dcrat | 997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7

Analysis

max time kernel
146s
max time network
142s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 03:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe
Size

1.3MB
MD5

74a561602ad435e4e531f35363dbe15a
SHA1

7b3bdc81ca994b3fb65262528ac020624ee768e9
SHA256

997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7
SHA512

cdefdbd76096bd95410c42868e3dea8b1ca71fe98909f8acaecd023594b12f73bd1602ad4decbbfb36da0b0ca69e9af52fb4cd5a4ed179603cb6208e4a278be5
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2452	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	800	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	320	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1284	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	952	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1448	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1480	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2392	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2708	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2708	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000018766-12.dat	dcrat
behavioral1/memory/3004-13-0x0000000000B60000-0x0000000000C70000-memory.dmp	dcrat
behavioral1/memory/2612-88-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/2764-233-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/284-293-0x0000000000B00000-0x0000000000C10000-memory.dmp	dcrat
behavioral1/memory/2968-412-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2676-473-0x0000000000F20000-0x0000000001030000-memory.dmp	dcrat
behavioral1/memory/2504-592-0x0000000001070000-0x0000000001180000-memory.dmp	dcrat
behavioral1/memory/1272-652-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2944	powershell.exe
1156	powershell.exe
2348	powershell.exe
2800	powershell.exe
2788	powershell.exe
2960	powershell.exe
2952	powershell.exe
2956	powershell.exe
2808	powershell.exe
2696	powershell.exe
2964	powershell.exe
2948	powershell.exe
2980	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
3004	DllCommonsvc.exe
2216	DllCommonsvc.exe
2612	conhost.exe
1420	conhost.exe
2764	conhost.exe
284	conhost.exe
2700	conhost.exe
2968	conhost.exe
2676	conhost.exe
2476	conhost.exe
2504	conhost.exe
1272	conhost.exe
904	conhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2492	cmd.exe
2492	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
36	raw.githubusercontent.com
5	raw.githubusercontent.com
19	raw.githubusercontent.com
22	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\Office14\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Microsoft Office\Office14\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\addins\services.exe	DllCommonsvc.exe
File created	C:\Windows\addins\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2820	schtasks.exe
2412	schtasks.exe
952	schtasks.exe
1480	schtasks.exe
3008	schtasks.exe
2680	schtasks.exe
2924	schtasks.exe
2788	schtasks.exe
668	schtasks.exe
2596	schtasks.exe
2892	schtasks.exe
800	schtasks.exe
988	schtasks.exe
2832	schtasks.exe
2392	schtasks.exe
2768	schtasks.exe
2228	schtasks.exe
2916	schtasks.exe
2612	schtasks.exe
1284	schtasks.exe
1448	schtasks.exe
1076	schtasks.exe
2076	schtasks.exe
2736	schtasks.exe
2452	schtasks.exe
884	schtasks.exe
2660	schtasks.exe
2740	schtasks.exe
2292	schtasks.exe
2688	schtasks.exe
2876	schtasks.exe
2236	schtasks.exe
320	schtasks.exe

Suspicious behavior: EnumeratesProcesses 34 IoCs

pid	Process
3004	DllCommonsvc.exe
2980	powershell.exe
2952	powershell.exe
2944	powershell.exe
2696	powershell.exe
2956	powershell.exe
2960	powershell.exe
2948	powershell.exe
2808	powershell.exe
2216	DllCommonsvc.exe
2216	DllCommonsvc.exe
2216	DllCommonsvc.exe
2216	DllCommonsvc.exe
2216	DllCommonsvc.exe
2216	DllCommonsvc.exe
2216	DllCommonsvc.exe
2216	DllCommonsvc.exe
2216	DllCommonsvc.exe
2964	powershell.exe
2348	powershell.exe
2612	conhost.exe
2800	powershell.exe
1156	powershell.exe
2788	powershell.exe
1420	conhost.exe
2764	conhost.exe
284	conhost.exe
2700	conhost.exe
2968	conhost.exe
2676	conhost.exe
2476	conhost.exe
2504	conhost.exe
1272	conhost.exe
904	conhost.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	3004	DllCommonsvc.exe
Token: SeDebugPrivilege	2980	powershell.exe
Token: SeDebugPrivilege	2952	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	2696	powershell.exe
Token: SeDebugPrivilege	2960	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2948	powershell.exe
Token: SeDebugPrivilege	2808	powershell.exe
Token: SeDebugPrivilege	2216	DllCommonsvc.exe
Token: SeDebugPrivilege	2612	conhost.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	2348	powershell.exe
Token: SeDebugPrivilege	2800	powershell.exe
Token: SeDebugPrivilege	1156	powershell.exe
Token: SeDebugPrivilege	2788	powershell.exe
Token: SeDebugPrivilege	1420	conhost.exe
Token: SeDebugPrivilege	2764	conhost.exe
Token: SeDebugPrivilege	284	conhost.exe
Token: SeDebugPrivilege	2700	conhost.exe
Token: SeDebugPrivilege	2968	conhost.exe
Token: SeDebugPrivilege	2676	conhost.exe
Token: SeDebugPrivilege	2476	conhost.exe
Token: SeDebugPrivilege	2504	conhost.exe
Token: SeDebugPrivilege	1272	conhost.exe
Token: SeDebugPrivilege	904	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2072 wrote to memory of 2368	2072	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe	30
PID 2072 wrote to memory of 2368	2072	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe	30
PID 2072 wrote to memory of 2368	2072	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe	30
PID 2072 wrote to memory of 2368	2072	JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe	30
PID 2368 wrote to memory of 2492	2368	WScript.exe	31
PID 2368 wrote to memory of 2492	2368	WScript.exe	31
PID 2368 wrote to memory of 2492	2368	WScript.exe	31
PID 2368 wrote to memory of 2492	2368	WScript.exe	31
PID 2492 wrote to memory of 3004	2492	cmd.exe	33
PID 2492 wrote to memory of 3004	2492	cmd.exe	33
PID 2492 wrote to memory of 3004	2492	cmd.exe	33
PID 2492 wrote to memory of 3004	2492	cmd.exe	33
PID 3004 wrote to memory of 2948	3004	DllCommonsvc.exe	56
PID 3004 wrote to memory of 2948	3004	DllCommonsvc.exe	56
PID 3004 wrote to memory of 2948	3004	DllCommonsvc.exe	56
PID 3004 wrote to memory of 2980	3004	DllCommonsvc.exe	57
PID 3004 wrote to memory of 2980	3004	DllCommonsvc.exe	57
PID 3004 wrote to memory of 2980	3004	DllCommonsvc.exe	57
PID 3004 wrote to memory of 2960	3004	DllCommonsvc.exe	58
PID 3004 wrote to memory of 2960	3004	DllCommonsvc.exe	58
PID 3004 wrote to memory of 2960	3004	DllCommonsvc.exe	58
PID 3004 wrote to memory of 2956	3004	DllCommonsvc.exe	59
PID 3004 wrote to memory of 2956	3004	DllCommonsvc.exe	59
PID 3004 wrote to memory of 2956	3004	DllCommonsvc.exe	59
PID 3004 wrote to memory of 2952	3004	DllCommonsvc.exe	60
PID 3004 wrote to memory of 2952	3004	DllCommonsvc.exe	60
PID 3004 wrote to memory of 2952	3004	DllCommonsvc.exe	60
PID 3004 wrote to memory of 2944	3004	DllCommonsvc.exe	61
PID 3004 wrote to memory of 2944	3004	DllCommonsvc.exe	61
PID 3004 wrote to memory of 2944	3004	DllCommonsvc.exe	61
PID 3004 wrote to memory of 2808	3004	DllCommonsvc.exe	62
PID 3004 wrote to memory of 2808	3004	DllCommonsvc.exe	62
PID 3004 wrote to memory of 2808	3004	DllCommonsvc.exe	62
PID 3004 wrote to memory of 2696	3004	DllCommonsvc.exe	63
PID 3004 wrote to memory of 2696	3004	DllCommonsvc.exe	63
PID 3004 wrote to memory of 2696	3004	DllCommonsvc.exe	63
PID 3004 wrote to memory of 2216	3004	DllCommonsvc.exe	68
PID 3004 wrote to memory of 2216	3004	DllCommonsvc.exe	68
PID 3004 wrote to memory of 2216	3004	DllCommonsvc.exe	68
PID 2216 wrote to memory of 1156	2216	DllCommonsvc.exe	85
PID 2216 wrote to memory of 1156	2216	DllCommonsvc.exe	85
PID 2216 wrote to memory of 1156	2216	DllCommonsvc.exe	85
PID 2216 wrote to memory of 2348	2216	DllCommonsvc.exe	86
PID 2216 wrote to memory of 2348	2216	DllCommonsvc.exe	86
PID 2216 wrote to memory of 2348	2216	DllCommonsvc.exe	86
PID 2216 wrote to memory of 2964	2216	DllCommonsvc.exe	87
PID 2216 wrote to memory of 2964	2216	DllCommonsvc.exe	87
PID 2216 wrote to memory of 2964	2216	DllCommonsvc.exe	87
PID 2216 wrote to memory of 2788	2216	DllCommonsvc.exe	88
PID 2216 wrote to memory of 2788	2216	DllCommonsvc.exe	88
PID 2216 wrote to memory of 2788	2216	DllCommonsvc.exe	88
PID 2216 wrote to memory of 2800	2216	DllCommonsvc.exe	89
PID 2216 wrote to memory of 2800	2216	DllCommonsvc.exe	89
PID 2216 wrote to memory of 2800	2216	DllCommonsvc.exe	89
PID 2216 wrote to memory of 2612	2216	DllCommonsvc.exe	93
PID 2216 wrote to memory of 2612	2216	DllCommonsvc.exe	93
PID 2216 wrote to memory of 2612	2216	DllCommonsvc.exe	93
PID 2612 wrote to memory of 628	2612	conhost.exe	96
PID 2612 wrote to memory of 628	2612	conhost.exe	96
PID 2612 wrote to memory of 628	2612	conhost.exe	96
PID 628 wrote to memory of 2980	628	cmd.exe	98
PID 628 wrote to memory of 2980	628	cmd.exe	98
PID 628 wrote to memory of 2980	628	cmd.exe	98
PID 628 wrote to memory of 1420	628	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_997446305ec34390f31bcfa77ec6ad9de5aaacc7707474135c0dc7b5fcc3f0a7.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2072
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2492
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3004
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2948
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Microsoft Office\Office14\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\addins\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2808
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Templates\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
    - - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2216
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1156
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
      - C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2980
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat"
        9⤵
        
        PID:2740
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2292
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat"
        11⤵
        
        PID:2820
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1692
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:284
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat"
        13⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2456
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat"
        15⤵
        
        PID:2928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1616
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat"
        17⤵
        
        PID:772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:588
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
        19⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1140
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat"
        21⤵
        
        PID:2464
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:628
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2504
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat"
        23⤵
        
        PID:1452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2736
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        25⤵
        
        PID:736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1652
        
        C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe
        
        "C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2452

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 10 /tr "'C:\Program Files\Microsoft Office\Office14\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Microsoft Office\Office14\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\Program Files\Microsoft Office\Office14\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Windows\addins\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:952

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Windows\addins\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Users\All Users\Templates\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\Users\All Users\Templates\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2392

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 9 /tr "'C:\Recovery\3a99bb82-4e15-11ef-8354-cae67966b5f6\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3d38ab93b0205621f10a0872134e168

SHA1
84960ce39a6a6128427964654a764124a99fe80a

SHA256
1521b2d39f451233ade0cbb925b8e293e64ec55a25287823f4d667b37ad1e516

SHA512
ecdc51b84b0e96400b4cd09f0fd45d89ec69059dcdf87a33f75de8fbcde05ad16c0298f06b0628027e75fb9b95889a1b93ca0092e07c09209ad172ecd8ad2686

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3ada1c684ddf00cf399a04bfbbee0a53

SHA1
84b9b7ceaeb6232391a8230ff0cda9414f40610d

SHA256
e36ad90e322464fbbf810a15fb5827f60751ac300de39c0d59a4f2228151a451

SHA512
21d11061e872bcb5cb354040d9a612eaabe1482925cc88aaec26a98b545a71eaf17a9930bd13694ea1d4396d6932512e12fda5227e75231f73b8b0ddcb55b14a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
429e608a7c75394763ab1a51262af9e6

SHA1
acdf202f7b329af695480d620dbae7c5924a3ed6

SHA256
2e7ffbd01f889c8cbca922895d0e3a320983a60f197d3431a9bfdb36ce6e21b0

SHA512
b7fc19f2a79f3385c95c391e6a6a8a0dd985f2f06c55e10c73b4a1e8b9a224fe5370985e1deeae5e49b0f9ed7b8e52ef38e1fd0ea93310a87c4fb7238474a45c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df200cbd4dab29363011c59cec39f4aa

SHA1
266c5ac6e517eead1d817e9d8c394e51da2800c3

SHA256
1a7a32416d63c8dc34b8a8a1a9e18b7b783859060c237a037012e9b282314219

SHA512
f3f9ba629b805c2bc62538066811ba18909e98fd113ace4414eb8560d3e3e357c7c679dbaa6d146cfad8ea128d46357bd957b75ad14876c849669f4330e84d65

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
60367fdf8e484fc63285e4d73ad02798

SHA1
1bbaa4a72a828ed68a34e80a87eab2782070caec

SHA256
7212738e661560049556b453cabc3b013dcab55beb661cf854fd89bacb40fe99

SHA512
f693d0bb032149e0588a54bdda681a1e812be5a0539d7f21c1742dada63f8356d8319200485877fbd858680736a65bb046483765159534dcef143d4781f0543f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dc7984722efe1bc70396e5632960a4af

SHA1
c6116f82beb3942cb941a2f131654462ab3ee26b

SHA256
0faa94b2cc9429fee464ecb7e38eb00c06946e20d17d350e708edb828abd6d7a

SHA512
61ef537af780d4c52ac24838b5a1fe854efec0d0737e2c037151e17f3b26df44ee094c3cfd165ac69cb620aff7ec5d457eba5e54c4a89e46a1b9e81466e7641a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2efcea831129558c0938b9ca5f33ac10

SHA1
b6c8810ed4ddd126e2a7372c8e6b70f7f57b433d

SHA256
b6ec210691e49671357d96f2d48a71d43a88e94ea5f59a8f64f25fee8956497e

SHA512
5bfb7f39c8ccb84040802d5b3ef64c9e5815244c340f0364da1ab9b56cb989548a2aa47be9bc8f3cbb819e3d3e5b474a46fef6ef12ef933c8bd342ad51ca4ded

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b24d9c137df495b074e7b9fc80886e1

SHA1
5470b72d5fda0f0a64ad82cad6cf0224308f4d3b

SHA256
44b251adf774efdf622bfed3f505589ea4bb90cdd00a19cd74c4f9041e8560a7

SHA512
105a444588efb3d2a0c463a7bb3a4d8d09e1037e9ef37bd1f4ff6b6784feb8619f10edb0699491e9670fb9b02c2806c05869a10da91a7ab222157034a5bfa98b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1d635b59895f08a04a2f90920c9045e3

SHA1
e971466196afd9574cf3ffd963270992b23dd108

SHA256
ac52802852d08430536bcf358b12cbca7b740c1cd4c4d04d99656c1a62e6e087

SHA512
5af16f470776ae1c60467f67e29792d3255f899b1de3b13a5418c531f99f09f79cea3554217a8e9908f1905b19f73116f4711269c08b6f508035075ebdd1a0cb

Download Submit
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

Filesize
225B

MD5
2c2bdbadd5ff56d4a490662c3663738c

SHA1
1719314fa5b7dfe1ddcd87a4c262b6957cbb8819

SHA256
1ab74bc994b067e704d7dfeb1bfded4988fe05c76e8903369e0fb02830b84c05

SHA512
a499f21f5f77ea683482dd4fd93781b200a7e185193e16cde99f727358914281696e826bd5901340cdab830206fcaf4ebfb8af3007ff4971906d69c926fd4815

Download Submit
C:\Users\Admin\AppData\Local\Temp\8OW3hmLaVA.bat

Filesize
225B

MD5
ab74cc14bccb6c3b7d2993d2cfb94aab

SHA1
8386c3050e3dbb5b0f252d2bcc86f2f91a3ef7ca

SHA256
ba7025362ac01098d0f7f3faf1b902e38d4d5a61e475b8bdb001851cd74f273b

SHA512
4d2c49d4b9de1b4a3cce97466fe516cbd50284bc37f329c9a281bb7cc1011911618aa0189addb57d7bc84d4ce4b5556c93648591c9aa0d6ed3c08383281e9496

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD6A2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\HAJBVlyJNQ.bat

Filesize
225B

MD5
f3df0fb6a6991e6c541ff6c2a9e24640

SHA1
4c5f544d5831465bd72164dd10f9fc3e9cab8e37

SHA256
f9c988b4f2c27e3de39973eebbc00c728e846756caab983ae082fd0a113900ef

SHA512
0ad7416ceca0b62449366ac62262b58a87e72b42a6e3374f112329f678dc8179a91210d8f4d23204aa103ee0453b5ae91fb9ac895fbd672b5830b4541f29d8d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Nl6pt1R060.bat

Filesize
225B

MD5
33a485fffb6d6a97f0512e8abf580ee0

SHA1
fc18cf4e5ceda40170ba2a0488ded0479cd7f86b

SHA256
c133b676f5cfd37021f43256cd9f819b21eacc0cc3f8f20ead68b53c6cee6b17

SHA512
ca2c476e1315391abb3747b30b77e8b2d64a084227566eee214eae8afe3f67ec69315f838f4bfa13be9089ce085789012ab5e40f159ec2c67fc02ebedf336f62

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD6C4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

Filesize
225B

MD5
d69389a2752ac0992c6e34e2aba8e8ff

SHA1
672b580788e01f4a74b1892dd00c8b1ceed24116

SHA256
4ff6963e5f6fdde2ca25bf8997fc3323132af161c6568c67cef2405255bfdf46

SHA512
c91bde249235790dbd7cf788dddd434e4d0901611638b2d7ef7c5622f8b879df5d039517cc30fbde7d8bea550885cd51b8f632d74f69cefa9a35642ebae428b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\aWJwCUxpp4.bat

Filesize
225B

MD5
fe199cbc6c364f0bb9f5ae293d432e09

SHA1
799ebacd11a78674d92c5296655a8facb2d660d7

SHA256
6e58a80690a2f3c95c63411a63122ebfb67426435fe91c42a02e276aef132b2d

SHA512
5f8a3e2bb57de1eded12f2378fcfe095ba85044f44fd67a4f9c842885ae8fcc94efe6089a7fc49d289048d6242b61603fad29a3af22639cc1012d78e2ff34850

Download Submit
C:\Users\Admin\AppData\Local\Temp\ixgWq8OOYW.bat

Filesize
225B

MD5
b9343dd7496fa754c4671318c95a76e3

SHA1
3f4b42d90b10d373cbf1d38ee3e59ed295c8ae9d

SHA256
94a3f07c3d0a9ed8a73d3bc465592b65cd860c522059c70b57bcfa5cf46b7759

SHA512
535dc9e2935fb5da4ae287e6dd47924dd04120f4e633707c772a1495293cbcb00159d131bc1dd50e4d1773b07cea3236d331d573a0aeedde02e913a2a055a417

Download Submit
C:\Users\Admin\AppData\Local\Temp\kbrh69MYEy.bat

Filesize
225B

MD5
944513a8d80f1727363c186d725ebc2b

SHA1
e68814ce13008adb305fd6bd51903757cbc6ca85

SHA256
7f1e5ed6019b7818895a736b38d8ab7a63f3d43af7c58f01487f7950041a7d02

SHA512
23d1fa7fd22672ede21abbac81733e0b4f8cc3bcc1c964a9e211e32f63361d4bd00f788164994c47920d09866afeb6658a7baf5d6325c26ff5e1264b90c63930

Download Submit
C:\Users\Admin\AppData\Local\Temp\ounU5LkXKE.bat

Filesize
225B

MD5
7ff51cdd86248594f8f5f3320fbfe481

SHA1
14b8fd8ae3665ce1bbcc0586d24362d7274fd07a

SHA256
4096132665d7f6b7f438577ac0026c9f73baaf1817483d0dc722eeb320a0dbe7

SHA512
3136eb51d59c84a93603bf40546f934c1d0f1d536bbba22f7db426e15113288a813b5d1b94af379fc42eb27657d6c7a338b3b12d731e38512e0580b1aa008cdf

Download Submit
C:\Users\Admin\AppData\Local\Temp\vlZZCFJNsh.bat

Filesize
225B

MD5
3238153ac8a993832d0db252a0f7ba5a

SHA1
7bd1dd661f888dbdd87220b08fd8946ec99f6ba8

SHA256
1cc5918b1404f83d06bc3c2813a91b178415906c0bf7c6371a9ed2c903ae7c0d

SHA512
d152a7a676b0b5ca26300161c487936e5e79a1e1bd26009e1b9068436fa0c91eb4713fc1605447b44ff8d65aa7c61c55b3487da138c1a7151498bf2b0b366430

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
cdbc07383d50cdbdb8c7bd7fe5fc7c05

SHA1
e07b726cec70908182f1b727f89d6fd4115f7d2b

SHA256
40eeb728fba27249ac911fdc1e753c79aa6875cda404f2bc9901d9fb9c09e784

SHA512
a04ad32250ffd671a83861505240e0afc3ffdc77ee7db8afbc72170ec17eacc411cba746b92eec83f5092c959cc714dbf35a4b8d77ba0a19afd6842353a64d11

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/284-293-0x0000000000B00000-0x0000000000C10000-memory.dmp

Filesize
1.1MB

Download
memory/1272-652-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/1420-173-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2504-592-0x0000000001070000-0x0000000001180000-memory.dmp

Filesize
1.1MB

Download
memory/2612-88-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/2676-473-0x0000000000F20000-0x0000000001030000-memory.dmp

Filesize
1.1MB

Download
memory/2764-233-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2964-95-0x000000001B6C0000-0x000000001B9A2000-memory.dmp

Filesize
2.9MB

Download
memory/2964-96-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/2968-413-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2968-412-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2980-38-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/2980-43-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/3004-17-0x0000000000190000-0x000000000019C000-memory.dmp

Filesize
48KB

Download
memory/3004-16-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/3004-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/3004-14-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/3004-13-0x0000000000B60000-0x0000000000C70000-memory.dmp

Filesize
1.1MB

Download