dcrat | 3b2f29e0d6e5e4169576e854602f0b72bf2e336167a076461e333696182c9263

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3b2f29e0d6e5e4169576e854602f0b72bf2e336167a076461e333696182c9263.exe
Size

1.3MB
MD5

0582981616536926acae6e8df460d0cc
SHA1

30fcd653f6381b07673c5c9b9e83c2ba2c07d464
SHA256

3b2f29e0d6e5e4169576e854602f0b72bf2e336167a076461e333696182c9263
SHA512

92e00121dfe31cfb9d5251ea691a24697f4d9c2ed269ff26370ee1ad4c456f02635b0b01bd84e861ba0da8b447028e546ce49a17201b6a9a1ce1e7a8dcec4748
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2584	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2760	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	300	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1688	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2224	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2224	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d47-12.dat	dcrat
behavioral1/memory/2260-13-0x0000000000ED0000-0x0000000000FE0000-memory.dmp	dcrat
behavioral1/memory/2472-46-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/1128-284-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/2712-345-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2064-405-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/2848-465-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/2836-525-0x00000000011B0000-0x00000000012C0000-memory.dmp	dcrat
behavioral1/memory/2488-644-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2888-704-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/840-764-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
984	powershell.exe
1232	powershell.exe
1564	powershell.exe
1700	powershell.exe
1840	powershell.exe
3036	powershell.exe
1052	powershell.exe
2152	powershell.exe
2540	powershell.exe
1980	powershell.exe
1544	powershell.exe
2980	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2260	DllCommonsvc.exe
2472	winlogon.exe
2892	winlogon.exe
2848	winlogon.exe
1128	winlogon.exe
2712	winlogon.exe
2064	winlogon.exe
2848	winlogon.exe
2836	winlogon.exe
2360	winlogon.exe
2488	winlogon.exe
2888	winlogon.exe
840	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2528	cmd.exe
2528	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
40	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\fr-FR\6cb0b6c459d5d3	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\24dbde2999530e	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\winlogon.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3b2f29e0d6e5e4169576e854602f0b72bf2e336167a076461e333696182c9263.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2788	schtasks.exe
2748	schtasks.exe
2616	schtasks.exe
2772	schtasks.exe
1236	schtasks.exe
2776	schtasks.exe
2812	schtasks.exe
1632	schtasks.exe
1488	schtasks.exe
1668	schtasks.exe
2584	schtasks.exe
300	schtasks.exe
3000	schtasks.exe
2024	schtasks.exe
2176	schtasks.exe
2568	schtasks.exe
1244	schtasks.exe
1832	schtasks.exe
976	schtasks.exe
556	schtasks.exe
264	schtasks.exe
1540	schtasks.exe
1688	schtasks.exe
676	schtasks.exe
2928	schtasks.exe
2320	schtasks.exe
2856	schtasks.exe
2324	schtasks.exe
3008	schtasks.exe
2400	schtasks.exe
2808	schtasks.exe
2760	schtasks.exe
2064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2260	DllCommonsvc.exe
2260	DllCommonsvc.exe
2260	DllCommonsvc.exe
2260	DllCommonsvc.exe
2260	DllCommonsvc.exe
3036	powershell.exe
2540	powershell.exe
1052	powershell.exe
2980	powershell.exe
984	powershell.exe
1840	powershell.exe
2152	powershell.exe
1564	powershell.exe
1544	powershell.exe
1980	powershell.exe
1232	powershell.exe
1700	powershell.exe
2472	winlogon.exe
2892	winlogon.exe
2848	winlogon.exe
1128	winlogon.exe
2712	winlogon.exe
2064	winlogon.exe
2848	winlogon.exe
2836	winlogon.exe
2360	winlogon.exe
2488	winlogon.exe
2888	winlogon.exe
840	winlogon.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	DllCommonsvc.exe
Token: SeDebugPrivilege	3036	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	1052	powershell.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	984	powershell.exe
Token: SeDebugPrivilege	1840	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2472	winlogon.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	1232	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	2892	winlogon.exe
Token: SeDebugPrivilege	2848	winlogon.exe
Token: SeDebugPrivilege	1128	winlogon.exe
Token: SeDebugPrivilege	2712	winlogon.exe
Token: SeDebugPrivilege	2064	winlogon.exe
Token: SeDebugPrivilege	2848	winlogon.exe
Token: SeDebugPrivilege	2836	winlogon.exe
Token: SeDebugPrivilege	2360	winlogon.exe
Token: SeDebugPrivilege	2488	winlogon.exe
Token: SeDebugPrivilege	2888	winlogon.exe
Token: SeDebugPrivilege	840	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 3044	2132	JaffaCakes118_3b2f29e0d6e5e4169576e854602f0b72bf2e336167a076461e333696182c9263.exe	30
PID 2132 wrote to memory of 3044	2132	JaffaCakes118_3b2f29e0d6e5e4169576e854602f0b72bf2e336167a076461e333696182c9263.exe	30
PID 2132 wrote to memory of 3044	2132	JaffaCakes118_3b2f29e0d6e5e4169576e854602f0b72bf2e336167a076461e333696182c9263.exe	30
PID 2132 wrote to memory of 3044	2132	JaffaCakes118_3b2f29e0d6e5e4169576e854602f0b72bf2e336167a076461e333696182c9263.exe	30
PID 3044 wrote to memory of 2528	3044	WScript.exe	31
PID 3044 wrote to memory of 2528	3044	WScript.exe	31
PID 3044 wrote to memory of 2528	3044	WScript.exe	31
PID 3044 wrote to memory of 2528	3044	WScript.exe	31
PID 2528 wrote to memory of 2260	2528	cmd.exe	33
PID 2528 wrote to memory of 2260	2528	cmd.exe	33
PID 2528 wrote to memory of 2260	2528	cmd.exe	33
PID 2528 wrote to memory of 2260	2528	cmd.exe	33
PID 2260 wrote to memory of 1840	2260	DllCommonsvc.exe	68
PID 2260 wrote to memory of 1840	2260	DllCommonsvc.exe	68
PID 2260 wrote to memory of 1840	2260	DllCommonsvc.exe	68
PID 2260 wrote to memory of 3036	2260	DllCommonsvc.exe	69
PID 2260 wrote to memory of 3036	2260	DllCommonsvc.exe	69
PID 2260 wrote to memory of 3036	2260	DllCommonsvc.exe	69
PID 2260 wrote to memory of 1052	2260	DllCommonsvc.exe	70
PID 2260 wrote to memory of 1052	2260	DllCommonsvc.exe	70
PID 2260 wrote to memory of 1052	2260	DllCommonsvc.exe	70
PID 2260 wrote to memory of 984	2260	DllCommonsvc.exe	71
PID 2260 wrote to memory of 984	2260	DllCommonsvc.exe	71
PID 2260 wrote to memory of 984	2260	DllCommonsvc.exe	71
PID 2260 wrote to memory of 1980	2260	DllCommonsvc.exe	72
PID 2260 wrote to memory of 1980	2260	DllCommonsvc.exe	72
PID 2260 wrote to memory of 1980	2260	DllCommonsvc.exe	72
PID 2260 wrote to memory of 1544	2260	DllCommonsvc.exe	73
PID 2260 wrote to memory of 1544	2260	DllCommonsvc.exe	73
PID 2260 wrote to memory of 1544	2260	DllCommonsvc.exe	73
PID 2260 wrote to memory of 1232	2260	DllCommonsvc.exe	74
PID 2260 wrote to memory of 1232	2260	DllCommonsvc.exe	74
PID 2260 wrote to memory of 1232	2260	DllCommonsvc.exe	74
PID 2260 wrote to memory of 2540	2260	DllCommonsvc.exe	75
PID 2260 wrote to memory of 2540	2260	DllCommonsvc.exe	75
PID 2260 wrote to memory of 2540	2260	DllCommonsvc.exe	75
PID 2260 wrote to memory of 2152	2260	DllCommonsvc.exe	76
PID 2260 wrote to memory of 2152	2260	DllCommonsvc.exe	76
PID 2260 wrote to memory of 2152	2260	DllCommonsvc.exe	76
PID 2260 wrote to memory of 2980	2260	DllCommonsvc.exe	77
PID 2260 wrote to memory of 2980	2260	DllCommonsvc.exe	77
PID 2260 wrote to memory of 2980	2260	DllCommonsvc.exe	77
PID 2260 wrote to memory of 1700	2260	DllCommonsvc.exe	78
PID 2260 wrote to memory of 1700	2260	DllCommonsvc.exe	78
PID 2260 wrote to memory of 1700	2260	DllCommonsvc.exe	78
PID 2260 wrote to memory of 1564	2260	DllCommonsvc.exe	79
PID 2260 wrote to memory of 1564	2260	DllCommonsvc.exe	79
PID 2260 wrote to memory of 1564	2260	DllCommonsvc.exe	79
PID 2260 wrote to memory of 2472	2260	DllCommonsvc.exe	86
PID 2260 wrote to memory of 2472	2260	DllCommonsvc.exe	86
PID 2260 wrote to memory of 2472	2260	DllCommonsvc.exe	86
PID 2472 wrote to memory of 672	2472	winlogon.exe	95
PID 2472 wrote to memory of 672	2472	winlogon.exe	95
PID 2472 wrote to memory of 672	2472	winlogon.exe	95
PID 672 wrote to memory of 2496	672	cmd.exe	97
PID 672 wrote to memory of 2496	672	cmd.exe	97
PID 672 wrote to memory of 2496	672	cmd.exe	97
PID 672 wrote to memory of 2892	672	cmd.exe	98
PID 672 wrote to memory of 2892	672	cmd.exe	98
PID 672 wrote to memory of 2892	672	cmd.exe	98
PID 2892 wrote to memory of 2328	2892	winlogon.exe	99
PID 2892 wrote to memory of 2328	2892	winlogon.exe	99
PID 2892 wrote to memory of 2328	2892	winlogon.exe	99
PID 2328 wrote to memory of 604	2328	cmd.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b2f29e0d6e5e4169576e854602f0b72bf2e336167a076461e333696182c9263.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3b2f29e0d6e5e4169576e854602f0b72bf2e336167a076461e333696182c9263.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2528
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Desktop\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:984
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1232
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\fr-FR\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2472
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2496
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:604
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
        10⤵
        
        PID:2532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2812
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        12⤵
        
        PID:2968
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2876
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat"
        14⤵
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2652
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat"
        16⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1776
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"
        18⤵
        
        PID:1792
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:868
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat"
        20⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2556
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat"
        22⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:736
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat"
        24⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2416
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat"
        26⤵
        
        PID:2076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2772
        
        C:\Users\Public\winlogon.exe
        
        "C:\Users\Public\winlogon.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Users\Public\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Users\Public\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Desktop\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\Users\Public\Desktop\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:300

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Program Files\Internet Explorer\de-DE\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Program Files\DVD Maker\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\fr-FR\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f233264ef3e55aa9edeecf29c8b6c7ef

SHA1
d6ff480de23b5e77ede89d361855c86f0faa9fd8

SHA256
b6841dd30bfde0c40fae3eb63c7187a7ef7043c9bbbf391f89bfcdf39e34a3d1

SHA512
aca04fe3abcabfc40e326fa1fc8fb4c1672bb8f757d31c366f7c55d15c08d8a093a7e5c4dc5c4b2fa636333ad62c096ce7c28558fcd659e4f3d6c987d58d542d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e352ee49d46426fb5557f7d51748d9e8

SHA1
d63bd899c56a2dd3edcc6a0806ed7bd07c67f5d6

SHA256
317f2dee01fa17a01ba67e0303d7cecd3ef42090fc6c081265c40c1a1d7ff2ae

SHA512
b903536ea095465de336bbe02a1c222a6046a934a8e4e7398698c57bb4cc57141a74eb99dd4f5488479623c2c92b522de32633d2fa3f26ee9157b1176859f13f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb64fe72dccc5f90523b133e93b4fb00

SHA1
7f925cfc197572103f266713ea9e14bfd550e581

SHA256
1bb78497ee9d13872e1edf23a50b3517375313e21e8737ff7df24e0226044459

SHA512
d917de20a0abab222b292087756eac91e17d0ff81b50d69faa0b282372318c13cf290f53ccc6dff4a95691e5654fccadf53a30d376db4f7801f22c2056aef84c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9f112e3e60b9e0a1e965b706da355d7

SHA1
0baf52cef2c68ef450132e9074a0feda006041cb

SHA256
924c655d81d06b5578c6fada58a9db0b7d520161819971b40895506ec54caa48

SHA512
70cb0bc2d36cd1158795787b8b6a4764fe63616fe3dd3fb709fdcefff0930088e6779d0fb9fd960c22a45c24642b4ced35123a225b155b6cdd20646ed4dbafe9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
07a6f2119536f32c535bb11184b48791

SHA1
b21ca9153671e177ec6ac95bf321374076b8b427

SHA256
e8348178eba35205612199cfbb9f11993ee3fae5243372f1cecdaa024dd57f27

SHA512
e792b31a50c64940a20b5c876d86eff721929d56b33febffe75e1f6bea3ae1290e2eaa5ed2b6e2ec6bfdcbcffbc9c6fb130cc2864bf35426794b595a82b44ef7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
30f60d027908d544035efe322e6d261e

SHA1
1655c52e3cf2702defb28394de736383841306d4

SHA256
390191ee3480173aa25318b63feba9a2302769858883eb86c8fb1f0ff49e8525

SHA512
b29a95fa64d780d950a882b710c720999428e08dc3214913c05027b21fd76da58a5be572c043a433377ed2dec7351417f4d787dfdea581ee79785c65a7deed1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
709a87ed6707e88b5089c0debfc3f3c1

SHA1
785f82289cb38dc54f9110604622a1628773c248

SHA256
d77f4991d402669a24e0d5ec474c66224b20a36a9ce24295093a0cf061cda0ad

SHA512
340d6848b0748590776adcded189d80507963b1787369aa23635b4b7b8ca6bb5ec3ef353c051ba4c2b2610b69edccb4cd1e1c56b973b85f8df86728aedf55b43

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba4fc2a379d700fdcbf91ff378ebadc8

SHA1
d76e6273d248078c10c9eb6ebb523a3b9020fd41

SHA256
eb36cc988fcbbe71c68eea641166dbc235b28963a2ff86c8a0fae22fe0e65a72

SHA512
b1021ebeb3de954a7eca429e33a04988d2e5fc9f711058f921503d7c559243ba3926689f57111e8af9042a7b6d4aad8f269d42cc9f5f0abbd9f9a92a0eaf68e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
82a87f685fd38afea6a63f2584d195aa

SHA1
b2b1e34331826ebbacbf9196d3aee1498b688041

SHA256
07db534f243593a62f0762de09e293143ead58dc1e87c0a1776ee8d503923e5d

SHA512
4c1b89c5e86850b8e79e3991767086895093b19ec9493ab02ca6d13b3ccf6540ea462a0e873b329e0e45aaff8cf4d933f3200daa9b5bfd299cf9b6f4696a45e3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2bf71bfb1a2a4310af73250a710fb53b

SHA1
e4be1f46c4490421952ee563ee1b10cb65fef763

SHA256
f0335b4545c219da97cee156b01c7e9f2bb02ff694e7223b97c28adf14317761

SHA512
1fdd2347d9d02bdd9b1241b1a346e68831b87eaef0860d586ed4e4b8023ddee988c509e9c78e0411de181391d2cb8c3a29096e3003e22435933e3ef0f9293b2f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
efd8ded15cb0d214ba1749361353bf34

SHA1
ce4905e736e31c90d3163ca3f8881caea0f55560

SHA256
a50217c52fefb88bc98a03cf63081c497b914509df698d679658c51b7021cea8

SHA512
1d44a95c10ca37147935a5236fdcd65fe77b46659cd5cd06342e9fbb7143879cb171be2d70b7d313792bf3e07d7f0b079cdcef047b4d8d80538224ebaf8aff6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7aJ3FmDw0K.bat

Filesize
193B

MD5
6f3c8c6e00909fd977a407279ff19774

SHA1
e04a207c0bd9c6d6440ffe9ca26318decdbf6cfa

SHA256
1d4151a4dff662b88441696c79568fc7a10f7c6c537e53acb30762099e416c92

SHA512
c78556a1b1802d3d6452161087626e2ee4acbc9cca81125e134637cd530dfa04fdbee0f98b891366d5c1917709f2f95abc898dd2c83bc8f0e5a31d3e1d94fc76

Download Submit
C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat

Filesize
193B

MD5
5b9082918bf9df7857d310dbb947ae5c

SHA1
11025d4c0bb18462d4f76e31c63a05f4f62468c6

SHA256
2276b482349090e37827071ae47122ae58616d45b50c3ecdb70e1cbc9620bcb9

SHA512
3901340fbe0342a0789aed171e3330983591efd8f19e235a7d6c616770b2bd514f9ffc9b8a789f6e92678d578c3412067ee2ddf4c48f73f0995e96f7f210bde9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CIMKRyAEqW.bat

Filesize
193B

MD5
8952b9c37fd665d4c52ebeb82b294a33

SHA1
225efd14b9c0d3421ae8816cc2a3a99d3177c430

SHA256
1bfb80c2e2c2e2d7dcbf9fe5dd4a842e27172d06c7c90e144e5697c4895cf869

SHA512
696fc519d6c34f657b7bfd3d8bc150d1f3057b099930c89cf90a2045a900ad01b0e88636cf5bf72e623f9bd3e15e5f130704cffffeebb61f97e217b3ae47f268

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD664.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EVfp7xrD4G.bat

Filesize
193B

MD5
e061ff37913a5df30611d19d9b7ca071

SHA1
5e8e1fa42ce834e0611f180c9dc81474120c256f

SHA256
e123eee2c710065a9c0f2eae7d8a706563bf2f2fc945ea856509ba8028557d13

SHA512
435cc5c8b7a85b0bb48882dc3206a21bba85dfee84249ff9fb6613c7a84f529b79cb5b76a4cc88f356a63c0e0c6ce1de8398a5a6701889447c629f57d5a5d8e1

Download Submit
C:\Users\Admin\AppData\Local\Temp\JDh6J9oWuS.bat

Filesize
193B

MD5
db89fc02ef4dd351bbfb2c3e33463485

SHA1
d10f8f1d8f4dacc4341ae1ce10aabd144a8e462f

SHA256
df5e84c53ced7821847c2d3b2b553553a434b279c4440eac815cd80c56f7c5eb

SHA512
44318c0aeccc2f767df1dac468aa568173aa560f66bb71d872ecfa7649c59b38f7bde09fa16d274c2e8d8e653b9ab37bcab734e1e816080e15228978e9692429

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
193B

MD5
b67b602c3c99d3936028ff2fa58a44de

SHA1
b09ffa341d03e69f0c13975cf9fc579a1be81246

SHA256
30e8f377ecca3232e5842650b4219dbb22cef4cac36f7cbf2d645aee9f2c7a5c

SHA512
37c6df6f733e5c6d6e553620ec03646f5327da4bc22d3e06ec427f23b42397f1fa9c1fc43fa7c929ca03b2ab9925a373084d7c06b1de582b565080d11dbce61f

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD676.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tcsv1v0qfT.bat

Filesize
193B

MD5
90a890dd91de05636870fbcb8a550f54

SHA1
90fc1cfb00ad58e5a416675ff6ade575d086ae85

SHA256
ffe1e9f349411e5c4b9bb18fd942a652da7226f7a5bfd941d197969298172176

SHA512
c277768ff301dfd17ebfe9ff041410dc3fb867a118fada9b85ba7832aaada1e7184760318e5a7a039b391409e77c3d652e8845f69d1e4b3c1065b04ebbc35b26

Download Submit
C:\Users\Admin\AppData\Local\Temp\ay5NT8uJA6.bat

Filesize
193B

MD5
5b47b7a689201bef4c1032f704deac54

SHA1
8dfeb348b53c5dd151325698df62f66bfdd1f19d

SHA256
6b21f5f2efe4920da39f20321b28db5920584f9fbb0bd1841225f1677ca4940e

SHA512
05ed9cde54310e73b40aef484bc4d03b3bc3d0e611890352624c91a006cc36512b214173f67002fe98d071ae45ad37a80be771ed500477f8e21af52d739f51e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

Filesize
193B

MD5
b9c1753695d7488cf7e3df8eb888ef4b

SHA1
9fad145281165d385e5843cbbbee916fd9cf8061

SHA256
dac7f4aac1b259accc81a19577a9cd0ae78411ce56db8838a6e6439d15ead96a

SHA512
4dee73d0569cb299f0480ab5a6b7cf4cf7b3d2447221c8694ebe97c4c9f912cb727097d91dce1e24a22626990d17b1b5c39f928632865d1cf584e0afa5ee52c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat

Filesize
193B

MD5
3f8e66657719e319b382939eda127177

SHA1
78369780a0cdae37ef69e05dadca8288b96944a9

SHA256
928f26fc8f2362f0dbecb41eadd7f0135dbd1bdb582b0d89c4ce1e4d26dc5ad5

SHA512
ca9d80d8bcb560f36fa0e0a0dfb5269e382ee4b11183443a5d03f507b00a908b97195bf867cc7e0b437af626b2de3faa6e7afa12e6c30532f5fc0a70725b8ec8

Download Submit
C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat

Filesize
193B

MD5
41e2f878487b8f2ba2428f378f745855

SHA1
b3850eb784a4bf46ce2d89d390172b5f7711517b

SHA256
b0f45c7aa847f5bfdc2b64bac5dfbcf864decfb075d26e07411569448cca9a68

SHA512
c94d15e8a8b5851a5bdc27a34547a4b46456765d2818f9932dd3a7793fa1857570b6059997e1d373c9c05acd107626007ddfa611126a5d142861e490dc8b378e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
3c42792ecec1fd971e4cfb57866072a7

SHA1
a68baa5cf3712822518fa93f1db4ed9ec3fc080a

SHA256
86d062954f6a9d8f022dfa829c95dbcf9bc40677e17ad694204e9001b3ecda40

SHA512
571e47257dcb50f113942dbb02f73adc7a6473a4eb425c17bdc7cd4d51dd297eedf65cf2bfb0490c0e0c842d0a4bd942c5bed24093a78b68a529c8cb2efbf2ac

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/840-764-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/1052-86-0x000000001B5A0000-0x000000001B882000-memory.dmp

Filesize
2.9MB

Download
memory/1128-285-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1128-284-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2064-405-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download
memory/2260-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2260-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2260-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2260-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2260-13-0x0000000000ED0000-0x0000000000FE0000-memory.dmp

Filesize
1.1MB

Download
memory/2472-46-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2488-644-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2712-345-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/2836-525-0x00000000011B0000-0x00000000012C0000-memory.dmp

Filesize
1.1MB

Download
memory/2848-465-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2888-704-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/3036-88-0x0000000001E10000-0x0000000001E18000-memory.dmp

Filesize
32KB

Download