dcrat | 8dbd50b1e0bd1faca45ab10def5ef4b372813ae6908e7c9ac9c16fb8dd9f3af3

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 23:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8dbd50b1e0bd1faca45ab10def5ef4b372813ae6908e7c9ac9c16fb8dd9f3af3.exe
Size

1.3MB
MD5

0bfe99c4b22420d32b5e2bcde13ea163
SHA1

ed3ed3efea008edd26f186b0680e07508dc2b654
SHA256

8dbd50b1e0bd1faca45ab10def5ef4b372813ae6908e7c9ac9c16fb8dd9f3af3
SHA512

c22d5507f7e348039b42428f1649d343dcf6f9399771c4526c0c4d446c4a4ac09880cc8ecd51441d499382db4aa64f6388b52c75438e2a50fe2e762302286f22
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 24 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2108	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1280	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2884	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2884	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000175ae-12.dat	dcrat
behavioral1/memory/2280-13-0x0000000001320000-0x0000000001430000-memory.dmp	dcrat
behavioral1/memory/1636-40-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat
behavioral1/memory/2152-205-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat
behavioral1/memory/2772-265-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/2924-325-0x0000000000250000-0x0000000000360000-memory.dmp	dcrat
behavioral1/memory/1936-386-0x0000000001190000-0x00000000012A0000-memory.dmp	dcrat
behavioral1/memory/1684-446-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2504-506-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2168-566-0x0000000001330000-0x0000000001440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 9 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1880	powershell.exe
2208	powershell.exe
2256	powershell.exe
1628	powershell.exe
2212	powershell.exe
1956	powershell.exe
2272	powershell.exe
2192	powershell.exe
2076	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2280	DllCommonsvc.exe
1636	cmd.exe
2028	cmd.exe
2152	cmd.exe
2772	cmd.exe
2924	cmd.exe
1936	cmd.exe
1684	cmd.exe
2504	cmd.exe
2168	cmd.exe
2892	cmd.exe
2756	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2712	cmd.exe
2712	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8dbd50b1e0bd1faca45ab10def5ef4b372813ae6908e7c9ac9c16fb8dd9f3af3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 24 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1680	schtasks.exe
2180	schtasks.exe
2848	schtasks.exe
1608	schtasks.exe
2168	schtasks.exe
1276	schtasks.exe
648	schtasks.exe
2392	schtasks.exe
2072	schtasks.exe
1280	schtasks.exe
2276	schtasks.exe
2636	schtasks.exe
1764	schtasks.exe
1688	schtasks.exe
2156	schtasks.exe
2928	schtasks.exe
3064	schtasks.exe
2560	schtasks.exe
2108	schtasks.exe
3052	schtasks.exe
536	schtasks.exe
2260	schtasks.exe
2980	schtasks.exe
2420	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
2280	DllCommonsvc.exe
1628	powershell.exe
2076	powershell.exe
1880	powershell.exe
1956	powershell.exe
2272	powershell.exe
2208	powershell.exe
2192	powershell.exe
2212	powershell.exe
2256	powershell.exe
1636	cmd.exe
2028	cmd.exe
2152	cmd.exe
2772	cmd.exe
2924	cmd.exe
1936	cmd.exe
1684	cmd.exe
2504	cmd.exe
2168	cmd.exe
2892	cmd.exe
2756	cmd.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	2280	DllCommonsvc.exe
Token: SeDebugPrivilege	1636	cmd.exe
Token: SeDebugPrivilege	1628	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	1880	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2192	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	2256	powershell.exe
Token: SeDebugPrivilege	2028	cmd.exe
Token: SeDebugPrivilege	2152	cmd.exe
Token: SeDebugPrivilege	2772	cmd.exe
Token: SeDebugPrivilege	2924	cmd.exe
Token: SeDebugPrivilege	1936	cmd.exe
Token: SeDebugPrivilege	1684	cmd.exe
Token: SeDebugPrivilege	2504	cmd.exe
Token: SeDebugPrivilege	2168	cmd.exe
Token: SeDebugPrivilege	2892	cmd.exe
Token: SeDebugPrivilege	2756	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2716	2508	JaffaCakes118_8dbd50b1e0bd1faca45ab10def5ef4b372813ae6908e7c9ac9c16fb8dd9f3af3.exe	30
PID 2508 wrote to memory of 2716	2508	JaffaCakes118_8dbd50b1e0bd1faca45ab10def5ef4b372813ae6908e7c9ac9c16fb8dd9f3af3.exe	30
PID 2508 wrote to memory of 2716	2508	JaffaCakes118_8dbd50b1e0bd1faca45ab10def5ef4b372813ae6908e7c9ac9c16fb8dd9f3af3.exe	30
PID 2508 wrote to memory of 2716	2508	JaffaCakes118_8dbd50b1e0bd1faca45ab10def5ef4b372813ae6908e7c9ac9c16fb8dd9f3af3.exe	30
PID 2716 wrote to memory of 2712	2716	WScript.exe	31
PID 2716 wrote to memory of 2712	2716	WScript.exe	31
PID 2716 wrote to memory of 2712	2716	WScript.exe	31
PID 2716 wrote to memory of 2712	2716	WScript.exe	31
PID 2712 wrote to memory of 2280	2712	cmd.exe	33
PID 2712 wrote to memory of 2280	2712	cmd.exe	33
PID 2712 wrote to memory of 2280	2712	cmd.exe	33
PID 2712 wrote to memory of 2280	2712	cmd.exe	33
PID 2280 wrote to memory of 2076	2280	DllCommonsvc.exe	59
PID 2280 wrote to memory of 2076	2280	DllCommonsvc.exe	59
PID 2280 wrote to memory of 2076	2280	DllCommonsvc.exe	59
PID 2280 wrote to memory of 2212	2280	DllCommonsvc.exe	60
PID 2280 wrote to memory of 2212	2280	DllCommonsvc.exe	60
PID 2280 wrote to memory of 2212	2280	DllCommonsvc.exe	60
PID 2280 wrote to memory of 1956	2280	DllCommonsvc.exe	61
PID 2280 wrote to memory of 1956	2280	DllCommonsvc.exe	61
PID 2280 wrote to memory of 1956	2280	DllCommonsvc.exe	61
PID 2280 wrote to memory of 1880	2280	DllCommonsvc.exe	62
PID 2280 wrote to memory of 1880	2280	DllCommonsvc.exe	62
PID 2280 wrote to memory of 1880	2280	DllCommonsvc.exe	62
PID 2280 wrote to memory of 2208	2280	DllCommonsvc.exe	63
PID 2280 wrote to memory of 2208	2280	DllCommonsvc.exe	63
PID 2280 wrote to memory of 2208	2280	DllCommonsvc.exe	63
PID 2280 wrote to memory of 2256	2280	DllCommonsvc.exe	64
PID 2280 wrote to memory of 2256	2280	DllCommonsvc.exe	64
PID 2280 wrote to memory of 2256	2280	DllCommonsvc.exe	64
PID 2280 wrote to memory of 2272	2280	DllCommonsvc.exe	65
PID 2280 wrote to memory of 2272	2280	DllCommonsvc.exe	65
PID 2280 wrote to memory of 2272	2280	DllCommonsvc.exe	65
PID 2280 wrote to memory of 2192	2280	DllCommonsvc.exe	66
PID 2280 wrote to memory of 2192	2280	DllCommonsvc.exe	66
PID 2280 wrote to memory of 2192	2280	DllCommonsvc.exe	66
PID 2280 wrote to memory of 1628	2280	DllCommonsvc.exe	67
PID 2280 wrote to memory of 1628	2280	DllCommonsvc.exe	67
PID 2280 wrote to memory of 1628	2280	DllCommonsvc.exe	67
PID 2280 wrote to memory of 1636	2280	DllCommonsvc.exe	73
PID 2280 wrote to memory of 1636	2280	DllCommonsvc.exe	73
PID 2280 wrote to memory of 1636	2280	DllCommonsvc.exe	73
PID 1636 wrote to memory of 1276	1636	cmd.exe	78
PID 1636 wrote to memory of 1276	1636	cmd.exe	78
PID 1636 wrote to memory of 1276	1636	cmd.exe	78
PID 1276 wrote to memory of 536	1276	cmd.exe	80
PID 1276 wrote to memory of 536	1276	cmd.exe	80
PID 1276 wrote to memory of 536	1276	cmd.exe	80
PID 1276 wrote to memory of 2028	1276	cmd.exe	81
PID 1276 wrote to memory of 2028	1276	cmd.exe	81
PID 1276 wrote to memory of 2028	1276	cmd.exe	81
PID 2028 wrote to memory of 2900	2028	cmd.exe	82
PID 2028 wrote to memory of 2900	2028	cmd.exe	82
PID 2028 wrote to memory of 2900	2028	cmd.exe	82
PID 2900 wrote to memory of 2696	2900	cmd.exe	84
PID 2900 wrote to memory of 2696	2900	cmd.exe	84
PID 2900 wrote to memory of 2696	2900	cmd.exe	84
PID 2900 wrote to memory of 2152	2900	cmd.exe	85
PID 2900 wrote to memory of 2152	2900	cmd.exe	85
PID 2900 wrote to memory of 2152	2900	cmd.exe	85
PID 2152 wrote to memory of 2944	2152	cmd.exe	86
PID 2152 wrote to memory of 2944	2152	cmd.exe	86
PID 2152 wrote to memory of 2944	2152	cmd.exe	86
PID 2944 wrote to memory of 3004	2944	cmd.exe	88

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8dbd50b1e0bd1faca45ab10def5ef4b372813ae6908e7c9ac9c16fb8dd9f3af3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8dbd50b1e0bd1faca45ab10def5ef4b372813ae6908e7c9ac9c16fb8dd9f3af3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2712
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Favorites\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1880
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Recorded TV\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
    - - C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1636
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:536
        
        C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2028
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2696
        
        C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat"
        10⤵
        Suspicious use of WriteProcessMemory
        
        PID:2944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3004
        
        C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat"
        12⤵
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:972
        
        C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat"
        14⤵
        
        PID:2116
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2028
        
        C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat"
        16⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1812
        
        C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat"
        18⤵
        
        PID:824
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:3064
        
        C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
        20⤵
        
        PID:628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2992
        
        C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat"
        22⤵
        
        PID:2132
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2828
        
        C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat"
        24⤵
        
        PID:1064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:236
        
        C:\Program Files\Uninstall Information\cmd.exe
        
        "C:\Program Files\Uninstall Information\cmd.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Windows Portable Devices\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\Favorites\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Recorded TV\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Public\Recorded TV\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Recorded TV\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\Videos\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Admin\Videos\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Videos\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Uninstall Information\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d2d142600095e83bdf45099f690f683

SHA1
9338a411ec3e138391e6efac904d11d467ba750f

SHA256
1f034d3c3f490b3add49b66715e32ce5afe8dd4f9adedc52e153842388083d10

SHA512
2ff4558bb6dfd78aba31ab8720411273aaa069ef0f2d30b5211c0451895daf7ef03ee10e5570b77af46670d7a38e2516f89697c7aa40e42416932b8f1457a278

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09b315b1f4b36386403b5dda0bff26bf

SHA1
7c8d1d7347ba21a340fb32be2326ae08b6e596a4

SHA256
b83905a435e7cb73c967ae7b956168ebde2a811efb412cc3802b06ff81b53d6a

SHA512
45cb28b7e70eea64b65fb495a1c3bd2246fcf588c2b33b901346d2010c3737ac8104e8fff20d433adf7a13d7cea0d3c1e72494b590b9ee2c4fa44b22cb6a263d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c9ca8274bc9c19f0b00b262d0fe4e4b

SHA1
bde93dd0a734acc356b7a2c63445bc9fc707bb57

SHA256
4d929f333063828d6955a3b9417fe6ac35be59206cd4e64afa50bff70e357c9e

SHA512
423f6a1e8789e06c10762b443dd0ba04a50eaef3a69d2726156fd196de39b0771f92216579db9f5c002c0e34b167d3d1aef8c55ce2afbda9e960c4c339f85426

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9cc3d7bd826489f429ea3c0e2e4b7627

SHA1
a2bcb8ebc63e1bbcbf81c0e3e152a578864e7766

SHA256
55ab4d675d163857fb20b2e780b1a0e10082eb202e5610b82beced2ac5e35526

SHA512
23fb28fce2962732deba9badd488ed0b8cbe8eb1606e16838ea57e686f16e922dc5a03ac7375e896975b923f1c27592fac4ec12e36e15371dc0dca787e3cf711

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c4f5b5d0d0ea6fd80cdf403449fe81b2

SHA1
03bc3a5b8add71fd9d7eeb6cbdf397fd289a8161

SHA256
a4d8af2cb1f86de8e762767d825c1bf5a144031cfdd264ba9bec789f41e9ff57

SHA512
6a189ab039325c7f90c1dedb6aedac28f62c6bd2415e683a45b9dc4ec832146585249cf7c7a47b49dfd4653136efd114da49afac3eceb4ea829e08b2ae453218

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2b88505b6b38654aa583a565b157390

SHA1
7cb72345dd7e135ab40661e775362972262c6a29

SHA256
ef5afdc12a5d1691ff56b561c843ebb59fbde9fe8d687bd8cb52c7e2c7712e56

SHA512
4287c77892bde9a82b6bcf71bde4745a7282c14cbda5315ae24e7c0b85567ae1afbe72c94e288b04cb3279c83b472b505bfd3a4853fa89be57847438bed1aa19

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
404f512e07d11dcdb0e164b529c2423e

SHA1
932cbd32b2a6ea42dbcd8299ce8d59dd24b69202

SHA256
101e0ab4253be77fafd51e66f9503d21c90371b41a6475cbcd2a9d54649fa17e

SHA512
c1d7e1b3c951246c6c8b1efc4e86850df198375d31aca54c71257ab628abf91500aed6e292c59f7fd62d47b838929278f7a3ab9b3e0ee4fb7335587c5d0f7c8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
50870be8a126afee17c2c48b2c63fb18

SHA1
6ac194e1ea76c3d92e7339cd0e7b79e30b13c04e

SHA256
408bd6cac5246240d3538d585ab1668f3b897a748f0ccfb76b2b1229b0fd7f38

SHA512
37afdde94e57bcfa1e071d88f3fff2fce8bd7de1c7c0576c4ef82f879f39657fe88771ddb7eabf892c6ca3a7bee97a9d9ea5a73582b188b278e9d02e409d6f27

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4056ce860756d3bb4ae4387b771e786e

SHA1
3388b1cf384e300b00a2dfbfddde1270fe47d55e

SHA256
fcc015940e19f1c1c8795dfcfb1f027a7bca6468e5c145d93c00456da7a0b36a

SHA512
07d1fc50f0ee27d56e9b6fdb0f6cd44f9c81d633fa7c11e4f4a996892c32a12b5946494be1883ba819e32bf7be9618308701bd53f1e268c00ebe4634210d2f3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\7JTBpj7DN0.bat

Filesize
211B

MD5
6d203a2ec8114a407a1ced80eddf35d9

SHA1
903016d85b88e593a2bba848f86b58778c1063fb

SHA256
18228f47643567b4264647a73e6470f293caf63b42fc23b27dc20dc3a5258f3a

SHA512
27251d69166f344f1d50624bc067806d6a56f7be89e9bd8acc472a0d58e875282fc425c8e5e6467b391a64310a2e1e9c097ae9d18dc1a871cd73048dcaa0e01d

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

Filesize
211B

MD5
2af8747cb2c62d4a1cfce83e2a40a324

SHA1
f8eb34f36e0f812e5834c8545e2bd25794781106

SHA256
678bb4b6bd148a8eafd8a666c920fedc4cb5f9664de9b5c15dd0c9234005add1

SHA512
6998763dd74f4072ea5d619619b15cc909615f2246693ce2b3926273c9281963145c863f9b2a0531f25099ce248896eda9ae5d9dc8bf29b9432fca7246fe88bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD230.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\JFTIgCVObE.bat

Filesize
211B

MD5
c69858857cbf056a5ed3b4214797015d

SHA1
ee124db5424fb41cc7f04ed051bf4bfcea49cb62

SHA256
8b4ef242d07f6f677a6b83c655a7eb84c99005ab40973343d92770145445cb29

SHA512
b0546001e492db280cd92c632ae08c739dabbb1c7093c7bbf478ce18313f687f0127df98e8369bf8dfb1a84810324bd11f66cf44be97a7c36196a15b2510c61d

Download Submit
C:\Users\Admin\AppData\Local\Temp\MKE9IzBoeI.bat

Filesize
211B

MD5
acd9110dfc93d936a71ad1cad44cd528

SHA1
dfff40c67124f2d8bf7b8ca659246cda0c0b97c1

SHA256
0ffd0a5b6762c33ee97411e73f2d7681ce0d73398bf3eec55369533650619643

SHA512
e0a4a04e1431fa407cfd85e9ec7498d4ecce3994a91d200b6ba5b4110ffb11d521304ba5c53b85f5a2d2fdc44ee69ee23470a746852ce9446b438926d619b5ca

Download Submit
C:\Users\Admin\AppData\Local\Temp\THL7XCWxQ1.bat

Filesize
211B

MD5
566a431dd06d7bfaa59206e99f31fa5b

SHA1
5736f4e3954eab57dede44633f160f87751bcf32

SHA256
6d20a4db515cc997fc56aa5ec3c5c73e73027f736f0efeb6d44a2828aa54aee3

SHA512
f5f572d5129372517e0d3b1d6db392ab148fe04819d14b076b7482b30712b8472eac8e67699bee59745a188c3ca0e78335a2cd05e5d1c14450913641eccc8418

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD242.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZDYK5nApHO.bat

Filesize
211B

MD5
be8aaf4de7e2cc239cbd87669628e9d9

SHA1
3a1d6e678dd5446cd6df402d87ec1041c4b6acd0

SHA256
5083cb9d0f1fe1df2efa2dd6236010eefe9730611fa7de32549ca1038e271090

SHA512
0b2b7b4c20753b5ccf8d59ccffc11cf43dd30f50b29456699c57380c72558e6bd1cb93cecce53cf044bfe3e659e6fc44a3dcb1b638d2733378d8efdedec56598

Download Submit
C:\Users\Admin\AppData\Local\Temp\avPRQTW9Zy.bat

Filesize
211B

MD5
817cf110c8f6b01c54a98e27823b63ce

SHA1
47fbdc844d41e7fbccc8e9b4569ddca4e4578bb5

SHA256
6f60ec53d68b686ca0653a234fe76b5b5591bf4aaa6075f147d9e7346506f10a

SHA512
e91b99550599e85d2bcbfffb7a559f8ae7ae16e96280aa0e5f393e620d95b11908a708e0cabfcd0036412c6b9b9444a4eb4ccdff12679001f2fce9353ce0f54a

Download Submit
C:\Users\Admin\AppData\Local\Temp\jkzlbVqk90.bat

Filesize
211B

MD5
f5f5a6055d253d73e2e7676f64b720e0

SHA1
00e403d5751da2d7b5764921b23a8b3c00b8e177

SHA256
5db41240ae40e4b7afbcdc4421e8b4ca94d47496ce5bb2e9304afee79ab7a0d1

SHA512
90a1c2916fa97ef2562fb32f393071ba78e8c4bcf93130227b7653f0c661869713f339276e4961d6dd565b9297bd258af5c25b6fcabcb777aa7d724ffb39fd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\o4pIGJu18c.bat

Filesize
211B

MD5
8fd5e35362b862f58bd24d506d26ffd2

SHA1
fc2b85f128d406612047994c39e01598915e3392

SHA256
3f4ff4f6aafbd0893748ddfcbdb4066c4aa4c91f8911400406e265f8acc05626

SHA512
cc7b5e4e7f818a097a13376defcafcfadc4660ca677e84d7e475b3a42e517df244ba20b5d4336c21d0a61c9f87fcbc70a565a556672cd347a9a5541d934bc7a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\rHhDMS4c5i.bat

Filesize
211B

MD5
59d8d173d1c13e9670c3010372468c5f

SHA1
e0ca1d6e9129d2d17303874597a1c3b349e7656c

SHA256
322b7257d6e018b914f58f204d39749c4f730f6aa47f1c4b96148cb4d3c0de45

SHA512
2b1d8e5eda711dd5b75f962c3bde6761aba4a078f7a91f7379cfacfed0651eab023df3a97cc1be0194a6fe4f91ddfe9db0089d667c187abb441d478a42b4d4c2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
8c79374cbcee25dbf86dd859169b9237

SHA1
0e08084d960533834cd04730bab3137d3ba66ae4

SHA256
e7c1a26420e1b6bc734c2d747044acf47ff2deac61f3ae3c98a6deb97f5b6874

SHA512
17dc83ef933177e128ec41fac4b5f42dff8e70951fc2e5a2cd6ea9fe3aae9b6f9bdaa9a66d58c06626e4a54b21de37470e1382306ede0fccca6e3d44578e3577

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1628-62-0x00000000029A0000-0x00000000029A8000-memory.dmp

Filesize
32KB

Download
memory/1628-61-0x000000001B460000-0x000000001B742000-memory.dmp

Filesize
2.9MB

Download
memory/1636-40-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/1636-82-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/1684-446-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/1936-386-0x0000000001190000-0x00000000012A0000-memory.dmp

Filesize
1.1MB

Download
memory/2152-205-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2168-566-0x0000000001330000-0x0000000001440000-memory.dmp

Filesize
1.1MB

Download
memory/2280-17-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2280-16-0x00000000005E0000-0x00000000005EC000-memory.dmp

Filesize
48KB

Download
memory/2280-15-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2280-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2280-13-0x0000000001320000-0x0000000001430000-memory.dmp

Filesize
1.1MB

Download
memory/2504-506-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2772-265-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/2924-326-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2924-325-0x0000000000250000-0x0000000000360000-memory.dmp

Filesize
1.1MB

Download