dcrat | 05d935d0859885620b53a8e3d8d8c24b690d4918a15c652fb7500e62bde02754

Analysis

max time kernel
149s
max time network
146s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 05:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_05d935d0859885620b53a8e3d8d8c24b690d4918a15c652fb7500e62bde02754.exe
Size

1.3MB
MD5

62f010ff7900fb61d7869d375b814fc9
SHA1

60b47402c18943cebdd4f0e6948dda080fbf14f9
SHA256

05d935d0859885620b53a8e3d8d8c24b690d4918a15c652fb7500e62bde02754
SHA512

ad35272dc5c66d4e4c6ede9a2375fc85f5abe88cc1ad65d228445fcce5b265aeba765131b33f18bdb531dcd479481a9fc860962565295d62c9c468f687483c92
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1664	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2316	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2316	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d31-12.dat	dcrat
behavioral1/memory/2792-13-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/844-44-0x0000000000DC0000-0x0000000000ED0000-memory.dmp	dcrat
behavioral1/memory/1536-145-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2504-382-0x00000000000A0000-0x00000000001B0000-memory.dmp	dcrat
behavioral1/memory/2828-443-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/348-504-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/2100-564-0x0000000000F90000-0x00000000010A0000-memory.dmp	dcrat
behavioral1/memory/2548-742-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2000	powershell.exe
2136	powershell.exe
2392	powershell.exe
2360	powershell.exe
2156	powershell.exe
1544	powershell.exe
3040	powershell.exe
2364	powershell.exe
2376	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2792	DllCommonsvc.exe
844	conhost.exe
1536	conhost.exe
1520	conhost.exe
1012	conhost.exe
2932	conhost.exe
2504	conhost.exe
2828	conhost.exe
348	conhost.exe
2100	conhost.exe
2488	conhost.exe
1052	conhost.exe
2548	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2832	cmd.exe
2832	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
26	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\Services\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\Services\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_05d935d0859885620b53a8e3d8d8c24b690d4918a15c652fb7500e62bde02754.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
1928	schtasks.exe
2716	schtasks.exe
2344	schtasks.exe
2732	schtasks.exe
1664	schtasks.exe
1828	schtasks.exe
2928	schtasks.exe
2080	schtasks.exe
2564	schtasks.exe
2068	schtasks.exe
2028	schtasks.exe
1444	schtasks.exe
2416	schtasks.exe
2592	schtasks.exe
752	schtasks.exe
2244	schtasks.exe
1048	schtasks.exe
2396	schtasks.exe
1948	schtasks.exe
2468	schtasks.exe
2412	schtasks.exe
1936	schtasks.exe
2996	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2792	DllCommonsvc.exe
2792	DllCommonsvc.exe
2792	DllCommonsvc.exe
1544	powershell.exe
2376	powershell.exe
2364	powershell.exe
2000	powershell.exe
2156	powershell.exe
2360	powershell.exe
2136	powershell.exe
2392	powershell.exe
3040	powershell.exe
844	conhost.exe
1536	conhost.exe
1520	conhost.exe
1012	conhost.exe
2932	conhost.exe
2504	conhost.exe
2828	conhost.exe
348	conhost.exe
2100	conhost.exe
2488	conhost.exe
1052	conhost.exe
2548	conhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2792	DllCommonsvc.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	2156	powershell.exe
Token: SeDebugPrivilege	2360	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	844	conhost.exe
Token: SeDebugPrivilege	1536	conhost.exe
Token: SeDebugPrivilege	1520	conhost.exe
Token: SeDebugPrivilege	1012	conhost.exe
Token: SeDebugPrivilege	2932	conhost.exe
Token: SeDebugPrivilege	2504	conhost.exe
Token: SeDebugPrivilege	2828	conhost.exe
Token: SeDebugPrivilege	348	conhost.exe
Token: SeDebugPrivilege	2100	conhost.exe
Token: SeDebugPrivilege	2488	conhost.exe
Token: SeDebugPrivilege	1052	conhost.exe
Token: SeDebugPrivilege	2548	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2680	2668	JaffaCakes118_05d935d0859885620b53a8e3d8d8c24b690d4918a15c652fb7500e62bde02754.exe	31
PID 2668 wrote to memory of 2680	2668	JaffaCakes118_05d935d0859885620b53a8e3d8d8c24b690d4918a15c652fb7500e62bde02754.exe	31
PID 2668 wrote to memory of 2680	2668	JaffaCakes118_05d935d0859885620b53a8e3d8d8c24b690d4918a15c652fb7500e62bde02754.exe	31
PID 2668 wrote to memory of 2680	2668	JaffaCakes118_05d935d0859885620b53a8e3d8d8c24b690d4918a15c652fb7500e62bde02754.exe	31
PID 2680 wrote to memory of 2832	2680	WScript.exe	32
PID 2680 wrote to memory of 2832	2680	WScript.exe	32
PID 2680 wrote to memory of 2832	2680	WScript.exe	32
PID 2680 wrote to memory of 2832	2680	WScript.exe	32
PID 2832 wrote to memory of 2792	2832	cmd.exe	34
PID 2832 wrote to memory of 2792	2832	cmd.exe	34
PID 2832 wrote to memory of 2792	2832	cmd.exe	34
PID 2832 wrote to memory of 2792	2832	cmd.exe	34
PID 2792 wrote to memory of 2000	2792	DllCommonsvc.exe	60
PID 2792 wrote to memory of 2000	2792	DllCommonsvc.exe	60
PID 2792 wrote to memory of 2000	2792	DllCommonsvc.exe	60
PID 2792 wrote to memory of 2156	2792	DllCommonsvc.exe	61
PID 2792 wrote to memory of 2156	2792	DllCommonsvc.exe	61
PID 2792 wrote to memory of 2156	2792	DllCommonsvc.exe	61
PID 2792 wrote to memory of 1544	2792	DllCommonsvc.exe	62
PID 2792 wrote to memory of 1544	2792	DllCommonsvc.exe	62
PID 2792 wrote to memory of 1544	2792	DllCommonsvc.exe	62
PID 2792 wrote to memory of 3040	2792	DllCommonsvc.exe	63
PID 2792 wrote to memory of 3040	2792	DllCommonsvc.exe	63
PID 2792 wrote to memory of 3040	2792	DllCommonsvc.exe	63
PID 2792 wrote to memory of 2136	2792	DllCommonsvc.exe	64
PID 2792 wrote to memory of 2136	2792	DllCommonsvc.exe	64
PID 2792 wrote to memory of 2136	2792	DllCommonsvc.exe	64
PID 2792 wrote to memory of 2364	2792	DllCommonsvc.exe	65
PID 2792 wrote to memory of 2364	2792	DllCommonsvc.exe	65
PID 2792 wrote to memory of 2364	2792	DllCommonsvc.exe	65
PID 2792 wrote to memory of 2376	2792	DllCommonsvc.exe	66
PID 2792 wrote to memory of 2376	2792	DllCommonsvc.exe	66
PID 2792 wrote to memory of 2376	2792	DllCommonsvc.exe	66
PID 2792 wrote to memory of 2392	2792	DllCommonsvc.exe	67
PID 2792 wrote to memory of 2392	2792	DllCommonsvc.exe	67
PID 2792 wrote to memory of 2392	2792	DllCommonsvc.exe	67
PID 2792 wrote to memory of 2360	2792	DllCommonsvc.exe	68
PID 2792 wrote to memory of 2360	2792	DllCommonsvc.exe	68
PID 2792 wrote to memory of 2360	2792	DllCommonsvc.exe	68
PID 2792 wrote to memory of 844	2792	DllCommonsvc.exe	78
PID 2792 wrote to memory of 844	2792	DllCommonsvc.exe	78
PID 2792 wrote to memory of 844	2792	DllCommonsvc.exe	78
PID 844 wrote to memory of 2032	844	conhost.exe	79
PID 844 wrote to memory of 2032	844	conhost.exe	79
PID 844 wrote to memory of 2032	844	conhost.exe	79
PID 2032 wrote to memory of 1504	2032	cmd.exe	81
PID 2032 wrote to memory of 1504	2032	cmd.exe	81
PID 2032 wrote to memory of 1504	2032	cmd.exe	81
PID 2032 wrote to memory of 1536	2032	cmd.exe	82
PID 2032 wrote to memory of 1536	2032	cmd.exe	82
PID 2032 wrote to memory of 1536	2032	cmd.exe	82
PID 1536 wrote to memory of 1828	1536	conhost.exe	83
PID 1536 wrote to memory of 1828	1536	conhost.exe	83
PID 1536 wrote to memory of 1828	1536	conhost.exe	83
PID 1828 wrote to memory of 2168	1828	cmd.exe	85
PID 1828 wrote to memory of 2168	1828	cmd.exe	85
PID 1828 wrote to memory of 2168	1828	cmd.exe	85
PID 1828 wrote to memory of 1520	1828	cmd.exe	86
PID 1828 wrote to memory of 1520	1828	cmd.exe	86
PID 1828 wrote to memory of 1520	1828	cmd.exe	86
PID 1520 wrote to memory of 1492	1520	conhost.exe	87
PID 1520 wrote to memory of 1492	1520	conhost.exe	87
PID 1520 wrote to memory of 1492	1520	conhost.exe	87
PID 1492 wrote to memory of 2740	1492	cmd.exe	89

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05d935d0859885620b53a8e3d8d8c24b690d4918a15c652fb7500e62bde02754.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_05d935d0859885620b53a8e3d8d8c24b690d4918a15c652fb7500e62bde02754.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2680
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2832
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2156
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\Services\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
    - - C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:844
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1504
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2168
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1492
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2740
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat"
        12⤵
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2500
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2932
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat"
        14⤵
        
        PID:2692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1428
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        16⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1396
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat"
        18⤵
        
        PID:1900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1976
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat"
        20⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1980
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"
        22⤵
        
        PID:1032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2732
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
        24⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2864
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat"
        26⤵
        
        PID:588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2468
        
        C:\Program Files\Common Files\Services\conhost.exe
        
        "C:\Program Files\Common Files\Services\conhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\Services\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\Services\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Common Files\Services\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c57aadf67d255d4c428bb1dde0811da

SHA1
a9a174e1a0498d66ddb842509b945e0b6e24ec19

SHA256
a122951c1622c80705105795f7aa97ade18f4a54da34d97f017fa3ac559acd24

SHA512
eb64faa649c47052fba3d6edb6b3c30c163bb320a3b56c50e829d0633c35a40b850988b238c5edcc7764cc0838e378b4007875eaec61b72bbbbd13b54f988207

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7423c83bc5110aa67c1f4f0ba09c0506

SHA1
f2902daa139c4d5a189244f09298f7ac4ee57087

SHA256
f163555c2ea020254db85f118682e321f41223e218f4089c8dca616b3c3e49e6

SHA512
7d5f928f93f535a1953e14eebfd263e1717fd70a9498b7e28d09de4dda25cd566cd5c9d07e40e93679c54ff2fa914b3690833c0d9a7896d9ac594b73a8be5272

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b64787e9d77b24ed2e31c1f40c89ec5

SHA1
1056045f17b6f3d8901ea3b3e9408de9186d0e75

SHA256
16fb189000a6311a86f2916dedf45fce453ec9cbe1c9f6ec9ed9083cccd74a1c

SHA512
959d7fc007ec92513b613fea6252d5d209c994edf226691f07b8621fbf1bcb1ffa748e9ca6ccce291c418f97b001ace67993834ea810112de2ef7f4473c092d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0807c6a365e8f17ae861da7efe261a58

SHA1
359d52ad91c46cfde20ad3ab5147da0a0b7d000b

SHA256
136115db32d9ac68966a133356d2c1d20a1895ce7642a99f47be914ffb1ea17c

SHA512
1b69b69c3ab634642fcb9bc86f5432a6758535bdbbbafcd5e1bdf3915bbeb8aebd8ddca0f7696d10b4c48a59f9f78e439ebb2eeb16ea63e49c69b6958bd935d9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07b6cea82d21b2da31b3ed622bd59b4a

SHA1
1772febf6fccbe20b93b5fc6eea8e68655517db8

SHA256
f2979975135a2fdab81ff08bde743c4f3196a913028704268f38646b2bac7ad3

SHA512
5f3e0c9abddfae4c08f26efa93340b01047f97bfbf6d1c6bc733491676180408037ec438ecd271164a5962a7bd1fcca9bf8a4b45d981f11238c20adf7f0ce63e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4eb5ef141fc6e4859bc908e7edb6d687

SHA1
b7ef75d3ddb5844a60e91e6b46bc51fadd21fc2d

SHA256
1c90aedea10e274cf0cfb371f3b31bcd68eafcc5feee7c4e790ad427bb8d6956

SHA512
c0b6fcb707341510643827be18bdfe764fd3476840e01373719c79651dfe1e66eaecddac5f0b1d619734fce2df08c50ea2fe10e9554f541bf115d144c552bcfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b6baab0bacb03aa92dd1c29cbdadac1d

SHA1
af9c02d86d6623d519f501a54438c9f430411bd1

SHA256
5463b5714fa6cde781c19d70c17c00f70158cfb7c66d6bab72ac63954f12661b

SHA512
e13ea7ce13e409ff01a7857da260abd4257b7db954f5f4f1d522b8c11367306aaf43f7abc22242fd26c094af7fd7c425e97efc983028f0ba50d7059477abe380

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
348fc54bcadfa0c942aea690561b1de0

SHA1
594fdd7a518590ba029870ac8149021087f90fcf

SHA256
8a98e9452386600f038ae7097ce270a2fe3441adfc9dfe16ae30e63e1f6c9ee0

SHA512
d22159b133d5938f258e0f6a344efa87ec741d1bc85e9630d469d6e4e024f3a1b63c5e19fcbfdb14be66b8eb03993a11e0176a8be7b2f24a457fb24cf32c58b3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bf124260ec196c1857754e797d4d6fc

SHA1
3d0b93bbf601e26f3804b49aa3e40b83059968d5

SHA256
73245f4473cbaabf149443a2fc7da4a1d92bb4af402c6e0d0f2e0fca0dd105d7

SHA512
574eb5ba25780bf28a247bce1214427bc38a806d49f4845ba3fdb4d03cb6427579add47e3f536dce77d9dd9929357f38ff006eb7db6a915a1e4b832b12ec1795

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28bd8f09238ab7fe81f5bac2ca14c647

SHA1
91722db86a059fe59866f27a7d328007bc0c6107

SHA256
8480c6fbb27ab9ece936e0ace1871720bb97c4ddfa5d5b006dffeec26379a4f7

SHA512
c7c105185066d53f421d5aa1db43f9ea305ac37a31dbf766410022701fdc95baabd209f16076f5375947b13259665a1a77cb2865ddbdb7026fec30b2225a1906

Download Submit
C:\Users\Admin\AppData\Local\Temp\8UyA8TRco5.bat

Filesize
215B

MD5
2395bca5782ea8cd8c492f49359f6b6d

SHA1
1c1fe9dc28bd859e60b08130fec2d667834939a7

SHA256
cc78304627fb048c876d986e148fb8a2fa4e4fb77f522c10be741b5b4ef71801

SHA512
026d3dc968e213d37d331f8551040fa7eef76d88a41c4c6588a568b43b816961007f8888e21ac26f5535cfdf470303d3fec792c6e07f9dca0652e600a8853d1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2770.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GRgsn2v6O3.bat

Filesize
215B

MD5
423c3181ef685a4e85e324c4e2ba4f19

SHA1
7c6eb2235202d3af6e439cd036eb10bd3aa75d61

SHA256
8c0200965d6785e5a9f0b0dfe9d3691117bd0d7f070cd3611d8b4366fea8c98a

SHA512
653d2b5418f617e8fd1ae5d2b7c444605d07e13b5bccdf3c4f2747cf8262ee070e2b84d53a3ddcb34ac929581f06089f3597633749959c2ef4bb7053a766eb05

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
215B

MD5
007c446e2c8d6bf1b4c2c638ed22115c

SHA1
ca98e95102661ee59c49d6e1d92aa3326dea220d

SHA256
4151b91a43227650818faf4e2ba8bca1c8c7f46faa9e93a87f58621cdb136006

SHA512
03171a832368e385205a6ef05573f444df228dd62fbf2cb58b7703c521a5ea8d5533aee1d34eeffc07c371dcfc83e07bf552cf53d5187526d28ce139e46fb7e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\KOC6cu7vKW.bat

Filesize
215B

MD5
d26f2e1364e99732b22389aad53747de

SHA1
378449bef08a7847a4ade535f6a5efd58bdcad25

SHA256
a1f05c49318907734a43db0348bc3f039e0b800f16a94bf5f77297828128b084

SHA512
aa68eb7e9500d5dfb5bcfefb7277668dbd2ec5ed0dba9e853035ed76239b4d3b53dc727ed4f491738556f4a32f88dff5193c19c86ccaf620b301dd1ee7af6d76

Download Submit
C:\Users\Admin\AppData\Local\Temp\QSfwyRFOJU.bat

Filesize
215B

MD5
c81d4471ac9c6bc3a5bdebee52d52857

SHA1
4247daac5b422a1ae205d761e8fd7e4f299c7461

SHA256
f35caf54129b8bcd45ed741867cd45c5653a010078146fdf6d6ddb5c6116751e

SHA512
ecab29ee9350dc89f4cc7d7d5c5632cc7ff9500712fce2a26068b3e72b1fb818664d373cf787e71d33780a22eeda7acd4113bd5115350e8b7a9564dc1b5828fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2783.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

Filesize
215B

MD5
2605987c177bee00048dd99fcc330fb6

SHA1
445c1c04227e02f88821ba0ac48cba71e2382cd1

SHA256
2ee64ee633ebf8cf26282718dc0ff26644226b1160f52fadb34eca5f46e48062

SHA512
bbe8525f5684026fdc233dbe625a209c0764a8f483bab3ec122380974e3d50c2f2f081d1ed5901b61ff56c7711fc27b04d7d948d35da84425af18a2ca1aa991c

Download Submit
C:\Users\Admin\AppData\Local\Temp\dXV640YnNf.bat

Filesize
215B

MD5
0b629911d04c28f10c6c3f292b4ac1d6

SHA1
71166fd5bb9efde25529561f03147eaaf4faf25d

SHA256
372b2a0b9663f8dcaa98734bfb5daef1e43b6f99c675e91cfff7db8001d4eb55

SHA512
87c6fc6b2726d032b573ba02dc39a60c375998a683812c7e8bd34823e6e4f5f2180e135fad025f712fb5233715e72fd3011a3aaba77eacf71a5a877153f1f78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat

Filesize
215B

MD5
7245b32ca10d9e2cec84d71f33278cb2

SHA1
8b2799f6d0fa83e3c36ed2ef6820c90f1e0723bf

SHA256
19b7393499923e0cc4b66523f47aa789dc9160cac6e011f6ef8959bb6446bd82

SHA512
4cec10a53a83cec2b6be9077b8bc2c78a28c66e863820f7f71cf6b52bbc3b2cc281918389885199a7ea143cdd51f5c2dc85c564943e52c06b6e23820b5c99405

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

Filesize
215B

MD5
bc9d2fe5772e5ebc5982d5d4f1ad235c

SHA1
ce5c00599078e7242f6cc8d6aa7a5c431169628b

SHA256
f1961ad79a81ba4b58a05c667b5388a70b01f522f2a864a7c88e559d68a99cfd

SHA512
a0a085f545563b13d3a9991bd611c38998cdbe7ad043a27a0082a992d06e9e2ad635df992c6e06701863de63c28dfd10051375fa50f40475f1f8b6dd9bf74e97

Download Submit
C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat

Filesize
215B

MD5
550bc9336ad936ab66c203e70b1f7d6b

SHA1
2cae566ad5cacf05a5c47ab15d87623c4badac3c

SHA256
4b76c6acf759891dcd6ce6cc0f2fdd904087b9dd04471eac48c9606a4d47fcc7

SHA512
c66a9b7f620df2db09e918c47c198cea308e74c80c2cc4206afe80d14f00d1a2b2db8e7791d43a844fd338b9ebe065fb213bbfeda358e0dbe8390aa6f49fe957

Download Submit
C:\Users\Admin\AppData\Local\Temp\w2PRcJO5W1.bat

Filesize
215B

MD5
f0554ad1d0cfe57e257ab13a3ffbfbb4

SHA1
92cc1f6288fb8c2012c4f9113ffebefb558f043f

SHA256
9ba97618a02166be1b51453ce8c9c5fff4f005ccfb4a4773daef2882b7790906

SHA512
179b2f031881da4651aa954aba35db5353a7e2402f64eff6fd99983fb76665ef21d851af5a2b09337de013e2df181eb76adefc66547366fb31131fa094e84fbe

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\3DUHNU5JO15M5803ZOLT.temp

Filesize
7KB

MD5
20f72a8499ac50cb270d548026988178

SHA1
a70bb51fc702694c5b7f40c46ea673e2189a42c2

SHA256
77e4a479d9b7e1bc89ca76377352e4552d24bd7fc7a7f763d88409139db60a99

SHA512
3053d4a76484fb92aa2f745c24667bf3a3f2312f96d92a4090f01fa922292d21d45714b4e8201752dad33a1182bb14e5c31ae7fdffcb458df548ad60f044245e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/348-504-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/844-44-0x0000000000DC0000-0x0000000000ED0000-memory.dmp

Filesize
1.1MB

Download
memory/1536-145-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/1544-57-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/1544-56-0x000000001B660000-0x000000001B942000-memory.dmp

Filesize
2.9MB

Download
memory/2100-564-0x0000000000F90000-0x00000000010A0000-memory.dmp

Filesize
1.1MB

Download
memory/2504-383-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2504-382-0x00000000000A0000-0x00000000001B0000-memory.dmp

Filesize
1.1MB

Download
memory/2548-742-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2548-743-0x0000000000560000-0x0000000000572000-memory.dmp

Filesize
72KB

Download
memory/2792-17-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2792-13-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2792-14-0x00000000005B0000-0x00000000005C2000-memory.dmp

Filesize
72KB

Download
memory/2792-15-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2792-16-0x00000000005C0000-0x00000000005CC000-memory.dmp

Filesize
48KB

Download
memory/2828-444-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2828-443-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download