dcrat | 1d3db872a8d7c0666752a59eaacc2fd97e07f5865d6ba5cba2de942e7a0c2f02

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:02

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1d3db872a8d7c0666752a59eaacc2fd97e07f5865d6ba5cba2de942e7a0c2f02.exe
Size

1.3MB
MD5

c8363fdf8d42df87c33f4c651b3c2379
SHA1

2ea90cc96f0b0092aca339d3d8e820fe258dc064
SHA256

1d3db872a8d7c0666752a59eaacc2fd97e07f5865d6ba5cba2de942e7a0c2f02
SHA512

2a2b82dd2f3f79cea0be2a5e9fcd53ab914035e443fdc19db0c4bc67af573b53078f85b0a2891f4d23e8d8e5fe1c1dd6fa550dbd895e91c290ab30be63e9f853
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1460	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1912	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	940	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	896	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2888	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	2888	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016c7c-9.dat	dcrat
behavioral1/memory/2928-13-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/1476-102-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2548-162-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/2844-223-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/612-284-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/352-344-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/496-405-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/2612-465-0x0000000000C90000-0x0000000000DA0000-memory.dmp	dcrat
behavioral1/memory/2996-525-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1088	powershell.exe
824	powershell.exe
2180	powershell.exe
1368	powershell.exe
1728	powershell.exe
1540	powershell.exe
684	powershell.exe
2512	powershell.exe
1528	powershell.exe
668	powershell.exe
1872	powershell.exe
984	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2928	DllCommonsvc.exe
1476	spoolsv.exe
2548	spoolsv.exe
2844	spoolsv.exe
612	spoolsv.exe
352	spoolsv.exe
496	spoolsv.exe
2612	spoolsv.exe
2996	spoolsv.exe
1936	spoolsv.exe
2952	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2416	cmd.exe
2416	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
37	raw.githubusercontent.com
12	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\en-US\lsass.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\1033\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\f3b6ecef712a24	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1d3db872a8d7c0666752a59eaacc2fd97e07f5865d6ba5cba2de942e7a0c2f02.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
588	schtasks.exe
1724	schtasks.exe
2820	schtasks.exe
940	schtasks.exe
2596	schtasks.exe
1476	schtasks.exe
2424	schtasks.exe
2528	schtasks.exe
408	schtasks.exe
2068	schtasks.exe
2032	schtasks.exe
2380	schtasks.exe
2224	schtasks.exe
2872	schtasks.exe
2248	schtasks.exe
1720	schtasks.exe
2552	schtasks.exe
796	schtasks.exe
2648	schtasks.exe
896	schtasks.exe
2996	schtasks.exe
1676	schtasks.exe
2292	schtasks.exe
1460	schtasks.exe
1912	schtasks.exe
2184	schtasks.exe
828	schtasks.exe
1976	schtasks.exe
1824	schtasks.exe
2444	schtasks.exe
1496	schtasks.exe
2792	schtasks.exe
2616	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2928	DllCommonsvc.exe
2928	DllCommonsvc.exe
2928	DllCommonsvc.exe
2928	DllCommonsvc.exe
2928	DllCommonsvc.exe
1728	powershell.exe
2180	powershell.exe
1088	powershell.exe
824	powershell.exe
2512	powershell.exe
668	powershell.exe
1872	powershell.exe
1528	powershell.exe
984	powershell.exe
1368	powershell.exe
1540	powershell.exe
684	powershell.exe
1476	spoolsv.exe
2548	spoolsv.exe
2844	spoolsv.exe
612	spoolsv.exe
352	spoolsv.exe
496	spoolsv.exe
2612	spoolsv.exe
2996	spoolsv.exe
1936	spoolsv.exe
2952	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2928	DllCommonsvc.exe
Token: SeDebugPrivilege	2180	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	1088	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	1872	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1368	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1476	spoolsv.exe
Token: SeDebugPrivilege	2548	spoolsv.exe
Token: SeDebugPrivilege	2844	spoolsv.exe
Token: SeDebugPrivilege	612	spoolsv.exe
Token: SeDebugPrivilege	352	spoolsv.exe
Token: SeDebugPrivilege	496	spoolsv.exe
Token: SeDebugPrivilege	2612	spoolsv.exe
Token: SeDebugPrivilege	2996	spoolsv.exe
Token: SeDebugPrivilege	1936	spoolsv.exe
Token: SeDebugPrivilege	2952	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2328 wrote to memory of 2340	2328	JaffaCakes118_1d3db872a8d7c0666752a59eaacc2fd97e07f5865d6ba5cba2de942e7a0c2f02.exe	31
PID 2328 wrote to memory of 2340	2328	JaffaCakes118_1d3db872a8d7c0666752a59eaacc2fd97e07f5865d6ba5cba2de942e7a0c2f02.exe	31
PID 2328 wrote to memory of 2340	2328	JaffaCakes118_1d3db872a8d7c0666752a59eaacc2fd97e07f5865d6ba5cba2de942e7a0c2f02.exe	31
PID 2328 wrote to memory of 2340	2328	JaffaCakes118_1d3db872a8d7c0666752a59eaacc2fd97e07f5865d6ba5cba2de942e7a0c2f02.exe	31
PID 2340 wrote to memory of 2416	2340	WScript.exe	32
PID 2340 wrote to memory of 2416	2340	WScript.exe	32
PID 2340 wrote to memory of 2416	2340	WScript.exe	32
PID 2340 wrote to memory of 2416	2340	WScript.exe	32
PID 2416 wrote to memory of 2928	2416	cmd.exe	34
PID 2416 wrote to memory of 2928	2416	cmd.exe	34
PID 2416 wrote to memory of 2928	2416	cmd.exe	34
PID 2416 wrote to memory of 2928	2416	cmd.exe	34
PID 2928 wrote to memory of 2512	2928	DllCommonsvc.exe	69
PID 2928 wrote to memory of 2512	2928	DllCommonsvc.exe	69
PID 2928 wrote to memory of 2512	2928	DllCommonsvc.exe	69
PID 2928 wrote to memory of 824	2928	DllCommonsvc.exe	70
PID 2928 wrote to memory of 824	2928	DllCommonsvc.exe	70
PID 2928 wrote to memory of 824	2928	DllCommonsvc.exe	70
PID 2928 wrote to memory of 2180	2928	DllCommonsvc.exe	71
PID 2928 wrote to memory of 2180	2928	DllCommonsvc.exe	71
PID 2928 wrote to memory of 2180	2928	DllCommonsvc.exe	71
PID 2928 wrote to memory of 1528	2928	DllCommonsvc.exe	72
PID 2928 wrote to memory of 1528	2928	DllCommonsvc.exe	72
PID 2928 wrote to memory of 1528	2928	DllCommonsvc.exe	72
PID 2928 wrote to memory of 1368	2928	DllCommonsvc.exe	73
PID 2928 wrote to memory of 1368	2928	DllCommonsvc.exe	73
PID 2928 wrote to memory of 1368	2928	DllCommonsvc.exe	73
PID 2928 wrote to memory of 1728	2928	DllCommonsvc.exe	74
PID 2928 wrote to memory of 1728	2928	DllCommonsvc.exe	74
PID 2928 wrote to memory of 1728	2928	DllCommonsvc.exe	74
PID 2928 wrote to memory of 1540	2928	DllCommonsvc.exe	75
PID 2928 wrote to memory of 1540	2928	DllCommonsvc.exe	75
PID 2928 wrote to memory of 1540	2928	DllCommonsvc.exe	75
PID 2928 wrote to memory of 1088	2928	DllCommonsvc.exe	76
PID 2928 wrote to memory of 1088	2928	DllCommonsvc.exe	76
PID 2928 wrote to memory of 1088	2928	DllCommonsvc.exe	76
PID 2928 wrote to memory of 984	2928	DllCommonsvc.exe	77
PID 2928 wrote to memory of 984	2928	DllCommonsvc.exe	77
PID 2928 wrote to memory of 984	2928	DllCommonsvc.exe	77
PID 2928 wrote to memory of 1872	2928	DllCommonsvc.exe	80
PID 2928 wrote to memory of 1872	2928	DllCommonsvc.exe	80
PID 2928 wrote to memory of 1872	2928	DllCommonsvc.exe	80
PID 2928 wrote to memory of 668	2928	DllCommonsvc.exe	82
PID 2928 wrote to memory of 668	2928	DllCommonsvc.exe	82
PID 2928 wrote to memory of 668	2928	DllCommonsvc.exe	82
PID 2928 wrote to memory of 684	2928	DllCommonsvc.exe	84
PID 2928 wrote to memory of 684	2928	DllCommonsvc.exe	84
PID 2928 wrote to memory of 684	2928	DllCommonsvc.exe	84
PID 2928 wrote to memory of 1060	2928	DllCommonsvc.exe	87
PID 2928 wrote to memory of 1060	2928	DllCommonsvc.exe	87
PID 2928 wrote to memory of 1060	2928	DllCommonsvc.exe	87
PID 1060 wrote to memory of 2012	1060	cmd.exe	95
PID 1060 wrote to memory of 2012	1060	cmd.exe	95
PID 1060 wrote to memory of 2012	1060	cmd.exe	95
PID 1060 wrote to memory of 1476	1060	cmd.exe	96
PID 1060 wrote to memory of 1476	1060	cmd.exe	96
PID 1060 wrote to memory of 1476	1060	cmd.exe	96
PID 1476 wrote to memory of 548	1476	spoolsv.exe	97
PID 1476 wrote to memory of 548	1476	spoolsv.exe	97
PID 1476 wrote to memory of 548	1476	spoolsv.exe	97
PID 548 wrote to memory of 448	548	cmd.exe	99
PID 548 wrote to memory of 448	548	cmd.exe	99
PID 548 wrote to memory of 448	548	cmd.exe	99
PID 548 wrote to memory of 2548	548	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d3db872a8d7c0666752a59eaacc2fd97e07f5865d6ba5cba2de942e7a0c2f02.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1d3db872a8d7c0666752a59eaacc2fd97e07f5865d6ba5cba2de942e7a0c2f02.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2328
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2340
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1368
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1088
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWpHcMbYi.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1060
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2012
      - C:\Windows\Tasks\spoolsv.exe
        
        "C:\Windows\Tasks\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:548
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:448
        
        C:\Windows\Tasks\spoolsv.exe
        
        "C:\Windows\Tasks\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat"
        9⤵
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2664
        
        C:\Windows\Tasks\spoolsv.exe
        
        "C:\Windows\Tasks\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        11⤵
        
        PID:1436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2124
        
        C:\Windows\Tasks\spoolsv.exe
        
        "C:\Windows\Tasks\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat"
        13⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2020
        
        C:\Windows\Tasks\spoolsv.exe
        
        "C:\Windows\Tasks\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat"
        15⤵
        
        PID:2140
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2664
        
        C:\Windows\Tasks\spoolsv.exe
        
        "C:\Windows\Tasks\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat"
        17⤵
        
        PID:2844
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1072
        
        C:\Windows\Tasks\spoolsv.exe
        
        "C:\Windows\Tasks\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
        19⤵
        
        PID:1120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:920
        
        C:\Windows\Tasks\spoolsv.exe
        
        "C:\Windows\Tasks\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat"
        21⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2880
        
        C:\Windows\Tasks\spoolsv.exe
        
        "C:\Windows\Tasks\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat"
        23⤵
        
        PID:684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2428
        
        C:\Windows\Tasks\spoolsv.exe
        
        "C:\Windows\Tasks\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat"
        25⤵
        
        PID:2936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files\Microsoft Office\Office14\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c2e94e6c192a39316261fa094819f08a

SHA1
a089e0ce2d7bd96ad4f2b5a12f07aff19764e871

SHA256
f72f49b9ecfde528fbd180852b0b2589d67398d71b56e4204f610189a3902ec2

SHA512
2f7ff6c267c089bcbcd8e0ff2c799aa56e197d16c8d0c0825e2d6986a57104cccf8ed639d196752ae5cc194c083a34543b84b9b6adf416dbd0d2c7e2cf2e4c48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
10bb4423a0100d119f46754c2538e745

SHA1
8b3e7f904bafdb2b8c1c44e61fe56ba6f13297d5

SHA256
e5a92dd48622247814f18ea3ca2f590c92a057696c630474dafedcea64f016e7

SHA512
2a64941b90b03e9aab60c01a2a8a1f6a6a78a3604e268cb3b9c728a1ab48183514bebb398b07f2a80d7793694c2a10d8cfd5e1a5530362b96aae611ca1c47c87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8acc1d7d7a97f09259c79096c85b727

SHA1
f52b09cf2e9264d24988b7c77ee20cf2fe80c6d6

SHA256
64052513ddba6e9b6318c391746afb0dc8d72a690c8e69074055953eff939586

SHA512
a703535decdb4e6b06553e09ad4e216fd5ea010d64ea97fbfb462a7a492b412943a49108691fa6bea21a8279379d2b3f28cf98be74ab10a808541baf0beaa400

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fa6a52db80c5bdcc28c3eff830190833

SHA1
4949824aca1f796444066b8ae5dd463401782b63

SHA256
424089634b3ecb8369fd833388f293f669164e007d5a1db02ca0af548b614400

SHA512
18255c437896b5e19485547927750ddf21211d7bb9c33800cbbc6a369a503b92d939ed32611821f5dd59e0cd10422b64bcb8e01ae03a9482c06dc53327117706

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
037419aeca86abf225f73b4fc7b40122

SHA1
c7ee5940a0ce20360f8938332210cc6863a6da23

SHA256
e5a055fd8eb5f939b3b40d1f2db0e12e18554e88ffc2b471682ad12b7b2a9fd5

SHA512
700de97e89f0959ce87836f438a36cccb3cc26391e62fceddc182f0d6d8f4d40b893cf38c5634eea89c70f162060731f4537a21a2bf2f422e6e0a7c9123c4dcd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2e1173c9e14492266ec839e21345571

SHA1
5b0f3578459dbd401f5bc52829159bc9d6e78df9

SHA256
34c6d77666c46d662fdf00a2abddb5fc5cdd6d5e7d8333dd6df010180e3674a2

SHA512
d2bdfae14b15c2af0bf37769cbc35e258c1b9948958f36b47de677f594ef9608148f4e05c123f0b09aab8cd714d92c4b5ccf5b9539a4c15fe6487b657b7339d7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
051ae6cc27062dbf71175a90c25b46d4

SHA1
d8af788a6a6c2df49f835c204b849ed45e3d58a0

SHA256
502a8fd4998fe71c0986bc5e789769d234fb2a691c4bbb2d1f3bfbb46ffc4901

SHA512
61a6c5bd71b0f447323cb810f990a1c8722e3b5059b4bc30cf281312832cb1b3024ab807b1ac734d0544680efd121b8cedacd2faa32ec0b0a043435a48c0481e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b44b32ba4826645c871e2bfd68f6e7df

SHA1
83508a909aa9cf873461a899acd85f1663c145d0

SHA256
42c3c11dfeaef18126bee376598d18fcd509ba739cd2664d0fb63a507b3ba2a6

SHA512
0ee7265b677b30aff5d88d35e694c1baaed81580100fae597606ba3c8230c0ee8b609203a03f62091ebd724594f6498abc7ffe3ca3a2447fa0b0de3d86868f63

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f612d7cc5d760e3ef76db9a4603f059

SHA1
eb09ccfe3c623d8217d237cc13681579821826d4

SHA256
22c0b1e2b66d6b63dbcc5993342dc8549a683917d1208cfbc27285c434a8c53b

SHA512
5349afd5b3b2822df62f80c5a7b0c9c9e0330dbcf7fc2d24c3a4d69ec3bf5b8a8227156b3305922828e49e244afc086a217ee459257b30cc405199a4361bb75f

Download Submit
C:\Users\Admin\AppData\Local\Temp\9avng9MHpa.bat

Filesize
193B

MD5
7ecc102c7bf4aac00e6ce0a3ac4e904c

SHA1
27b4eb60433fc835a154842bb962340476ef860a

SHA256
67f6d8fd2a8537572295f595895f1203dd920275acf901580019a669a3f25561

SHA512
06392ea83457de1ae44e2de2fc618b124129293df0039a353215f7f47be9d047fedb8c673e8731a7b7af0661686837d7fd035f2ea3d935275913cceb566e3799

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4730.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzDSmeWZ76.bat

Filesize
193B

MD5
63de30f767215619776847674c0e1063

SHA1
aa97a237dad768437d38857b5befd19ed0536b99

SHA256
850299b4b3a4bd58abde95ce22c3816436176d9ea323f6788629ce24b2ae3c9d

SHA512
237b7651c494945ae271bb0073fe58062ef3ab493ed201ce9cf1a7a2956b65993e839405f535460aa47ff1d863b1cf01575ac87a3b82c0bfd98a8f17f05f226f

Download Submit
C:\Users\Admin\AppData\Local\Temp\FEON83D8AI.bat

Filesize
193B

MD5
cb445772db7f570ec1084720a1ab2ca1

SHA1
609f21555bdf662282de79ceb926924acefe2ad0

SHA256
bed0d1613be03bafe592c9d6b2e4bf9f3917574ba7fa02d66f32b18d4233d100

SHA512
82750e6d8f2d2402ea10878266be3497b7a3b1054cd1ee5e1449843021c812a408353da1ead737739a440b2c931f2e97698a0a0215a20add3ca8507d59e09cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\KqyXtY4PgZ.bat

Filesize
193B

MD5
548f5a0f74ca10b2f6755e3910ddcadd

SHA1
754887b257969d23197e328ccef857a60e2fd2e0

SHA256
14cbb5927b7d89417efb2823d6a700ea763f25b8740ac6a165f9d127f24dc5f8

SHA512
5603c4c8ee9ace59f8bc120c9b60e94b47189335a5dc7f64be47a788db34910afca9edacf64f259f4c7302add3c0803b71cb7108683ef0553bb68471408ac7e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4752.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YUw1O57cI2.bat

Filesize
193B

MD5
13062326e34af6574ecbbab822dbb112

SHA1
14abddbe9b8845ee7b76010fd3cdb39c059eaa74

SHA256
730f826b6530e28114a2797b8a89354bc4f80ede747b7ce1ca425800fee40992

SHA512
54cd79303472c0a74116e4ed18dad8f38db35f0083b883b3325a44df0e0355817a408ce902d96f12a55e183d95ee78f3ab871561a691c50847d08e2d1c383352

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zcl4dB2r8y.bat

Filesize
193B

MD5
9453190e8acdc57603c5d0028be01192

SHA1
156520be417ae8dbd3d070fc2019b9ee5902b4e0

SHA256
aaf88ad75b3c9a4b4938408b32e20d2cf188c69c33bf3b3eb5ce306fafd6f0f7

SHA512
d2bf1b4c3684750c2064be6307e030e89458a08c625ae73a75a90345a4a7bf695fe0fd2fb80e5c372be5072aa8bd6fa0e7ff0e9033a81b735385491a157ec27f

Download Submit
C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

Filesize
193B

MD5
e4663870aaee721bcac1ac4dff3f4478

SHA1
1b021e30c671cedc8606e540c416063b67219021

SHA256
5b3a2aaee90656b0fba6cfb9af14d7d1f956b8de3cc46fa3556cd24eda7bb8d3

SHA512
c848cb726362d41dff34d1c144e63229b084dd29cd7cf73e218c241e38b3cebe22bf85fb41ecc8b4e10eace5427e2ff42b2a3cc019aeb58837d06c46931057ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\jClCs9nEU3.bat

Filesize
193B

MD5
1fbb146ca8345144bba53a6cdf20e332

SHA1
ade9c21547e918e2887e776709fc0537578fa2df

SHA256
ec304afeb76ee1214c4a40c1231acdd2d8bff2d118c6727adc591a6069102db6

SHA512
11fdd98339c04b49e51e0ec6f88171767c26f07e8b38c1e6f4f110f20b7d6b333086e2a98a1b0d7c7666674e27afacd3b3263800ab11430074844e4dfb674dd9

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat

Filesize
193B

MD5
1e208b472dc0a800a18a5c06c38b6f07

SHA1
481eba832bf249583abd3ab654ad0f3a2945d291

SHA256
cc778cbe428445f50796650fb3bb2101c4b9bd470f80de3c1a82d1b0a3dc6733

SHA512
4c9467c61f476d76d8421e5187f10d22cb793eda2417942c072c57242cf7640d9dd277ff278cb6ed7aae8b858dfd37099093583c8f69c11a8da8f0910fc025a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\mrWpHcMbYi.bat

Filesize
193B

MD5
cc66ec0c18c92a382b3ea01effb54792

SHA1
0278f9c6d0c1c514eaa05c334afdbbbfbbce49ec

SHA256
e563f46d5e348f6a25bfa83302595f63df55d3083f39c42049d77da16057ede4

SHA512
5c86e5a8c7ed0774e6e28af4c8a12554a156955c3078320fee250ddc20862ff8f300e90ed56ad2d5f6fe3612a54d0e0a07688acaeb405df849758e220cb756e8

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
193B

MD5
24ce1be738187aad4b80bed15f05e8bd

SHA1
f0aeb4bdf8bf7e66382c485f2cea6eef8b1329bf

SHA256
e2ad58e0be8a22b1c9b26d0af4c71ab00640a568bac88fdb598cdf78c603d225

SHA512
b6365c6d63895996f07cd57e00ff3d0733a567f8aba3cf58cfde8c90c5cc30874f0df948f7695b026a51599e6eb2408cbb2078f95e23bfaed5787aef6fef0cca

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4531842378021d2e579cb712ca8d20a8

SHA1
d4b7c5301ea10d65830c9c479ba735993f51c2fd

SHA256
fd50ef712a3beaf02b2511b0850c3447811a1928acf3b8bb60ba579da8d15c03

SHA512
bbf1193c79d3d5067ad88df43ae6f4b9528f3857e9c952d53d55dce9980a323ed3e0148ae6b0cde1d92474385818b9900f40be4ed4b644365d40e8668b815b77

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/352-344-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/352-345-0x0000000000640000-0x0000000000652000-memory.dmp

Filesize
72KB

Download
memory/496-405-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/612-284-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/1476-103-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1476-102-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/1728-69-0x0000000001DA0000-0x0000000001DA8000-memory.dmp

Filesize
32KB

Download
memory/1728-53-0x000000001B550000-0x000000001B832000-memory.dmp

Filesize
2.9MB

Download
memory/2548-163-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2548-162-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/2612-465-0x0000000000C90000-0x0000000000DA0000-memory.dmp

Filesize
1.1MB

Download
memory/2844-224-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2844-223-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2928-17-0x0000000000390000-0x000000000039C000-memory.dmp

Filesize
48KB

Download
memory/2928-16-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2928-15-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2928-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2928-13-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2952-644-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2996-525-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download