dcrat | 4318b372cbb0d931ba8b5957591e3fb594cc01f01f7db3b7cb777b170c3d57b7

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 00:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4318b372cbb0d931ba8b5957591e3fb594cc01f01f7db3b7cb777b170c3d57b7.exe
Size

1.3MB
MD5

f3991c2f98d5cf243bf2471d4621820b
SHA1

e0ee43306388c5507bae17c7ab8be9f0beca5e0f
SHA256

4318b372cbb0d931ba8b5957591e3fb594cc01f01f7db3b7cb777b170c3d57b7
SHA512

b88071a850420f574219f051618ec5ec700010e21fa354faca176aa69593549ff4835ae530d0840e1e210b7d33706474dc17902f6602bb623aeff52dd103bac5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2276	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2936	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2936	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016033-10.dat	dcrat
behavioral1/memory/2184-13-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/1264-108-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/1764-167-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/612-227-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/2648-287-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1080	powershell.exe
2152	powershell.exe
1720	powershell.exe
1704	powershell.exe
1288	powershell.exe
1592	powershell.exe
1872	powershell.exe
2188	powershell.exe
2904	powershell.exe
1520	powershell.exe
1368	powershell.exe
612	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2184	DllCommonsvc.exe
1264	conhost.exe
1764	conhost.exe
612	conhost.exe
2648	conhost.exe
2472	conhost.exe
3012	conhost.exe
2128	conhost.exe
2400	conhost.exe
632	conhost.exe
1664	conhost.exe
2888	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
3064	cmd.exe
3064	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
32	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4318b372cbb0d931ba8b5957591e3fb594cc01f01f7db3b7cb777b170c3d57b7.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2832	schtasks.exe
1948	schtasks.exe
3012	schtasks.exe
2628	schtasks.exe
2592	schtasks.exe
896	schtasks.exe
1864	schtasks.exe
1188	schtasks.exe
1596	schtasks.exe
2856	schtasks.exe
2656	schtasks.exe
1488	schtasks.exe
1976	schtasks.exe
848	schtasks.exe
1772	schtasks.exe
2144	schtasks.exe
1712	schtasks.exe
2688	schtasks.exe
2276	schtasks.exe
1692	schtasks.exe
2780	schtasks.exe
2196	schtasks.exe
828	schtasks.exe
2996	schtasks.exe
1628	schtasks.exe
1788	schtasks.exe
2516	schtasks.exe
2864	schtasks.exe
2868	schtasks.exe
1848	schtasks.exe
2452	schtasks.exe
1920	schtasks.exe
1084	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
2184	DllCommonsvc.exe
1080	powershell.exe
612	powershell.exe
1720	powershell.exe
1704	powershell.exe
1288	powershell.exe
1872	powershell.exe
1520	powershell.exe
1592	powershell.exe
2188	powershell.exe
2152	powershell.exe
2904	powershell.exe
1368	powershell.exe
1264	conhost.exe
1764	conhost.exe
612	conhost.exe
2648	conhost.exe
2472	conhost.exe
3012	conhost.exe
2128	conhost.exe
2400	conhost.exe
632	conhost.exe
1664	conhost.exe
2888	conhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2184	DllCommonsvc.exe
Token: SeDebugPrivilege	1080	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	1720	powershell.exe
Token: SeDebugPrivilege	1704	powershell.exe
Token: SeDebugPrivilege	1288	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1592	powershell.exe
Token: SeDebugPrivilege	2188	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2904	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1264	conhost.exe
Token: SeDebugPrivilege	1764	conhost.exe
Token: SeDebugPrivilege	612	conhost.exe
Token: SeDebugPrivilege	2648	conhost.exe
Token: SeDebugPrivilege	2472	conhost.exe
Token: SeDebugPrivilege	3012	conhost.exe
Token: SeDebugPrivilege	2128	conhost.exe
Token: SeDebugPrivilege	2400	conhost.exe
Token: SeDebugPrivilege	632	conhost.exe
Token: SeDebugPrivilege	1664	conhost.exe
Token: SeDebugPrivilege	2888	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 3040	2508	JaffaCakes118_4318b372cbb0d931ba8b5957591e3fb594cc01f01f7db3b7cb777b170c3d57b7.exe	30
PID 2508 wrote to memory of 3040	2508	JaffaCakes118_4318b372cbb0d931ba8b5957591e3fb594cc01f01f7db3b7cb777b170c3d57b7.exe	30
PID 2508 wrote to memory of 3040	2508	JaffaCakes118_4318b372cbb0d931ba8b5957591e3fb594cc01f01f7db3b7cb777b170c3d57b7.exe	30
PID 2508 wrote to memory of 3040	2508	JaffaCakes118_4318b372cbb0d931ba8b5957591e3fb594cc01f01f7db3b7cb777b170c3d57b7.exe	30
PID 3040 wrote to memory of 3064	3040	WScript.exe	31
PID 3040 wrote to memory of 3064	3040	WScript.exe	31
PID 3040 wrote to memory of 3064	3040	WScript.exe	31
PID 3040 wrote to memory of 3064	3040	WScript.exe	31
PID 3064 wrote to memory of 2184	3064	cmd.exe	33
PID 3064 wrote to memory of 2184	3064	cmd.exe	33
PID 3064 wrote to memory of 2184	3064	cmd.exe	33
PID 3064 wrote to memory of 2184	3064	cmd.exe	33
PID 2184 wrote to memory of 1368	2184	DllCommonsvc.exe	68
PID 2184 wrote to memory of 1368	2184	DllCommonsvc.exe	68
PID 2184 wrote to memory of 1368	2184	DllCommonsvc.exe	68
PID 2184 wrote to memory of 1592	2184	DllCommonsvc.exe	69
PID 2184 wrote to memory of 1592	2184	DllCommonsvc.exe	69
PID 2184 wrote to memory of 1592	2184	DllCommonsvc.exe	69
PID 2184 wrote to memory of 1872	2184	DllCommonsvc.exe	70
PID 2184 wrote to memory of 1872	2184	DllCommonsvc.exe	70
PID 2184 wrote to memory of 1872	2184	DllCommonsvc.exe	70
PID 2184 wrote to memory of 1080	2184	DllCommonsvc.exe	71
PID 2184 wrote to memory of 1080	2184	DllCommonsvc.exe	71
PID 2184 wrote to memory of 1080	2184	DllCommonsvc.exe	71
PID 2184 wrote to memory of 2152	2184	DllCommonsvc.exe	72
PID 2184 wrote to memory of 2152	2184	DllCommonsvc.exe	72
PID 2184 wrote to memory of 2152	2184	DllCommonsvc.exe	72
PID 2184 wrote to memory of 612	2184	DllCommonsvc.exe	73
PID 2184 wrote to memory of 612	2184	DllCommonsvc.exe	73
PID 2184 wrote to memory of 612	2184	DllCommonsvc.exe	73
PID 2184 wrote to memory of 1720	2184	DllCommonsvc.exe	74
PID 2184 wrote to memory of 1720	2184	DllCommonsvc.exe	74
PID 2184 wrote to memory of 1720	2184	DllCommonsvc.exe	74
PID 2184 wrote to memory of 2188	2184	DllCommonsvc.exe	75
PID 2184 wrote to memory of 2188	2184	DllCommonsvc.exe	75
PID 2184 wrote to memory of 2188	2184	DllCommonsvc.exe	75
PID 2184 wrote to memory of 2904	2184	DllCommonsvc.exe	76
PID 2184 wrote to memory of 2904	2184	DllCommonsvc.exe	76
PID 2184 wrote to memory of 2904	2184	DllCommonsvc.exe	76
PID 2184 wrote to memory of 1520	2184	DllCommonsvc.exe	77
PID 2184 wrote to memory of 1520	2184	DllCommonsvc.exe	77
PID 2184 wrote to memory of 1520	2184	DllCommonsvc.exe	77
PID 2184 wrote to memory of 1704	2184	DllCommonsvc.exe	78
PID 2184 wrote to memory of 1704	2184	DllCommonsvc.exe	78
PID 2184 wrote to memory of 1704	2184	DllCommonsvc.exe	78
PID 2184 wrote to memory of 1288	2184	DllCommonsvc.exe	79
PID 2184 wrote to memory of 1288	2184	DllCommonsvc.exe	79
PID 2184 wrote to memory of 1288	2184	DllCommonsvc.exe	79
PID 2184 wrote to memory of 2320	2184	DllCommonsvc.exe	89
PID 2184 wrote to memory of 2320	2184	DllCommonsvc.exe	89
PID 2184 wrote to memory of 2320	2184	DllCommonsvc.exe	89
PID 2320 wrote to memory of 2772	2320	cmd.exe	94
PID 2320 wrote to memory of 2772	2320	cmd.exe	94
PID 2320 wrote to memory of 2772	2320	cmd.exe	94
PID 2320 wrote to memory of 1264	2320	cmd.exe	96
PID 2320 wrote to memory of 1264	2320	cmd.exe	96
PID 2320 wrote to memory of 1264	2320	cmd.exe	96
PID 1264 wrote to memory of 2688	1264	conhost.exe	97
PID 1264 wrote to memory of 2688	1264	conhost.exe	97
PID 1264 wrote to memory of 2688	1264	conhost.exe	97
PID 2688 wrote to memory of 2656	2688	cmd.exe	99
PID 2688 wrote to memory of 2656	2688	cmd.exe	99
PID 2688 wrote to memory of 2656	2688	cmd.exe	99
PID 2688 wrote to memory of 1764	2688	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4318b372cbb0d931ba8b5957591e3fb594cc01f01f7db3b7cb777b170c3d57b7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4318b372cbb0d931ba8b5957591e3fb594cc01f01f7db3b7cb777b170c3d57b7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3040
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3064
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1080
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1720
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1288
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZIn5qYtmAl.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2320
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2772
      - C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1264
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2656
        
        C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        9⤵
        
        PID:832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2024
        
        C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat"
        11⤵
        
        PID:1080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2704
        
        C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2648
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat"
        13⤵
        
        PID:2596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2400
        
        C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat"
        15⤵
        
        PID:2980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1704
        
        C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat"
        17⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2816
        
        C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
        19⤵
        
        PID:1340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2004
        
        C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat"
        21⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2764
        
        C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        23⤵
        
        PID:1996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2152
        
        C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat"
        25⤵
        
        PID:2916
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2800
        
        C:\Program Files (x86)\Uninstall Information\conhost.exe
        
        "C:\Program Files (x86)\Uninstall Information\conhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files\Google\Chrome\Application\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\Chrome\Application\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Uninstall Information\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Uninstall Information\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Synchronization Services\ADO.NET\v1.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3df65a865cbb310a9b2ce93f4a879347

SHA1
2f4ccb22140f06c9f176378d2d3c01322596dd3e

SHA256
d2dfea6a773ff95944bfb23e822554810661070ade5ffbb219cc09e1f4ca26ee

SHA512
bcdf7f7361ea64f23aefd010f59de4d980ce7c50a92fa7fddc589e856f3fdaa2fa0bb157d3138db72d869b92b24d6fd441e3cecb63055d048e82084485a4324c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b7394a13742c514b2679e5a29256583b

SHA1
7310d3d3c8469ae2cea57124332473e358e68261

SHA256
d1b2c15c6bc5ea1ed6be17b5a6b9756580411f2df8ae2e3efbb0189c7043d535

SHA512
41f0834d6e9b7342e59a3bd70def560aeda6c8170cab7434331873da3b42f612c64e95546fecb7b415fceec2749fa03af40eb61682626b3ab84d20f99e59e7ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e996cb95bc84b20c9ee2fb974e9cb99

SHA1
d85307e3e08a5634814cfa4ad2a60045656cc349

SHA256
fcc9f3baedc06ed6d5672612faff11ba1d5a460a468201d9a1f21986bddb1f08

SHA512
c79ba71b5d943459dc9f61962b31488ae76186d51de9e3c06b65002ea0d28b962e257a76eef9956eea92faa18db86ae7a1c89a1fb31c35ae13beb5c9efdb6bc5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad627f96bdbe646ee40a7c31d901b2d4

SHA1
4f5582233c7b1f322db24c9b8b1c794741845b84

SHA256
ee4cf6ae7f764e2d6aab405a8d092de1c0a1e8528d2aad99985dd88ca436c1bc

SHA512
5d62cfa3f39d68cf726e65d4d1bcc28ade00b67b3686b8a558794bbe44dfcd0ccfbd2978eb621e3758ea1eab6a44234b980e6b2e92f2e18f5bcc96885ea13b54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
64668dbba487f8d44fe290ef712671e0

SHA1
34b047e639640a0e7d2e382117263c7cd7cdcddb

SHA256
dcac2666ccd390a0df26f1083ef1b1c8d03e9ad991851d7016f3b8ab469e9a77

SHA512
bd516259e431322426997d75225f067c31b4ee92d41c67908e0fbe5818b5c94a429176061414a5d24221bd6f547b567cd37aa6d3d284aa19d4404a67f5fa9c18

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d66b52048d0f5f01039af88ccb22a5e

SHA1
5c67bf7c78f4d06b61bdb6f1c33c0f84759e3c65

SHA256
4ed32d97ee66388c5f59f2c3d5b26948da8c834d8b255c0779ec9cfcfd1175f0

SHA512
ab34a0134b31b2d722b59cb3d3bcbe3b3e5eff5b93a49304bc86319de959147bb9da48309ff1def96464f4dde1dc2ac327e3e923cde25c9ad6d424f1cc3533cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8d3325efeda570d54ad5effedc4e0be

SHA1
ca6c50f8f5ad859cbe9d3f063e5373fd46fde699

SHA256
d3e53c355177ae903c8b9ccdfb7e8a47e4189eda197f514ee84e0477718698c7

SHA512
ad5b199d43510e7b0d1d86fe5c9bf5753e3bb08631c2ae1013f0df8618ddb16bd038135f28e0b9337386d97720f16f2859d48ebbd3ae15e984ec3818442506c2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b003c773cc0d07f55473ddfedc54dfc

SHA1
6d0eea3367bec23494b49efe2de8754d8e4440c1

SHA256
5793dc8c058a19e0585026ef8a5eec193fedff4a2f09b93fab9b6d074d6af522

SHA512
aafd395615a56020d04e3516dbda614113b670153b3f023577bc3b37e41c526ae98875e4df620dcf9c2bf1a7b25bfc804d56f69a13c0b081dc7d50148d47d9de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6c07ecff161fd4d7c1de7f1e35e1d4ba

SHA1
f154166e2ad144e936f4f6fdb6ed8ae2d83ea0e5

SHA256
3e15fc1c0c942ba8bf7a4fcf909e8134bbdb3a7e5359d296640f40d2ab2f8976

SHA512
55de48ca8551546bcf798f6797b09e522170994ec5fb1eb41216524e5ddf8426a93bd1730fc53167804fcdcff5c618abc6fde1d0e534111f721ace11e3e8f479

Download Submit
C:\Users\Admin\AppData\Local\Temp\9dbjknkRRi.bat

Filesize
221B

MD5
fef48ba65cc1d4f1fce5b1ea1eac9e7f

SHA1
8d1a104672dc146ba7a627d0529e9c09d6953ad0

SHA256
920ddbb71f1c1470d1206fdf21a69bb1fe1321e78b5f5875de1a386b1423c89b

SHA512
cdc4330ca7bcbe3da8c31807de18fefbe217ccc6962b84fd3ba39eae2665dd336fbed2a9eed5878c8e316d76a997626e3e63c2857989700f4448a62e246510fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
221B

MD5
ef5dd4ec8e7433b2fe5dfd824e6a819a

SHA1
e7f5927af41651899f8948f20578aae9449b1024

SHA256
d42e009302701bee77d491905b8e6fb84c54eeaf2cb471f8c0a2996237847ea1

SHA512
90b3d03111c380ab711d6e58bebc55a106209d1bcc8dbac7e1ed9d85f1417451f5daccdf626716690df3f15082a8767283da6f77f5c71eefa24988fbb6d2f078

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF98D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

Filesize
221B

MD5
91f5deae4fd00ac9f97e6f35f5b5fca4

SHA1
0f743ddae03c9c730fb657fb6ea4e957bfcef06a

SHA256
7d413ec84c8b2153fe504eb775c7dba5d538e95d3f986114a2477b8a5348aacb

SHA512
7094c99b8c60dd7d2a93bce0c1bc2794365a783cb02a1f335c180f0d907955fb8412d5848dd8bed88c06f0d4667c86ea87e3ac260af3fe03b47a5b79d5e4d3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\I1IMKnnpZ2.bat

Filesize
221B

MD5
d36e5b6212c9284a3704353ef6fa459c

SHA1
ff4623a6731d63826af45cd4c9bfdf62c47b01d0

SHA256
84ac8687e2217b131e7e184aba6e42d812554f3f48e7e2630cfda9e174a3bcfa

SHA512
80c30d5ed8acec97c000d543783f808e8d9578e8352ae5d10037ff44a903db864112639bd19dd72ead6fe01c38e65b9b2844a53a0f6ddd55b529fd3fd5288b3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\IycQG8Pfyu.bat

Filesize
221B

MD5
0369c2272709c3a2dfbdc240913902c4

SHA1
f940506240461e0060a8585d5d9601579f0db257

SHA256
12de24614af5ad33801b35a5b6fd15ecf2038b9eed41e12281083ac345d23d18

SHA512
986399b6b44256b911f9e29da81675e646d35b704a40ee0458c29ba946b8f5d9446d5670fa4c0fcf37ab91ba3db8af19c2132417797781ac9e76257b942a625c

Download Submit
C:\Users\Admin\AppData\Local\Temp\NfeiSKMyn5.bat

Filesize
221B

MD5
adc5dc68e84b7a11575f6b0d0979a9cb

SHA1
0996d65820d1b50c8669dac143740e8fd176e0c0

SHA256
c7c265579ebe67f870f2138e47ebe341a377f0f7686fcc4eeba9d28f67f6cfef

SHA512
71a25b80ad910c6af9d2d740a2da6e7cf4f7d448a1539a3c80751c3d8f36ddfe2159735dfc44eb671589d1c138e436ffdbca2b9c13235e9f0fe66e705c8ad1bd

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF9AF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZIn5qYtmAl.bat

Filesize
221B

MD5
fa2ff4b969b2f37e67547412cd9a0160

SHA1
af4dfd405e56d96db9cecf4ff69bb5ff3e3d73cf

SHA256
476bf7546fe99325744ce87354e53bc495ec97ea8196f89570f4a8b2fd3f69a5

SHA512
013e90c468ef35b833b6c2dd96415be2c2579751a57cf381f796a3848e4a05920c49f1dcb68f6fbf31fb8c0ae0d92fdc090c1c9c4ebbd5fe5b339b1c72ee45ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\arqkgCRh4V.bat

Filesize
221B

MD5
259f0f78ec8fef231b685aba63e8dd03

SHA1
e851c4e88a93f923e7dda7f383d8388e78afeff5

SHA256
e85cd10bfbeb1d8477578e464bfaf7db49658760b4e52d861e1adf8ae37b6110

SHA512
9568e95d7a8a67a0ce1910d432ca42e1bed265b58c7e1c2ccf2f05f6d0d71086364cf4f0dac36adc122f97fac78d13d337b1931cd521076e998fa0191b0f66ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
221B

MD5
bc98eb2995b9846882b61af5e707679a

SHA1
b0e8001428f41d802d6959683431b46298aec36c

SHA256
c977817a0f033baf64365ddf960acc45aefe742e0a3d63a311ae9f3a3ecdf7aa

SHA512
117e8a31d34bb7568529ef7e4ffe43c00ea4ab1b76975d0758c088d31b3fa99f7f4fe07daf4a8437e2f585270e56d031898f65b8e3c35e84a8d87afc0352a248

Download Submit
C:\Users\Admin\AppData\Local\Temp\pgCyA6Uc1O.bat

Filesize
221B

MD5
2ef06f326ec583daf15a473373af2330

SHA1
56d93b262f9542244d6b1afd452254b9e7af9dd1

SHA256
bb9501f08b54a27713a05bd344fa7c4d0ace27c3056624ba2a2c6154d13e2e88

SHA512
b851f002e8e782ac36bb3e7997699b81eda5b1295b42348bc5ea5bf6874a6d6f8f18280bca66c05ebc16e101605d7a9d0665cd132342681bf42cefd8add16815

Download Submit
C:\Users\Admin\AppData\Local\Temp\rm9ahlPG2t.bat

Filesize
221B

MD5
5b1b3d35925057abce1f634825719ae9

SHA1
5201c14ac8dc36b2e8da6b5ef42ac45ad5c0fa7b

SHA256
efef1197273a13d5470b9724e9cc51a8a8212bb49bf988c101e203bd46f285f4

SHA512
2f38133bf8e008347950213a0fde28c502b51ceb819e55de908bb0c64de7bdf9bcc340adf2b5798ca87edaa4bab06a46d17d418faf828302dd9fb2a3d8847156

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7faa8213a0b225486a920ca1dc4fb30c

SHA1
c59c2cbaae06c9820411d278b377bcd43458b2ab

SHA256
877d355dfd9437afa95e40ea4c2ea3541cfcb3e1243ff2934d6154b4f98b24c6

SHA512
9fcf67c8f791a77abbc28e252401124012e6783de182fa784a8dc8dca4badbda289d70744381ac9518e3c976f6cd008071df88b6245b57076fe29b09d8df9690

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/612-227-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download
memory/632-584-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1080-59-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/1080-58-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/1264-108-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/1664-644-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/1764-167-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2184-14-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/2184-15-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/2184-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2184-13-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/2184-17-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2648-287-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/3012-406-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download