dcrat | 4fabd1c1f39aa9d4a4cb2d1bd2489222d87315c09b7455c41fb1a07f81c325e1

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4fabd1c1f39aa9d4a4cb2d1bd2489222d87315c09b7455c41fb1a07f81c325e1.exe
Size

1.3MB
MD5

43aec1d7df9aa817e3ba7d25d21e83fa
SHA1

f6887adfa7cb7e69683ee60f87657c73c93052bc
SHA256

4fabd1c1f39aa9d4a4cb2d1bd2489222d87315c09b7455c41fb1a07f81c325e1
SHA512

dfa3de0999f8f8b5deba810a7e663646d7cdea6b80fc1bacff43fa0900c1c5c024f31c0c258ffb9166e77e5b6037a6a6f25971e5a15fade19df219311d2cd121
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 15 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1820	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	484	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1508	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	268	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2828	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2828	schtasks.exe	33

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016be9-12.dat	dcrat
behavioral1/memory/2896-13-0x0000000000FE0000-0x00000000010F0000-memory.dmp	dcrat
behavioral1/memory/292-38-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2096-421-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/2052-481-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/2696-541-0x0000000000F30000-0x0000000001040000-memory.dmp	dcrat
behavioral1/memory/1796-601-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1636-661-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/1908-721-0x00000000003D0000-0x00000000004E0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 6 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1924	powershell.exe
1912	powershell.exe
1724	powershell.exe
2384	powershell.exe
1004	powershell.exe
1904	powershell.exe

Executes dropped EXE 14 IoCs

pid	Process
2896	DllCommonsvc.exe
292	dllhost.exe
2812	dllhost.exe
2512	dllhost.exe
2216	dllhost.exe
872	dllhost.exe
1156	dllhost.exe
2096	dllhost.exe
2052	dllhost.exe
2696	dllhost.exe
1796	dllhost.exe
1636	dllhost.exe
1908	dllhost.exe
2256	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2764	cmd.exe
2764	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
39	raw.githubusercontent.com
42	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\winlogon.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ehome\wow\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\ehome\wow\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4fabd1c1f39aa9d4a4cb2d1bd2489222d87315c09b7455c41fb1a07f81c325e1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 15 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2960	schtasks.exe
1508	schtasks.exe
1992	schtasks.exe
764	schtasks.exe
2780	schtasks.exe
484	schtasks.exe
268	schtasks.exe
2672	schtasks.exe
2328	schtasks.exe
1820	schtasks.exe
2756	schtasks.exe
2712	schtasks.exe
2520	schtasks.exe
980	schtasks.exe
2104	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2896	DllCommonsvc.exe
2896	DllCommonsvc.exe
2896	DllCommonsvc.exe
1904	powershell.exe
1724	powershell.exe
1912	powershell.exe
2384	powershell.exe
1924	powershell.exe
292	dllhost.exe
1004	powershell.exe
2812	dllhost.exe
2512	dllhost.exe
2216	dllhost.exe
872	dllhost.exe
1156	dllhost.exe
2096	dllhost.exe
2052	dllhost.exe
2696	dllhost.exe
1796	dllhost.exe
1636	dllhost.exe
1908	dllhost.exe
2256	dllhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	DllCommonsvc.exe
Token: SeDebugPrivilege	1904	powershell.exe
Token: SeDebugPrivilege	292	dllhost.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	2384	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1004	powershell.exe
Token: SeDebugPrivilege	2812	dllhost.exe
Token: SeDebugPrivilege	2512	dllhost.exe
Token: SeDebugPrivilege	2216	dllhost.exe
Token: SeDebugPrivilege	872	dllhost.exe
Token: SeDebugPrivilege	1156	dllhost.exe
Token: SeDebugPrivilege	2096	dllhost.exe
Token: SeDebugPrivilege	2052	dllhost.exe
Token: SeDebugPrivilege	2696	dllhost.exe
Token: SeDebugPrivilege	1796	dllhost.exe
Token: SeDebugPrivilege	1636	dllhost.exe
Token: SeDebugPrivilege	1908	dllhost.exe
Token: SeDebugPrivilege	2256	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2596 wrote to memory of 2288	2596	JaffaCakes118_4fabd1c1f39aa9d4a4cb2d1bd2489222d87315c09b7455c41fb1a07f81c325e1.exe	29
PID 2596 wrote to memory of 2288	2596	JaffaCakes118_4fabd1c1f39aa9d4a4cb2d1bd2489222d87315c09b7455c41fb1a07f81c325e1.exe	29
PID 2596 wrote to memory of 2288	2596	JaffaCakes118_4fabd1c1f39aa9d4a4cb2d1bd2489222d87315c09b7455c41fb1a07f81c325e1.exe	29
PID 2596 wrote to memory of 2288	2596	JaffaCakes118_4fabd1c1f39aa9d4a4cb2d1bd2489222d87315c09b7455c41fb1a07f81c325e1.exe	29
PID 2288 wrote to memory of 2764	2288	WScript.exe	30
PID 2288 wrote to memory of 2764	2288	WScript.exe	30
PID 2288 wrote to memory of 2764	2288	WScript.exe	30
PID 2288 wrote to memory of 2764	2288	WScript.exe	30
PID 2764 wrote to memory of 2896	2764	cmd.exe	32
PID 2764 wrote to memory of 2896	2764	cmd.exe	32
PID 2764 wrote to memory of 2896	2764	cmd.exe	32
PID 2764 wrote to memory of 2896	2764	cmd.exe	32
PID 2896 wrote to memory of 1724	2896	DllCommonsvc.exe	49
PID 2896 wrote to memory of 1724	2896	DllCommonsvc.exe	49
PID 2896 wrote to memory of 1724	2896	DllCommonsvc.exe	49
PID 2896 wrote to memory of 2384	2896	DllCommonsvc.exe	50
PID 2896 wrote to memory of 2384	2896	DllCommonsvc.exe	50
PID 2896 wrote to memory of 2384	2896	DllCommonsvc.exe	50
PID 2896 wrote to memory of 1004	2896	DllCommonsvc.exe	51
PID 2896 wrote to memory of 1004	2896	DllCommonsvc.exe	51
PID 2896 wrote to memory of 1004	2896	DllCommonsvc.exe	51
PID 2896 wrote to memory of 1904	2896	DllCommonsvc.exe	52
PID 2896 wrote to memory of 1904	2896	DllCommonsvc.exe	52
PID 2896 wrote to memory of 1904	2896	DllCommonsvc.exe	52
PID 2896 wrote to memory of 1924	2896	DllCommonsvc.exe	53
PID 2896 wrote to memory of 1924	2896	DllCommonsvc.exe	53
PID 2896 wrote to memory of 1924	2896	DllCommonsvc.exe	53
PID 2896 wrote to memory of 1912	2896	DllCommonsvc.exe	54
PID 2896 wrote to memory of 1912	2896	DllCommonsvc.exe	54
PID 2896 wrote to memory of 1912	2896	DllCommonsvc.exe	54
PID 2896 wrote to memory of 292	2896	DllCommonsvc.exe	60
PID 2896 wrote to memory of 292	2896	DllCommonsvc.exe	60
PID 2896 wrote to memory of 292	2896	DllCommonsvc.exe	60
PID 292 wrote to memory of 2412	292	dllhost.exe	62
PID 292 wrote to memory of 2412	292	dllhost.exe	62
PID 292 wrote to memory of 2412	292	dllhost.exe	62
PID 2412 wrote to memory of 2804	2412	cmd.exe	64
PID 2412 wrote to memory of 2804	2412	cmd.exe	64
PID 2412 wrote to memory of 2804	2412	cmd.exe	64
PID 2412 wrote to memory of 2812	2412	cmd.exe	65
PID 2412 wrote to memory of 2812	2412	cmd.exe	65
PID 2412 wrote to memory of 2812	2412	cmd.exe	65
PID 2812 wrote to memory of 1264	2812	dllhost.exe	66
PID 2812 wrote to memory of 1264	2812	dllhost.exe	66
PID 2812 wrote to memory of 1264	2812	dllhost.exe	66
PID 1264 wrote to memory of 2976	1264	cmd.exe	68
PID 1264 wrote to memory of 2976	1264	cmd.exe	68
PID 1264 wrote to memory of 2976	1264	cmd.exe	68
PID 1264 wrote to memory of 2512	1264	cmd.exe	69
PID 1264 wrote to memory of 2512	1264	cmd.exe	69
PID 1264 wrote to memory of 2512	1264	cmd.exe	69
PID 2512 wrote to memory of 664	2512	dllhost.exe	70
PID 2512 wrote to memory of 664	2512	dllhost.exe	70
PID 2512 wrote to memory of 664	2512	dllhost.exe	70
PID 664 wrote to memory of 1660	664	cmd.exe	72
PID 664 wrote to memory of 1660	664	cmd.exe	72
PID 664 wrote to memory of 1660	664	cmd.exe	72
PID 664 wrote to memory of 2216	664	cmd.exe	73
PID 664 wrote to memory of 2216	664	cmd.exe	73
PID 664 wrote to memory of 2216	664	cmd.exe	73
PID 2216 wrote to memory of 1704	2216	dllhost.exe	74
PID 2216 wrote to memory of 1704	2216	dllhost.exe	74
PID 2216 wrote to memory of 1704	2216	dllhost.exe	74
PID 1704 wrote to memory of 1552	1704	cmd.exe	76

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fabd1c1f39aa9d4a4cb2d1bd2489222d87315c09b7455c41fb1a07f81c325e1.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4fabd1c1f39aa9d4a4cb2d1bd2489222d87315c09b7455c41fb1a07f81c325e1.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2288
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2764
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\wow\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:292
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2412
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2804
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2976
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1660
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        12⤵
        Suspicious use of WriteProcessMemory
        
        PID:1704
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1552
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
        14⤵
        
        PID:1476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3000
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        16⤵
        
        PID:268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:980
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat"
        18⤵
        
        PID:2224
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1004
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        20⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2532
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat"
        22⤵
        
        PID:3036
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:828
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1796
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat"
        24⤵
        
        PID:1504
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1088
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat"
        26⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2796
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat"
        28⤵
        
        PID:1652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2764
        
        C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Uninstall Information\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Windows\ehome\wow\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\ehome\wow\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\ehome\wow\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db7966551009182078f85bdc8723afed

SHA1
8505c7e7745c4f9d1e8f33c14d7da820d44bcaea

SHA256
946c26abdb42b8769fdfa8c6095438563b32804dd47fbfdf30bd607e493fd6e0

SHA512
b7ee926e132496f01a52270cb456eba03bf47049b51e94e73d67ac423ea3789f80bac1b0e804cbd98e9e1ff1a8aba2e5d7416018cdbd1b848c2c20316cf43b2a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
062061b93424a0b15694db64fe118bd7

SHA1
1243fa2455d6324e848979d96ff1da9d54f4eae2

SHA256
b0450afca20e51dfafd07bf8827fb50e3eb270587ef01cf0b7fe8780847a0484

SHA512
38d63ca8f03e32c31cdf43c09926c599ba2f796c6c8e9d37183b34806bb43ea89a259a63c3401deba22cac64aa628e581a9ca207bdbaa68298826522ad273240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3dac37b93c687c7f2eebe55ed853b52

SHA1
4ec330b75ab0cffadf520865d82ec8c41f687695

SHA256
dfab4067ffdc9b1a19aa3ca803d759951d96b41f26ba6249068df5e9952251c1

SHA512
1d37a7ce2991cfb0e894560552dd5da67b3c53575fb9db5005daa3e2639c777eb420974a0f578591d23cde36c2d137e5fb6e26a556fff2c28c30ce758c91dab5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2edd1e9800971c0335982092b84a852b

SHA1
f940aacc7db28fc42ddb7a16781f2b38d4321616

SHA256
a9fe80bbe047b6228614c4dbc3ee2ce56398dcbb86d63df4626ba8c5225a7037

SHA512
0c63c3edabc2b2398190014766b5929f5bf4db1f92400a0d790ef162d05c6ae8c1cc04851caf202ccb863c245812cdaa6292ca82baf2bf3f4d1a43dfee04ace9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38553193f143f443eacd89ebbe7ad86a

SHA1
365632c836f8538537daa8a95c6a3a555c2de502

SHA256
baa75ddeb09600b78d71ea887fe79ee3f3531649d0b4007576bdfacf4cfc303b

SHA512
1a4f068f3c0c53f5520b2ed9fbe8e1ba61933318da7e183a449ff24c1cde21340aef329d5c732e67df6bb93bf488f1d8625160d629f4e6c4b0d64e4a591b1210

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8824bc204a1723aaf5131980ae396c70

SHA1
1682f973cb2fd46817bd3e4b0d962e34ec36ee2c

SHA256
699111049dd13e093c022bfe400a5dd5166b07beabcd641c4fb7fff682881a9b

SHA512
146127766d3a40767c018f47111809b64c53f89f4bebfa4b1216d81121604110633922281d24c25197eb0c3067e01d86c078a62a511f049c59df74cd05352475

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f10e3d952ddd5e3028501ea018047ba

SHA1
9b696daaea99d8c21cdc97062346d540ea0c1533

SHA256
8eb29a4480c1c5cafa31169a9bd0b3c092105580bb0dea026f39a099be32ad11

SHA512
a04ff730bf9e34f8b3a5d249650f5cdef6933f64cf15b3364c042fc88b513c2c90165d34ed0ee75628869c38855f8aa8f3e3e6023d84e5f8b0ad19f17f5c9d92

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e40572409387426d6b9771452d5fac5d

SHA1
ec32a0c089cfad135104cb447ae5770a9a0e6cfa

SHA256
cf8bcd802ebd7d77aa2e510546460c32156f83a4aa647900cc9b38253277c09f

SHA512
ab2331239980b8b79712ba9ab0b51dc6eadad7a93c0a04387aac606548625dd88c03f41bf2775e4110192b788de27e9c9bdec813a0c0a965db11c8ce5a03df12

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62aff171168ed9fe6d60a98b7044c196

SHA1
a0436f922896c18e0c036052880d12fb2ea7973a

SHA256
f69a1779fefda213edd85c84cd17f6cf74793cc005b78b4930ef57536341fa77

SHA512
e8c680bffe908b57bd883b0107bd01b56e600c9e5dec18cf91ce3561f1264b2f148c5ac7f33214c89be70ab1c6549cbe692ae6f53603e99d0c2f2959606abbf5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5013090f9805fc9b417fad6f00f467b8

SHA1
4b83cdaf8b95ef2d71f2bcad03e69f52328d1ef1

SHA256
dca390647a740a5e73cc3bdb0e157755c0b71c4971577f446f123b525b1d07e3

SHA512
20b05824b0c4ce308e6f39126a99f2ca0ea877c24ab0ce5b6c5177a7cde55b4bb5ed308ad6166b0c4749ee8a9c4a4d209ddd8b4d961033724aef7c23e7be5d48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2220657c34362b0645e9f900c216113

SHA1
65e6a5122266d72467c1415fe7c2e4e5937bff7c

SHA256
b26a3edbad74ce5c140dba8518830f26bb27c4fb052e61c266a2ea0671432dff

SHA512
6e9f7a6ae2aa44e06df0e53fbc0688e6aa8eb0e7afc5cb3b8fcd6dabd1481595a95792b88c986a1622bebc73ae9564fad152ad6602ee6225f0dcf7805d4f8aca

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
240B

MD5
2228622f667a2c852235e15e9d1638a1

SHA1
8090e8bea682f4a655fde5ed390549884330c0c2

SHA256
91c70c20c40f352cf1fd8782e95ca76cfcfa4ddaf96dd923ef6e36578ce5b76b

SHA512
8ed9f41ab640e4e4647d4f2e533aad2860083cd63bc4271c0b2bcec8fa1ed13a8539c32272a903c7ad6c6eddbb631b8d6e8b0c8fb81ee5f742876cfedc1d8188

Download Submit
C:\Users\Admin\AppData\Local\Temp\0x9T38u1li.bat

Filesize
240B

MD5
392e728841f5c415fbdad110578249cf

SHA1
0eb3d8b308523ed5aaa17c641895f42724f9cf7c

SHA256
c1837752f0daf309d3c0869121112ba4fbc0b276f289d9f636c24363ffb3baf2

SHA512
113d7aee622a8641e42c641d9fc917e93bdb9497c895e9460f5b35bf52b18211e1c4f76b24583f09c07b23310c76d168408dc09750bf7ecd6794c0603ab58f5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat

Filesize
240B

MD5
8b24b6cd17b4179b32dfa1f9dad36423

SHA1
deaf85898d4fcf2f42d4539218271bfec957a508

SHA256
cbc36c5d758afa42332c792f770e1ded88da906121168ffe31306b01c77b7cb0

SHA512
7bd4cebe7d13a616d134555207436769742670bf980def113c57846b83d37f64af74223beaa9d46519a936a3bb4f6442ba441fec6cbeed717a480455d2141c05

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
240B

MD5
cb3e6977e670bcfcfba32074f7e839ad

SHA1
05dc427d39d12164a05f034e90dd4e1a9ca951bc

SHA256
3e9a6d6b7ce3dffe56f592983b8035c01136b42f3d225763ee0c8c8f240b7c6c

SHA512
b2ed3df7fc67b07752bcd06525d508626966b00d8707a8fb40466c8fa1e817ea50ec248d65e3dd5759f209ffc99c0a8c3840962682b2f151d4c57946272655a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab22BF.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\KteTxDTZHh.bat

Filesize
240B

MD5
e7e3fd33809798f0429810f77b02e699

SHA1
3f142ab7ebb9d83b8751768a37190648edfc7737

SHA256
6fd01ce608496f3d34e8e84728fe99f2c41758dc512ed14a6c0137a0f88cd297

SHA512
2d5bc3e32d2b6f7e215b10e22f6a90c14a3dc1b2c0a3a86cf631c76932c07afb02aa5a5128355b92affc1f9d40f74707b8134e8af69e7c0d56bedf65c45f9440

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar22C2.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b3FUfZROOv.bat

Filesize
240B

MD5
87de675cff68475ed85106ad86a90f6a

SHA1
a4e7fcd9ffe6c80b5d9e0a8205451db7d5c0a445

SHA256
bba4def0f71a57853e1354f959940d35a35722884b3767bc1e0a8bec846cff1d

SHA512
56f50125aea63ac789bc1bd529ab476b3c06cbf4bb60d2c3074ce81dbf2963b1aec9531769818ab7d1d0e9935b2a6a3d2da746ebdd69a955be9b4e427d455a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\hibqn60Xcy.bat

Filesize
240B

MD5
25873b0362950f2155924c8724f43735

SHA1
4745da58359d6619cd1f6d70761f4b1f50cd3198

SHA256
e1c511972de1ffaff4abd5e1fe021f979b251a1c05134aa0327f4a9ab59ad378

SHA512
ee4521531d2cbbde1d7d5445df878bebd8c89e8b9826d0c38be701ea078e47b0c49f3e6d0ab741c58c77c2a141e1475783b508c6ab8fd54087cfca2627ebe194

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
240B

MD5
b21556b9f55bb7970cd05137038f575b

SHA1
ed093017c8570b1a573e5261aee03f066bcd8310

SHA256
4bdee5d9e0c27ba4a2dd4fafa2d0f8d5feb12284372d1110c9db0772991553ad

SHA512
49bbbbb6221110654e5bb3ae91dd9e43d184a6a76011c6679d3229e48822343860c22ecc805dc7463df579e6d6b1303ad7154dcd278c5ff0d957c9b7e0d01fe4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pI0EcicZAo.bat

Filesize
240B

MD5
395e6ff7dbc98f56f232686925d254fe

SHA1
15f9dec3afe96955664a123782b2ed0d27322c40

SHA256
b111e4db215722eb434952c2f21edc92388b5c7f2324d0807c8678658d4b6dab

SHA512
befe87a6dff608a848848dc2b14b2919b5cf9bf4c85b7525f005870212095f93956000c0ff923e449a1b5ac10ab97b81d4814448c544861ebd95ead52ad698ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\tfVhKC50lX.bat

Filesize
240B

MD5
9c42c47abeef61d2b151ed46132f04ea

SHA1
d2a9a8313384cf6051d92d7411da4237de5faa15

SHA256
c3d33ee697119fe1c57ed26123d443fa48a85b42bc09cf4fbaa9120e175f7635

SHA512
a9bbb5be4ce82b6fe9301158bc38b40b0cb89e02bd15cd4a20566b16d3f842d4d36489e82776ee818accc695a09f4181a236950add42ac5138055fd60ab1dc6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlraSVrJxn.bat

Filesize
240B

MD5
d962309c6e71e42f7d4023a988a07877

SHA1
9929b10c14858835396d8a58c470fd7432053839

SHA256
193bce79d9ac55473e297f9ce947b063426c09cc2ffc12f080e9866c5cd2c085

SHA512
cb7f2f29ce9a1641b89be48ed53786103b761c0f8362327ef6d1acea0ee3b3f384100b8242b8ba2206d1b7154314951be3fa7d35a7af55dfce926d6869a4bf98

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
240B

MD5
1aac4a41aecd963e7f0ae669d97eb931

SHA1
f22d7f73ed20c855b15130c3593702036eb1ae9c

SHA256
46136231471e10ee74ad9b99180f972b388c78f237f8f990b8cdc58870753b44

SHA512
d8f0fbc9bccce5023eafd1a75d7b2f5e946c19fcc1f4c621760149b1debbb1f6baa66286b0937402be6885c82ef090b9be9c3cd9302031a543b1e9de0e0b8057

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
80fe96e5aafc67728d74345a9a1a1f7e

SHA1
3a9656d1d0b6760fe65c2223117aba7eacb15391

SHA256
67d3b4e9c9e9d643e92ee4f501d3774c5074e0edf56db1f8ded109fee5d6456d

SHA512
6785767ec9c306bf4ea8d3442ed066e05a81fed2cf2ccaf847800e406d39a50ed1d6db1d5d9351317d70b44ab34374d24d018331e5bdd74cb0c0fd83db0db371

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/292-38-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/872-302-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/1636-661-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/1796-601-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1904-41-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1904-39-0x000000001B710000-0x000000001B9F2000-memory.dmp

Filesize
2.9MB

Download
memory/1908-721-0x00000000003D0000-0x00000000004E0000-memory.dmp

Filesize
1.1MB

Download
memory/2052-481-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2096-421-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2256-781-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2696-541-0x0000000000F30000-0x0000000001040000-memory.dmp

Filesize
1.1MB

Download
memory/2812-124-0x0000000000400000-0x0000000000412000-memory.dmp

Filesize
72KB

Download
memory/2896-17-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2896-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2896-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2896-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2896-13-0x0000000000FE0000-0x00000000010F0000-memory.dmp

Filesize
1.1MB

Download