dcrat | 42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae

Analysis

max time kernel
149s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe
Size

1.3MB
MD5

2dbe5c9a6f56201a4bc0519ca6e689bb
SHA1

63922b16f54dc160a7434a8358113b1d2050fbe8
SHA256

42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae
SHA512

c0a4c289aa4d8b7b9327c783699b92317954ea18578a785d6f83b1882586dc9336c97b2a190629b44874d8207ed446ae4277ac119bed53d1ecd24ee549d8e7c3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2044	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1400	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1768	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2520	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2376	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2124	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1088	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2536	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2536	schtasks.exe	35

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016cec-9.dat	dcrat
behavioral1/memory/2704-13-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/2952-100-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/2424-337-0x00000000002C0000-0x00000000003D0000-memory.dmp	dcrat
behavioral1/memory/2188-397-0x0000000000AC0000-0x0000000000BD0000-memory.dmp	dcrat
behavioral1/memory/1056-458-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/1556-518-0x0000000000260000-0x0000000000370000-memory.dmp	dcrat
behavioral1/memory/2116-578-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2020	powershell.exe
1684	powershell.exe
1924	powershell.exe
692	powershell.exe
1032	powershell.exe
1868	powershell.exe
2516	powershell.exe
844	powershell.exe
1568	powershell.exe
956	powershell.exe
1640	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2704	DllCommonsvc.exe
2952	Idle.exe
2692	Idle.exe
2148	Idle.exe
1628	Idle.exe
2424	Idle.exe
2188	Idle.exe
1056	Idle.exe
1556	Idle.exe
2116	Idle.exe
2832	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2548	cmd.exe
2548	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
21	raw.githubusercontent.com
9	raw.githubusercontent.com
5	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Photo Viewer\de-DE\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Media Renderer\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\L2Schemas\lsass.exe	DllCommonsvc.exe
File created	C:\Windows\L2Schemas\6203df4a6bafc7	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1976	schtasks.exe
1400	schtasks.exe
1192	schtasks.exe
2328	schtasks.exe
2376	schtasks.exe
2124	schtasks.exe
1592	schtasks.exe
1432	schtasks.exe
1952	schtasks.exe
1088	schtasks.exe
2372	schtasks.exe
2220	schtasks.exe
2664	schtasks.exe
2848	schtasks.exe
2940	schtasks.exe
2420	schtasks.exe
1044	schtasks.exe
1768	schtasks.exe
1656	schtasks.exe
2204	schtasks.exe
2496	schtasks.exe
2972	schtasks.exe
2044	schtasks.exe
1028	schtasks.exe
2600	schtasks.exe
2520	schtasks.exe
272	schtasks.exe
2076	schtasks.exe
1104	schtasks.exe
2088	schtasks.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

pid	Process
2704	DllCommonsvc.exe
956	powershell.exe
1684	powershell.exe
1032	powershell.exe
1640	powershell.exe
692	powershell.exe
1924	powershell.exe
1868	powershell.exe
844	powershell.exe
2516	powershell.exe
2020	powershell.exe
1568	powershell.exe
2952	Idle.exe
2692	Idle.exe
2148	Idle.exe
1628	Idle.exe
2424	Idle.exe
2188	Idle.exe
1056	Idle.exe
1556	Idle.exe
2116	Idle.exe
2832	Idle.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2704	DllCommonsvc.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	692	powershell.exe
Token: SeDebugPrivilege	1924	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	2952	Idle.exe
Token: SeDebugPrivilege	2692	Idle.exe
Token: SeDebugPrivilege	2148	Idle.exe
Token: SeDebugPrivilege	1628	Idle.exe
Token: SeDebugPrivilege	2424	Idle.exe
Token: SeDebugPrivilege	2188	Idle.exe
Token: SeDebugPrivilege	1056	Idle.exe
Token: SeDebugPrivilege	1556	Idle.exe
Token: SeDebugPrivilege	2116	Idle.exe
Token: SeDebugPrivilege	2832	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1560 wrote to memory of 2652	1560	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe	31
PID 1560 wrote to memory of 2652	1560	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe	31
PID 1560 wrote to memory of 2652	1560	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe	31
PID 1560 wrote to memory of 2652	1560	JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe	31
PID 2652 wrote to memory of 2548	2652	WScript.exe	32
PID 2652 wrote to memory of 2548	2652	WScript.exe	32
PID 2652 wrote to memory of 2548	2652	WScript.exe	32
PID 2652 wrote to memory of 2548	2652	WScript.exe	32
PID 2548 wrote to memory of 2704	2548	cmd.exe	34
PID 2548 wrote to memory of 2704	2548	cmd.exe	34
PID 2548 wrote to memory of 2704	2548	cmd.exe	34
PID 2548 wrote to memory of 2704	2548	cmd.exe	34
PID 2704 wrote to memory of 2516	2704	DllCommonsvc.exe	66
PID 2704 wrote to memory of 2516	2704	DllCommonsvc.exe	66
PID 2704 wrote to memory of 2516	2704	DllCommonsvc.exe	66
PID 2704 wrote to memory of 1640	2704	DllCommonsvc.exe	67
PID 2704 wrote to memory of 1640	2704	DllCommonsvc.exe	67
PID 2704 wrote to memory of 1640	2704	DllCommonsvc.exe	67
PID 2704 wrote to memory of 1868	2704	DllCommonsvc.exe	68
PID 2704 wrote to memory of 1868	2704	DllCommonsvc.exe	68
PID 2704 wrote to memory of 1868	2704	DllCommonsvc.exe	68
PID 2704 wrote to memory of 2020	2704	DllCommonsvc.exe	70
PID 2704 wrote to memory of 2020	2704	DllCommonsvc.exe	70
PID 2704 wrote to memory of 2020	2704	DllCommonsvc.exe	70
PID 2704 wrote to memory of 1684	2704	DllCommonsvc.exe	71
PID 2704 wrote to memory of 1684	2704	DllCommonsvc.exe	71
PID 2704 wrote to memory of 1684	2704	DllCommonsvc.exe	71
PID 2704 wrote to memory of 844	2704	DllCommonsvc.exe	72
PID 2704 wrote to memory of 844	2704	DllCommonsvc.exe	72
PID 2704 wrote to memory of 844	2704	DllCommonsvc.exe	72
PID 2704 wrote to memory of 1924	2704	DllCommonsvc.exe	73
PID 2704 wrote to memory of 1924	2704	DllCommonsvc.exe	73
PID 2704 wrote to memory of 1924	2704	DllCommonsvc.exe	73
PID 2704 wrote to memory of 1568	2704	DllCommonsvc.exe	74
PID 2704 wrote to memory of 1568	2704	DllCommonsvc.exe	74
PID 2704 wrote to memory of 1568	2704	DllCommonsvc.exe	74
PID 2704 wrote to memory of 1032	2704	DllCommonsvc.exe	75
PID 2704 wrote to memory of 1032	2704	DllCommonsvc.exe	75
PID 2704 wrote to memory of 1032	2704	DllCommonsvc.exe	75
PID 2704 wrote to memory of 956	2704	DllCommonsvc.exe	76
PID 2704 wrote to memory of 956	2704	DllCommonsvc.exe	76
PID 2704 wrote to memory of 956	2704	DllCommonsvc.exe	76
PID 2704 wrote to memory of 692	2704	DllCommonsvc.exe	77
PID 2704 wrote to memory of 692	2704	DllCommonsvc.exe	77
PID 2704 wrote to memory of 692	2704	DllCommonsvc.exe	77
PID 2704 wrote to memory of 2952	2704	DllCommonsvc.exe	88
PID 2704 wrote to memory of 2952	2704	DllCommonsvc.exe	88
PID 2704 wrote to memory of 2952	2704	DllCommonsvc.exe	88
PID 2952 wrote to memory of 2000	2952	Idle.exe	89
PID 2952 wrote to memory of 2000	2952	Idle.exe	89
PID 2952 wrote to memory of 2000	2952	Idle.exe	89
PID 2000 wrote to memory of 3060	2000	cmd.exe	91
PID 2000 wrote to memory of 3060	2000	cmd.exe	91
PID 2000 wrote to memory of 3060	2000	cmd.exe	91
PID 2000 wrote to memory of 2692	2000	cmd.exe	92
PID 2000 wrote to memory of 2692	2000	cmd.exe	92
PID 2000 wrote to memory of 2692	2000	cmd.exe	92
PID 2692 wrote to memory of 1756	2692	Idle.exe	93
PID 2692 wrote to memory of 1756	2692	Idle.exe	93
PID 2692 wrote to memory of 1756	2692	Idle.exe	93
PID 1756 wrote to memory of 3004	1756	cmd.exe	95
PID 1756 wrote to memory of 3004	1756	cmd.exe	95
PID 1756 wrote to memory of 3004	1756	cmd.exe	95
PID 1756 wrote to memory of 2148	1756	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_42d12da824f798e6e025d672c8f56719d4c9dc7f9bc89f8723d9df0469d24bae.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1560
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2652
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2548
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\L2Schemas\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1924
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
    - - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2952
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3060
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:3004
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat"
        10⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2992
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat"
        12⤵
        
        PID:2060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2828
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat"
        14⤵
        
        PID:2520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2348
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat"
        16⤵
        
        PID:2352
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1536
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat"
        18⤵
        
        PID:1784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:780
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat"
        20⤵
        
        PID:2800
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3064
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat"
        22⤵
        
        PID:1944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2020
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Users\All Users\Templates\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\All Users\Templates\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\Media Renderer\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 6 /tr "'C:\Windows\L2Schemas\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Windows\L2Schemas\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Photo Viewer\de-DE\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2124

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbffd44eea0f12c267a6013504269f66

SHA1
44c43e822d6790f84de96d60f21921ee70426423

SHA256
3a04a7bae2cc4359e3002440495add0c4ebbd4986377768f0b4977fc12bd9236

SHA512
1e83eb1269f90bad4f78224925f2e2102f1834c01682750367a70156514e3b7ad54d3a3b0e6f479656c3c4a17003a1359d12871b7ae7a05f8d61f149f71736f1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
57c61cb33ccf915f69faa095ce90897b

SHA1
0fee39d96bea58ed15c80cbd88474ac2445348ba

SHA256
8b00c962a3f4d185b80e30b9cae3489715c7d5ba5638ce9d86b21d0e93b3c158

SHA512
3b2f13fee2fa9b3b10b062971a38df158924dd0912bc1c145f38ef4c1aaea67de5281ba69eaf3a8c49691e75febffc73bc5405f340a108eca7b666b7890fe1df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
190b419b41be4f5b7daddcbc7aa07038

SHA1
f6c69d1d083e1230e36e85290a5e1cb3cd3672ce

SHA256
1ac4c01e5560975ea6f432baafd0c23b18296e00c842cb307615923f0f94c7a1

SHA512
ac8178a589bd883954a8394365b56920ffed71b4029f9f3d5ed8fdd9134e6f2ee55d69b3bdb9ac8cda1d3f6bd76cc559fde21c0828dd7938ab173653d7399ee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04c823404032cf8d47624bc4742a4ef9

SHA1
b485e52219ca7c960385df489d9b5c314aa2fe76

SHA256
251e2a87e4559f156085e68db320e6f99bd85b7bc9ea3a36a0105dda4af15b96

SHA512
e50266e1bd1f3c21d87c43a3be4995c06c42ed44ac992c4fa592a342da3876ca5384f9d7be96238d586b3eedb82633bb75dc5ed04ca090002c2894ba49edddd1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
21afb22b83534d0723c5a2c3c7bb300a

SHA1
73aced23638132aa1470ac1b2b3570ffe3f4e082

SHA256
c8fddb6e35c8a926794382802fde52a9999e50eb0db30d3b7387fd45067997a8

SHA512
4262a8718bdef08ea2f40cd961e586e3c8b3aba3d795a1e76e7e3e25477ab60a1190af4e4f143b3463f0f99bcb19f4451033e4fcbc532caf9deacf8ab50d3be6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
03e60263bb5815771985f83d86e8e915

SHA1
8e704fe06337a7fff4c4ddcabff04c54bd55d13b

SHA256
a144691a624e3e674935d307fb796e18efaf00c8355fcbd8b54f9e006cff0f67

SHA512
a7a5809c7e275d16ad773c4c7c6ff0e94da37f6515ed49cc2c9ba214751c70cd9cac2465a961f1ae369d2217eae3f3b6e630dc9b4c3eb492c2ed8134f4db7456

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62605d875fd20c981e34cbd1dfb680c0

SHA1
662a1f55d19ac2b10bbf44ab2aa914ca82531f6d

SHA256
27dee48015b308183c4e1153d39a820ad0c17ad27930e5bf1f1aad78aba3e4a7

SHA512
ecf789f084e28a4e1e66c05a1d24c595ced496cc2f04662823185b57d95b87a34e4248f26b5d751ffec49e1681ebe96b7113f8b6704075c333efaf414d1c2843

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ec70e21e97b2fcd1b1eb1c14deb65a2

SHA1
2bc1f639fc48ed122dab8c312c302d0f87f3f0c8

SHA256
fed4836a5df2b2a6b9966a21ba99d11bd895cf72e69f1aa6d3f89a31807dee24

SHA512
e7c7cb62da17b8bb6242e66043e5b44f945ad094145b4957202fd67398e207b8f38aa5c9ecd4895d134351bdc862d42edaa62da8d7fb72dd74d4a7f033ab3bb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\6SU00hIhBO.bat

Filesize
191B

MD5
5d903a262ed9f01960772708806b7788

SHA1
ac4ecc991ecb554ab8c95ffaa18c28726f76e794

SHA256
6287ce6fba52d520b2fb5a59c3de403bac1e1658bd5693d6d1d119db1cd5c38b

SHA512
1996dc0d7bf444c8c4f5d29cfd019ff6b0bbc1414fa99135572079f9dac87710856113112c6d6c44f0d0435704c00466bc4610501d11e59c5390dd410232ea7d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab341D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F8wGhM86rN.bat

Filesize
191B

MD5
4a60531d95695fd519a262344beb4b27

SHA1
369923af16dd7cdc635cab6b54094120b2154cae

SHA256
5c8404d31d559e0931f37741ed81bba8d26465607f775421ba3767a6c2446a5e

SHA512
8296ff72f5924baec958d1e8bb3fbaab200c6dc4bf4b57411604bc8bfc9bb87db143bd490d09e6fb3c01a59edc8870121a4d68cc302786ec1f84fdc2203ff549

Download Submit
C:\Users\Admin\AppData\Local\Temp\KLWAYFjljO.bat

Filesize
191B

MD5
6a7ccbe96cab9cd721857ecdbcdf7e08

SHA1
a8a1ba72eb6ced81d3712ca3abadb21678b02602

SHA256
fdf7aad1bcd0532b30563b41195665717d72084883e3d5406f22e507bba5c0ee

SHA512
57982b9e5224c238d3085b5c868f6d199fc3eb958d65f26154d965f2e90f1c291756f31ffad0f3849e01dbbfe83f26c7f55520940840282d90510d53961a84ab

Download Submit
C:\Users\Admin\AppData\Local\Temp\MTMDnLe0ZL.bat

Filesize
191B

MD5
50e47fad3714536b7310d37fea2c9e06

SHA1
86f5f985e9ed658277a41c809e51d7231b9f40d1

SHA256
222fb158b96d67890a6b34067ebec0632cffad41351df2dd38fab59d03072a90

SHA512
44e9cb74acd2da19e71c5d46c138fe0187f24c6d1b5ad20a9a79c80a29c1e9de6f12db2ea273d38cf10c1bceb8f16004f2e99cac2b0cb05f8e1d0e1e2156c44d

Download Submit
C:\Users\Admin\AppData\Local\Temp\QLPJAVlmCt.bat

Filesize
191B

MD5
de348fb0ff02be94e127821e66fc0599

SHA1
0823be10ec617e6aeb614e9b7ff0dffa6e3d53aa

SHA256
cdbb06769ec1f7d58846c7961dd82a70c66bdf003fde67ec19f2bcf0ab3665f4

SHA512
8dc8b03f1e6e2791092dd25516d7a2080c7a560f88fd00a06a18cbdae2786f1ebabf7a744a260c7fc55145bc8f06e619652d825417da9c28bc9c5868bae20af3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Rhkc0SdEF2.bat

Filesize
191B

MD5
15009915977ea2b3d8311ddaaf131a1c

SHA1
8d9e69b4bdfeee7e82ddd01492448993a4d20d3a

SHA256
7ee5126269c54aa2a5cefe9e59ac580100197515d663ed734167ed4feef3a700

SHA512
feb3a803b8aa7b8b1ad16c36d47b85fe3773540bc0f03b04d8f51d4fd9e15f61c51b45eaa9dec1bc76ad18ea813efd1721683601d140fde92868875d9c356458

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3420.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\USq6qxpMr5.bat

Filesize
191B

MD5
8c302545dc3ab2905ca7101cada47536

SHA1
0f91f5d407088b5b1c73258c675c1488d221cbd0

SHA256
79a77b103bd21b5a9f09b9c1ee22cb9017be486607f03122d5fcbdcdc7d904bb

SHA512
cddb8f53c1b4a232dd003799eab25e440380717d4fb3545cf09da526b4cfdf4dc41872637c10e71efdd8910110b260513ac1f10b9e3035865225e9aeadab3a8a

Download Submit
C:\Users\Admin\AppData\Local\Temp\XaHtVPtwVH.bat

Filesize
191B

MD5
bd696ad00a969f9021492c442dce0075

SHA1
b4da080d3e8cb46770d65a9b9a3098399d129ddd

SHA256
24ca47589e013756c29308633614548d992638770727c48a2fcf4dfd7ce4f9a9

SHA512
8e566b200acd8195d69c4e384b84cefda8462349c87c4d750fa16557ef4b36a24dcb8a24303047c12412eaddebe5f1df78e9f0af37c4dc6be1c904effc671d77

Download Submit
C:\Users\Admin\AppData\Local\Temp\hANH4lx1y1.bat

Filesize
191B

MD5
5029b8c8f832b8e7950b896b456ca19d

SHA1
5f76c2b3e68295eb044cdd392ed702d37c02fb92

SHA256
ca2db9dbb644eb776124056151dc7b849c59397084284a2c05a38131f361942c

SHA512
e4390c4e28079c4a84ccf96047d6dac35d9c81fa01e616580b41a3e0e7cf7133aab3da6d0bdcdde6ca1a2d1912f1d8d7f83d7d47aac30476aea6826bf7cbfbe8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
ba01d4e9c5592fee35e649b91f175b4b

SHA1
ff5064ed06135cc3623489d5a771ca896996f4b2

SHA256
ed2eb331f170b58085e15fcc6301b7bf2dc9ef0c7942e613ec99be803b0d6bd2

SHA512
629484abf8916b9b84260d82f1f19aa75d90543e91695336614f97bfb03e79ce6b427dc51ef03d14a5f8bf464d3b8191fcac0a7cfcb2d5043fe99793d8b8196d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/956-60-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/1056-458-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/1556-518-0x0000000000260000-0x0000000000370000-memory.dmp

Filesize
1.1MB

Download
memory/1684-59-0x000000001B620000-0x000000001B902000-memory.dmp

Filesize
2.9MB

Download
memory/2116-578-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2188-398-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2188-397-0x0000000000AC0000-0x0000000000BD0000-memory.dmp

Filesize
1.1MB

Download
memory/2424-337-0x00000000002C0000-0x00000000003D0000-memory.dmp

Filesize
1.1MB

Download
memory/2692-159-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2704-14-0x00000000005C0000-0x00000000005D2000-memory.dmp

Filesize
72KB

Download
memory/2704-15-0x0000000000A10000-0x0000000000A1C000-memory.dmp

Filesize
48KB

Download
memory/2704-13-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2704-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2704-16-0x00000000005D0000-0x00000000005DC000-memory.dmp

Filesize
48KB

Download
memory/2952-100-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download