dcrat | 8da11906d8579e11f9fda67d3a3f3eec2feadd32672cdb9270b36fc93d8b4c3e

Analysis

max time kernel
146s
max time network
145s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8da11906d8579e11f9fda67d3a3f3eec2feadd32672cdb9270b36fc93d8b4c3e.exe
Size

1.3MB
MD5

049a4ac3800907fedbf95374df3219fd
SHA1

798bf5c5263f9d3b3faf1e177d9617ea0f37f0cb
SHA256

8da11906d8579e11f9fda67d3a3f3eec2feadd32672cdb9270b36fc93d8b4c3e
SHA512

7c489140c3745db47e1008cbf807fd8f1fd9adcecbdde8b96a671aa50e6cfbc2d6592d86823b4ef8669d06f51439fa623aa4e33136d079f32ff782767403380e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 27 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2608	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1440	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2692	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1080	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2868	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1700	2868	schtasks.exe	34

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cf0-9.dat	dcrat
behavioral1/memory/3028-13-0x0000000001020000-0x0000000001130000-memory.dmp	dcrat
behavioral1/memory/2668-57-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/1724-149-0x0000000000210000-0x0000000000320000-memory.dmp	dcrat
behavioral1/memory/1004-209-0x0000000000FA0000-0x00000000010B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 10 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2096	powershell.exe
2732	powershell.exe
2028	powershell.exe
1864	powershell.exe
2556	powershell.exe
376	powershell.exe
888	powershell.exe
324	powershell.exe
1940	powershell.exe
948	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
3028	DllCommonsvc.exe
2668	conhost.exe
1724	conhost.exe
1004	conhost.exe
2612	conhost.exe
1832	conhost.exe
1084	conhost.exe
3024	conhost.exe
2348	conhost.exe
812	conhost.exe
376	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2928	cmd.exe
2928	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\0a1fd5f707cd16	DllCommonsvc.exe
File opened for modification	C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\Mozilla Firefox\defaults\pref\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\es-ES\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Common Files\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ehome\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\ehome\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8da11906d8579e11f9fda67d3a3f3eec2feadd32672cdb9270b36fc93d8b4c3e.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 27 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2796	schtasks.exe
2152	schtasks.exe
1700	schtasks.exe
580	schtasks.exe
1612	schtasks.exe
2248	schtasks.exe
1080	schtasks.exe
1928	schtasks.exe
2608	schtasks.exe
112	schtasks.exe
2776	schtasks.exe
1192	schtasks.exe
2192	schtasks.exe
2216	schtasks.exe
2008	schtasks.exe
2900	schtasks.exe
1104	schtasks.exe
584	schtasks.exe
1440	schtasks.exe
2252	schtasks.exe
2960	schtasks.exe
2000	schtasks.exe
1160	schtasks.exe
2604	schtasks.exe
2412	schtasks.exe
2692	schtasks.exe
932	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
3028	DllCommonsvc.exe
2668	conhost.exe
2732	powershell.exe
2028	powershell.exe
324	powershell.exe
1940	powershell.exe
948	powershell.exe
376	powershell.exe
2096	powershell.exe
2556	powershell.exe
888	powershell.exe
1864	powershell.exe
1724	conhost.exe
1004	conhost.exe
2612	conhost.exe
1832	conhost.exe
1084	conhost.exe
3024	conhost.exe
2348	conhost.exe
812	conhost.exe
376	conhost.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	3028	DllCommonsvc.exe
Token: SeDebugPrivilege	2668	conhost.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2028	powershell.exe
Token: SeDebugPrivilege	324	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	948	powershell.exe
Token: SeDebugPrivilege	376	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1864	powershell.exe
Token: SeDebugPrivilege	1724	conhost.exe
Token: SeDebugPrivilege	1004	conhost.exe
Token: SeDebugPrivilege	2612	conhost.exe
Token: SeDebugPrivilege	1832	conhost.exe
Token: SeDebugPrivilege	1084	conhost.exe
Token: SeDebugPrivilege	3024	conhost.exe
Token: SeDebugPrivilege	2348	conhost.exe
Token: SeDebugPrivilege	812	conhost.exe
Token: SeDebugPrivilege	376	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2408 wrote to memory of 2724	2408	JaffaCakes118_8da11906d8579e11f9fda67d3a3f3eec2feadd32672cdb9270b36fc93d8b4c3e.exe	30
PID 2408 wrote to memory of 2724	2408	JaffaCakes118_8da11906d8579e11f9fda67d3a3f3eec2feadd32672cdb9270b36fc93d8b4c3e.exe	30
PID 2408 wrote to memory of 2724	2408	JaffaCakes118_8da11906d8579e11f9fda67d3a3f3eec2feadd32672cdb9270b36fc93d8b4c3e.exe	30
PID 2408 wrote to memory of 2724	2408	JaffaCakes118_8da11906d8579e11f9fda67d3a3f3eec2feadd32672cdb9270b36fc93d8b4c3e.exe	30
PID 2724 wrote to memory of 2928	2724	WScript.exe	31
PID 2724 wrote to memory of 2928	2724	WScript.exe	31
PID 2724 wrote to memory of 2928	2724	WScript.exe	31
PID 2724 wrote to memory of 2928	2724	WScript.exe	31
PID 2928 wrote to memory of 3028	2928	cmd.exe	33
PID 2928 wrote to memory of 3028	2928	cmd.exe	33
PID 2928 wrote to memory of 3028	2928	cmd.exe	33
PID 2928 wrote to memory of 3028	2928	cmd.exe	33
PID 3028 wrote to memory of 2096	3028	DllCommonsvc.exe	62
PID 3028 wrote to memory of 2096	3028	DllCommonsvc.exe	62
PID 3028 wrote to memory of 2096	3028	DllCommonsvc.exe	62
PID 3028 wrote to memory of 2732	3028	DllCommonsvc.exe	63
PID 3028 wrote to memory of 2732	3028	DllCommonsvc.exe	63
PID 3028 wrote to memory of 2732	3028	DllCommonsvc.exe	63
PID 3028 wrote to memory of 1940	3028	DllCommonsvc.exe	64
PID 3028 wrote to memory of 1940	3028	DllCommonsvc.exe	64
PID 3028 wrote to memory of 1940	3028	DllCommonsvc.exe	64
PID 3028 wrote to memory of 376	3028	DllCommonsvc.exe	65
PID 3028 wrote to memory of 376	3028	DllCommonsvc.exe	65
PID 3028 wrote to memory of 376	3028	DllCommonsvc.exe	65
PID 3028 wrote to memory of 888	3028	DllCommonsvc.exe	66
PID 3028 wrote to memory of 888	3028	DllCommonsvc.exe	66
PID 3028 wrote to memory of 888	3028	DllCommonsvc.exe	66
PID 3028 wrote to memory of 324	3028	DllCommonsvc.exe	67
PID 3028 wrote to memory of 324	3028	DllCommonsvc.exe	67
PID 3028 wrote to memory of 324	3028	DllCommonsvc.exe	67
PID 3028 wrote to memory of 2028	3028	DllCommonsvc.exe	68
PID 3028 wrote to memory of 2028	3028	DllCommonsvc.exe	68
PID 3028 wrote to memory of 2028	3028	DllCommonsvc.exe	68
PID 3028 wrote to memory of 948	3028	DllCommonsvc.exe	69
PID 3028 wrote to memory of 948	3028	DllCommonsvc.exe	69
PID 3028 wrote to memory of 948	3028	DllCommonsvc.exe	69
PID 3028 wrote to memory of 2556	3028	DllCommonsvc.exe	71
PID 3028 wrote to memory of 2556	3028	DllCommonsvc.exe	71
PID 3028 wrote to memory of 2556	3028	DllCommonsvc.exe	71
PID 3028 wrote to memory of 1864	3028	DllCommonsvc.exe	72
PID 3028 wrote to memory of 1864	3028	DllCommonsvc.exe	72
PID 3028 wrote to memory of 1864	3028	DllCommonsvc.exe	72
PID 3028 wrote to memory of 2668	3028	DllCommonsvc.exe	82
PID 3028 wrote to memory of 2668	3028	DllCommonsvc.exe	82
PID 3028 wrote to memory of 2668	3028	DllCommonsvc.exe	82
PID 2668 wrote to memory of 1592	2668	conhost.exe	83
PID 2668 wrote to memory of 1592	2668	conhost.exe	83
PID 2668 wrote to memory of 1592	2668	conhost.exe	83
PID 1592 wrote to memory of 2920	1592	cmd.exe	85
PID 1592 wrote to memory of 2920	1592	cmd.exe	85
PID 1592 wrote to memory of 2920	1592	cmd.exe	85
PID 1592 wrote to memory of 1724	1592	cmd.exe	86
PID 1592 wrote to memory of 1724	1592	cmd.exe	86
PID 1592 wrote to memory of 1724	1592	cmd.exe	86
PID 1724 wrote to memory of 2040	1724	conhost.exe	87
PID 1724 wrote to memory of 2040	1724	conhost.exe	87
PID 1724 wrote to memory of 2040	1724	conhost.exe	87
PID 2040 wrote to memory of 776	2040	cmd.exe	89
PID 2040 wrote to memory of 776	2040	cmd.exe	89
PID 2040 wrote to memory of 776	2040	cmd.exe	89
PID 2040 wrote to memory of 1004	2040	cmd.exe	90
PID 2040 wrote to memory of 1004	2040	cmd.exe	90
PID 2040 wrote to memory of 1004	2040	cmd.exe	90
PID 1004 wrote to memory of 1820	1004	conhost.exe	91

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8da11906d8579e11f9fda67d3a3f3eec2feadd32672cdb9270b36fc93d8b4c3e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8da11906d8579e11f9fda67d3a3f3eec2feadd32672cdb9270b36fc93d8b4c3e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2408
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2724
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2928
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:324
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ehome\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Searches\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1864
    - - C:\Program Files\Common Files\conhost.exe
        
        "C:\Program Files\Common Files\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2668
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2920
        
        C:\Program Files\Common Files\conhost.exe
        
        "C:\Program Files\Common Files\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1724
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:776
        
        C:\Program Files\Common Files\conhost.exe
        
        "C:\Program Files\Common Files\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat"
        10⤵
        
        PID:1820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1736
        
        C:\Program Files\Common Files\conhost.exe
        
        "C:\Program Files\Common Files\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat"
        12⤵
        
        PID:876
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2276
        
        C:\Program Files\Common Files\conhost.exe
        
        "C:\Program Files\Common Files\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat"
        14⤵
        
        PID:2124
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1520
        
        C:\Program Files\Common Files\conhost.exe
        
        "C:\Program Files\Common Files\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        16⤵
        
        PID:324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:740
        
        C:\Program Files\Common Files\conhost.exe
        
        "C:\Program Files\Common Files\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat"
        18⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2880
        
        C:\Program Files\Common Files\conhost.exe
        
        "C:\Program Files\Common Files\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat"
        20⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2668
        
        C:\Program Files\Common Files\conhost.exe
        
        "C:\Program Files\Common Files\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat"
        22⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2096
        
        C:\Program Files\Common Files\conhost.exe
        
        "C:\Program Files\Common Files\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files\Mozilla Firefox\defaults\pref\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Photo Viewer\es-ES\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\ehome\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\ehome\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Windows\ehome\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Common Files\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files\Common Files\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Common Files\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\Searches\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Searches\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Searches\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
02b6f3bdb7505012b6e462a7d570f591

SHA1
ec37005a479ca83d1fae1c8f9981bc8eb18d07d5

SHA256
6e4c7f284123b08c9f405fa62a354bdfc383a3c274d06bb882c31e0e1c924089

SHA512
134dc4e7eab521dd5bade3e4a5a44009cb1889a7c91a4636499acc05cbcdf8d429429a4b028f399ffde700d8a3dca266d3a4d292f76fe4b38ee07c02757690e6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2754e42a95cc5587286e0201d42aed9a

SHA1
297aded6f67a0c52070b8e3a10409b02625e7ff7

SHA256
d577a083b22cae54bb880c5fde5435624528da4669416227d03de4c21cb5a143

SHA512
f611c4186a200eba89dfa95d979d7c6b826e18d4cf1a630147e644ca60952635d6eab9981aa31d1a7ec56df55a37f936c4b5441bec478825ed576ef16b9896be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f8ff449cc51474e9474d33612623e81

SHA1
bb3b48e26ef39f0e6eaf523b5a5c0c62782709d2

SHA256
4af6418ccf45c2d5de7ba358a0619c5e9e4e3efe511282057efaacd3d4380f96

SHA512
b770083c2877127bba1c7be2e9313a921a7e8d841ce1038a7e18524744523ed7fd4c90bdb012eb098ab3db533a8ba8d30c4170ba92183e8f96f868da56d929a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
365a8567b4a3b327537bf83097877bef

SHA1
ae808277fefd8004a8969e650bcbffc57c271aab

SHA256
4b6081239d072bf9e1c9e9d2b820ae8f9a654cdd0e014235e32a04425652b322

SHA512
2d085f5dd24371f11011db210d8d76755dea85b16c4e89e8dd76ecd51e86f4a407374189a7bccd44196b5196cb01f71a63c32e26da7155906cec36335d39c65b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9a5f2183ba8dc6407bd853c91cd86192

SHA1
1dc8437dc2f8fb5677ae1bd9b1925aecb38af499

SHA256
60551d819fe2ac61444ef2d6a21b0724abe46ec2d0eaaa110c77fa7ca2c6f065

SHA512
7f3de331bfcbc6c9be08383f556d4addc355179ac2ca8287b9e8c660f9283ac1a4b13a999e3f05b6fbb7aff2316e37c3d2d14ccf829ffbfd37f1d2ed45e8c142

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2709aa273d07d150f0e8a587e66d7bde

SHA1
edab3ba159d3863961c7aedd543cf162c3b5628b

SHA256
64038105bfaa52e53bc72afd1b45117ed6d2f10b154f67644b92f059659a2483

SHA512
f986bd8f8aa2e444498ffe71a7d6c1f627936427133b1fd2a23dda6ea9eaf5c6c86c43898aaf03ef2cfeaace2646bd6ab2eea5fe058f82ff90b3a55de9406f1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60afeefd4bf1fa16abb450293f3f928d

SHA1
b18f543c5c1aab9d5e50dc63f1063b8ca46bf45d

SHA256
ab2693f405eda8e7fc3f655174361b8dd3aa7f9fa42abb8c96009d0fed358b41

SHA512
debcef6fb94f4d4be41fc008579097b1c2055b9b9257f53cf74c88a8db6b9876e82f1b0e4ebcdf331c81a2229749165e89ff6bafdbc4637f0bbaf5cec8cac244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0800e44ed7fdea3ef475c341cd5ea96e

SHA1
0b6a7c0e93aa23e530741dc58bf725f03ad31149

SHA256
ced5848065a321e67cf47d280c38fc7f4560967203becdfcc562e43373db95cb

SHA512
0fffbcc933896f72105da5d54b4c644c3c6474bd7181e0d086d5f5e2e5e1296d320350ade3b3517df19deae237db7841a2c9bc7139733ea2c5a953c0b996ffd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\1CE969IshF.bat

Filesize
206B

MD5
561c343b4d69d45f71d7e775e974194a

SHA1
3c7aac7000371a3dd85009a0c6d4e7158ae6907d

SHA256
10ffd92cdcece8810f44ccdc61c4bc985ab89c80823e0ed1ce3112b2bba84c04

SHA512
250247b621d4e2463f6894463628e8cd709a4ccf54885e124df9e140e6098d785c38c2d023d485ad46631a0554d532570e22f84a1bc1b7096abe7f8dc81e62f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\2sHl3bGdB9.bat

Filesize
206B

MD5
0361c3b2b23badb622ac33fbfe7870b3

SHA1
1fba3e2e61f784497495524589a6667a67e89d89

SHA256
e26fa432d98de19385dcb4a92237a0d32a7d9fcdbf47754e6c1b89296c498af1

SHA512
b177fb6eddaaeb9362d7b226504ceffcc07b2111e4027e642b077f9b05a0a2ef74f9227fa7bff59821e04b2260064b9253688c57dd7206b481cf55c7cfa6dffb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CL2HVdYORd.bat

Filesize
206B

MD5
a0e7a29504fa752652f799d938309c5b

SHA1
4fcbe5ce54ddaf5a2ebad8f32cd243056a8ab515

SHA256
29e595b1b2fcc72461d40ca323c63c886dc693477bd2e0cd6cce7850060dda0c

SHA512
bca11c329b43919b175e0c7d16af895e12c1b9b4a31769eb06437c2f3286802135338c753bafdeba06fd12f378661941c5e9f5f439032475484d33157fe9835e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab418.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
206B

MD5
0db62fb0611226faf8e7fc8e4b18148d

SHA1
162e0addcd939b293bc11007e156bdbcad99c483

SHA256
1c101c01000ed905c0a1bcfb9303a6e338ed3cee0281a0ec87bf3d621f5876ce

SHA512
c4ee89fe49a5518bd4012c143a90a80a0342a7c7604902d2a25c7c4320aecb9708d5576bdb206a2a84fa3a7b18ca324f9c172d818b4f52f3689f01f0917e4550

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nm0aad8I0L.bat

Filesize
206B

MD5
22d3457406e200c346d9de6fffb7400b

SHA1
f50d567539de1f7e3f3aa0237d9c92538dbb31aa

SHA256
9cdb4beb8c32038df5c82e57b0de28ac73572caa71521e5c142f477e1dd5ee21

SHA512
2f0e424e0c17699aa69cb9c94511a5e401bbd8baa384acee892adb8d38b0588c8b3fad944e90a47097a35338be78c608fd7b4b2b99e8c32476a100d1c7ca319f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar42B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\cV1vwDPsky.bat

Filesize
206B

MD5
ee9d195cbf48a19d78e9d498f98e6d35

SHA1
204df4bd45739b057dcead29b8e87441a0c1ebc8

SHA256
578946fbba5b3a7b40c0ffe867780a99f72f384c9ee6e3360b5d1c9dda5483e6

SHA512
ce1e8e00515b00ba1209cee29239ff95ab1353c67ed87dda36b6c1caac4f244fd502aba9ecccb46094af9693abc171024e97083636e1f24727583a5aef1f5eba

Download Submit
C:\Users\Admin\AppData\Local\Temp\dk6czFnjgV.bat

Filesize
206B

MD5
6b3495b80cf979849d4ec7836c815f0a

SHA1
5149efa28b31362f66cd4f1089fd0659028f7518

SHA256
a13d67dead8d947af453393005575b58bf781af57b4245c10c88f8b491068ceb

SHA512
1ab9f621e8e8455a87d0b634c19bef3e989fb1ea2dd66962d2bc67c6e9ca7ed2d00331a2e13d525654485a9846abee1ed070d735b6806fc86c485e754d08c81e

Download Submit
C:\Users\Admin\AppData\Local\Temp\sSDDfDN1Wn.bat

Filesize
206B

MD5
4ec4ac39597744d17f6d2432f6099c30

SHA1
566a31bbf53be18844ee10058b25affc07e798f2

SHA256
5ad8447ce5aee1da4d3aafcdb985ccc831d98cf771d42df41cbb8eda2ff8a287

SHA512
96199f4424cd8b9f8f6bd72633d6f9310d750d8e9aae78df7abc63976a19391bea32212f82d07ff21260a8042b7817d88bdd6a358375e7a0a23e89d74dcaa29f

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

Filesize
206B

MD5
b35e016d19453e270436265353c7734b

SHA1
7193a6107160d4317911ccb998f2ce568b1dd532

SHA256
86d35dd8f3130788968e33d6d9f209b709c8a3d1e56ea2248422612403cdb1fd

SHA512
cad4bca92ec067f20a737d0416f308836c48037cbe2cfe53fc4f21c163438e02d95549dbf3bdf72714fca256cea65e3281369aba5a3b2abfc70aaaf0530a4983

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
de2c5a274c6ac57d38b5cf523d35a2a0

SHA1
33185dc369f083c14a98f49d29e94063a33ea142

SHA256
5e57327d07bc31bae8bfdb9cf8f31a988c764f9411ba193c45568c5040d62485

SHA512
ebb0e063794e0d4f330075d4c7220a39cd0130d294fc303236d7ac379fba9fd853d6eec9d42dde1713fc2c4c0a8bf22688b188481a779631c9303d76b0255ad6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/376-89-0x000000001B420000-0x000000001B702000-memory.dmp

Filesize
2.9MB

Download
memory/1004-209-0x0000000000FA0000-0x00000000010B0000-memory.dmp

Filesize
1.1MB

Download
memory/1724-149-0x0000000000210000-0x0000000000320000-memory.dmp

Filesize
1.1MB

Download
memory/1832-328-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2668-57-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-90-0x0000000001ED0000-0x0000000001ED8000-memory.dmp

Filesize
32KB

Download
memory/3028-14-0x00000000004C0000-0x00000000004D2000-memory.dmp

Filesize
72KB

Download
memory/3028-17-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/3028-15-0x00000000004D0000-0x00000000004DC000-memory.dmp

Filesize
48KB

Download
memory/3028-16-0x000000001B010000-0x000000001B01C000-memory.dmp

Filesize
48KB

Download
memory/3028-13-0x0000000001020000-0x0000000001130000-memory.dmp

Filesize
1.1MB

Download