dcrat | 72cb8d8f3abdb6df232526e8c6703867758ee9870e4e7112367126262e64a5a2

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_72cb8d8f3abdb6df232526e8c6703867758ee9870e4e7112367126262e64a5a2.exe
Size

1.3MB
MD5

06ef314529a010360831031024a37a6d
SHA1

e4c179957c01b702f2bc303b5d87d9c1d028f3ff
SHA256

72cb8d8f3abdb6df232526e8c6703867758ee9870e4e7112367126262e64a5a2
SHA512

978a64f8a621e96c766abfa9f4add9fe0b5b3ae7c90a51f3593e58614ba7f4fa654fbd4c36302f397e300cdeb2e77964e25bc14735f888ca542a373b5eeee7d1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2688	schtasks.exe	32
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2688	schtasks.exe	32

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c73-9.dat	dcrat
behavioral1/memory/2948-13-0x0000000000B10000-0x0000000000C20000-memory.dmp	dcrat
behavioral1/memory/1000-50-0x0000000000980000-0x0000000000A90000-memory.dmp	dcrat
behavioral1/memory/2636-138-0x0000000001110000-0x0000000001220000-memory.dmp	dcrat
behavioral1/memory/2752-494-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2780-554-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/1688-614-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2872-675-0x0000000000EC0000-0x0000000000FD0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2036	powershell.exe
2292	powershell.exe
2024	powershell.exe
2396	powershell.exe
1704	powershell.exe
1632	powershell.exe
1968	powershell.exe
1600	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2948	DllCommonsvc.exe
1000	spoolsv.exe
2636	spoolsv.exe
912	spoolsv.exe
2164	spoolsv.exe
1648	spoolsv.exe
1532	spoolsv.exe
1736	spoolsv.exe
2752	spoolsv.exe
2780	spoolsv.exe
1688	spoolsv.exe
2872	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2296	cmd.exe
2296	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
12	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
40	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\a76d7bf15d8370	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\088424020bedd6	DllCommonsvc.exe
File created	C:\Windows\es-ES\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\es-ES\conhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_72cb8d8f3abdb6df232526e8c6703867758ee9870e4e7112367126262e64a5a2.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2512	schtasks.exe
1792	schtasks.exe
2636	schtasks.exe
2668	schtasks.exe
2972	schtasks.exe
1296	schtasks.exe
648	schtasks.exe
2316	schtasks.exe
1364	schtasks.exe
3036	schtasks.exe
2748	schtasks.exe
2628	schtasks.exe
2532	schtasks.exe
2828	schtasks.exe
3044	schtasks.exe
2616	schtasks.exe
2648	schtasks.exe
1432	schtasks.exe
1652	schtasks.exe
1436	schtasks.exe
2400	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2948	DllCommonsvc.exe
2036	powershell.exe
1600	powershell.exe
1968	powershell.exe
1632	powershell.exe
2396	powershell.exe
1704	powershell.exe
2024	powershell.exe
2292	powershell.exe
1000	spoolsv.exe
2636	spoolsv.exe
912	spoolsv.exe
2164	spoolsv.exe
1648	spoolsv.exe
1532	spoolsv.exe
1736	spoolsv.exe
2752	spoolsv.exe
2780	spoolsv.exe
1688	spoolsv.exe
2872	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2948	DllCommonsvc.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	2396	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1000	spoolsv.exe
Token: SeDebugPrivilege	2636	spoolsv.exe
Token: SeDebugPrivilege	912	spoolsv.exe
Token: SeDebugPrivilege	2164	spoolsv.exe
Token: SeDebugPrivilege	1648	spoolsv.exe
Token: SeDebugPrivilege	1532	spoolsv.exe
Token: SeDebugPrivilege	1736	spoolsv.exe
Token: SeDebugPrivilege	2752	spoolsv.exe
Token: SeDebugPrivilege	2780	spoolsv.exe
Token: SeDebugPrivilege	1688	spoolsv.exe
Token: SeDebugPrivilege	2872	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1032 wrote to memory of 2052	1032	JaffaCakes118_72cb8d8f3abdb6df232526e8c6703867758ee9870e4e7112367126262e64a5a2.exe	28
PID 1032 wrote to memory of 2052	1032	JaffaCakes118_72cb8d8f3abdb6df232526e8c6703867758ee9870e4e7112367126262e64a5a2.exe	28
PID 1032 wrote to memory of 2052	1032	JaffaCakes118_72cb8d8f3abdb6df232526e8c6703867758ee9870e4e7112367126262e64a5a2.exe	28
PID 1032 wrote to memory of 2052	1032	JaffaCakes118_72cb8d8f3abdb6df232526e8c6703867758ee9870e4e7112367126262e64a5a2.exe	28
PID 2052 wrote to memory of 2296	2052	WScript.exe	29
PID 2052 wrote to memory of 2296	2052	WScript.exe	29
PID 2052 wrote to memory of 2296	2052	WScript.exe	29
PID 2052 wrote to memory of 2296	2052	WScript.exe	29
PID 2296 wrote to memory of 2948	2296	cmd.exe	31
PID 2296 wrote to memory of 2948	2296	cmd.exe	31
PID 2296 wrote to memory of 2948	2296	cmd.exe	31
PID 2296 wrote to memory of 2948	2296	cmd.exe	31
PID 2948 wrote to memory of 2024	2948	DllCommonsvc.exe	54
PID 2948 wrote to memory of 2024	2948	DllCommonsvc.exe	54
PID 2948 wrote to memory of 2024	2948	DllCommonsvc.exe	54
PID 2948 wrote to memory of 2396	2948	DllCommonsvc.exe	55
PID 2948 wrote to memory of 2396	2948	DllCommonsvc.exe	55
PID 2948 wrote to memory of 2396	2948	DllCommonsvc.exe	55
PID 2948 wrote to memory of 1704	2948	DllCommonsvc.exe	56
PID 2948 wrote to memory of 1704	2948	DllCommonsvc.exe	56
PID 2948 wrote to memory of 1704	2948	DllCommonsvc.exe	56
PID 2948 wrote to memory of 1632	2948	DllCommonsvc.exe	57
PID 2948 wrote to memory of 1632	2948	DllCommonsvc.exe	57
PID 2948 wrote to memory of 1632	2948	DllCommonsvc.exe	57
PID 2948 wrote to memory of 2292	2948	DllCommonsvc.exe	58
PID 2948 wrote to memory of 2292	2948	DllCommonsvc.exe	58
PID 2948 wrote to memory of 2292	2948	DllCommonsvc.exe	58
PID 2948 wrote to memory of 2036	2948	DllCommonsvc.exe	59
PID 2948 wrote to memory of 2036	2948	DllCommonsvc.exe	59
PID 2948 wrote to memory of 2036	2948	DllCommonsvc.exe	59
PID 2948 wrote to memory of 1600	2948	DllCommonsvc.exe	60
PID 2948 wrote to memory of 1600	2948	DllCommonsvc.exe	60
PID 2948 wrote to memory of 1600	2948	DllCommonsvc.exe	60
PID 2948 wrote to memory of 1968	2948	DllCommonsvc.exe	61
PID 2948 wrote to memory of 1968	2948	DllCommonsvc.exe	61
PID 2948 wrote to memory of 1968	2948	DllCommonsvc.exe	61
PID 2948 wrote to memory of 1000	2948	DllCommonsvc.exe	70
PID 2948 wrote to memory of 1000	2948	DllCommonsvc.exe	70
PID 2948 wrote to memory of 1000	2948	DllCommonsvc.exe	70
PID 1000 wrote to memory of 2544	1000	spoolsv.exe	71
PID 1000 wrote to memory of 2544	1000	spoolsv.exe	71
PID 1000 wrote to memory of 2544	1000	spoolsv.exe	71
PID 2544 wrote to memory of 2696	2544	cmd.exe	73
PID 2544 wrote to memory of 2696	2544	cmd.exe	73
PID 2544 wrote to memory of 2696	2544	cmd.exe	73
PID 2544 wrote to memory of 2636	2544	cmd.exe	74
PID 2544 wrote to memory of 2636	2544	cmd.exe	74
PID 2544 wrote to memory of 2636	2544	cmd.exe	74
PID 2636 wrote to memory of 2932	2636	spoolsv.exe	77
PID 2636 wrote to memory of 2932	2636	spoolsv.exe	77
PID 2636 wrote to memory of 2932	2636	spoolsv.exe	77
PID 2932 wrote to memory of 1560	2932	cmd.exe	79
PID 2932 wrote to memory of 1560	2932	cmd.exe	79
PID 2932 wrote to memory of 1560	2932	cmd.exe	79
PID 2932 wrote to memory of 912	2932	cmd.exe	80
PID 2932 wrote to memory of 912	2932	cmd.exe	80
PID 2932 wrote to memory of 912	2932	cmd.exe	80
PID 912 wrote to memory of 1100	912	spoolsv.exe	81
PID 912 wrote to memory of 1100	912	spoolsv.exe	81
PID 912 wrote to memory of 1100	912	spoolsv.exe	81
PID 1100 wrote to memory of 2332	1100	cmd.exe	83
PID 1100 wrote to memory of 2332	1100	cmd.exe	83
PID 1100 wrote to memory of 2332	1100	cmd.exe	83
PID 1100 wrote to memory of 2164	1100	cmd.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72cb8d8f3abdb6df232526e8c6703867758ee9870e4e7112367126262e64a5a2.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_72cb8d8f3abdb6df232526e8c6703867758ee9870e4e7112367126262e64a5a2.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1032
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2052
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2296
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\SendTo\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Contacts\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1000
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2544
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2696
        
        C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2636
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1560
        
        C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:1100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2332
        
        C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat"
        12⤵
        
        PID:2760
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2528
        
        C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat"
        14⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:3056
        
        C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat"
        16⤵
        
        PID:2824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:540
        
        C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat"
        18⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2456
        
        C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat"
        20⤵
        
        PID:640
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1384
        
        C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        22⤵
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2868
        
        C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat"
        24⤵
        
        PID:1512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1692
        
        C:\Users\Admin\Contacts\spoolsv.exe
        
        "C:\Users\Admin\Contacts\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat"
        26⤵
        
        PID:2108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\SendTo\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Portable Devices\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\Proof.fr\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Contacts\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
685178fc06766e952801daa2ff3858f4

SHA1
fc029a5880028cb15d37b779e8b42e40482dba58

SHA256
a3b8df3dc450a7d216d80b5e06e2f3f5813084ee20339f50dc5bb17486924661

SHA512
b673bb05f0d2217cd7a3610351db7fe7dea72ce40ce9bc60a9c606f5e5762df92ab20b874ce3d8ef90d75ff2dc7b9428cef43e5a34e03805c1730a6c2470ea3b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b25a98297508ff21d29d2762b84497f0

SHA1
726131cbbde579fcd40fba290425d57195ad4241

SHA256
e21e556761c94ae096becd2a5f4c6993afdc6a28f261ed0d61898019de5d60de

SHA512
bce30d22863e0b4496ecb1ce8079660f49948bac861d89ac397cdf94fb581515fa93ae872b22cc36e52d5eecb765871e81e4078a94128f3980ad12b032a9b09a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8eaf49cb4e3176390a5bbb6b0b64804c

SHA1
7eecbeb71c6d28b569228c4b5ec0dd7c34e86ba2

SHA256
0bcfbb24dbe07571c8b78a6f7eb1724f2fae0be2d082b3a9adeda52f34eff151

SHA512
4e96b4c085f8dd744188dadd63ef11e90537912bded2ea360c3e906acae19651df6ee039003592c5bb10b351be5cdaef7c9fdb75d2e4acdd17bc7e80e1350796

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a90461d0100e5bcfaadf2f689c52d1dd

SHA1
2df29905a92132fdd769d5db3cb59676d5c5f55a

SHA256
582ad7d496b8527bec4f0a7c52914be9d4de35c05d0f1ce844f6283672ff2d2d

SHA512
98556dd6c4a09b7005c48e3ff811f75b4c0d3ef1167ffce7324ba0740102751e0e101dce197c3f85e160f6c8cc1d71fd5ec40b93b5657160f5bb3db938557244

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e29c34916895e0328f329e11c3bb3557

SHA1
64020d0ca46a964d7fc965946e2cf9339deb2209

SHA256
9d01a2af5068ad0033eeeb2504893ce69b2185460383b759f894e3ee74fad987

SHA512
0e31c8cd2c2c5da8041823001f156b6d37951cb4ed07c1cb19aa69598a24dd60beb8e7abfd1cf4bb96b2be39505097e50146a4b0621394a42d3127169e40b396

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
826eff310fb71b07f82568e348c6932a

SHA1
05981bbfbd4420854d3237a767ccb886fc491094

SHA256
a1cfb0be8fbfd2d36f4086689675c1526bf03b670510a8338704615b043cbfc8

SHA512
f41e1ce384895aaef89d49237ca2efd051303e3f8335880401dd2bd184a83632ed4c63ee6f904de54dde5a5f9513348e258568d07f467d02b2fd10ebc63f9bb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c59fde2791c440622635c38f821bc626

SHA1
0ea9376d569863e4756ae811fade04a467e2e712

SHA256
a430484c22a021591cdcabb0fa6b6a2dce2a3fb700317be4454b412d767bcc3e

SHA512
20b2eed9be5ae57270e6680e46f238d108868c71aa359ac418117d57cc992b9157ffecfc769c7c1ad4eb5b7d2fde7e12538fb6536f1f01a16197662a2ae3a425

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76f2b412706f27decc8c3d023892af68

SHA1
d7f1f2361612e247afaaad67550302358e212e48

SHA256
c73c74f5f4dedcb0878429dba1eede31a0bb50339202a9c66138c0274992bc6d

SHA512
ff7124723ee9de95803d342185240f049f8c6d5e4a77db92ac00d6e0d9d80a05c31d4c8e365e3a168c1975443e417aff2ec3782f048ca7585178dc7de0e12f82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad8671e31165178f586f5624a4627aa2

SHA1
f0f12e5b9eb223c567e8aa45beebb8bca5f6a724

SHA256
db22d78559f69ba03bdc1be98740b681993f060441319fbd4005755a50d3a0f6

SHA512
2ff588aeecdd8ffa8e64ee3a4843b83c1a7f3282ab54fd206b7d50bb7739e68dd3a67eaf731b152c7004d3ae460177f540da81487daf830090e9f4201d064b54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4925e8ccb48d5d4db642f3bfe16ea339

SHA1
fa070048bfd2c0a01dae6c4716d4b38bf293e558

SHA256
9b50a35007f129312d2fb51f7ded327f8a94857e0e6c1396c4ad076c84a7b15d

SHA512
fbd153f3e9f8d24de8d36e4d18e9fe6620ed760c77e3b8b1e40f8d0d41cae27199af0b5af89b99034a1ae279e51d9023d240b5c506cec078c55ec137fa697038

Download Submit
C:\Users\Admin\AppData\Local\Temp\60iZj2KDpL.bat

Filesize
200B

MD5
494e9e016fc3899f01994a040b08ab17

SHA1
bdea8a27adf7be86da7e4ee6c8fbea26c171b373

SHA256
b48f172e339a1a15219aef391cababb6db76ef394d61a51c032b59fbe7964802

SHA512
8f349009477366167b203a437e9b6a06dcf70fb5ca320ec90694a02d4d3ab6a6b72202b756a817477bffa23fc3d212748bbcd685d1a3478cad8a7d77a13b1db0

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabAA84.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\M53DwaTFc6.bat

Filesize
200B

MD5
aecc4008c9a733ecfe2307d8e3147bb7

SHA1
e887870330c82828d523efd0d698fafd97dc62b9

SHA256
beb9b384bff16776df72517fe003f39a5080926806d2686c8aaac8e9e0f787fd

SHA512
6b302821d58018bb56c53114c5864f616881946e38d0ca35d4d5197fe851a1dc1f2f69a852a114d4b12e1beb9fc2fbc78b27e787da4c368d63d9193cafabd35c

Download Submit
C:\Users\Admin\AppData\Local\Temp\OWdtHMBUzi.bat

Filesize
200B

MD5
88a6f60c72bfff2993e6661da77c5aa5

SHA1
2ac475950e82b04a6be9d448af3a082e5e947f06

SHA256
2ceee724aec779583c64689397b0683691f8c7474c6a2c086a427b4bd6917bd4

SHA512
6865afa5ac873de690502264369e4c70a1d2d6393e4da69708e243f8f4a5860aa0ee18d5ed4c6d06fb9db81d09fd32c54d7ebdadf4cec4a534f5a5f37f95e809

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarAAA6.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UxOjVeUiuv.bat

Filesize
200B

MD5
a0f49129e3c024ce247a952d576f6b94

SHA1
59000085608abf92197d895992871dade2fbd701

SHA256
0b86999019025b1d40388ae5c29a90cf1bc7376b9f9a2b658324059b96496157

SHA512
df48055686af893d1f7831544f8107075ddd1c401ed65d8d83c7f662aff495f3b3a24f8c36b8657f7533f8cf1699c9ca96047fae04388d16b59a003f7a65d54e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WLCDTNV5Zk.bat

Filesize
200B

MD5
58cb9a09fadd97f4808fe4be7b28ada5

SHA1
a1dae025d8544121e6d6644d70fb46f1527c5d5e

SHA256
300ced4e48085887fa8e09e96009802e1769a3b537285aafad94f458e10651d4

SHA512
c73e5f26d7b14083a6ddc857c7df76eadd3553802d926677d5a5c12dbc65f7ddcf160d49bd99607264dadc2bed9c3e7a0a4fca76b07eeb26cd92dfdb0784037e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ww6iFNwlpp.bat

Filesize
200B

MD5
69048163de6e45fed143ef07647fd0e7

SHA1
48e0a6dcdb680eb0c59d4382742a911cff7a1c95

SHA256
e2edcaa2145c7f7a63582e970b893ba2cbe1608c6ba4e6a403ee7c341fd4fc2d

SHA512
ca049c95846b53b4a6c37e437cb59c0d6aac706d199bae467cc539f47fed75de7d9955b2a1560daec796856c5387a41ef6bdd7c05c3175920715ed762c7c1d8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
200B

MD5
067d86a63292fc390a6b26cbd75aeb30

SHA1
615a57ec456ca4eb937edb123e1df547c304894e

SHA256
b36acdeadf1a7188707eb43f8e7123b532ba571490d4aabb80da46ca1fd6b76b

SHA512
224c5ee2dc19ac046da2d97664e93944a6681bebc6f6e837ed767a3b14c6095d0f3d74fc84ae221b821c9b43c03e3fd29a33da0d81db55f2adcecfad4547d422

Download Submit
C:\Users\Admin\AppData\Local\Temp\i0MStmnXAe.bat

Filesize
200B

MD5
e84241ef1169066f3275ccae81b7a833

SHA1
ace42966a6988a00760a1188e7d29613c0afaf7c

SHA256
3ba544fe558e500defb8cba262fcf527790e1a0c4b56b558093b51dc64b16e93

SHA512
d7a84d4cc9da651e0492abc0c0fc636a41be7972a964aa373e7ce69c5b4b882a3f8372e65abe42afbebaee74cdd9be31ed79fc169035df9a0bfb06c7425b06d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\iRE9Vp3kbL.bat

Filesize
200B

MD5
a1ee179aecc58f97128ab8ab4145f780

SHA1
a326e4d3a69e70a6ed3ab4d0fea94c07944f002f

SHA256
7c8f53bde03b3f6110f82ba7e67c61027fab94ee44df805a78cb31fa89ba11a8

SHA512
9ac3fa1b76b58734c08572d457b9fbe20f226ed86a0a5cb9d9ea1f00e1ebcbf7769c08dce8f19ec6518be64bda51a37cea4a9ad01b59c5e74519c9c7852be15d

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat

Filesize
200B

MD5
b328524325e438b31de8276eaac8987c

SHA1
6b5e23e0332990262ddd749954f8f1939dbe9d5c

SHA256
25034d064e5c9c6c9c671e63eca267382289ba522645fa86d5b8bcdf12662c2d

SHA512
73ede89daf24c41c47d5766f563d367322cd2ddc268f7cf241cf3a061e4588a086b46aaa701392e0f0b963d793623a6d6f391478c86ab5cfd0c2b99bae4babc1

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkmftNZ3Wr.bat

Filesize
200B

MD5
37120acfc79936c55a7b0c5660ba922b

SHA1
65cebb14bfa98262a26b152792f9eea51ef817d2

SHA256
605049550d431f34b412b78c3382f292e308ecab866d99c90c3a2eda1d882860

SHA512
0b501997823b49561af2c54bb4b364d4543df8d81e61d38ff920ef4e20ce01209e8d74873dc0f7c0b638d679695ffae4f0b80120d0c44045d541d59472eb0007

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
319b55527c0ea7f26629eb5e14290487

SHA1
60e35fec7e70dcdb7c349bf5c278f3f7a3e3c8b6

SHA256
9daa0cf17b4699fcc57be42dc93b78525e671ac2a61e3a8db30b114f6baac2eb

SHA512
913f83e41fb96301c28f29f952f97982536e549246873ee52be1a9fe32e3f7099e93664b2677879373eeebc7e03b33141558296b26140dd95919d97908a3a9ef

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1000-50-0x0000000000980000-0x0000000000A90000-memory.dmp

Filesize
1.1MB

Download
memory/1688-615-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/1688-614-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2036-44-0x0000000002810000-0x0000000002818000-memory.dmp

Filesize
32KB

Download
memory/2036-43-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2164-257-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2636-138-0x0000000001110000-0x0000000001220000-memory.dmp

Filesize
1.1MB

Download
memory/2752-494-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2780-554-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2872-675-0x0000000000EC0000-0x0000000000FD0000-memory.dmp

Filesize
1.1MB

Download
memory/2948-17-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2948-16-0x0000000000350000-0x000000000035C000-memory.dmp

Filesize
48KB

Download
memory/2948-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2948-14-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2948-13-0x0000000000B10000-0x0000000000C20000-memory.dmp

Filesize
1.1MB

Download