dcrat | 4beb2354e95483a47dc92692e5d81c77c52455f860ce44b5450525ba4b46a793

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 22:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4beb2354e95483a47dc92692e5d81c77c52455f860ce44b5450525ba4b46a793.exe
Size

1.3MB
MD5

c12a8591a62f6039adbf2f47084287a8
SHA1

1a850fc00979bb5a285364052f6368f7e19e99c3
SHA256

4beb2354e95483a47dc92692e5d81c77c52455f860ce44b5450525ba4b46a793
SHA512

acbda79bb0e22b8fd2927f19419786ff160521ef09e47b543a8f301bd9192c0c66ba0ae731893197ff8b09fe8887c4cf0731031ec14e75f2532d340dd34f7f2c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	304	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2408	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	708	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1884	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	444	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1204	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1880	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2672	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	2672	schtasks.exe	34

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000193df-10.dat	dcrat
behavioral1/memory/2876-13-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/1744-46-0x00000000013D0000-0x00000000014E0000-memory.dmp	dcrat
behavioral1/memory/2500-166-0x0000000000050000-0x0000000000160000-memory.dmp	dcrat
behavioral1/memory/2616-226-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/2416-286-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/2340-347-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/1624-407-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/776-467-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/1784-528-0x00000000010A0000-0x00000000011B0000-memory.dmp	dcrat
behavioral1/memory/2692-588-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/1584-648-0x0000000001230000-0x0000000001340000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
568	powershell.exe
1936	powershell.exe
1976	powershell.exe
1996	powershell.exe
1396	powershell.exe
2432	powershell.exe
1644	powershell.exe
828	powershell.exe
2916	powershell.exe
1848	powershell.exe
1092	powershell.exe
2136	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2876	DllCommonsvc.exe
1744	sppsvc.exe
2500	sppsvc.exe
2616	sppsvc.exe
2416	sppsvc.exe
2340	sppsvc.exe
1624	sppsvc.exe
776	sppsvc.exe
1784	sppsvc.exe
2692	sppsvc.exe
1584	sppsvc.exe
1720	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2744	cmd.exe
2744	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
26	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
37	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Skins\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\5940a34987c991	DllCommonsvc.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\smss.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\LocalService\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Windows\winsxs\amd64_microsoft-windows-b..core-fonts-kor-boot_31bf3856ad364e35_6.1.7600.16385_none_b6bc71f2aed192c1\lsass.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4beb2354e95483a47dc92692e5d81c77c52455f860ce44b5450525ba4b46a793.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
708	schtasks.exe
2032	schtasks.exe
1788	schtasks.exe
2648	schtasks.exe
304	schtasks.exe
1748	schtasks.exe
1692	schtasks.exe
2028	schtasks.exe
800	schtasks.exe
264	schtasks.exe
1880	schtasks.exe
2008	schtasks.exe
2644	schtasks.exe
1884	schtasks.exe
3000	schtasks.exe
112	schtasks.exe
2424	schtasks.exe
1204	schtasks.exe
1708	schtasks.exe
2096	schtasks.exe
444	schtasks.exe
1296	schtasks.exe
600	schtasks.exe
2932	schtasks.exe
1568	schtasks.exe
1680	schtasks.exe
2392	schtasks.exe
2936	schtasks.exe
2504	schtasks.exe
960	schtasks.exe
2288	schtasks.exe
2408	schtasks.exe
1624	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
2500	sppsvc.exe
2616	sppsvc.exe
2416	sppsvc.exe
2340	sppsvc.exe
1624	sppsvc.exe
776	sppsvc.exe
1784	sppsvc.exe
2692	sppsvc.exe
1584	sppsvc.exe
1720	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2876	DllCommonsvc.exe
2876	DllCommonsvc.exe
2876	DllCommonsvc.exe
1848	powershell.exe
1396	powershell.exe
568	powershell.exe
1996	powershell.exe
1644	powershell.exe
1092	powershell.exe
2916	powershell.exe
1976	powershell.exe
2432	powershell.exe
1936	powershell.exe
2136	powershell.exe
1744	sppsvc.exe
828	powershell.exe
2500	sppsvc.exe
2616	sppsvc.exe
2416	sppsvc.exe
2340	sppsvc.exe
1624	sppsvc.exe
776	sppsvc.exe
1784	sppsvc.exe
2692	sppsvc.exe
1584	sppsvc.exe
1720	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2876	DllCommonsvc.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	1396	powershell.exe
Token: SeDebugPrivilege	568	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1744	sppsvc.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	2916	powershell.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1936	powershell.exe
Token: SeDebugPrivilege	2136	powershell.exe
Token: SeDebugPrivilege	828	powershell.exe
Token: SeDebugPrivilege	2500	sppsvc.exe
Token: SeDebugPrivilege	2616	sppsvc.exe
Token: SeDebugPrivilege	2416	sppsvc.exe
Token: SeDebugPrivilege	2340	sppsvc.exe
Token: SeDebugPrivilege	1624	sppsvc.exe
Token: SeDebugPrivilege	776	sppsvc.exe
Token: SeDebugPrivilege	1784	sppsvc.exe
Token: SeDebugPrivilege	2692	sppsvc.exe
Token: SeDebugPrivilege	1584	sppsvc.exe
Token: SeDebugPrivilege	1720	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 2804	2112	JaffaCakes118_4beb2354e95483a47dc92692e5d81c77c52455f860ce44b5450525ba4b46a793.exe	30
PID 2112 wrote to memory of 2804	2112	JaffaCakes118_4beb2354e95483a47dc92692e5d81c77c52455f860ce44b5450525ba4b46a793.exe	30
PID 2112 wrote to memory of 2804	2112	JaffaCakes118_4beb2354e95483a47dc92692e5d81c77c52455f860ce44b5450525ba4b46a793.exe	30
PID 2112 wrote to memory of 2804	2112	JaffaCakes118_4beb2354e95483a47dc92692e5d81c77c52455f860ce44b5450525ba4b46a793.exe	30
PID 2804 wrote to memory of 2744	2804	WScript.exe	31
PID 2804 wrote to memory of 2744	2804	WScript.exe	31
PID 2804 wrote to memory of 2744	2804	WScript.exe	31
PID 2804 wrote to memory of 2744	2804	WScript.exe	31
PID 2744 wrote to memory of 2876	2744	cmd.exe	33
PID 2744 wrote to memory of 2876	2744	cmd.exe	33
PID 2744 wrote to memory of 2876	2744	cmd.exe	33
PID 2744 wrote to memory of 2876	2744	cmd.exe	33
PID 2876 wrote to memory of 1644	2876	DllCommonsvc.exe	68
PID 2876 wrote to memory of 1644	2876	DllCommonsvc.exe	68
PID 2876 wrote to memory of 1644	2876	DllCommonsvc.exe	68
PID 2876 wrote to memory of 568	2876	DllCommonsvc.exe	69
PID 2876 wrote to memory of 568	2876	DllCommonsvc.exe	69
PID 2876 wrote to memory of 568	2876	DllCommonsvc.exe	69
PID 2876 wrote to memory of 1092	2876	DllCommonsvc.exe	70
PID 2876 wrote to memory of 1092	2876	DllCommonsvc.exe	70
PID 2876 wrote to memory of 1092	2876	DllCommonsvc.exe	70
PID 2876 wrote to memory of 2432	2876	DllCommonsvc.exe	71
PID 2876 wrote to memory of 2432	2876	DllCommonsvc.exe	71
PID 2876 wrote to memory of 2432	2876	DllCommonsvc.exe	71
PID 2876 wrote to memory of 1848	2876	DllCommonsvc.exe	72
PID 2876 wrote to memory of 1848	2876	DllCommonsvc.exe	72
PID 2876 wrote to memory of 1848	2876	DllCommonsvc.exe	72
PID 2876 wrote to memory of 2916	2876	DllCommonsvc.exe	74
PID 2876 wrote to memory of 2916	2876	DllCommonsvc.exe	74
PID 2876 wrote to memory of 2916	2876	DllCommonsvc.exe	74
PID 2876 wrote to memory of 1396	2876	DllCommonsvc.exe	75
PID 2876 wrote to memory of 1396	2876	DllCommonsvc.exe	75
PID 2876 wrote to memory of 1396	2876	DllCommonsvc.exe	75
PID 2876 wrote to memory of 828	2876	DllCommonsvc.exe	77
PID 2876 wrote to memory of 828	2876	DllCommonsvc.exe	77
PID 2876 wrote to memory of 828	2876	DllCommonsvc.exe	77
PID 2876 wrote to memory of 2136	2876	DllCommonsvc.exe	78
PID 2876 wrote to memory of 2136	2876	DllCommonsvc.exe	78
PID 2876 wrote to memory of 2136	2876	DllCommonsvc.exe	78
PID 2876 wrote to memory of 1996	2876	DllCommonsvc.exe	80
PID 2876 wrote to memory of 1996	2876	DllCommonsvc.exe	80
PID 2876 wrote to memory of 1996	2876	DllCommonsvc.exe	80
PID 2876 wrote to memory of 1976	2876	DllCommonsvc.exe	81
PID 2876 wrote to memory of 1976	2876	DllCommonsvc.exe	81
PID 2876 wrote to memory of 1976	2876	DllCommonsvc.exe	81
PID 2876 wrote to memory of 1936	2876	DllCommonsvc.exe	83
PID 2876 wrote to memory of 1936	2876	DllCommonsvc.exe	83
PID 2876 wrote to memory of 1936	2876	DllCommonsvc.exe	83
PID 2876 wrote to memory of 1744	2876	DllCommonsvc.exe	92
PID 2876 wrote to memory of 1744	2876	DllCommonsvc.exe	92
PID 2876 wrote to memory of 1744	2876	DllCommonsvc.exe	92
PID 2876 wrote to memory of 1744	2876	DllCommonsvc.exe	92
PID 2876 wrote to memory of 1744	2876	DllCommonsvc.exe	92
PID 1744 wrote to memory of 2956	1744	sppsvc.exe	93
PID 1744 wrote to memory of 2956	1744	sppsvc.exe	93
PID 1744 wrote to memory of 2956	1744	sppsvc.exe	93
PID 2956 wrote to memory of 2960	2956	cmd.exe	95
PID 2956 wrote to memory of 2960	2956	cmd.exe	95
PID 2956 wrote to memory of 2960	2956	cmd.exe	95
PID 2956 wrote to memory of 2500	2956	cmd.exe	96
PID 2956 wrote to memory of 2500	2956	cmd.exe	96
PID 2956 wrote to memory of 2500	2956	cmd.exe	96
PID 2956 wrote to memory of 2500	2956	cmd.exe	96
PID 2956 wrote to memory of 2500	2956	cmd.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4beb2354e95483a47dc92692e5d81c77c52455f860ce44b5450525ba4b46a793.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4beb2354e95483a47dc92692e5d81c77c52455f860ce44b5450525ba4b46a793.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2744
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1396
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\LocalService\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Videos\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Documents\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
    - - C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1744
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2960
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat"
        8⤵
        
        PID:2580
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1200
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat"
        10⤵
        
        PID:2528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1748
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2416
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat"
        12⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2028
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        14⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1520
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat"
        16⤵
        
        PID:480
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1092
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:776
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
        18⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:704
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat"
        20⤵
        
        PID:316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1672
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        22⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:652
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat"
        24⤵
        
        PID:944
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:464
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Media Player\Skins\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Sidebar\fr-FR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\LocalService\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\LocalService\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Windows\ServiceProfiles\LocalService\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Users\Public\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 9 /tr "'C:\Users\Public\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Videos\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Videos\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1204

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\Users\Default User\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Users\Default\Documents\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Default\Documents\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:960

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5cadcfdd9a2c771d1efcd817828cf755

SHA1
18e12bee78a44cf4cf8962cac1b5dbb66c38ed44

SHA256
704f48b2b29e317a259388cb2d887500d68520d48fa0977294ce092960d05f18

SHA512
0435a07ccdb1e4f265602a7d65073ccac8676acb28152bb8fc2fdd02f652360e6270172168a98e0be34f75aa0aa4c6b891882cf596997740b0aa5722b3683055

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5846680d0ab6bd87e6f772920579aa6

SHA1
53f769a00c2fd010f374f840619ed4bf824f7c27

SHA256
93394b3c8259750d19dfd80c53d0960d0bcd4cc2d1391a188df8d0479a91983c

SHA512
89e10748cd8276809147e341d81a573eb05a455fff68efac210a38f5ba49475de6e4b666f9d971ea2b3f5ed9e15f61a9f316b1e9c31af76f8bf2b7897e8c5777

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ed2ed05c48bf8ff01e714e25682044bc

SHA1
9bbfbbbab39ee1636418d780917b8fcf53df37ab

SHA256
ca1abfaf29040eb649dbebfb58b43766e59926eed401adcb00acc51d9ca72702

SHA512
83f39b8561eb1ac7d2890ed6eaaf42b8ba7af909fac0f8f9920a79da0d400e55709d5375e8a280619a3eeb1be09538defda8d9ae7577ce48e490370e727a004e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7658a121076cbca675863e7a387d6794

SHA1
5fd19c7396f597ffa5fe44ed10d7d8183253b959

SHA256
bee3d2ea7ce1529c7763f23dcf7cf073bea591f7f7a6f3fb57a861bf66f57ed2

SHA512
26cd4e6dc6cbe48c53dc04734be97cb2f52ca3ef692ceea5bbd48e4e606a45120fbb9206ba5042ca7f890b644e7067393449f57bc83f953e07d03d1ca5cd1c9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
42c7e964ea9d32800dc9979ed79ebc98

SHA1
e4917cce4b51ac0f936016355478b4c1c3e86f9c

SHA256
2692b403a1135887415bc5650b17532c7c2cf5d36fa0da57583a75dd749fc265

SHA512
4f12f937480a910fbbc8168e7e48f08b9055e33d35f798752ea9d783041f73cf769eb2390749e6016a1fad00e8ceb5fb15b7aff16fe8a6624c723c5d285bcce5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74e580c62a2ddfbb3988a9a1e37ba137

SHA1
826e2ad4258c499dbb6cdf4ba2b1c2350a29bc7c

SHA256
efdeef0e52740a3de5357c4ff262f8de799081f56dcffe9673a25197e38c2dbe

SHA512
3c2dde2587aced39540c09771e735b04a8be8b3846c4b7408860eff43b6a2432707a6dd74694b3e49d187bb78f47a08f3ee5656a7eb33706c9e647a03a5077db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6d1c87507e6a668fc0f9223ad46e7d6d

SHA1
f49b0a36d4abc684a61bdb2d65e16722ac0a57b4

SHA256
316ed03ae9bc115aba650644f8db621d7d7621f6b48656036793cb68184f5d61

SHA512
3f4ff2ecd0461c9a176a81e74a032ebff89e39ebfa1aa65d88792ba43d9bee6189eb9021a0b8dca3ba3e1f28b4db3ef507e09c7849a0f971cc802f9a3fe477db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdc9e70adc55171f35a756a0dfa3376e

SHA1
d840e92e101f5a65c35fd0a57e260fcd206a0000

SHA256
6d36bd042320858bd524a64269226845b3635490ed1bf35966e3f90f6070a6f2

SHA512
59c8080da8bd23f879c48f4ae86c11eb0293c9028cd2fc57882ab5f5452a5efa81bb825b2dc835d7473a53569c62cb35ca080da0173acf7a3ea6bb3c25c98955

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0b1c33a5f9a65d1ff86f0f8675089a20

SHA1
fa7a2e4a61e1e55d26433554f26226ef2d9eb3d8

SHA256
d5c2f1ab1f08f7791d4ac22c2403c867dcb72557550ee87aa7b91ff2c53a4604

SHA512
92944310d3931bd0bf38f01ce11776c1601c5fb58e3393b43d0bca0b1842a710a547058e28f48ce4a8831132c377356fb550750168994f5cf237ddda0c6ab06e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5ceb4612ff17c94529a4918b4d748f5d

SHA1
aeab635b71631cad4a2dc5c8cfddf827ece81e2a

SHA256
4417ae72536c5ffa7d9703616b5625a8a6416e5d8b01dedcb272361d76778490

SHA512
2e11b6d4780c09be7f32ac2015bd4f64e736bc2895cfc0498f5554836d3aed77a202699e4881a479e48728e81ad5c02aa87b677759efc17d18c66b0d1ea33c0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2tBWjDxv5U.bat

Filesize
193B

MD5
613d1a73cec9c746caa7498c56a6785e

SHA1
3e08c0f20a5ffad91c8347fbc798b1e88666bc66

SHA256
79babe6644c9d71c1988019cfbf2de3bc6d1fd467520b0262c1d1352b12e7bd5

SHA512
dfe419f4ff28544f4c2cbe16e351f6dd6283b048b0efd2e509179eeca8f0b7f2a28570b7be3a0db766182fa5a3148350ec5e7fe195e198e234524e3fda95ce14

Download Submit
C:\Users\Admin\AppData\Local\Temp\3a8tNGcxSj.bat

Filesize
193B

MD5
7858c7f362e3e504cf1f8d49acf4c6ae

SHA1
9551eb1d801c14f9184dd63660afd82d3116ce4d

SHA256
2364948275612f65cd5cfef35766dd447be29c5fda4c32878e5957b6fb056c3a

SHA512
fc6997018d8eb26bc54db221d445a0a08fb813b00dfb1ad90d5cae58cbcabd91918721fbfcdf8b002b34fa764ba875e14b8ad98ddb27a1580dc5f9988fccf0d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vfhrz6qhB.bat

Filesize
193B

MD5
b4d2107234233b29920c859dec6c5825

SHA1
52beb860f9d360d081483c66fead8e89fedae5b3

SHA256
b7c129484e78755658ae9e1f5236fefe40e19d4a5ded97343d0b67911856ed9b

SHA512
e7a8a29f0bf37e23ef4d1644a4cab0e228059b017ac3694f492bf26a5a8ffad82195226366ade604b9ba00d5dcf844996d7beaf2f283b1db5d6bbd9823aadc78

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPhDZIwY3l.bat

Filesize
193B

MD5
9b1ae9df0813e27ef08c4b0632940182

SHA1
025dfb8db6b2c312bff4631831a387f161b311fa

SHA256
0f7cd74395f669baf87bd101dbf2d75726ad760fcaf72a6e2dc6e5a4eb924906

SHA512
28de37a821ee617aebd30ce6cfcbeb211f8e4c236cac45a80bfb9309c267eff514f6c3572d4853b72bcc466557d12eb2b654d0243a5133b6ac935401b40d3dfb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4848.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
193B

MD5
5269c7bda06c91877cb558ff8d8aea3b

SHA1
dbd461c80dd7d5e389266a20d4b5122c8b12aa21

SHA256
88300ac0c06a13da2d226f2a34e7b7222a03d309401f2b24aecee0d5916ba93c

SHA512
a673cb733da553914ad37476a8591114a4201362d21e0f0f4ccd2a5af969e7ead0160629c8f5a7e8acd3fb5493178fae18a9e4ab5da83a77507e33056a4e43c0

Download Submit
C:\Users\Admin\AppData\Local\Temp\LkcfmFI5TJ.bat

Filesize
193B

MD5
2b4a2956e4401423921a0d232a897c1d

SHA1
a1d77777016452600073dde4549763bf57c6b727

SHA256
da8c2596f98a0f34d49c25d93e8780b304f8508860ed1ef696b755e332a9d875

SHA512
cf7e86a0ac2cb0522098ea5073c741124233f884b858d2a3f57b6e60b80edfa229407f2629f4009e666e93ae56e4d49ede39b282b529725b36dee088ea801aa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TBzEQtkdDl.bat

Filesize
193B

MD5
de536ec5c18fe916b924ba4e95be2693

SHA1
a4442c41d33f8b7b96b0dc209bdf4860c9fd8d33

SHA256
2e6f0b62ff616dafabf25dc13e210ef6cbcef08eb800e6687f4c7222a5569816

SHA512
e42891d85ec341b1aaee50799c2cdf0d617a1fb60dee78e02c81a90f83fa10d7540d782e3cce91cb3a13170e6ef39bfc517186aa4a811b3f7df93c176435b44c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar484B.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wx0Tv0d3iA.bat

Filesize
193B

MD5
f05d52309003eb8817efdd5aa02e2d34

SHA1
aeed31859521719a625c7937286267f490a02347

SHA256
7d0803085955589eb34ef45ce9886e01bb9593f2ffccfa1fcbf6fe08e874e6e6

SHA512
86eaacc465522418980922a40175053b4d4d3213c5627a18adfaa884e51666b86c7803015dfa5dfa69639b15dd02bafed225169e8b4a53a39f59ed93c6ce3c6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
193B

MD5
293eda6850c09d4cd36251361655f2e8

SHA1
ee4472aad23f93b0a9bdd3d68d85af9acebceb49

SHA256
6fa462bd7d40a84312b6893e6480ad1bb6778c0d3173c47ce9ab872371649932

SHA512
f705d88b0738b0c928a551a31f6d4af797690d82b02ce1ba21c952ac37c08eecfdf71d73b2f1aefd09467dd23c9c83a7f5e93b438e54c0be3bcda52f291209f4

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
51345405d6f8959b8182fd59d13a599e

SHA1
7c39579e093b5d5899f8f26a20785430604041a2

SHA256
0cda741d4111f7997919af189709e84cc226c10a7facdb15ad76bf022f2d2e73

SHA512
59879cb02c2ead670309fb85d3d95507e0993500d61b51d09fc73ae6d4654e54e91076fd597216865cf9adde28b7e249c7e5d62dc0613fcccd509a0c1e6f329d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/776-467-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/776-468-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/1396-57-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/1584-649-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/1584-648-0x0000000001230000-0x0000000001340000-memory.dmp

Filesize
1.1MB

Download
memory/1624-407-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1744-46-0x00000000013D0000-0x00000000014E0000-memory.dmp

Filesize
1.1MB

Download
memory/1784-528-0x00000000010A0000-0x00000000011B0000-memory.dmp

Filesize
1.1MB

Download
memory/1848-67-0x00000000020B0000-0x00000000020B8000-memory.dmp

Filesize
32KB

Download
memory/2340-347-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/2416-287-0x00000000001E0000-0x00000000001F2000-memory.dmp

Filesize
72KB

Download
memory/2416-286-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2500-166-0x0000000000050000-0x0000000000160000-memory.dmp

Filesize
1.1MB

Download
memory/2616-226-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2692-588-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/2876-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2876-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2876-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2876-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2876-13-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download