dcrat | 8106be1f89ad8a8a500c42644a16ac3699e8d18093221c0826b31023844d6630

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8106be1f89ad8a8a500c42644a16ac3699e8d18093221c0826b31023844d6630.exe
Size

1.3MB
MD5

0ba28f26e8ed6eb6ff0ef2f1b7973762
SHA1

9ac590a82531ae7f07d8b81b848a6d137112461d
SHA256

8106be1f89ad8a8a500c42644a16ac3699e8d18093221c0826b31023844d6630
SHA512

c921fd4b79b84e5bbd8ecaa0803c69d7f61c2dc0aa0a6bf0a078ed3c732236cbdb5a359bca89a3046dfc247a6076dfcbb76ad39e76e7507b14f9222e189ea0af
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2524	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1260	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1180	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	844	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1348	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2312	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2520	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2520	schtasks.exe	34

DCRat payload 7 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001920f-9.dat	dcrat
behavioral1/memory/2384-13-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/1432-38-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/1888-138-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/308-198-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/2232-614-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/1136-675-0x0000000000DA0000-0x0000000000EB0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1188	powershell.exe
3000	powershell.exe
2860	powershell.exe
2964	powershell.exe
1196	powershell.exe
2256	powershell.exe
1032	powershell.exe
2952	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2384	DllCommonsvc.exe
1432	conhost.exe
1888	conhost.exe
308	conhost.exe
1524	conhost.exe
1424	conhost.exe
2148	conhost.exe
1624	conhost.exe
2200	conhost.exe
2056	conhost.exe
2232	conhost.exe
1136	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2956	cmd.exe
2956	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
15	raw.githubusercontent.com
25	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
18	raw.githubusercontent.com
21	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\cs-CZ\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Windows\System32\cs-CZ\sppsvc.exe	DllCommonsvc.exe

Drops file in Program Files directory 3 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\audiodg.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Common Files\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\42af1c969fbb7b	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ja-JP\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8106be1f89ad8a8a500c42644a16ac3699e8d18093221c0826b31023844d6630.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1348	schtasks.exe
1740	schtasks.exe
2808	schtasks.exe
2676	schtasks.exe
2352	schtasks.exe
2064	schtasks.exe
1260	schtasks.exe
1180	schtasks.exe
1616	schtasks.exe
1996	schtasks.exe
1948	schtasks.exe
2312	schtasks.exe
2744	schtasks.exe
2524	schtasks.exe
2556	schtasks.exe
896	schtasks.exe
844	schtasks.exe
1720	schtasks.exe
1868	schtasks.exe
2748	schtasks.exe
2576	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2384	DllCommonsvc.exe
2384	DllCommonsvc.exe
2384	DllCommonsvc.exe
2964	powershell.exe
2860	powershell.exe
2256	powershell.exe
2952	powershell.exe
3000	powershell.exe
1032	powershell.exe
1188	powershell.exe
1196	powershell.exe
1432	conhost.exe
1888	conhost.exe
308	conhost.exe
1524	conhost.exe
1424	conhost.exe
2148	conhost.exe
1624	conhost.exe
2200	conhost.exe
2056	conhost.exe
2232	conhost.exe
1136	conhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2384	DllCommonsvc.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2860	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1432	conhost.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	3000	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	1196	powershell.exe
Token: SeDebugPrivilege	1888	conhost.exe
Token: SeDebugPrivilege	308	conhost.exe
Token: SeDebugPrivilege	1524	conhost.exe
Token: SeDebugPrivilege	1424	conhost.exe
Token: SeDebugPrivilege	2148	conhost.exe
Token: SeDebugPrivilege	1624	conhost.exe
Token: SeDebugPrivilege	2200	conhost.exe
Token: SeDebugPrivilege	2056	conhost.exe
Token: SeDebugPrivilege	2232	conhost.exe
Token: SeDebugPrivilege	1136	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1840 wrote to memory of 2804	1840	JaffaCakes118_8106be1f89ad8a8a500c42644a16ac3699e8d18093221c0826b31023844d6630.exe	30
PID 1840 wrote to memory of 2804	1840	JaffaCakes118_8106be1f89ad8a8a500c42644a16ac3699e8d18093221c0826b31023844d6630.exe	30
PID 1840 wrote to memory of 2804	1840	JaffaCakes118_8106be1f89ad8a8a500c42644a16ac3699e8d18093221c0826b31023844d6630.exe	30
PID 1840 wrote to memory of 2804	1840	JaffaCakes118_8106be1f89ad8a8a500c42644a16ac3699e8d18093221c0826b31023844d6630.exe	30
PID 2804 wrote to memory of 2956	2804	WScript.exe	31
PID 2804 wrote to memory of 2956	2804	WScript.exe	31
PID 2804 wrote to memory of 2956	2804	WScript.exe	31
PID 2804 wrote to memory of 2956	2804	WScript.exe	31
PID 2956 wrote to memory of 2384	2956	cmd.exe	33
PID 2956 wrote to memory of 2384	2956	cmd.exe	33
PID 2956 wrote to memory of 2384	2956	cmd.exe	33
PID 2956 wrote to memory of 2384	2956	cmd.exe	33
PID 2384 wrote to memory of 1032	2384	DllCommonsvc.exe	56
PID 2384 wrote to memory of 1032	2384	DllCommonsvc.exe	56
PID 2384 wrote to memory of 1032	2384	DllCommonsvc.exe	56
PID 2384 wrote to memory of 2256	2384	DllCommonsvc.exe	57
PID 2384 wrote to memory of 2256	2384	DllCommonsvc.exe	57
PID 2384 wrote to memory of 2256	2384	DllCommonsvc.exe	57
PID 2384 wrote to memory of 1196	2384	DllCommonsvc.exe	58
PID 2384 wrote to memory of 1196	2384	DllCommonsvc.exe	58
PID 2384 wrote to memory of 1196	2384	DllCommonsvc.exe	58
PID 2384 wrote to memory of 1188	2384	DllCommonsvc.exe	59
PID 2384 wrote to memory of 1188	2384	DllCommonsvc.exe	59
PID 2384 wrote to memory of 1188	2384	DllCommonsvc.exe	59
PID 2384 wrote to memory of 2964	2384	DllCommonsvc.exe	60
PID 2384 wrote to memory of 2964	2384	DllCommonsvc.exe	60
PID 2384 wrote to memory of 2964	2384	DllCommonsvc.exe	60
PID 2384 wrote to memory of 2860	2384	DllCommonsvc.exe	62
PID 2384 wrote to memory of 2860	2384	DllCommonsvc.exe	62
PID 2384 wrote to memory of 2860	2384	DllCommonsvc.exe	62
PID 2384 wrote to memory of 3000	2384	DllCommonsvc.exe	64
PID 2384 wrote to memory of 3000	2384	DllCommonsvc.exe	64
PID 2384 wrote to memory of 3000	2384	DllCommonsvc.exe	64
PID 2384 wrote to memory of 2952	2384	DllCommonsvc.exe	67
PID 2384 wrote to memory of 2952	2384	DllCommonsvc.exe	67
PID 2384 wrote to memory of 2952	2384	DllCommonsvc.exe	67
PID 2384 wrote to memory of 1432	2384	DllCommonsvc.exe	72
PID 2384 wrote to memory of 1432	2384	DllCommonsvc.exe	72
PID 2384 wrote to memory of 1432	2384	DllCommonsvc.exe	72
PID 1432 wrote to memory of 2292	1432	conhost.exe	74
PID 1432 wrote to memory of 2292	1432	conhost.exe	74
PID 1432 wrote to memory of 2292	1432	conhost.exe	74
PID 2292 wrote to memory of 840	2292	cmd.exe	76
PID 2292 wrote to memory of 840	2292	cmd.exe	76
PID 2292 wrote to memory of 840	2292	cmd.exe	76
PID 2292 wrote to memory of 1888	2292	cmd.exe	77
PID 2292 wrote to memory of 1888	2292	cmd.exe	77
PID 2292 wrote to memory of 1888	2292	cmd.exe	77
PID 1888 wrote to memory of 2752	1888	conhost.exe	78
PID 1888 wrote to memory of 2752	1888	conhost.exe	78
PID 1888 wrote to memory of 2752	1888	conhost.exe	78
PID 2752 wrote to memory of 1404	2752	cmd.exe	80
PID 2752 wrote to memory of 1404	2752	cmd.exe	80
PID 2752 wrote to memory of 1404	2752	cmd.exe	80
PID 2752 wrote to memory of 308	2752	cmd.exe	81
PID 2752 wrote to memory of 308	2752	cmd.exe	81
PID 2752 wrote to memory of 308	2752	cmd.exe	81
PID 308 wrote to memory of 1696	308	conhost.exe	82
PID 308 wrote to memory of 1696	308	conhost.exe	82
PID 308 wrote to memory of 1696	308	conhost.exe	82
PID 1696 wrote to memory of 2688	1696	cmd.exe	84
PID 1696 wrote to memory of 2688	1696	cmd.exe	84
PID 1696 wrote to memory of 2688	1696	cmd.exe	84
PID 1696 wrote to memory of 1524	1696	cmd.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8106be1f89ad8a8a500c42644a16ac3699e8d18093221c0826b31023844d6630.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8106be1f89ad8a8a500c42644a16ac3699e8d18093221c0826b31023844d6630.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1840
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2384
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\cs-CZ\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1432
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:840
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1404
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1696
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2688
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat"
        12⤵
        
        PID:664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:3068
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat"
        14⤵
        
        PID:892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:572
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
        16⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1008
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat"
        18⤵
        
        PID:2632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2108
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat"
        20⤵
        
        PID:1364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1900
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat"
        22⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2028
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2232
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat"
        24⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2680
        
        C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe
        
        "C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Common Files\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Common Files\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0016-0409-0000-0000000FF1CE}-C\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Windows\System32\cs-CZ\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\System32\cs-CZ\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Windows\System32\cs-CZ\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62b2d3877a06722013629628ae67e38e

SHA1
5afe4237c237ad124af92b9897352d8efd0ff7ca

SHA256
74cb479e3b6cd83f153b89708b6834e691be7595036c530ca0e121552ad9afac

SHA512
5b897ddb16653a498a0cc00d372ac939be0c261f27b8e5e44a29062f62af7595471df589b7909d44b942e3d8230225b162da632c80409d9a239b843311decdba

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec6dfac3391188055cb27f34d49d2b53

SHA1
48f322b417ab8705a61c5017393359f4cdecc300

SHA256
49bf6d08472daa1406013d076568ca8a31e939429ecf730917ce15b4c2b5a3bc

SHA512
6419ea365c904f1affa38f5b20fa627dbf5b392d90f9bdd9a349673a760eb2671d9813169cca1a065abdd3965fb56fb15df3cfe61fe586f1f02a324bfdacdadd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6a2000a999bd53401049110546a0e86c

SHA1
33bc94692d2416c3e3d2c79143d3d474b2130e45

SHA256
21d57e70e2dcc91fd82446df7214d266418b28febde81b4cc405bf40c90a4504

SHA512
005f91d5910f3e2bc62ff2b40fc6abac8f0ba711d7aa960589998e59cf816a28d103d43eb4f3dc78fdc6ab1dc9d0755300127860157a3c1158c426504f497075

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e552254160c60d5a40b9f7941b85ef1

SHA1
5a3987f059b30d3d035860893ba1bd9b13833678

SHA256
e00324bceb16a101a7a69a20dbcf1bac9c0ee235cc22a304ae0d7c366ce8a4b2

SHA512
d9e386eda5a41f1ed0b126fd8f4cffd30bb5a08a564d6550cbb74cd8cfdace3b899f506abfb4af6c1f0b5223508d554323a224a4a189c90d7c298b2129677ab2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1b410e4f104918a3025e46fd62ebf53

SHA1
6bd3263895a11e6c12d3c3b83b93a5fa380eab44

SHA256
b59dd6aef26bfb0e1da82440301ce252b0a5763cdae1f0807b40e4b78e84382f

SHA512
d1f5896f7f70f611c8e67e2809f07c27d52cdfec086a368881e3728b65c985e14be3838c4aa48af9dead16ef9704e13f29d2f9d7ac38c95637f11a00c7b9b424

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f39f7e7b0f385896362131ede2122273

SHA1
005972ec412c3856ceece84ec8586fe8f85b1540

SHA256
c1a0b1da6ddd7cbf3f24f1c01f1f3de00fe10b9009da77dbbd3d4406fd523574

SHA512
2c33eca808e7d47b721cc68881638ac0f115ee6494a46abc82f8201f52c351ca4c1e78c4cbb9fc2e9b3536f7119ab7b3992e222e901ac5356c1bc534f187ab56

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
22d5859a1836329f95e605b9ed36c878

SHA1
809b486181ad246902cf51311fdce1fd1d56bb89

SHA256
44e63b40379ca5cc6a9e5ad7152f042071b1586388803b86d23341475a38eecd

SHA512
2eba49626ab85b95e022b7d939aaaee7a417f1d69934552758e09d7f107dafeadb6a035641638e7456dbd7e229ccec668a4784347024e2d9f7e7bf3a1e330535

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c6942a0f4a3638bab1f2c1cae48718d

SHA1
95cff6be442dfb94ad426024bf062b977cb9a12e

SHA256
b231480c8d80424bf5bad57bfa70493455b753f9cbde4d8e3d372525bea78436

SHA512
b2e7ecc00568c996b32a28b8f5ccfd90f77c1c87da512901ba198cd511aba6d823104968d2a7bd183179a830359253189586d759675a0dfd5459b452d03a33de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c605318f1b73d9ed3e3035fc5e6a31fa

SHA1
4d543ea2216cd7b19c32cbba3fbb48b990ab6bc3

SHA256
7dc938e60c4a1d9ea728ac38099ef9a080d5c742aafff6b4bfb19655f6a5d47a

SHA512
2c52ec12daaa882311987517e83a52622078cf57cd10c3dd8d992fe0ed7d888d45557233b068a0adf9eb30e04bc8dcf1835c71fbf3e7339f129a16e56ff0bae1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2Odt5WJZ2f.bat

Filesize
239B

MD5
f662f35219fc7ae620fc857cfc04cde9

SHA1
bd333701572b93c8192da000d2074ab5b6c1f321

SHA256
4ced2b135ddb5772e963fb86007d33f097aee3c5276320266db9c55d1530304f

SHA512
1041aa8d401085689672ded7e0f632a07f2ae376bb7077d06afa4b0e2622c0937332ae77ff45e1e0f7d67ad7bad5db83caba6a559d1e1613b7b64c4b518c7fc9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEF50.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DiMaLaQqUm.bat

Filesize
239B

MD5
d47fe5c96a42bfcacdfd578fa69ebbb9

SHA1
dca051cdc0ef77527ca80ecf9cc0c229b687ce08

SHA256
374e04353857fd5c5ff3e3dbe59d59e85b6409165c2003b81814874eb313253a

SHA512
cd58b95990d66103b12ec3072d92f8694127f0e78b3d60f665c2ba371e6ec7a002da7b800cfd1009bf59ca288b5ff4a9e69670a40e287adae28db9f401237f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEF63.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat

Filesize
239B

MD5
41768f1dc22ba0b134d5efbe86f5617e

SHA1
1e40a1c61320310376936bf92dcb27a44c2fa6ee

SHA256
cd2719f07be913afce38b67545a77f81ee49ad310fa2dfb67e920f94bbafe13d

SHA512
072e73028e47eec488a2fa72a77e7d410a8e6f9f3ff0a4be743e7653c3af37a29370ae109410692911dbfbeb2cedfe2158610b447f5c45862dfd2a04929e6e3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys2Wc5gw2w.bat

Filesize
239B

MD5
ddf6257cfdc35a6b1bcc87be27999d7f

SHA1
5ca0d6d63fea8ec716458fa12e6b32cede418239

SHA256
06e9dd45ae4c2d19c51591326fa0a546b75ea1f0fe7ef747d43bc194eebeaf03

SHA512
b7402df3ec1e2f23368193b80c25cdc6563ac28f57b9a917670949f26533942d90fdf85df2faba02eef62271fe83c1e9f335abe4c15624c61998daef2879806b

Download Submit
C:\Users\Admin\AppData\Local\Temp\bhowVEGEG8.bat

Filesize
239B

MD5
46b0b7574eab4d3f51fca680ebbc3e23

SHA1
f81916b7676b95642d92b758c4b1e6df87275205

SHA256
32bc1073492e262fbb86b790b3032def072ccec40add5af3feb0eaca2df60dcb

SHA512
97062e05f121f987b284ed032b0e003d07bf0240e3fae62a6b74d9b90b0be6b4493eb1063a73dd38d70b3f42c6032372d3296bd9bec4345274c30faec2607c91

Download Submit
C:\Users\Admin\AppData\Local\Temp\lE88gYdR15.bat

Filesize
239B

MD5
2c2dbcfc45445c4909beaa74b62ebc62

SHA1
8f74994c5b4886e9e360113b8ff5a85c536c5f84

SHA256
569bdf65632bbeb44278db118545936a9cd984a5fba1c8dcbc4b9e72f3584df1

SHA512
c33db96622d6f3edb3e8f5ac57073ffc1816b7979dc2a68c59a4aed3b1fc926023c85fc89fccc2c9cba2cdcaf5a1ac62496355bbbfc52307f9b52344b7b03204

Download Submit
C:\Users\Admin\AppData\Local\Temp\mylROGge0S.bat

Filesize
239B

MD5
d8127157984aa859139d86cec16f2e52

SHA1
4f874656c10230b207eabde1fddcef5a59211a75

SHA256
f1bf2ece5242cdea7fe4a4cd80b1d6607b6ea3e379b390e3f8ac67c5ba595034

SHA512
25db4dddcb23ceb20cd98f1d1f2937ccc40beb893c14f837f5dac4505065c25a55c5364df1a1139ffdb9044f9ba16666790207d5e023c7373cfa17e7c5c96a8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\u02VouYs0z.bat

Filesize
239B

MD5
92348362b40e43af537ad7e0d35d67cd

SHA1
0db78fa7c5b0aab696c63e5a21287ad14fa4a3bb

SHA256
254b243c0f892ab78768823aee5e3d292eb1e00959644252f58454a77186a834

SHA512
25bc7a153b19535d30aa23b9d5a98f381a4c6f7a471b83f54f57981a399fa765f682944e9cfbfe0feb34fa3b871bead3ff15ffa5ee32f7cbc6587a6228622c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\uruRJY5g5x.bat

Filesize
239B

MD5
42ffac89d4776c72b3d2ee30ecb6c209

SHA1
95be1d6767216d5f97976a341cad817d223b4828

SHA256
4706688fd6b7535496959ef373ac2519ca3c389c7149ac770bcc2a04c0ebb0fd

SHA512
43918a846ff8411708a73e1cb3774671dcd7071f03c6380977b698f9e0eed3cabfd427bcb364763d168b548a5a7309b7d43e040520a2be86030cf3c1186f2160

Download Submit
C:\Users\Admin\AppData\Local\Temp\vF7CrwxjwX.bat

Filesize
239B

MD5
b23cdffce15cd507fd400871ca035233

SHA1
f296f2055e0617818db46692747c18403deb2eb7

SHA256
fd1c0cdbd0769a857b5a811e139633157ddda9da9ef781b550ff050c369c8947

SHA512
604396bdb54a0f5a7d885241b376a43352f6fd9667abcacb57685522ba7a77d03486e5232891e443ea89416c6c090dfa10187635e2debab47c5aa8f7106ebeda

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
6cafbcfa42432146945d80acb87a9ace

SHA1
080baa3a4b5a67bcaf028e6e64f1c3dc1e72987f

SHA256
caa61d00e7d9faaef04db10de1c75b032010633397a6cada354692ebaf4be3b4

SHA512
ed678b6523e023ead568d7ec14c01b26528026a39bb1fb4219b38313d7c952ae35f8209a7e219987dcadbd5afa2522a2b32a98008fc6f03dfdde9893ddaf100e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/308-198-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/1136-675-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

Filesize
1.1MB

Download
memory/1136-676-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/1432-38-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/1624-435-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/1888-138-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/2056-554-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2232-614-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2232-615-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2384-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2384-13-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2384-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2384-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2384-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2964-64-0x0000000001D30000-0x0000000001D38000-memory.dmp

Filesize
32KB

Download
memory/2964-59-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download