dcrat | ef7b04ea965999e3ffd2bce844e2b68a4d11dc0740d517e78195b1f23911f67e

Analysis

max time kernel
148s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ef7b04ea965999e3ffd2bce844e2b68a4d11dc0740d517e78195b1f23911f67e.exe
Size

1.3MB
MD5

a51c192e120f9133e23e22ba9c174db1
SHA1

269162e864444242591229cca65a6886142641ce
SHA256

ef7b04ea965999e3ffd2bce844e2b68a4d11dc0740d517e78195b1f23911f67e
SHA512

44e75f7251848071fb88d9de30c303d83bef2f99b40582be550eeafff361d8b8cda1ec6f6e7f12c2c540694cede8b620f6be2878882346c155a29ce1e9e6bca3
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 42 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2512	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2684	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2820	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1648	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1008	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2560	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2864	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1044	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1144	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2248	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	524	2248	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0009000000016c23-11.dat	dcrat
behavioral1/memory/2124-13-0x0000000000280000-0x0000000000390000-memory.dmp	dcrat
behavioral1/memory/2828-52-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/2700-187-0x0000000001350000-0x0000000001460000-memory.dmp	dcrat
behavioral1/memory/3020-365-0x0000000000360000-0x0000000000470000-memory.dmp	dcrat
behavioral1/memory/1984-425-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 15 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2584	powershell.exe
1564	powershell.exe
3068	powershell.exe
676	powershell.exe
1980	powershell.exe
2228	powershell.exe
2732	powershell.exe
1660	powershell.exe
1732	powershell.exe
2352	powershell.exe
2064	powershell.exe
2128	powershell.exe
2264	powershell.exe
2564	powershell.exe
2056	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2124	DllCommonsvc.exe
2828	cmd.exe
2700	cmd.exe
3068	cmd.exe
2276	cmd.exe
3020	cmd.exe
1984	cmd.exe
3036	cmd.exe
1652	cmd.exe
2324	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2508	cmd.exe
2508	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 9 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\6203df4a6bafc7	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\fr-FR\ebf1f9fa8afd6d	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Branding\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Branding\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\debug\WIA\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ef7b04ea965999e3ffd2bce844e2b68a4d11dc0740d517e78195b1f23911f67e.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 42 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2820	schtasks.exe
1008	schtasks.exe
1940	schtasks.exe
2360	schtasks.exe
2200	schtasks.exe
1144	schtasks.exe
524	schtasks.exe
2876	schtasks.exe
1960	schtasks.exe
3016	schtasks.exe
1104	schtasks.exe
1584	schtasks.exe
1044	schtasks.exe
1276	schtasks.exe
2656	schtasks.exe
2632	schtasks.exe
1648	schtasks.exe
1780	schtasks.exe
2540	schtasks.exe
2868	schtasks.exe
1640	schtasks.exe
2512	schtasks.exe
2684	schtasks.exe
1920	schtasks.exe
2560	schtasks.exe
3024	schtasks.exe
1364	schtasks.exe
2980	schtasks.exe
1048	schtasks.exe
2004	schtasks.exe
2856	schtasks.exe
2324	schtasks.exe
3048	schtasks.exe
1788	schtasks.exe
1164	schtasks.exe
264	schtasks.exe
316	schtasks.exe
1932	schtasks.exe
624	schtasks.exe
2864	schtasks.exe
2256	schtasks.exe
1984	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
2124	DllCommonsvc.exe
1564	powershell.exe
2128	powershell.exe
1660	powershell.exe
1732	powershell.exe
2228	powershell.exe
2264	powershell.exe
2584	powershell.exe
2564	powershell.exe
3068	powershell.exe
2064	powershell.exe
2056	powershell.exe
1980	powershell.exe
676	powershell.exe
2732	powershell.exe
2352	powershell.exe
2828	cmd.exe
2700	cmd.exe
3068	cmd.exe
2276	cmd.exe
3020	cmd.exe
1984	cmd.exe
3036	cmd.exe
1652	cmd.exe
2324	cmd.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2124	DllCommonsvc.exe
Token: SeDebugPrivilege	1564	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	2828	cmd.exe
Token: SeDebugPrivilege	1660	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2228	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	2584	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	2064	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1980	powershell.exe
Token: SeDebugPrivilege	676	powershell.exe
Token: SeDebugPrivilege	2732	powershell.exe
Token: SeDebugPrivilege	2352	powershell.exe
Token: SeDebugPrivilege	2700	cmd.exe
Token: SeDebugPrivilege	3068	cmd.exe
Token: SeDebugPrivilege	2276	cmd.exe
Token: SeDebugPrivilege	3020	cmd.exe
Token: SeDebugPrivilege	1984	cmd.exe
Token: SeDebugPrivilege	3036	cmd.exe
Token: SeDebugPrivilege	1652	cmd.exe
Token: SeDebugPrivilege	2324	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1832 wrote to memory of 832	1832	JaffaCakes118_ef7b04ea965999e3ffd2bce844e2b68a4d11dc0740d517e78195b1f23911f67e.exe	30
PID 1832 wrote to memory of 832	1832	JaffaCakes118_ef7b04ea965999e3ffd2bce844e2b68a4d11dc0740d517e78195b1f23911f67e.exe	30
PID 1832 wrote to memory of 832	1832	JaffaCakes118_ef7b04ea965999e3ffd2bce844e2b68a4d11dc0740d517e78195b1f23911f67e.exe	30
PID 1832 wrote to memory of 832	1832	JaffaCakes118_ef7b04ea965999e3ffd2bce844e2b68a4d11dc0740d517e78195b1f23911f67e.exe	30
PID 832 wrote to memory of 2508	832	WScript.exe	31
PID 832 wrote to memory of 2508	832	WScript.exe	31
PID 832 wrote to memory of 2508	832	WScript.exe	31
PID 832 wrote to memory of 2508	832	WScript.exe	31
PID 2508 wrote to memory of 2124	2508	cmd.exe	33
PID 2508 wrote to memory of 2124	2508	cmd.exe	33
PID 2508 wrote to memory of 2124	2508	cmd.exe	33
PID 2508 wrote to memory of 2124	2508	cmd.exe	33
PID 2124 wrote to memory of 676	2124	DllCommonsvc.exe	78
PID 2124 wrote to memory of 676	2124	DllCommonsvc.exe	78
PID 2124 wrote to memory of 676	2124	DllCommonsvc.exe	78
PID 2124 wrote to memory of 1732	2124	DllCommonsvc.exe	79
PID 2124 wrote to memory of 1732	2124	DllCommonsvc.exe	79
PID 2124 wrote to memory of 1732	2124	DllCommonsvc.exe	79
PID 2124 wrote to memory of 2732	2124	DllCommonsvc.exe	80
PID 2124 wrote to memory of 2732	2124	DllCommonsvc.exe	80
PID 2124 wrote to memory of 2732	2124	DllCommonsvc.exe	80
PID 2124 wrote to memory of 2228	2124	DllCommonsvc.exe	81
PID 2124 wrote to memory of 2228	2124	DllCommonsvc.exe	81
PID 2124 wrote to memory of 2228	2124	DllCommonsvc.exe	81
PID 2124 wrote to memory of 2264	2124	DllCommonsvc.exe	82
PID 2124 wrote to memory of 2264	2124	DllCommonsvc.exe	82
PID 2124 wrote to memory of 2264	2124	DllCommonsvc.exe	82
PID 2124 wrote to memory of 2128	2124	DllCommonsvc.exe	83
PID 2124 wrote to memory of 2128	2124	DllCommonsvc.exe	83
PID 2124 wrote to memory of 2128	2124	DllCommonsvc.exe	83
PID 2124 wrote to memory of 3068	2124	DllCommonsvc.exe	84
PID 2124 wrote to memory of 3068	2124	DllCommonsvc.exe	84
PID 2124 wrote to memory of 3068	2124	DllCommonsvc.exe	84
PID 2124 wrote to memory of 1564	2124	DllCommonsvc.exe	85
PID 2124 wrote to memory of 1564	2124	DllCommonsvc.exe	85
PID 2124 wrote to memory of 1564	2124	DllCommonsvc.exe	85
PID 2124 wrote to memory of 2064	2124	DllCommonsvc.exe	86
PID 2124 wrote to memory of 2064	2124	DllCommonsvc.exe	86
PID 2124 wrote to memory of 2064	2124	DllCommonsvc.exe	86
PID 2124 wrote to memory of 1660	2124	DllCommonsvc.exe	87
PID 2124 wrote to memory of 1660	2124	DllCommonsvc.exe	87
PID 2124 wrote to memory of 1660	2124	DllCommonsvc.exe	87
PID 2124 wrote to memory of 2056	2124	DllCommonsvc.exe	88
PID 2124 wrote to memory of 2056	2124	DllCommonsvc.exe	88
PID 2124 wrote to memory of 2056	2124	DllCommonsvc.exe	88
PID 2124 wrote to memory of 2564	2124	DllCommonsvc.exe	89
PID 2124 wrote to memory of 2564	2124	DllCommonsvc.exe	89
PID 2124 wrote to memory of 2564	2124	DllCommonsvc.exe	89
PID 2124 wrote to memory of 2584	2124	DllCommonsvc.exe	90
PID 2124 wrote to memory of 2584	2124	DllCommonsvc.exe	90
PID 2124 wrote to memory of 2584	2124	DllCommonsvc.exe	90
PID 2124 wrote to memory of 1980	2124	DllCommonsvc.exe	98
PID 2124 wrote to memory of 1980	2124	DllCommonsvc.exe	98
PID 2124 wrote to memory of 1980	2124	DllCommonsvc.exe	98
PID 2124 wrote to memory of 2352	2124	DllCommonsvc.exe	99
PID 2124 wrote to memory of 2352	2124	DllCommonsvc.exe	99
PID 2124 wrote to memory of 2352	2124	DllCommonsvc.exe	99
PID 2124 wrote to memory of 2828	2124	DllCommonsvc.exe	108
PID 2124 wrote to memory of 2828	2124	DllCommonsvc.exe	108
PID 2124 wrote to memory of 2828	2124	DllCommonsvc.exe	108
PID 2828 wrote to memory of 2680	2828	cmd.exe	109
PID 2828 wrote to memory of 2680	2828	cmd.exe	109
PID 2828 wrote to memory of 2680	2828	cmd.exe	109
PID 2680 wrote to memory of 2340	2680	cmd.exe	111

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef7b04ea965999e3ffd2bce844e2b68a4d11dc0740d517e78195b1f23911f67e.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ef7b04ea965999e3ffd2bce844e2b68a4d11dc0740d517e78195b1f23911f67e.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1832
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:832
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2508
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Branding\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2228
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1660
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\fr-FR\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1980
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\debug\WIA\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2352
    - - C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2828
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2340
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat"
        8⤵
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:624
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat"
        10⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2868
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
        12⤵
        
        PID:1736
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:936
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat"
        14⤵
        
        PID:624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2536
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat"
        16⤵
        
        PID:2604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1192
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
        18⤵
        
        PID:1048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:308
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat"
        20⤵
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2700
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Branding\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Windows\Branding\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 10 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 14 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.0\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\fr-FR\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Media Player\fr-FR\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Windows\debug\WIA\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\debug\WIA\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 10 /tr "'C:\Windows\debug\WIA\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
728446bf743bf56664a58c54fdb13329

SHA1
9df8919d2b082f59f520574eac1c3a5e6c261bab

SHA256
370e30e52f44c560724ab3fa3ef267637b8d556846a2da853f4c716f7c8eb3f3

SHA512
c902db5113aa471fa90e240d08b9ff4c86f0933af2d456479ca9adc53133c69b64b1c1824b63a43640e4eca85e919ea806c78796c74a885880d619dcfded872c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0700a5b99cee273bcb0af99a3a5567ff

SHA1
14da450845242d87a3cbe6ff0a3dc2d0f1a241f4

SHA256
2df2c248bde29069d46b9fed63452bc812b5fd533f329582f9bec033acfe8e5e

SHA512
01b71003f0d9917ab19cde2632ccc09f1da312593884a0772542ec39712622daca985ffda88ba95ada6e7e02f154b09712d448e5c324df1d63adc048dedae22a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46f6dbbd506d764a97a3bb66fc362464

SHA1
42499c7321b89242b561b59ccaef7be6305f4630

SHA256
3d9e63bc9c24802ba3468c6e756bda7951992c6c6449bb83924b7dd91814cc63

SHA512
d6243ce01f986fecd3749300bb24876a9e2bf7f7ddfdd10768ef9a8993a5ae67f69a3630123094dfb199db29900a1465ae4e5bab51e660823e8f2a7393a7338e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
45751d24b7625041c0abffe3687d4855

SHA1
e365c253018a7c7e5c75d3c73c484a9a3cadd06b

SHA256
45b3cf6aa38d00bc61697b373f7d80f0671c60ba9d6f87909fc4fc091ea25d4b

SHA512
2421344746cc9b42606da863fdb0701b502e621c93e5629f267fb36854721e2bc749c008d1609891d21bff0619bf6e1b11f6eabdc350689a7b0bd007a0880160

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc981945044c7a8497468a455e925fac

SHA1
571c5bacb57b6bcaa89a8347aa2a08f518306604

SHA256
b14761ecf54ca93d6b09dc49fbf3f990d54799a33b0c0b4c0649ddeefc7cf2dd

SHA512
0931d31483da15ee2ff9e26dc5352273c850d8b3a6e43a226a470c0c743a3fe880c3cf1a283e8bf1f929d0fef4d1b0d18597a1310a88242af7f5ad2c62955850

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ba6d1ce7237fe2318977b6b495cca292

SHA1
9da53b5acccd82a2eb4f1d6a37c0c70ee08af15b

SHA256
69ef0274bebac5f871dc582ba12987312374d0f4c5114d9e6573149694930040

SHA512
8b695715e356faa380187d35afc8fbfeb5097fa6f22b86c45e02ff6e65ddcdd96a9b4e415dd8f2d2acffea7014187fa8ed744644a2d3c3875f1b50c1c8b4ed35

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6593d7f62a54811049efcd56e9f389e5

SHA1
4639f64225e767fcc001f3278739a039b030fadd

SHA256
24c0415a89c90ca86015587a25b56aa14450e6f61fc203afd1ff5af9853f2104

SHA512
212a274e14dc84f47f08470da1c250e9a359a65ec1d95187c29356330a5ca89c2c291f99145b3ada2e050e9af63e2efc3fbf36033b49e8c6ee91ed95684323d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

Filesize
190B

MD5
f284f525d9d3e2cf5e9d1407123af5d6

SHA1
01489cb6a89c04696bea5b44a4a0cddfad9766ee

SHA256
b110a70f098f578496d5d8bafcd3b306501d695614444d32ed79ada8b051aca6

SHA512
501795ee2426d995f97d3ea811cae91a7df1533739f401f137527765bf86ce18a9f5786d9ccbfd93d7fbbe1356263966fb0476723683113d5175df0951857afd

Download Submit
C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

Filesize
190B

MD5
73dc899e815edfa96546eef5bad97e30

SHA1
c8d42088174d484777f9b5f18d7117bdadbdb756

SHA256
a5ddb4cf66415649be627c67212ab07113d4fb8cec85c407c59dc57fe99d073d

SHA512
cf5314da525c3a65396d1bc5811d81070f2733fb4363a398221e1cfcf2616f520f69a5812d483c3d5cd0a39c9813510066e3a1e4c67982070880d46d72e9f6b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAdWWGXi7E.bat

Filesize
190B

MD5
f96f20b57dae4e73a285751fba4f0a62

SHA1
455846705d4f3bc57308a81e455f82e61a59a877

SHA256
c3df2a5d628b74776f0e07b635a0cb7a885cfd6d3e4502d6df61ca55ada272df

SHA512
d85d223bbeca975553594567da0122c89542848cf0769af118195b5021e383d336a5fcccb9e7b2d6d6b9f61a2495b825c4af6359bdb6a1f9db094696f7f6133b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2187.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EH4KCibIlQ.bat

Filesize
190B

MD5
ddef305a88ae581cc2f1ac7b92bdc502

SHA1
dfd3089b235df300baa0fc466fe3301848b3f8f8

SHA256
30337af97c7614ad7395cd8b790db249a55d91c11d55c3d1ebba76cfe97328e4

SHA512
35fb9b8f1d8fe2d3d77b02d6c4ae5f1d1bb7526f265874c7e8ac6066b5228c6f60161f274c34ad88ba91e5bc2d9c5d183d8556154a23a2733278785eb2729fe1

Download Submit
C:\Users\Admin\AppData\Local\Temp\OPOGTQits7.bat

Filesize
190B

MD5
1cfb23218fcf964798ec3dbebec88c90

SHA1
35f10b2204ebd9fa39ae6cd788f16e1d436c49b6

SHA256
2af8f6a862a57d4fd6dc35ac60f5da5ad9eb995e32b497a9e2a65811bf390976

SHA512
bb53afbf17382d6783c374543356b959d70bf0313e2bb999db1f29cb79a283d41bb58752b1a6bf49407032803484609eb1dfd9ffc0d9dc9468999dbcbdc8de72

Download Submit
C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat

Filesize
190B

MD5
5fcaf3595c7d4ca2f5cdf59bd5e14daa

SHA1
e5c086b61057dbc8f0ea902d02596912187c5dc5

SHA256
61f6a60c93f1fc1badb351a41c8fd72d2a6930b8fff686979cde031169eb77ff

SHA512
c9cb3f0cb49fd97decd42cf88599b6c5e16cb4ebee9fae37b9bc40ee0dda707321dc661290de3045e8c525c9ca6cc6f4484f2b14763ebb730d77fbbde4530881

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar22A3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\XhdmdigGiX.bat

Filesize
190B

MD5
e6fe6f5da4b089d2c6170fe4197604ae

SHA1
03d7209efd971aaeb031482f03f7bda6ac797aba

SHA256
9d8fa6583f2fd94f100124d3a7a08571026182f8d99cb047cf30370d3b6ef906

SHA512
0257136932c59e45bc924c404566b529b1d6a34681c8ba2c64bfa55d6ad96065f8ce7672ea374b1f13965a1fe60e0035bc37b680c2357611a2fb70136b33a769

Download Submit
C:\Users\Admin\AppData\Local\Temp\cwtcXGf4Cf.bat

Filesize
190B

MD5
7fe99cd98fa379bde57379b0de6bc8b5

SHA1
7ae0732c0ffc3059f21d0ae4810d703dc03604fb

SHA256
8f710b2d33a81b9822745bf03574e258aef6cf756a653c353a5758ae6d45e39e

SHA512
63eef1df34720ac0cbaf989c3a426392c6101bfebe5a5971c1810093f3393e5f99e7cbb6aeeef1790889f9ac021d55cf1d38167bbac62520da225c67627efca1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
d5aae181dd4597cab798f1eef51f6dd2

SHA1
5e327a39a02a7dcecb64a3df63c3c1a2a64c3db0

SHA256
a07e0bb7e54a55815e52b8958280f38398f09731262d9088688662e1004901ff

SHA512
087671df8dba8ed2fab6080d63e59ddbff192cd78699ae8e5ac9a32eae531cf485ac02ee4cf77b9ff5bdeb2befc3becc62266b6743beefa5beb03e82e1fa49ba

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1564-73-0x0000000002960000-0x0000000002968000-memory.dmp

Filesize
32KB

Download
memory/1564-72-0x000000001B130000-0x000000001B412000-memory.dmp

Filesize
2.9MB

Download
memory/1652-545-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1984-425-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/2124-15-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2124-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2124-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2124-13-0x0000000000280000-0x0000000000390000-memory.dmp

Filesize
1.1MB

Download
memory/2124-17-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2700-187-0x0000000001350000-0x0000000001460000-memory.dmp

Filesize
1.1MB

Download
memory/2828-52-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/3020-365-0x0000000000360000-0x0000000000470000-memory.dmp

Filesize
1.1MB

Download
memory/3036-485-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download