dcrat | 86de3eaf59943a4912962536c0638c0570871bfbc273445a45c7ef0c8cc0c170

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_86de3eaf59943a4912962536c0638c0570871bfbc273445a45c7ef0c8cc0c170.exe
Size

1.3MB
MD5

696825cd26f51941a7ede521adfa1287
SHA1

46a64b14f4570aa17c301e4cacf1b3f49a1f6a4b
SHA256

86de3eaf59943a4912962536c0638c0570871bfbc273445a45c7ef0c8cc0c170
SHA512

beb6204a581800ae06574f0682edff36b00f60c8db0f13ed59bbc9d8f35f8a544bef82e924a3ff2280570f267e8cabe07d62b44bd72d3fef7e5439f3568f43b9
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 21 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2724	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1152	2800	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2800	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016cc9-9.dat	dcrat
behavioral1/memory/2112-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp	dcrat
behavioral1/memory/2148-80-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/928-139-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat
behavioral1/memory/1572-258-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2468-318-0x0000000000A50000-0x0000000000B60000-memory.dmp	dcrat
behavioral1/memory/1780-379-0x0000000000F60000-0x0000000001070000-memory.dmp	dcrat
behavioral1/memory/2912-439-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2448-500-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/1764-620-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/2332-680-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 8 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1952	powershell.exe
2188	powershell.exe
2372	powershell.exe
296	powershell.exe
1804	powershell.exe
2764	powershell.exe
2256	powershell.exe
1692	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2112	DllCommonsvc.exe
2148	dllhost.exe
928	dllhost.exe
1360	dllhost.exe
1572	dllhost.exe
2468	dllhost.exe
1780	dllhost.exe
2912	dllhost.exe
2448	dllhost.exe
1608	dllhost.exe
1764	dllhost.exe
2332	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
848	cmd.exe
848	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
5	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\Lang\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\101b941d020240	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\PLA\System\dwm.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\PLA\System\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\System\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Windows\ja-JP\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\ja-JP\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_86de3eaf59943a4912962536c0638c0570871bfbc273445a45c7ef0c8cc0c170.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 21 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3044	schtasks.exe
1696	schtasks.exe
1652	schtasks.exe
3008	schtasks.exe
3068	schtasks.exe
2844	schtasks.exe
2672	schtasks.exe
2720	schtasks.exe
2580	schtasks.exe
1284	schtasks.exe
2872	schtasks.exe
2040	schtasks.exe
1152	schtasks.exe
2984	schtasks.exe
2140	schtasks.exe
2724	schtasks.exe
2756	schtasks.exe
2076	schtasks.exe
2732	schtasks.exe
2516	schtasks.exe
2144	schtasks.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2112	DllCommonsvc.exe
1804	powershell.exe
2764	powershell.exe
2188	powershell.exe
2256	powershell.exe
1692	powershell.exe
296	powershell.exe
1952	powershell.exe
2372	powershell.exe
2148	dllhost.exe
928	dllhost.exe
1360	dllhost.exe
1572	dllhost.exe
2468	dllhost.exe
1780	dllhost.exe
2912	dllhost.exe
2448	dllhost.exe
1608	dllhost.exe
1764	dllhost.exe
2332	dllhost.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	2112	DllCommonsvc.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2764	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	1952	powershell.exe
Token: SeDebugPrivilege	296	powershell.exe
Token: SeDebugPrivilege	2372	powershell.exe
Token: SeDebugPrivilege	2148	dllhost.exe
Token: SeDebugPrivilege	928	dllhost.exe
Token: SeDebugPrivilege	1360	dllhost.exe
Token: SeDebugPrivilege	1572	dllhost.exe
Token: SeDebugPrivilege	2468	dllhost.exe
Token: SeDebugPrivilege	1780	dllhost.exe
Token: SeDebugPrivilege	2912	dllhost.exe
Token: SeDebugPrivilege	2448	dllhost.exe
Token: SeDebugPrivilege	1608	dllhost.exe
Token: SeDebugPrivilege	1764	dllhost.exe
Token: SeDebugPrivilege	2332	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2500 wrote to memory of 2156	2500	JaffaCakes118_86de3eaf59943a4912962536c0638c0570871bfbc273445a45c7ef0c8cc0c170.exe	30
PID 2500 wrote to memory of 2156	2500	JaffaCakes118_86de3eaf59943a4912962536c0638c0570871bfbc273445a45c7ef0c8cc0c170.exe	30
PID 2500 wrote to memory of 2156	2500	JaffaCakes118_86de3eaf59943a4912962536c0638c0570871bfbc273445a45c7ef0c8cc0c170.exe	30
PID 2500 wrote to memory of 2156	2500	JaffaCakes118_86de3eaf59943a4912962536c0638c0570871bfbc273445a45c7ef0c8cc0c170.exe	30
PID 2156 wrote to memory of 848	2156	WScript.exe	31
PID 2156 wrote to memory of 848	2156	WScript.exe	31
PID 2156 wrote to memory of 848	2156	WScript.exe	31
PID 2156 wrote to memory of 848	2156	WScript.exe	31
PID 848 wrote to memory of 2112	848	cmd.exe	33
PID 848 wrote to memory of 2112	848	cmd.exe	33
PID 848 wrote to memory of 2112	848	cmd.exe	33
PID 848 wrote to memory of 2112	848	cmd.exe	33
PID 2112 wrote to memory of 1804	2112	DllCommonsvc.exe	56
PID 2112 wrote to memory of 1804	2112	DllCommonsvc.exe	56
PID 2112 wrote to memory of 1804	2112	DllCommonsvc.exe	56
PID 2112 wrote to memory of 2764	2112	DllCommonsvc.exe	57
PID 2112 wrote to memory of 2764	2112	DllCommonsvc.exe	57
PID 2112 wrote to memory of 2764	2112	DllCommonsvc.exe	57
PID 2112 wrote to memory of 2256	2112	DllCommonsvc.exe	58
PID 2112 wrote to memory of 2256	2112	DllCommonsvc.exe	58
PID 2112 wrote to memory of 2256	2112	DllCommonsvc.exe	58
PID 2112 wrote to memory of 1692	2112	DllCommonsvc.exe	59
PID 2112 wrote to memory of 1692	2112	DllCommonsvc.exe	59
PID 2112 wrote to memory of 1692	2112	DllCommonsvc.exe	59
PID 2112 wrote to memory of 1952	2112	DllCommonsvc.exe	60
PID 2112 wrote to memory of 1952	2112	DllCommonsvc.exe	60
PID 2112 wrote to memory of 1952	2112	DllCommonsvc.exe	60
PID 2112 wrote to memory of 2188	2112	DllCommonsvc.exe	61
PID 2112 wrote to memory of 2188	2112	DllCommonsvc.exe	61
PID 2112 wrote to memory of 2188	2112	DllCommonsvc.exe	61
PID 2112 wrote to memory of 2372	2112	DllCommonsvc.exe	62
PID 2112 wrote to memory of 2372	2112	DllCommonsvc.exe	62
PID 2112 wrote to memory of 2372	2112	DllCommonsvc.exe	62
PID 2112 wrote to memory of 296	2112	DllCommonsvc.exe	63
PID 2112 wrote to memory of 296	2112	DllCommonsvc.exe	63
PID 2112 wrote to memory of 296	2112	DllCommonsvc.exe	63
PID 2112 wrote to memory of 2384	2112	DllCommonsvc.exe	68
PID 2112 wrote to memory of 2384	2112	DllCommonsvc.exe	68
PID 2112 wrote to memory of 2384	2112	DllCommonsvc.exe	68
PID 2384 wrote to memory of 756	2384	cmd.exe	74
PID 2384 wrote to memory of 756	2384	cmd.exe	74
PID 2384 wrote to memory of 756	2384	cmd.exe	74
PID 2384 wrote to memory of 2148	2384	cmd.exe	75
PID 2384 wrote to memory of 2148	2384	cmd.exe	75
PID 2384 wrote to memory of 2148	2384	cmd.exe	75
PID 2148 wrote to memory of 2688	2148	dllhost.exe	77
PID 2148 wrote to memory of 2688	2148	dllhost.exe	77
PID 2148 wrote to memory of 2688	2148	dllhost.exe	77
PID 2688 wrote to memory of 1220	2688	cmd.exe	79
PID 2688 wrote to memory of 1220	2688	cmd.exe	79
PID 2688 wrote to memory of 1220	2688	cmd.exe	79
PID 2688 wrote to memory of 928	2688	cmd.exe	80
PID 2688 wrote to memory of 928	2688	cmd.exe	80
PID 2688 wrote to memory of 928	2688	cmd.exe	80
PID 928 wrote to memory of 1480	928	dllhost.exe	81
PID 928 wrote to memory of 1480	928	dllhost.exe	81
PID 928 wrote to memory of 1480	928	dllhost.exe	81
PID 1480 wrote to memory of 3024	1480	cmd.exe	83
PID 1480 wrote to memory of 3024	1480	cmd.exe	83
PID 1480 wrote to memory of 3024	1480	cmd.exe	83
PID 1480 wrote to memory of 1360	1480	cmd.exe	84
PID 1480 wrote to memory of 1360	1480	cmd.exe	84
PID 1480 wrote to memory of 1360	1480	cmd.exe	84
PID 1360 wrote to memory of 1304	1360	dllhost.exe	85

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86de3eaf59943a4912962536c0638c0570871bfbc273445a45c7ef0c8cc0c170.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_86de3eaf59943a4912962536c0638c0570871bfbc273445a45c7ef0c8cc0c170.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2500
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:848
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2112
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\System\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ja-JP\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:296
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\svxx5o0Swo.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2384
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:756
      - C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1220
        
        C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:928
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        9⤵
        Suspicious use of WriteProcessMemory
        
        PID:1480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:3024
        
        C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        11⤵
        
        PID:1304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1724
        
        C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat"
        13⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2664
        
        C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
        15⤵
        
        PID:560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1472
        
        C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat"
        17⤵
        
        PID:564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2424
        
        C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
        19⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2036
        
        C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat"
        21⤵
        
        PID:900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1972
        
        C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat"
        23⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:696
        
        C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat"
        25⤵
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2668
        
        C:\Windows\ja-JP\dllhost.exe
        
        "C:\Windows\ja-JP\dllhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\System\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\PLA\System\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\System\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 7 /tr "'C:\Program Files\7-Zip\Lang\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Windows\ja-JP\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Windows\ja-JP\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10038765cce2e3278b85e3fe8eb173a3

SHA1
24d18aa55d238cbbeeaf35d612c69771c2c3ee4d

SHA256
06b155a3d41cbf4483a39bc11f2c9bf0fa049116e721207f208fb3d3c52ab61c

SHA512
836be94a70d71dd14eafce8ce8280b0fb10425e846397da280e38eee07b9652c822c5d08fec45f1bceff586de5eca4e7a76fbcdbf2fcdae9eb1c494ba0b34828

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3dede192046f410ee8aabc0c9161a524

SHA1
b36e068014bd41675355973320a89b720e9bd599

SHA256
239736d0d59c38a3c5be416e20b8f5988db2063093a1c6c40826bc3cb318a61c

SHA512
51756044fc0258685b572c25730040032425c728d950ff0c570b0bf942a3a8df153a0fa97f8443fac508d9da6eda8a0021d6733ac55022117626dfaefa6ce170

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e625c21239ce272abb4851ffafeb47e

SHA1
997be3557394c25258cd4372f57ef7a7de1e1b17

SHA256
c04643e3986d44811feb653441a942458ecda74138336c67e189cf5b7a896e9f

SHA512
1ea16ddf3edd84fbc485878bd0a74c7d6a61ef433038afe8c7cf1a4be0b29070b5d1b7b17646b6948d1308c309831c3aaa96e831febbfddf46d0ced2419fb0d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b24aef97b696ef129786a5a8d8c4bf0

SHA1
de4aa7cc366f131f64b1d696ce5612d96c87d59b

SHA256
7a9dc365bfad098b7815f5637e227650586b996ed6cfb8b864fd33eb6a1f9d5b

SHA512
167cda2af8f6d93b1fdf3345f74356fc4fb1ca5eac85a13a86f4925be994027c1899a531e2b66843ab763f4aa7d470a64f2040d225a1df5036fb7d3d61074012

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f3a25d6691626978e5e58bfcd853dac

SHA1
92f8f5554b235568e3af94226a3d64c401b4684a

SHA256
9d5262f2673a89d78e6a675dcc303edd256d311f7d96aac8ad0cdbff23655557

SHA512
08778aae7e739ba64ce3ea8fc5404b96652a6591f7af0e69d2fcfdeecf8f9cd3f630ac23c46f705f208489390e2c17eb6668692e3795cfd1a750f7352ba264be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
852ed66e499d4f9dadf16433da867e24

SHA1
2f22c7b0e518b666e3e574629e1479f15a024ad7

SHA256
4b138d6907b9404b5ce67408e0c8fa1549ab602a09f3705aca691aea22f3b214

SHA512
46434b27e371392ac268495a59a19096e2ab361d37902460cbaddc10a2add5b7a0dc76a6dcb24e89e19310a18bb662a86205372e3100494cbd435a05920c1ada

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d83ca6f1bb586bf89d58f8aa314b59d4

SHA1
6d1faf45bfb984fe86e0901bd48fa06116c3630d

SHA256
c11d95cb8722db6dc764fd2642a2a996dd0e550315b3c52bb6535e21b1524645

SHA512
a57be8ae1ebf06d7e2027fe3ea8cdbd7334a3a63c896f3db441f023d17bf917e55528e44321a0ea3c7f9b54851a70d234b6adba382db8c9dd71b820df8856fe3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f3acb1cd5adcfba0e8b24f57adbac55

SHA1
c7cf431dab8617b0d69c7ca66ed1c45b3152b8b4

SHA256
8b4fa0372840a72e4adaebae69678b0a30122262acb3a3f18a45258008c9a02d

SHA512
c9d1c6282036864917d6c661ebb75517c5644b0bc7ebb90c64b6398b12f314e55843e35c204d3e5da5e993806337fdf6c0269a6428df53db4a8cc8f7ec3e9ec2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e237a404d34f73b9c15c51ff322dfc0a

SHA1
f5f63818dfee989568f009f4d8f8f155b366f783

SHA256
f1aa0ebad5d0971725692970ca869d4cfe7a7617f611e735bb102f54c55748b6

SHA512
0230f129b3b8d80e04a8e70e76a2793992fd55536f35531530730525dcfa94ad20db093fb34ff2dabd45bcbca1c158b2917c89b549851e2de963d4abdc55ee18

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat

Filesize
193B

MD5
6fcdb1019857768c75817c19fea0a940

SHA1
db1274f863791bf310922bdee0be71f36de93ebd

SHA256
f9d330b86162ee9b2eb063aa44ac9fa9f4f02d18cb8bb049e63d26e34bad9e4b

SHA512
cd6ee20c4bf2d703f5aedeb3ff5135465505ca5769ac9239e9b6c60342267a2b3ae085fcb744d4a62604c1ac1cae2ff1ed2576151a735d84d20696a504a34abf

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
193B

MD5
56884771008c2d004dd0cc15dceff133

SHA1
5f3ca0c878d7c0c7e283a583c5b36722cdd83c1f

SHA256
175e86afa0900f1f299f99a44974db9f48293c640e36c4ff9d509d2c1843844e

SHA512
304bba2d40700a77d1b24c25761df2cdf37293395925c9bf99a8809bdc31e11a904bcc94c16dbbf8b6cd95dd23bcd5ec704cabaf36b3af7fdb4a692c0e0b12fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\80JI9OTYea.bat

Filesize
193B

MD5
b7f6725e87941ef620183fed06052b3c

SHA1
95b52650fca75ef2bf642802fe29f45f684a2871

SHA256
8f1e4fce0fa5c1b029df618c2b1b0504c5b2263bbac8162f47237abe687d1643

SHA512
809fef0215b897637d9e4012f1a54454dee6d131945ea4f0b15d1881f48c52ca5c90a3e86f4f856381510a7ff05c684d220b863b43e98a77e541317efaeb97a9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabE14C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D6YKtyItKL.bat

Filesize
193B

MD5
de83e1062657614a4483211d43d58706

SHA1
0aeb4b3f6f6bff9eeb765a5181a703f6b6dd0df7

SHA256
f9f717a9ce7525e1991b49335f250acf4f8dd479e705c5532e2308d5ffcff407

SHA512
b73728f55ee34bfdca688edd2507f7cf74ad32e9869f7fbde977032ee6f9e1bd95797c39068e3bbf35caf29afd6b58761ccdd6730112e0472efdd38b0af0e6c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\OMb46N11BK.bat

Filesize
193B

MD5
4e69ac32acfe6a89847908c666a6da36

SHA1
2fa597077018e82fdfba74b28dda568f31dbbe71

SHA256
36b92e017ac6a616d3a3a8f5e7587750e9354b3b493d0c03902e4135dd3d06c8

SHA512
43a6dd4e39eaec4009516a62b3c091c688ef1c37f9f3f2f83ffefbbb0866d68a2ffb85622d63939869d1fb15cad0582cce5964dec6a2aeeb204a909e6ed01d0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarE15F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UMVEid32eq.bat

Filesize
193B

MD5
e6e4c21672815f0f0449688237c812b5

SHA1
c82a7f697a2f74c0fce7e51c23a92616e747702d

SHA256
3ab5a5dbd9ad187a2ad8aa16bbdab9b3c232c56dae319436ec4a25d1705110c7

SHA512
c28694f48eb74eee7686f274eb99a51674e8cc1c18932885d292cf633c610c5e16615b321ee5a4463ebb73dba052d3c8f4f00fd379dc5d45cb140636eda8cb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
193B

MD5
4460dfd7d0dc804ac4c22eb4bfd6dfad

SHA1
392744843ff63afb7e7460a173be27faaa69b924

SHA256
bed54b203e85763b341e00034873b588170f7e7e8ab812f5c0927f77b039b966

SHA512
5e4f8a75d4f519f9106069f07001f7dd2ec031ec5b2d875d4987cec75a8da44391addb4f25753f46e69123046326e0c2ce31e8a061dd97510d216f7537fdf90e

Download Submit
C:\Users\Admin\AppData\Local\Temp\jnfhf9Euk8.bat

Filesize
193B

MD5
aba85108eb95db5c27aa9faff391ba3e

SHA1
ee601d638a4fc29e121faf382c831bb2eb52fee0

SHA256
60ac6d5af215bc1288f786a32c2bcb9434cf552515ed16298ef68d6298271658

SHA512
11b975d4a4420c95fbdba6f85c3ec60ff12819371ab36748acb6992ccfaf833e2582bc8cfddb42fea2db82a3cfd3235e3d5087c10535fe10dfca4c8afdd0f79e

Download Submit
C:\Users\Admin\AppData\Local\Temp\n3vYZhDjEH.bat

Filesize
193B

MD5
3054c1f06dfa80bcb70d04e692ff1396

SHA1
6a3dcf0988632680ca6e848f04e4552b32a7144f

SHA256
7d1ac72710ccf5cd33cd8b90c3371536570b568910715c3ec045f5d64136dd85

SHA512
5df65aae8bfcadf93c6fc28b9371fb6a3dabcf3e7f5a1d09593343297715e6d04cdd61cc887d75d946bcb3f3efed6c261ddd71ec561bf9820865011d25c78e69

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat

Filesize
193B

MD5
46d562be08e3f7f7e6c329f2a91f58ea

SHA1
c0c6607af73d96b8a02ed17a66ceaf9a1565f236

SHA256
0a1bb850fdf906b1929a118b2b5249694147a6828d96c593c7a2ebfefecea627

SHA512
90256055bc5d201192eb6affd09361dd10ef5bf72bb940b3e3d5d3be16e62cc7ac6844c37cfd4dc65e75d08495fff168dacb8dbcfc70935ad8eebd91c8edbad4

Download Submit
C:\Users\Admin\AppData\Local\Temp\svxx5o0Swo.bat

Filesize
193B

MD5
a79add9db6b38bee620f6b4011080f42

SHA1
dd43486cf3daa166073e9c930d045b03db4e26f6

SHA256
d08cd9638a1071a084eeefffac2504a716addfd9f02428d5eaa6d4017292393b

SHA512
c386e8396c946da2935e6b9fe6a77391f65093839e9d9351d681131692d8942b337166be423cac7001dc14927698e89aa37a700f00be08d3e464e7cb2d088d35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
fe14e6ae6dbb9529b43ccae9b9318f01

SHA1
bb3d06b011a4b4613b05d200d9c056530c5d80f6

SHA256
290cfeccbf2ecc524dbc9e20daae735288ea17d63d610c6b7204b9ff869fa2eb

SHA512
0dd27864ad97711fabfb6cff82c1064b226fb8d5cfca15fb88da5e057c606481f575e5f301e25ec8bf2d9aba0abec3d5266d08fdb41dfffb0aeaaac1348edd11

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/928-139-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/1572-258-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1608-560-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1764-620-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/1780-379-0x0000000000F60000-0x0000000001070000-memory.dmp

Filesize
1.1MB

Download
memory/1804-50-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2112-13-0x0000000000AB0000-0x0000000000BC0000-memory.dmp

Filesize
1.1MB

Download
memory/2112-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2112-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2112-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2112-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2148-80-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/2188-52-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2332-680-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2448-500-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/2468-319-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2468-318-0x0000000000A50000-0x0000000000B60000-memory.dmp

Filesize
1.1MB

Download
memory/2912-440-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2912-439-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download