dcrat | 3234d3a460e83d91445fecb02710a9bcfe3365019ccb66ec68ee45f94537bed3

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 01:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3234d3a460e83d91445fecb02710a9bcfe3365019ccb66ec68ee45f94537bed3.exe
Size

1.3MB
MD5

25615b21221a4b853d8352f1a25cabc2
SHA1

313a306fe89d3a01d486d09ec60b4752976d4833
SHA256

3234d3a460e83d91445fecb02710a9bcfe3365019ccb66ec68ee45f94537bed3
SHA512

cb7cdac5f31afe619441d24b129d0a0919c0e202baab1246cc2ec1644177f65b28fcb06b45c1ab844b32ad1b433cd8eee825246434fe45ac23482797c554df9e
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2852	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2748	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3064	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1728	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1952	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3028	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	2820	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2820	schtasks.exe	35

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00060000000186d9-11.dat	dcrat
behavioral1/memory/2860-13-0x0000000000300000-0x0000000000410000-memory.dmp	dcrat
behavioral1/memory/2440-108-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/1016-286-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/764-642-0x00000000011A0000-0x00000000012B0000-memory.dmp	dcrat
behavioral1/memory/2844-702-0x0000000000190000-0x00000000002A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1452	powershell.exe
1508	powershell.exe
1500	powershell.exe
276	powershell.exe
2264	powershell.exe
1816	powershell.exe
1388	powershell.exe
236	powershell.exe
2580	powershell.exe
2280	powershell.exe
1716	powershell.exe
1568	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2860	DllCommonsvc.exe
2440	spoolsv.exe
1044	spoolsv.exe
1824	spoolsv.exe
1016	spoolsv.exe
2008	spoolsv.exe
2020	spoolsv.exe
1508	spoolsv.exe
3004	spoolsv.exe
2936	spoolsv.exe
764	spoolsv.exe
2844	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
880	cmd.exe
880	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
16	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Windows directory 7 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Performance\WinSAT\DataStore\System.exe	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Windows\Help\Windows\de-DE\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Help\Windows\de-DE\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Web\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Web\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Performance\WinSAT\DataStore\System.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3234d3a460e83d91445fecb02710a9bcfe3365019ccb66ec68ee45f94537bed3.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2668	schtasks.exe
2748	schtasks.exe
2728	schtasks.exe
2688	schtasks.exe
3012	schtasks.exe
3028	schtasks.exe
2792	schtasks.exe
2028	schtasks.exe
2908	schtasks.exe
1636	schtasks.exe
3040	schtasks.exe
2684	schtasks.exe
1728	schtasks.exe
3060	schtasks.exe
2160	schtasks.exe
1176	schtasks.exe
2708	schtasks.exe
2852	schtasks.exe
2940	schtasks.exe
2984	schtasks.exe
2008	schtasks.exe
1984	schtasks.exe
2164	schtasks.exe
448	schtasks.exe
1444	schtasks.exe
596	schtasks.exe
3064	schtasks.exe
1952	schtasks.exe
2432	schtasks.exe
1120	schtasks.exe
2544	schtasks.exe
1988	schtasks.exe
1792	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2860	DllCommonsvc.exe
2860	DllCommonsvc.exe
2860	DllCommonsvc.exe
2580	powershell.exe
1452	powershell.exe
1500	powershell.exe
2280	powershell.exe
1568	powershell.exe
1388	powershell.exe
1816	powershell.exe
2264	powershell.exe
236	powershell.exe
1716	powershell.exe
1508	powershell.exe
276	powershell.exe
2440	spoolsv.exe
1044	spoolsv.exe
1824	spoolsv.exe
1016	spoolsv.exe
2008	spoolsv.exe
2020	spoolsv.exe
1508	spoolsv.exe
3004	spoolsv.exe
2936	spoolsv.exe
764	spoolsv.exe
2844	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2860	DllCommonsvc.exe
Token: SeDebugPrivilege	2580	powershell.exe
Token: SeDebugPrivilege	1452	powershell.exe
Token: SeDebugPrivilege	1500	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1568	powershell.exe
Token: SeDebugPrivilege	1388	powershell.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	236	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	276	powershell.exe
Token: SeDebugPrivilege	2440	spoolsv.exe
Token: SeDebugPrivilege	1044	spoolsv.exe
Token: SeDebugPrivilege	1824	spoolsv.exe
Token: SeDebugPrivilege	1016	spoolsv.exe
Token: SeDebugPrivilege	2008	spoolsv.exe
Token: SeDebugPrivilege	2020	spoolsv.exe
Token: SeDebugPrivilege	1508	spoolsv.exe
Token: SeDebugPrivilege	3004	spoolsv.exe
Token: SeDebugPrivilege	2936	spoolsv.exe
Token: SeDebugPrivilege	764	spoolsv.exe
Token: SeDebugPrivilege	2844	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2284 wrote to memory of 740	2284	JaffaCakes118_3234d3a460e83d91445fecb02710a9bcfe3365019ccb66ec68ee45f94537bed3.exe	30
PID 2284 wrote to memory of 740	2284	JaffaCakes118_3234d3a460e83d91445fecb02710a9bcfe3365019ccb66ec68ee45f94537bed3.exe	30
PID 2284 wrote to memory of 740	2284	JaffaCakes118_3234d3a460e83d91445fecb02710a9bcfe3365019ccb66ec68ee45f94537bed3.exe	30
PID 2284 wrote to memory of 740	2284	JaffaCakes118_3234d3a460e83d91445fecb02710a9bcfe3365019ccb66ec68ee45f94537bed3.exe	30
PID 740 wrote to memory of 880	740	WScript.exe	32
PID 740 wrote to memory of 880	740	WScript.exe	32
PID 740 wrote to memory of 880	740	WScript.exe	32
PID 740 wrote to memory of 880	740	WScript.exe	32
PID 880 wrote to memory of 2860	880	cmd.exe	34
PID 880 wrote to memory of 2860	880	cmd.exe	34
PID 880 wrote to memory of 2860	880	cmd.exe	34
PID 880 wrote to memory of 2860	880	cmd.exe	34
PID 2860 wrote to memory of 236	2860	DllCommonsvc.exe	69
PID 2860 wrote to memory of 236	2860	DllCommonsvc.exe	69
PID 2860 wrote to memory of 236	2860	DllCommonsvc.exe	69
PID 2860 wrote to memory of 1508	2860	DllCommonsvc.exe	70
PID 2860 wrote to memory of 1508	2860	DllCommonsvc.exe	70
PID 2860 wrote to memory of 1508	2860	DllCommonsvc.exe	70
PID 2860 wrote to memory of 1388	2860	DllCommonsvc.exe	71
PID 2860 wrote to memory of 1388	2860	DllCommonsvc.exe	71
PID 2860 wrote to memory of 1388	2860	DllCommonsvc.exe	71
PID 2860 wrote to memory of 1500	2860	DllCommonsvc.exe	72
PID 2860 wrote to memory of 1500	2860	DllCommonsvc.exe	72
PID 2860 wrote to memory of 1500	2860	DllCommonsvc.exe	72
PID 2860 wrote to memory of 1568	2860	DllCommonsvc.exe	73
PID 2860 wrote to memory of 1568	2860	DllCommonsvc.exe	73
PID 2860 wrote to memory of 1568	2860	DllCommonsvc.exe	73
PID 2860 wrote to memory of 276	2860	DllCommonsvc.exe	74
PID 2860 wrote to memory of 276	2860	DllCommonsvc.exe	74
PID 2860 wrote to memory of 276	2860	DllCommonsvc.exe	74
PID 2860 wrote to memory of 2264	2860	DllCommonsvc.exe	75
PID 2860 wrote to memory of 2264	2860	DllCommonsvc.exe	75
PID 2860 wrote to memory of 2264	2860	DllCommonsvc.exe	75
PID 2860 wrote to memory of 2580	2860	DllCommonsvc.exe	77
PID 2860 wrote to memory of 2580	2860	DllCommonsvc.exe	77
PID 2860 wrote to memory of 2580	2860	DllCommonsvc.exe	77
PID 2860 wrote to memory of 1452	2860	DllCommonsvc.exe	78
PID 2860 wrote to memory of 1452	2860	DllCommonsvc.exe	78
PID 2860 wrote to memory of 1452	2860	DllCommonsvc.exe	78
PID 2860 wrote to memory of 1816	2860	DllCommonsvc.exe	80
PID 2860 wrote to memory of 1816	2860	DllCommonsvc.exe	80
PID 2860 wrote to memory of 1816	2860	DllCommonsvc.exe	80
PID 2860 wrote to memory of 1716	2860	DllCommonsvc.exe	81
PID 2860 wrote to memory of 1716	2860	DllCommonsvc.exe	81
PID 2860 wrote to memory of 1716	2860	DllCommonsvc.exe	81
PID 2860 wrote to memory of 2280	2860	DllCommonsvc.exe	83
PID 2860 wrote to memory of 2280	2860	DllCommonsvc.exe	83
PID 2860 wrote to memory of 2280	2860	DllCommonsvc.exe	83
PID 2860 wrote to memory of 1504	2860	DllCommonsvc.exe	93
PID 2860 wrote to memory of 1504	2860	DllCommonsvc.exe	93
PID 2860 wrote to memory of 1504	2860	DllCommonsvc.exe	93
PID 1504 wrote to memory of 2380	1504	cmd.exe	95
PID 1504 wrote to memory of 2380	1504	cmd.exe	95
PID 1504 wrote to memory of 2380	1504	cmd.exe	95
PID 1504 wrote to memory of 2440	1504	cmd.exe	96
PID 1504 wrote to memory of 2440	1504	cmd.exe	96
PID 1504 wrote to memory of 2440	1504	cmd.exe	96
PID 2440 wrote to memory of 1892	2440	spoolsv.exe	97
PID 2440 wrote to memory of 1892	2440	spoolsv.exe	97
PID 2440 wrote to memory of 1892	2440	spoolsv.exe	97
PID 1892 wrote to memory of 3024	1892	cmd.exe	99
PID 1892 wrote to memory of 3024	1892	cmd.exe	99
PID 1892 wrote to memory of 3024	1892	cmd.exe	99
PID 1892 wrote to memory of 1044	1892	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3234d3a460e83d91445fecb02710a9bcfe3365019ccb66ec68ee45f94537bed3.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3234d3a460e83d91445fecb02710a9bcfe3365019ccb66ec68ee45f94537bed3.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2284
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:740
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:880
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Performance\WinSAT\DataStore\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\9.0\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1568
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Links\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Windows\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1452
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xRMN4hRwKB.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1504
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2380
      - C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:3024
        
        C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
        9⤵
        
        PID:1716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2728
        
        C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat"
        11⤵
        
        PID:1708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:3020
        
        C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat"
        13⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1068
        
        C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat"
        15⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2920
        
        C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
        17⤵
        
        PID:1100
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:760
        
        C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat"
        19⤵
        
        PID:2380
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1480
        
        C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        21⤵
        
        PID:2264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2424
        
        C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat"
        23⤵
        
        PID:1960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2396
        
        C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat"
        25⤵
        
        PID:2768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1988
        
        C:\Users\Admin\Links\spoolsv.exe
        
        "C:\Users\Admin\Links\spoolsv.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Windows\Performance\WinSAT\DataStore\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Users\All Users\Adobe\Acrobat\9.0\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\Links\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Links\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Links\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Windows\Help\Windows\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Windows\Help\Windows\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Windows\Web\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Web\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\Web\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ea61f7f28f600f3e56e188e5b75b10f1

SHA1
9eacd64c3c1514c761bf52569d300acdd7092a31

SHA256
32f1ffacce90de86c619bfbc82b9f104576e1783fdbd6e30231acd4b2140a926

SHA512
5a900c9356cb899b3ef7e93beca905e46b08d6f00501822e60ececba562c4494bb7925c84b23a41745804059e2a531ba7278b34aa97a3bf9f1b9b0260b7c1402

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e8131c5270ed7a837d5054b2efd8e76d

SHA1
79d17238f2a869479bc914c3f41bd1a62c538d90

SHA256
b45eebb5259685ad5219731026cbba8589d20b2e8352b39f4ff4775d85c644af

SHA512
9181eb37fab7d6cd544c96040433f815a2c7bcf5ab14f3c129df2a67e157b39d8caa8f71be5cdd0574e0b8b2ac425fc19a4673d2cfa1e967d345ad9de411467d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3ee6f8d59d7f0eec73526d970f44eb9

SHA1
d67b73f4b1be5a640cb1271b01eb657206f63072

SHA256
dfc4da8978ec72f0cd2408cbe2babc43df7eac777ed0d725abb2c79bf7700d00

SHA512
7c2e1dfecec1efd1885d3b75605b15d7d95eb929b94e36bd0be05131e64b082766d27af57dd278e98d5beaf279c675c2eb59d687af196b3b740984c86dfdb6eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fb0723e0e4c7fd64616e513e7ab02310

SHA1
62b8de0032623ae1e939c81f7d5676dd99ff6947

SHA256
cec5f64a9da4a4a23a32588d8914128916495c448930b7e89f0477135355cb9e

SHA512
cc9034da63e9ac334278d4cf4f86d5ecfb4f77b67581571c35dca0b53737f6eb0c5dd06796b8cd55c560514435a718aff2ad74b3ae505741af040246d6a77ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4b0c255d8cf13a52d02457e1504f1c0e

SHA1
418e294ebeba3118cf384dabc496d76f3644d312

SHA256
2385d11d881b3d9f09c1d10e5a69185e523410495161f097ac55d72d7495a360

SHA512
bbf4e7439f4957f998447df4202ef9ab6352f64fdd50a002326323e5d24a2ec67a9dac7bb03b3cd610235a30c74fea459d1b9c2f77101ca4b4544d15f7145f1a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3404264888b03dd77439bb37f045a40d

SHA1
803e7c75b64bc066eaaf90faae081e522ca30d48

SHA256
637fef631460f11c699fb8f4eef6eaae8eb886bd1874d3f7f775445ab81b1b36

SHA512
4d274527a39b10b263015135064430a2473890a30297b43975f0905e9bccf2b508e42a873ecdb09ada98da04ce6304a45cbbad043ab36edb55591c10de115029

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ec0e3e1903fe692665cf7c56bf1b568

SHA1
d56d8e354c4e63dd0c2458767eb36aa4e34d1f7b

SHA256
a9cc24d4836c94a8b3bff85c3aac3bacbff86232db056c28c48de0d0744eb1f3

SHA512
62f2c657c336b19e85d67a838726e4fd56399fa0364901192b41282ac6a670f82d1a28f851f3d9c38955e6e906030c0b9ac74b03e96260b3a52b4764cc3156af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0e187f8caff3eef7ba1e9f085a0a9291

SHA1
98a3290e0f6bb7d49ab5c49ebf4744db03562be6

SHA256
590c773a5a1afa7200809660dff977b8c780b7f02703a7279666fbae0cf6f693

SHA512
6b0d53666e59e760e8e5b6a01b43b14919b694ddeb87adb61bc3eaa4f3839a40f863df30a5a0f7d78aab3d25392745af3b76ed6cf3055bd127acfbd5a8242fb2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3cdac35ae67d249676a67ca1715107d

SHA1
794018f51f99ac14da9e313b5606705623d48df6

SHA256
84c4f7542366e2de843b9769d2535a0297f5cae1c80a2d3c58dcd51385c4d599

SHA512
083a01e5cf73a758fe22814c08d4e87fdb936b87432a6a84bcf59ffd8afa9f8f68a2cca9cee93f715a1dd9a4e5479ec4774a899e3c1255ca21605fd377893b5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1CD6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GUMorhJGzB.bat

Filesize
197B

MD5
4c167fa06f201b29c9f89f707ada20b1

SHA1
0f6bd4bbda8532533f679554e96caf9f14e64500

SHA256
e75aebc458f58923da35ea43997c64bf880437ae4eaf3b6abc99f96a8b2f3690

SHA512
4bce3425691e43fe5864131d9a90ffdc4abad6ffafc7a2e076d286b64c672d12dc6b65fc4f3a8d19446615f3d3a62ef90d3a3cfb2c419ab3b0033c7d6513ed7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TGRMrapfWg.bat

Filesize
197B

MD5
52d01c97350e1e446ec5f093fa688c87

SHA1
90e4f5c3b125bfe6c796e6d4cd4bf4fcea66a801

SHA256
46c3f1bf271911577669f72f622e657507cda335df87e811ce05677a4ae9f519

SHA512
81d89b0f05a400c3e0df61feb450769eddac358ec4a48bedbaa7826967f2dea12288d73f789801fd471cb824b832a738ef678ccee2a479c833002bd9d7d8e32f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1D07.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\b7oBPqXqtO.bat

Filesize
197B

MD5
0bbad9152320e64d6402cc956ad98852

SHA1
8cb788047cbe71d3ec5a9fb56dbcdef15505ca5d

SHA256
c861f499c399a6b3d9e6d4eab66d8f44057469e03313185ed973d2249f05f76d

SHA512
f82e553eaf2c151ceabdb136dd3d06711beda858cd76965880664758a41e20f6639e8f6bafc496eb8f7a7a31af050107da665fe068d77cf7d4e205c8b921d8e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
197B

MD5
16110ef00cfe52eacadf3f746a932e27

SHA1
3d7656fb50eb8d052b09e2827c506cc5a1331dcd

SHA256
56a272b965c4fa5c2cb492507135a30a2741ed7907dfbef2eb34008693e37f8d

SHA512
39b912d010937b97a8486c93e68d848e51e2769f54da507f8829c423f304ab5899abaa1a47330fa5e21b424e0c0cc67ec0a1012b826af555c45f2122ba50814b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hlBWXN5z7R.bat

Filesize
197B

MD5
deab7c1fe03f1465db94ecf179a018b5

SHA1
1ab7672d8970fd4fda8fed5684cb8546b190e0eb

SHA256
1f66e5c7d1be82c3ca504d9e91cdedb9e9e4041edb328f5e8fd46b73dea84577

SHA512
5308c9ef8f35cdb178326eaa8b6e6a5a50dbec57beb506a75b0b5f5bf89089c8cf7ccdf8389dca3fa3d600b5f2cb99d9024deed301b05d04742f9ba7077678da

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5VZ5DKdOS.bat

Filesize
197B

MD5
39e4875bd40d0e8e73d825ba4495f3e6

SHA1
ea8ff99b350c6daef72b09e6c2915aa0f86b580b

SHA256
6c91bf67a067bc90202977a8b96256a5cb91a3c0bbabf590a5dfa6331e64146e

SHA512
deeb654dff1f8ea2c3146455762735fe3744ae9a703a552024d70376cfd9c120b3616bd03c222a3ee19bb5abc5df09eb7037f0cef0d40195475fef7df5af222b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

Filesize
197B

MD5
d7ce8a8d29db852780ed7be488baa5e0

SHA1
4a08e2b28c4430b44c2dbec0ae26d17b7e81b520

SHA256
d59ffa9b48830848565d5721fdb5a748e6124dd839cb700764342dfffe665c15

SHA512
91aad9f9f44c2cd78597c0f38427e3e9e6484ef0837eb43d047e2cd17370261e88a42e18d4da9885ee31fcdacfdc4ab8defd6deed8056c7b58da14f1a9a26305

Download Submit
C:\Users\Admin\AppData\Local\Temp\mMyBvdYgq2.bat

Filesize
197B

MD5
32cb398e779799da14bd38d0c5614c5d

SHA1
cc793b27758b977d37a9150d20a9b10149cc2b77

SHA256
757c70c360d8efa11028e65035469262b2e192105de418f4f83e897b4cc4a8d4

SHA512
16737ce20bab637c762b387a0ad198dbf8678f3be6b95985b15d98aad791cf71fcd9e1619c5a02a0327be85a453a620188734563c72aaf6299423aaa5f4967ce

Download Submit
C:\Users\Admin\AppData\Local\Temp\srJhtCwLGi.bat

Filesize
197B

MD5
9373d3aaa56a4e6597a568a23a42c27e

SHA1
cf6d0b267b87aba36fe9c0eac20810af69e27293

SHA256
7fc4d9eeb927fdc2d6fda98cb052b2c11255fb71fd2c0ec125162a38bf380e05

SHA512
8a2ff8617010f192d1b558f9051fc3869d41018120cd320fe59fd204cd90eb45c14c8cfc8505ae01950ecb2c9e912eae7fae91294c0763b9ab6b4a1cb518f34d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

Filesize
197B

MD5
694114fe2db980b5e22802d18ab46251

SHA1
fb5de851292ba88f030e6dfef37e91ee45d888f8

SHA256
1bb5683a93028a2710fbd709ae4371ea1a5378956299627fd622d7fb23e612e5

SHA512
3cd869aed7d4c4e9fc3caa877379ee5d5d04798428e8e9c3f237e024396928bff181478aafefa6e2b3448898fd46bc2d72717bef653f898b4fc2dca684807b62

Download Submit
C:\Users\Admin\AppData\Local\Temp\xRMN4hRwKB.bat

Filesize
197B

MD5
ee00b801a1f30e3377d76d68cab72507

SHA1
3bfbed863e667a22e3a9022b373b0719d795f6d3

SHA256
5cec718fbc0d4413dad312449981cd13563e1a2bd25cb8199de2724fe8b51b51

SHA512
6447cde12f14ba5b799d71bec8d8fff62d4ebd22b23da8aebb4329283392d7621d48d366729fcc8ecbd3fdf6f2d9889bfc224e7f8951104ed818017130119f59

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bd1e689985d77558289bda90271b6a3c

SHA1
be4ffdb75865c783d5f6ededa0678b3b2f114403

SHA256
2f6753957585b214803978b2da996097126d544e480a8fdae9e53ee066b254fb

SHA512
f6f0b16f4ef390da6cd29c7f67ab8f73d3a5a5c4406bccec9c7c392df0feb83cfb6f2a8eae4aa3346a3c3526efdb65957b6ee10b83ddff22996fead94d105cd6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/764-642-0x00000000011A0000-0x00000000012B0000-memory.dmp

Filesize
1.1MB

Download
memory/1016-286-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/1044-167-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/1388-61-0x000000001B570000-0x000000001B852000-memory.dmp

Filesize
2.9MB

Download
memory/2020-405-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2440-108-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2580-75-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/2844-702-0x0000000000190000-0x00000000002A0000-memory.dmp

Filesize
1.1MB

Download
memory/2860-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2860-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2860-13-0x0000000000300000-0x0000000000410000-memory.dmp

Filesize
1.1MB

Download
memory/2860-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2860-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download