 1012	1652	WScript.exe	31
PID 1652 wrote to memory of 1012	1652	WScript.exe	31
PID 1652 wrote to memory of 1012	1652	WScript.exe	31
PID 1012 wrote to memory of 2728	1012	cmd.exe	33
PID 1012 wrote to memory of 2728	1012	cmd.exe	33
PID 1012 wrote to memory of 2728	1012	cmd.exe	33
PID 1012 wrote to memory of 2728	1012	cmd.exe	33
PID 2728 wrote to memory of 2232	2728	DllCommonsvc.exe	68
PID 2728 wrote to memory of 2232	2728	DllCommonsvc.exe	68
PID 2728 wrote to memory of 2232	2728	DllCommonsvc.exe	68
PID 2728 wrote to memory of 600	2728	DllCommonsvc.exe	69
PID 2728 wrote to memory of 600	2728	DllCommonsvc.exe	69
PID 2728 wrote to memory of 600	2728	DllCommonsvc.exe	69
PID 2728 wrote to memory of 680	2728	DllCommonsvc.exe	70
PID 2728 wrote to memory of 680	2728	DllCommonsvc.exe	70
PID 2728 wrote to memory of 680	2728	DllCommonsvc.exe	70
PID 2728 wrote to memory of 548	2728	DllCommonsvc.exe	71
PID 2728 wrote to memory of 548	2728	DllCommonsvc.exe	71
PID 2728 wrote to memory of 548	2728	DllCommonsvc.exe	71
PID 2728 wrote to memory of 1472	2728	DllCommonsvc.exe	72
PID 2728 wrote to memory of 1472	2728	DllCommonsvc.exe	72
PID 2728 wrote to memory of 1472	2728	DllCommonsvc.exe	72
PID 2728 wrote to memory of 1684	2728	DllCommonsvc.exe	73
PID 2728 wrote to memory of 1684	2728	DllCommonsvc.exe	73
PID 2728 wrote to memory of 1684	2728	DllCommonsvc.exe	73
PID 2728 wrote to memory of 1832	2728	DllCommonsvc.exe	74
PID 2728 wrote to memory of 1832	2728	DllCommonsvc.exe	74
PID 2728 wrote to memory of 1832	2728	DllCommonsvc.exe	74
PID 2728 wrote to memory of 1476	2728	DllCommonsvc.exe	75
PID 2728 wrote to memory of 1476	2728	DllCommonsvc.exe	75
PID 2728 wrote to memory of 1476	2728	DllCommonsvc.exe	75
PID 2728 wrote to memory of 1488	2728	DllCommonsvc.exe	76
PID 2728 wrote to memory of 1488	2728	DllCommonsvc.exe	76
PID 2728 wrote to memory of 1488	2728	DllCommonsvc.exe	76
PID 2728 wrote to memory of 340	2728	DllCommonsvc.exe	77
PID 2728 wrote to memory of 340	2728	DllCommonsvc.exe	77
PID 2728 wrote to memory of 340	2728	DllCommonsvc.exe	77
PID 2728 wrote to memory of 2604	2728	DllCommonsvc.exe	78
PID 2728 wrote to memory of 2604	2728	DllCommonsvc.exe	78
PID 2728 wrote to memory of 2604	2728	DllCommonsvc.exe	78
PID 2728 wrote to memory of 1596	2728	DllCommonsvc.exe	79
PID 2728 wrote to memory of 1596	2728	DllCommonsvc.exe	79
PID 2728 wrote to memory of 1596	2728	DllCommonsvc.exe	79
PID 2728 wrote to memory of 2368	2728	DllCommonsvc.exe	89
PID 2728 wrote to memory of 2368	2728	DllCommonsvc.exe	89
PID 2728 wrote to memory of 2368	2728	DllCommonsvc.exe	89
PID 2368 wrote to memory of 2292	2368	cmd.exe	94
PID 2368 wrote to memory of 2292	2368	cmd.exe	94
PID 2368 wrote to memory of 2292	2368	cmd.exe	94
PID 2368 wrote to memory of 2176	2368	cmd.exe	95
PID 2368 wrote to memory of 2176	2368	cmd.exe	95
PID 2368 wrote to memory of 2176	2368	cmd.exe	95
PID 2176 wrote to memory of 960	2176	dwm.exe	97
PID 2176 wrote to memory of 960	2176	dwm.exe	97
PID 2176 wrote to memory of 960	2176	dwm.exe	97
PID 960 wrote to memory of 2984	960	cmd.exe	99
PID 960 wrote to memory of 2984	960	cmd.exe	99
PID 960 wrote to memory of 2984	960	cmd.exe	99
PID 960 wrote to memory of 2624	960	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c6ed088b082218ea7b7afc8255a0f4eff5ef3703c19b2328a6068ba26998b26.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6c6ed088b082218ea7b7afc8255a0f4eff5ef3703c19b2328a6068ba26998b26.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1012
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\ShellBrd\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1472
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1476
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Recent\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Favorites\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1596
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2368
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2292
      - C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2984
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat"
        9⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1600
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        11⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1628
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat"
        13⤵
        
        PID:2704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2036
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat"
        15⤵
        
        PID:2504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1420
        
        C:\Program Files (x86)\Windows Portable Devices\dwm.exe
        
        "C:\Program Files (x86)\Windows Portable Devices\dwm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        17⤵
        
        PID:1492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\Resource\Linguistics\LanguageNames2\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Portable Devices\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Windows\Branding\ShellBrd\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Branding\ShellBrd\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Branding\ShellBrd\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Windows\Cursors\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\Cursors\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Users\Default\Recent\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\Recent\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Recent\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\Users\Default\Favorites\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2302be025bae0ab517a28deb232d193f

SHA1
9a6833db3dcbae96c68e7d0d811c753e55d0247d

SHA256
1149bb192012abdc859bf76823800e34df5742d19d2968be32bb0ad3da4fec7f

SHA512
020b54c03bcc55de78be26624d84110e99713a236bb3b0c7f15511fc0a96182a8e8ca23e4bdb301d9ac21cd8afe7885e73a45be7044bfe0f749589961d7875ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d9bcb5619bfc2adf60d3548775d53dfe

SHA1
48bf559ed1b24469c7aac96049cb98357c056692

SHA256
21b771bd597dfcce4ea2b76149672895bde4b46d88c36c12b00730ae13cb9504

SHA512
cff9d9c34745b53e44fa573a10662393b4fff30461898c68c079cddd824ee1aee266ac14fdb1f95806221e00d767b2e9ec9989178feaed01cffc5449478034f3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d838f2af1f64abae10dec774a6ea9e7f

SHA1
59d3036b7bb7499eb02546afcfedf60c0de71b6f

SHA256
8530cc24ee30dad12617dcf3bf5e04f5ff7c5031c44dc49cc3691759a98de9ed

SHA512
f37940695a0029c06a2af932b51b0d4dba1180132fb6b219f8ca758852b5fa636e9e778347db30a36c9f89837dd5e48d22941f8c2743564bf117f4df6d635de2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
336de120e3d9da00b7dfe2eeabfb700d

SHA1
f99a5c21b441fdaee06d463b73fa7a917bbdec53

SHA256
73aca43d917eddee98b2f3268c561790068af7bbf0cdb179a04de8b36e327c4a

SHA512
dbceb210c9ff6a66fcba410b6bac9ce1bf219ebf933ffab1f0b87b4b10fbd4780ad5306a8607afb2bd50ec364000b94b519bb713745a47cc0965d9a5f43cc200

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bf8b5b14adeb0362e2a5534baf4b748a

SHA1
da0f2425b4d911fa946e815cfacc554023b6376b

SHA256
b663964cefa55990080ef7b477c1c26dd399be8a8387171721508ad5f8499a53

SHA512
f46d165e4280b0028feaf713b6d218dc37eee7968871cd89cb0509b7971818441ae7d548835467e747c66c01a89a7d224c60a286429d70309d016f86a8d1c028

Download Submit
C:\Users\Admin\AppData\Local\Temp\6ossFTShKU.bat

Filesize
220B

MD5
f64c007594c4d3b2f30c62de03b19dbc

SHA1
6cb2e66ee2a578ee3ac2d0f105fcff829d3f74a9

SHA256
c3dc4d585bbdaa66fe4158c3b20148025a86485dd56328df2404fa67747961c3

SHA512
b76be8dcdccbd155e8068c1ce43959649600e2e3dac24bef92f40e838fc68efbb058dd03b329322551724bd22c5e570c161664549774cc0f0d0b57871e52a1d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat

Filesize
220B

MD5
e48ecd9fc84c4b57e09c57b2047042d2

SHA1
c22e0524bacdb627ca3446fb4e1cec1bab0c9f6c

SHA256
f567c37baad43db9eca622e9f2cdddd03a4fed131d71471a80d4e25db71c9eaa

SHA512
4d9b449daf6e986df29d3d4c0f15bcf75cf1125d7187dd95b61670acfbf93680d5cf156d3e0932cfded7796dfc58c78e85d3a347e1cf6401ea29fee4b249ea0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab400E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4031.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

Filesize
220B

MD5
04b1ca3d673e1c23e22321f6e0871e15

SHA1
1e3e9c1eb6ee6878aee516182e6313567c38b128

SHA256
7566848ff1bde29b2a95b94e8bfd9bc39541e058a48998611828c7da281d5f21

SHA512
ce14e3f194b6fa75016dbab1681c671da3a4002765bb1d4d618f6699e32558fdc59808dc80c22e32e02be45aa91c65a9274f2a495411156206c5c0481b72ca2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
220B

MD5
73edd23fa429dabcecb200f61a836a1d

SHA1
8c64e65f5812fede59d3f7d6e7853b21b3eb1a81

SHA256
4c9bae55970e0aaaffd9d0cf05c74f1c6621d2c3ff10b86319e37a106c47988f

SHA512
8e63b2010ceb5bda9e5b8fa93362178d239a821eb48510f703a7602d2648a2e5e19496dbdc85f950da8c726db621ff851ee8236548bcedfffb25a6483539011e

Download Submit
C:\Users\Admin\AppData\Local\Temp\VeFqpJq3BV.bat

Filesize
220B

MD5
aa2a6d391f0dad4cf3fdfce77c60c58e

SHA1
739577b3283a16130622965e49b0ce1d63435d87

SHA256
2a00eeb4459d4625b99592a02f5cd438029f10c51cfd44ab14eaf1ec5020c072

SHA512
72f2b247c3897a4508defa65ae46a0567ff3461b7dfc15cef166a096dd2109e7ec7d4b5b6692d6745e078a9e578d46ae4511b86483b3c146ca59a07574a45238

Download Submit
C:\Users\Admin\AppData\Local\Temp\XErLL4imMU.bat

Filesize
220B

MD5
667c283509a7201435dd5b9c090b3713

SHA1
fd8b0342f935f894bacf3062b8b83ce4083312c1

SHA256
896dd851f42dcfe5383dedf27f8fa8b5fdd7bdd0a8122bf62dc09d2247513704

SHA512
8a3309332a53bae5617d2f31244c98b81f4b1a5f1634dda36361c60df1ee1b9817ea620d96d4e5c68b643c5f86e278207d9f3e849d7f66816d24ee5f3e12acd2

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
220B

MD5
27c7ce99d1b6b80cf0e3002b8217cab4

SHA1
1b9216235cd6c209761690af542d7fa9d3871169

SHA256
df7fe6650844741437d49303c268d0a031479290b6cd86b237d62aa30e622548

SHA512
547f08534e0790a0a6c1e0698329db758149f021acfb4dc18ec4cda59b5ebc01a9d24d5d7baa0971e15e4d06169c323f5f22ab4e9075eeadc4c6fc7e78e351bc

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
28c08baf09b6b0bad9ddf11ba3ac1fef

SHA1
4ae0e6ece115f157a3cfa39e16ddc094b1c0d49c

SHA256
8f693c237976e8b6533410483b56e92c386c640fbdc247a423a8c56dce1961b8

SHA512
12da0fbe3072cef1205953d679cc1af0d164f1ab0f637dbe9c0097c7d5a983178fc780e0027001e99dc2ffc05ebeed506427128a890499fe05c3c5e618224386

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/296-227-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/1216-287-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/1320-347-0x0000000000B70000-0x0000000000C80000-memory.dmp

Filesize
1.1MB

Download
memory/1596-66-0x0000000001CB0000-0x0000000001CB8000-memory.dmp

Filesize
32KB

Download
memory/1684-55-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2176-108-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2624-167-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2728-17-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/2728-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/2728-15-0x00000000001D0000-0x00000000001DC000-memory.dmp

Filesize
48KB

Download
memory/2728-14-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/2728-13-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2972-407-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download