dcrat | 71a2ba45bdf15219261d9024be70cab37b8b384a6eca41e5ce208fac3ad50f8c

Analysis

max time kernel
150s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_71a2ba45bdf15219261d9024be70cab37b8b384a6eca41e5ce208fac3ad50f8c.exe
Size

1.3MB
MD5

c988e67084a5b693a453477f97047f9c
SHA1

035aa481a2d93a457b72519a79df45429c1caa33
SHA256

71a2ba45bdf15219261d9024be70cab37b8b384a6eca41e5ce208fac3ad50f8c
SHA512

63f6b26ad83cb37a6c65b304fff65c5c5184708f96a946f40598f71f1271a81c8d98ae224bf9f345ab42f9e36950eeda17237ca51ddbea2204254f9b13020808
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	808	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	496	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2932	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	288	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	552	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1856	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2272	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2272	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186f8-9.dat	dcrat
behavioral1/memory/1784-13-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/1148-67-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/2788-166-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/2112-226-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/2092-286-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2612-584-0x00000000012B0000-0x00000000013C0000-memory.dmp	dcrat
behavioral1/memory/1492-644-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/548-704-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
788	powershell.exe
1988	powershell.exe
2356	powershell.exe
2224	powershell.exe
2220	powershell.exe
1544	powershell.exe
2236	powershell.exe
1668	powershell.exe
956	powershell.exe
1632	powershell.exe
892	powershell.exe
1624	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1784	DllCommonsvc.exe
1148	sppsvc.exe
2788	sppsvc.exe
2112	sppsvc.exe
2092	sppsvc.exe
2520	sppsvc.exe
2620	sppsvc.exe
1656	sppsvc.exe
2424	sppsvc.exe
2612	sppsvc.exe
1492	sppsvc.exe
548	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2844	cmd.exe
2844	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\75a57c1bdf437c	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsass.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ModemLogs\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\ModemLogs\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_71a2ba45bdf15219261d9024be70cab37b8b384a6eca41e5ce208fac3ad50f8c.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2000	schtasks.exe
1188	schtasks.exe
2660	schtasks.exe
496	schtasks.exe
2600	schtasks.exe
2928	schtasks.exe
2596	schtasks.exe
2624	schtasks.exe
2996	schtasks.exe
856	schtasks.exe
1548	schtasks.exe
1072	schtasks.exe
2112	schtasks.exe
1320	schtasks.exe
1396	schtasks.exe
2924	schtasks.exe
2880	schtasks.exe
2580	schtasks.exe
808	schtasks.exe
552	schtasks.exe
3032	schtasks.exe
1276	schtasks.exe
288	schtasks.exe
1856	schtasks.exe
1944	schtasks.exe
2932	schtasks.exe
1956	schtasks.exe
2828	schtasks.exe
2732	schtasks.exe
2420	schtasks.exe
1800	schtasks.exe
2548	schtasks.exe
1976	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 10 IoCs

pid	Process
2788	sppsvc.exe
2112	sppsvc.exe
2092	sppsvc.exe
2520	sppsvc.exe
2620	sppsvc.exe
1656	sppsvc.exe
2424	sppsvc.exe
2612	sppsvc.exe
1492	sppsvc.exe
548	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
1784	DllCommonsvc.exe
1784	DllCommonsvc.exe
1784	DllCommonsvc.exe
1784	DllCommonsvc.exe
1784	DllCommonsvc.exe
1784	DllCommonsvc.exe
1784	DllCommonsvc.exe
1988	powershell.exe
1632	powershell.exe
956	powershell.exe
2224	powershell.exe
2220	powershell.exe
788	powershell.exe
892	powershell.exe
1624	powershell.exe
1668	powershell.exe
1544	powershell.exe
2356	powershell.exe
2236	powershell.exe
1148	sppsvc.exe
2788	sppsvc.exe
2112	sppsvc.exe
2092	sppsvc.exe
2520	sppsvc.exe
2620	sppsvc.exe
1656	sppsvc.exe
2424	sppsvc.exe
2612	sppsvc.exe
1492	sppsvc.exe
548	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1784	DllCommonsvc.exe
Token: SeDebugPrivilege	1988	powershell.exe
Token: SeDebugPrivilege	1632	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	2224	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	2356	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	1148	sppsvc.exe
Token: SeDebugPrivilege	2788	sppsvc.exe
Token: SeDebugPrivilege	2112	sppsvc.exe
Token: SeDebugPrivilege	2092	sppsvc.exe
Token: SeDebugPrivilege	2520	sppsvc.exe
Token: SeDebugPrivilege	2620	sppsvc.exe
Token: SeDebugPrivilege	1656	sppsvc.exe
Token: SeDebugPrivilege	2424	sppsvc.exe
Token: SeDebugPrivilege	2612	sppsvc.exe
Token: SeDebugPrivilege	1492	sppsvc.exe
Token: SeDebugPrivilege	548	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2172 wrote to memory of 1480	2172	JaffaCakes118_71a2ba45bdf15219261d9024be70cab37b8b384a6eca41e5ce208fac3ad50f8c.exe	31
PID 2172 wrote to memory of 1480	2172	JaffaCakes118_71a2ba45bdf15219261d9024be70cab37b8b384a6eca41e5ce208fac3ad50f8c.exe	31
PID 2172 wrote to memory of 1480	2172	JaffaCakes118_71a2ba45bdf15219261d9024be70cab37b8b384a6eca41e5ce208fac3ad50f8c.exe	31
PID 2172 wrote to memory of 1480	2172	JaffaCakes118_71a2ba45bdf15219261d9024be70cab37b8b384a6eca41e5ce208fac3ad50f8c.exe	31
PID 1480 wrote to memory of 2844	1480	WScript.exe	32
PID 1480 wrote to memory of 2844	1480	WScript.exe	32
PID 1480 wrote to memory of 2844	1480	WScript.exe	32
PID 1480 wrote to memory of 2844	1480	WScript.exe	32
PID 2844 wrote to memory of 1784	2844	cmd.exe	34
PID 2844 wrote to memory of 1784	2844	cmd.exe	34
PID 2844 wrote to memory of 1784	2844	cmd.exe	34
PID 2844 wrote to memory of 1784	2844	cmd.exe	34
PID 1784 wrote to memory of 1988	1784	DllCommonsvc.exe	69
PID 1784 wrote to memory of 1988	1784	DllCommonsvc.exe	69
PID 1784 wrote to memory of 1988	1784	DllCommonsvc.exe	69
PID 1784 wrote to memory of 2356	1784	DllCommonsvc.exe	70
PID 1784 wrote to memory of 2356	1784	DllCommonsvc.exe	70
PID 1784 wrote to memory of 2356	1784	DllCommonsvc.exe	70
PID 1784 wrote to memory of 2224	1784	DllCommonsvc.exe	72
PID 1784 wrote to memory of 2224	1784	DllCommonsvc.exe	72
PID 1784 wrote to memory of 2224	1784	DllCommonsvc.exe	72
PID 1784 wrote to memory of 1632	1784	DllCommonsvc.exe	73
PID 1784 wrote to memory of 1632	1784	DllCommonsvc.exe	73
PID 1784 wrote to memory of 1632	1784	DllCommonsvc.exe	73
PID 1784 wrote to memory of 892	1784	DllCommonsvc.exe	74
PID 1784 wrote to memory of 892	1784	DllCommonsvc.exe	74
PID 1784 wrote to memory of 892	1784	DllCommonsvc.exe	74
PID 1784 wrote to memory of 956	1784	DllCommonsvc.exe	76
PID 1784 wrote to memory of 956	1784	DllCommonsvc.exe	76
PID 1784 wrote to memory of 956	1784	DllCommonsvc.exe	76
PID 1784 wrote to memory of 1624	1784	DllCommonsvc.exe	78
PID 1784 wrote to memory of 1624	1784	DllCommonsvc.exe	78
PID 1784 wrote to memory of 1624	1784	DllCommonsvc.exe	78
PID 1784 wrote to memory of 788	1784	DllCommonsvc.exe	79
PID 1784 wrote to memory of 788	1784	DllCommonsvc.exe	79
PID 1784 wrote to memory of 788	1784	DllCommonsvc.exe	79
PID 1784 wrote to memory of 1668	1784	DllCommonsvc.exe	80
PID 1784 wrote to memory of 1668	1784	DllCommonsvc.exe	80
PID 1784 wrote to memory of 1668	1784	DllCommonsvc.exe	80
PID 1784 wrote to memory of 2236	1784	DllCommonsvc.exe	81
PID 1784 wrote to memory of 2236	1784	DllCommonsvc.exe	81
PID 1784 wrote to memory of 2236	1784	DllCommonsvc.exe	81
PID 1784 wrote to memory of 1544	1784	DllCommonsvc.exe	82
PID 1784 wrote to memory of 1544	1784	DllCommonsvc.exe	82
PID 1784 wrote to memory of 1544	1784	DllCommonsvc.exe	82
PID 1784 wrote to memory of 2220	1784	DllCommonsvc.exe	83
PID 1784 wrote to memory of 2220	1784	DllCommonsvc.exe	83
PID 1784 wrote to memory of 2220	1784	DllCommonsvc.exe	83
PID 1784 wrote to memory of 1148	1784	DllCommonsvc.exe	93
PID 1784 wrote to memory of 1148	1784	DllCommonsvc.exe	93
PID 1784 wrote to memory of 1148	1784	DllCommonsvc.exe	93
PID 1784 wrote to memory of 1148	1784	DllCommonsvc.exe	93
PID 1784 wrote to memory of 1148	1784	DllCommonsvc.exe	93
PID 1148 wrote to memory of 2604	1148	sppsvc.exe	94
PID 1148 wrote to memory of 2604	1148	sppsvc.exe	94
PID 1148 wrote to memory of 2604	1148	sppsvc.exe	94
PID 2604 wrote to memory of 2444	2604	cmd.exe	96
PID 2604 wrote to memory of 2444	2604	cmd.exe	96
PID 2604 wrote to memory of 2444	2604	cmd.exe	96
PID 2604 wrote to memory of 2788	2604	cmd.exe	97
PID 2604 wrote to memory of 2788	2604	cmd.exe	97
PID 2604 wrote to memory of 2788	2604	cmd.exe	97
PID 2604 wrote to memory of 2788	2604	cmd.exe	97
PID 2604 wrote to memory of 2788	2604	cmd.exe	97

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71a2ba45bdf15219261d9024be70cab37b8b384a6eca41e5ce208fac3ad50f8c.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71a2ba45bdf15219261d9024be70cab37b8b384a6eca41e5ce208fac3ad50f8c.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2172
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1480
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2356
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ModemLogs\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Videos\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1148
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2444
        
        C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat"
        8⤵
        
        PID:2932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2440
        
        C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2112
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        10⤵
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2668
        
        C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat"
        12⤵
        
        PID:2848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2892
        
        C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat"
        14⤵
        
        PID:1872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:756
        
        C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2620
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        16⤵
        
        PID:1796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1916
        
        C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat"
        18⤵
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:928
        
        C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat"
        20⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1104
        
        C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        22⤵
        
        PID:2184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3052
        
        C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        24⤵
        
        PID:3008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1188
        
        C:\Windows\ModemLogs\sppsvc.exe
        
        "C:\Windows\ModemLogs\sppsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\ModemLogs\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 14 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Program Files\Microsoft Office\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Users\Default\Videos\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default\Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Videos\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 10 /tr "'C:\Program Files\Uninstall Information\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 5 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 9 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\18fc4542-69f6-11ef-a46c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea6adf50dbf50993092b68b068541d71

SHA1
a0caf48f0d0e3873ca8e4f005f9ae81f17f696e6

SHA256
ae4464a493be34cb6c657b8c1d4f27d202115029b564c8d44dd9f6e2c8c2afbb

SHA512
c6c2b2dc5c265c5556e49fa7eefa5bd2de4e532bfc9b02a49ef1cff051e3ba82857c7479a5ef259e66d8d89efee926f889f92b5ea87bee37a8058894cae743a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
098ccb277cec7e48fd1cf9647eafabd1

SHA1
0693de85c902e7ce870663c62b71553f6b58ba15

SHA256
75258541724b378c66f7fbd150869e5e5fec688834a0a32276ba515f0d225631

SHA512
3229675e434fdcc46f8174d1ef328475e6be5bcf519c2aefe2c847ff8b14f13c328530c4279781e1cf610c3787498bcd49c434cc61e46255adcfe8b9081b4567

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fff89741276f8e83c1ae618ba31d5434

SHA1
a4f3c06ed8f9e4b30a93f292b4c95f2a5d843710

SHA256
70667c37cc79d384200157f1d6e80a42397a838c73e1b72e9606e9a34fdf4a54

SHA512
87eee9970ea9fbe02c412e00300fc37df6902a29d8297423a8f3d715c1c0fd1ed6d658d3e3ef4ce1a92b3f27025254217223ace50488f54c35c59b5433bde370

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3fd7bc50a5d9a42f9fe076f4b558c273

SHA1
692d95b396fd44e99b8752c2d4daefe33e18491c

SHA256
803e94caa9edb0aa91ec946860688dd457d6a5d92118228b5d74462fdd672e76

SHA512
74ae2a88ab4705f25351ea45f5b4fdf6e81293243a7d263409d352dcd146a6c60c1fc0d73ef832f3f48670ee9cf92280bc780811e9c12270e0d0a5fb8f6bc464

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
397493f4add8598a34d0f966c405ef16

SHA1
989d7cf19d16efa1765aa24e22f26f559d6e1412

SHA256
8db6067dcde4505b52ba16c465fa2fbec07af7e53e83a410164717c130e11641

SHA512
418a414bf267f2aabe31b0d23165be8c19113f604242ea9585e9ddd5a7e53d1b1118868e11d1ef910661c4315b93ea4bf8586bd252b3cbd55d72a8ac9bb859d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71a075970e880f6813fa6df001097aad

SHA1
9521808fd70dc759d3fc84ced8d11bf0cbe7a429

SHA256
1b10d94550b4ec03342e7f56b3d351325893ec4ade3cb2c2820e8eb41ebf69db

SHA512
11ffcb6576146e5ded8d4f6c6b17c875df3645fb633564c2d0bb646ab2820b26d545955e5a60c1df4b1284030a8f564fae9872f319f4200c447d43b20cca50a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3d7cbe52f18053eff8364bd5292c4edc

SHA1
da2321224134efba446946d1f90eff85bcf8c745

SHA256
38637decbd8d880ec7e08a65face43eab67f720a9f06506925e15b98a813944e

SHA512
b12d433e8a19b46c9c2763972381b16a66938bdf1be4b31ffb28f7dba851e691c951c8e906e6513e88ebb46a04580ddba73a4862d70ea5a9b3ff5a65cba03cd4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6be529438da70a9230dfbb0fafb6df9c

SHA1
4d76c63a212edc077c80fb3f171276ed0c6e615e

SHA256
8c678db223ece750896b1f4cdc2c5daa97a7db9e0e462c245ecfc9d036a8b72f

SHA512
3a64e96425d625ae9943444955ee4302938100a0e955ea209e7aac5aecfe525140ba0310fbdf1bb009c51f8f35cf7757794bccf806f8c7c88be3263e716441b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2a42cc10c764ee3c8c8eb1ce793f51dd

SHA1
3624e9d972e06728730c1a68b9f3aa1faf200ca8

SHA256
d41d4a65b5558f19611c430cb886f6f33ed61aa75a5982d2298cae41707660b0

SHA512
0ad1a9d88e77e1208beeaae06e8373ac4f6a6ed06bf9710f5c093d859b57b33a50da88bc9f2b127c90e0c65fb3262d0795b52731cf61453604690fc69796b5a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec523d270f5c86d81409dc6181941722

SHA1
617214faa572d7b4028de96124df9581f9e99e0f

SHA256
a7d457cddefd4ebf480bd8cf882ea6f3c728d57b74de46c34fe7635a4f36d7a8

SHA512
e80706c69805c4a694fcf3b2b14dfd23a72feeefbba3641339f3b166b6447177d26e76508c75318ebad3cdcbbe2ed64dc6a1770b80a6b01661cc1ab7eb219ef9

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD4C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
196B

MD5
4bdb2afee0eba6161d1783c009a689e4

SHA1
b3803a87453b84bdecc72c71da0c73263c3883d3

SHA256
7257579bec1cadfd1b4efeb4d98ae28d0680dc2ca14994c78932dcd6c4b8572c

SHA512
f02b663c1d2a5f1234fd19a7aec873fdb0db76a7d58dfcd3423f7615bc6f6966e86ddfa48c324e0afb2f3ec1ee9ba10662b93d2b81757961a2e7899408340466

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
196B

MD5
4e8bd3cf1c2d7a1d96752283763879f7

SHA1
87f308933c64d4666386b6659af7435034e5fa40

SHA256
a62769ce63f7be2e25d3d8549d08de87732f7f7d3f45370bdf07a80b77231ca3

SHA512
2ebeff8267cbb921cd92e668203825ba226c9efd9628d208e99c7d9c0b9776f50df19d7867ae2a44866b3e9042aa089862938cd3bebb75685eb832b58f266398

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD5E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TiDn8Em9ri.bat

Filesize
196B

MD5
ff9da057d4a33f68db738cec595b1291

SHA1
54eea881ea8a16cda565a4eb2dbe5e88ab2b32ac

SHA256
ab8360783199650492a6495a2ebc2f8af53b983690906271d4bea10ac879e794

SHA512
7ff9dfb8b72fbff8f238a9bc9b6add64a6b7840940cd23464c915211fd960c14fa4445fcc86231b3c3de526da14d31f33a21f39ad2882d8b1105f42eb57f815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\UPAAmIRCFx.bat

Filesize
196B

MD5
c648d0ed94f8f6b535d8b452b087d921

SHA1
d2fdfca34b8d1662bbde30cbbcab314cd4817852

SHA256
111830ce036b7540a497045297d534e7fbaf25e45e7eb3286c58e0a4fbd919d5

SHA512
54875c132c28d8303f23bb89ffc683578ba3f41f3cba8313ffde33c0c431dfce09c8528f7e610521a6b61f4ec581b558dfee5a8d801e312ea542ca434155b472

Download Submit
C:\Users\Admin\AppData\Local\Temp\Wqkq749RcZ.bat

Filesize
196B

MD5
8321faa071475606191100041211869e

SHA1
4a54dafffc8e7db8e008ece4bc5fe815f98f7125

SHA256
cebc98241d345c7ea922ae4b6c7570921d7cd9c90986ae8e862b4f5d267ee026

SHA512
1af43b7b545758557b7ba9d0978bdb66b760d6ade8566f5a15ef611841e56f6c8ff93c942814b58f45a5306afad8be993eec162e646cd5e43b4ac01e8ec16eab

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
196B

MD5
58171b41ad2b2386db6dc10fd3ba6734

SHA1
c5241cda038d0469392049bdf26433be2761b0ad

SHA256
57aa853c06456dc3a98c75eacbd040b288fe82e7e801ccb0d5c482d8b7cdec30

SHA512
bc0443deb42018adb0e831e9517a3424cb14119a173138d82c49869e7e79b7d652651f5a3ae07f808d82782bd97e38343895abdfd774e837371fd02d8d311af4

Download Submit
C:\Users\Admin\AppData\Local\Temp\ktiZWDSHsI.bat

Filesize
196B

MD5
3d89635e5378b54d0e7f3c5d18391161

SHA1
c28bb8ea1c68ac8639a1816d2701ffd9f3572cbb

SHA256
2ba342a3570d0cab7a0d5134ec96a9c254f4fdd7614dcf31147e176a74434950

SHA512
26334c4176b1731e936e009310cab2a163d562fc898369b7474efc5d30e9782977fdb734471b6326659a5a4a5be17a93475316f0ed2505eef8f8d47f6f9bc5e2

Download Submit
C:\Users\Admin\AppData\Local\Temp\o0FbW2pZd9.bat

Filesize
196B

MD5
a28db151830734499f5d778d66574306

SHA1
ce9b30449fc5be5a40a68ff40f6e7b1458597cbd

SHA256
f640d4d1c640ed08a2438c2c4052ee78593d44fb79865187fb79515820976014

SHA512
aea77a31cae9beed298588c69d96cc607b77707e72191be5956a14f37e184a50abb4aa8b905577f5330bb84f31fdd73286e80d8679bcd179d1365a2e6dadb86a

Download Submit
C:\Users\Admin\AppData\Local\Temp\p8yPRkR6MR.bat

Filesize
196B

MD5
c2bcd26016c1f4336da38a86c337323e

SHA1
46e9f0fd88df7cfec9fe8a91bd2f08b35d689b62

SHA256
da94d99eb025edfed5d69b64e85991a8c4d6f83dd0d0248a21944effa2577f23

SHA512
71d860e504009195460603c18c9735e8a76b0ecbf2579b2b981615fd0d91163b21a60de0006c47b5519c7bf1fa42ee1ae40e2eac81816803e34c9289dbbf98d7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\I7FBI1SOKGIHK7MPX4X1.temp

Filesize
7KB

MD5
4ecf7270552c49cd47f04fa47bd09856

SHA1
21685a4ff61ab5a769eb1562d766f1653e342e56

SHA256
f1cc80e15141acfdc92ab80a910db8d72d43dc887a5b3cb02bb86748ba6b3f1f

SHA512
d050bab750f571b32959605959e47ac6ddb7fadb3f4164ec0fa61ba483141d513c3172a240f341654fb8fc3bd11ed8081dd96eec05963e09e9fa222ba1c93491

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/548-704-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/1148-67-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/1492-644-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/1632-60-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/1656-465-0x0000000000370000-0x0000000000382000-memory.dmp

Filesize
72KB

Download
memory/1784-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/1784-16-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/1784-15-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/1784-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1784-13-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/1988-61-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2092-286-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/2112-226-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2520-346-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2612-584-0x00000000012B0000-0x00000000013C0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-166-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download