dcrat | 71e5925378e8859d7e81807a065a2a3288b36c5bda4193d3cbcbd49e05058063

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 03:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_71e5925378e8859d7e81807a065a2a3288b36c5bda4193d3cbcbd49e05058063.exe
Size

1.3MB
MD5

24061a7fdf2231c62cf6a649a9c57d3a
SHA1

1b0be534578193b973554902585f087f9724abde
SHA256

71e5925378e8859d7e81807a065a2a3288b36c5bda4193d3cbcbd49e05058063
SHA512

ee6f5bf1476c25d1768b1eb1ee6ca86a01fd8fa93e2e1e48ac1aa8bd964655a616cb3180b5f8cf79e469d30998901e66647b26f00c2ec04921c840d8fe0548b7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	564	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2412	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2844	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1084	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	436	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2604	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2604	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000017472-9.dat	dcrat
behavioral1/memory/2588-13-0x0000000001200000-0x0000000001310000-memory.dmp	dcrat
behavioral1/memory/2580-92-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/2912-162-0x0000000000F40000-0x0000000001050000-memory.dmp	dcrat
behavioral1/memory/2200-222-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1996-282-0x0000000000C40000-0x0000000000D50000-memory.dmp	dcrat
behavioral1/memory/2956-343-0x0000000000D40000-0x0000000000E50000-memory.dmp	dcrat
behavioral1/memory/2748-403-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/2920-522-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/2692-582-0x0000000001030000-0x0000000001140000-memory.dmp	dcrat
behavioral1/memory/908-643-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1512-703-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/748-763-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2940	powershell.exe
3052	powershell.exe
1536	powershell.exe
1520	powershell.exe
1740	powershell.exe
1640	powershell.exe
1672	powershell.exe
1532	powershell.exe
1792	powershell.exe
1968	powershell.exe
1960	powershell.exe
2164	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2588	DllCommonsvc.exe
2580	DllCommonsvc.exe
2912	DllCommonsvc.exe
2200	DllCommonsvc.exe
1996	DllCommonsvc.exe
2956	DllCommonsvc.exe
2748	DllCommonsvc.exe
1480	DllCommonsvc.exe
2920	DllCommonsvc.exe
2692	DllCommonsvc.exe
908	DllCommonsvc.exe
1512	DllCommonsvc.exe
748	DllCommonsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2908	cmd.exe
2908	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com
43	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 7 IoCs

description	ioc	Process
File created	C:\Program Files\MSBuild\System.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\ja-JP\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\winlogon.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Journal\es-ES\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\winsxs\x86_microsoft-windows-rasplap-mui.resources_31bf3856ad364e35_6.1.7600.16385_fr-fr_32ba0a4837721116\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\cmd.exe	DllCommonsvc.exe
File created	C:\Windows\Speech\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\OSPPSVC.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_71e5925378e8859d7e81807a065a2a3288b36c5bda4193d3cbcbd49e05058063.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2840	schtasks.exe
2052	schtasks.exe
2904	schtasks.exe
2944	schtasks.exe
1488	schtasks.exe
2528	schtasks.exe
564	schtasks.exe
332	schtasks.exe
948	schtasks.exe
2896	schtasks.exe
1980	schtasks.exe
2104	schtasks.exe
3004	schtasks.exe
1028	schtasks.exe
2460	schtasks.exe
1164	schtasks.exe
992	schtasks.exe
2844	schtasks.exe
2140	schtasks.exe
752	schtasks.exe
1076	schtasks.exe
2412	schtasks.exe
1084	schtasks.exe
436	schtasks.exe
1528	schtasks.exe
2592	schtasks.exe
1904	schtasks.exe
2348	schtasks.exe
3020	schtasks.exe
696	schtasks.exe
988	schtasks.exe
2148	schtasks.exe
2192	schtasks.exe

Suspicious behavior: EnumeratesProcesses 29 IoCs

pid	Process
2588	DllCommonsvc.exe
2588	DllCommonsvc.exe
2588	DllCommonsvc.exe
2588	DllCommonsvc.exe
2588	DllCommonsvc.exe
1520	powershell.exe
2940	powershell.exe
1792	powershell.exe
1960	powershell.exe
1532	powershell.exe
2164	powershell.exe
1640	powershell.exe
1536	powershell.exe
1968	powershell.exe
1672	powershell.exe
1740	powershell.exe
3052	powershell.exe
2580	DllCommonsvc.exe
2912	DllCommonsvc.exe
2200	DllCommonsvc.exe
1996	DllCommonsvc.exe
2956	DllCommonsvc.exe
2748	DllCommonsvc.exe
1480	DllCommonsvc.exe
2920	DllCommonsvc.exe
2692	DllCommonsvc.exe
908	DllCommonsvc.exe
1512	DllCommonsvc.exe
748	DllCommonsvc.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2588	DllCommonsvc.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	2940	powershell.exe
Token: SeDebugPrivilege	1792	powershell.exe
Token: SeDebugPrivilege	1960	powershell.exe
Token: SeDebugPrivilege	1532	powershell.exe
Token: SeDebugPrivilege	2164	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1968	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeDebugPrivilege	2580	DllCommonsvc.exe
Token: SeDebugPrivilege	2912	DllCommonsvc.exe
Token: SeDebugPrivilege	2200	DllCommonsvc.exe
Token: SeDebugPrivilege	1996	DllCommonsvc.exe
Token: SeDebugPrivilege	2956	DllCommonsvc.exe
Token: SeDebugPrivilege	2748	DllCommonsvc.exe
Token: SeDebugPrivilege	1480	DllCommonsvc.exe
Token: SeDebugPrivilege	2920	DllCommonsvc.exe
Token: SeDebugPrivilege	2692	DllCommonsvc.exe
Token: SeDebugPrivilege	908	DllCommonsvc.exe
Token: SeDebugPrivilege	1512	DllCommonsvc.exe
Token: SeDebugPrivilege	748	DllCommonsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2760	2364	JaffaCakes118_71e5925378e8859d7e81807a065a2a3288b36c5bda4193d3cbcbd49e05058063.exe	30
PID 2364 wrote to memory of 2760	2364	JaffaCakes118_71e5925378e8859d7e81807a065a2a3288b36c5bda4193d3cbcbd49e05058063.exe	30
PID 2364 wrote to memory of 2760	2364	JaffaCakes118_71e5925378e8859d7e81807a065a2a3288b36c5bda4193d3cbcbd49e05058063.exe	30
PID 2364 wrote to memory of 2760	2364	JaffaCakes118_71e5925378e8859d7e81807a065a2a3288b36c5bda4193d3cbcbd49e05058063.exe	30
PID 2760 wrote to memory of 2908	2760	WScript.exe	31
PID 2760 wrote to memory of 2908	2760	WScript.exe	31
PID 2760 wrote to memory of 2908	2760	WScript.exe	31
PID 2760 wrote to memory of 2908	2760	WScript.exe	31
PID 2908 wrote to memory of 2588	2908	cmd.exe	33
PID 2908 wrote to memory of 2588	2908	cmd.exe	33
PID 2908 wrote to memory of 2588	2908	cmd.exe	33
PID 2908 wrote to memory of 2588	2908	cmd.exe	33
PID 2588 wrote to memory of 2940	2588	DllCommonsvc.exe	68
PID 2588 wrote to memory of 2940	2588	DllCommonsvc.exe	68
PID 2588 wrote to memory of 2940	2588	DllCommonsvc.exe	68
PID 2588 wrote to memory of 1740	2588	DllCommonsvc.exe	69
PID 2588 wrote to memory of 1740	2588	DllCommonsvc.exe	69
PID 2588 wrote to memory of 1740	2588	DllCommonsvc.exe	69
PID 2588 wrote to memory of 1672	2588	DllCommonsvc.exe	71
PID 2588 wrote to memory of 1672	2588	DllCommonsvc.exe	71
PID 2588 wrote to memory of 1672	2588	DllCommonsvc.exe	71
PID 2588 wrote to memory of 1640	2588	DllCommonsvc.exe	72
PID 2588 wrote to memory of 1640	2588	DllCommonsvc.exe	72
PID 2588 wrote to memory of 1640	2588	DllCommonsvc.exe	72
PID 2588 wrote to memory of 1532	2588	DllCommonsvc.exe	73
PID 2588 wrote to memory of 1532	2588	DllCommonsvc.exe	73
PID 2588 wrote to memory of 1532	2588	DllCommonsvc.exe	73
PID 2588 wrote to memory of 1520	2588	DllCommonsvc.exe	74
PID 2588 wrote to memory of 1520	2588	DllCommonsvc.exe	74
PID 2588 wrote to memory of 1520	2588	DllCommonsvc.exe	74
PID 2588 wrote to memory of 3052	2588	DllCommonsvc.exe	75
PID 2588 wrote to memory of 3052	2588	DllCommonsvc.exe	75
PID 2588 wrote to memory of 3052	2588	DllCommonsvc.exe	75
PID 2588 wrote to memory of 1792	2588	DllCommonsvc.exe	77
PID 2588 wrote to memory of 1792	2588	DllCommonsvc.exe	77
PID 2588 wrote to memory of 1792	2588	DllCommonsvc.exe	77
PID 2588 wrote to memory of 1968	2588	DllCommonsvc.exe	79
PID 2588 wrote to memory of 1968	2588	DllCommonsvc.exe	79
PID 2588 wrote to memory of 1968	2588	DllCommonsvc.exe	79
PID 2588 wrote to memory of 1960	2588	DllCommonsvc.exe	81
PID 2588 wrote to memory of 1960	2588	DllCommonsvc.exe	81
PID 2588 wrote to memory of 1960	2588	DllCommonsvc.exe	81
PID 2588 wrote to memory of 2164	2588	DllCommonsvc.exe	82
PID 2588 wrote to memory of 2164	2588	DllCommonsvc.exe	82
PID 2588 wrote to memory of 2164	2588	DllCommonsvc.exe	82
PID 2588 wrote to memory of 1536	2588	DllCommonsvc.exe	84
PID 2588 wrote to memory of 1536	2588	DllCommonsvc.exe	84
PID 2588 wrote to memory of 1536	2588	DllCommonsvc.exe	84
PID 2588 wrote to memory of 2580	2588	DllCommonsvc.exe	92
PID 2588 wrote to memory of 2580	2588	DllCommonsvc.exe	92
PID 2588 wrote to memory of 2580	2588	DllCommonsvc.exe	92
PID 2580 wrote to memory of 1684	2580	DllCommonsvc.exe	93
PID 2580 wrote to memory of 1684	2580	DllCommonsvc.exe	93
PID 2580 wrote to memory of 1684	2580	DllCommonsvc.exe	93
PID 1684 wrote to memory of 1320	1684	cmd.exe	95
PID 1684 wrote to memory of 1320	1684	cmd.exe	95
PID 1684 wrote to memory of 1320	1684	cmd.exe	95
PID 1684 wrote to memory of 2912	1684	cmd.exe	96
PID 1684 wrote to memory of 2912	1684	cmd.exe	96
PID 1684 wrote to memory of 2912	1684	cmd.exe	96
PID 2912 wrote to memory of 2752	2912	DllCommonsvc.exe	97
PID 2912 wrote to memory of 2752	2912	DllCommonsvc.exe	97
PID 2912 wrote to memory of 2752	2912	DllCommonsvc.exe	97
PID 2752 wrote to memory of 2240	2752	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71e5925378e8859d7e81807a065a2a3288b36c5bda4193d3cbcbd49e05058063.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_71e5925378e8859d7e81807a065a2a3288b36c5bda4193d3cbcbd49e05058063.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2908
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1532
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3052
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Speech\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1960
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2164
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2580
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1320
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2240
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
        10⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2136
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat"
        12⤵
        
        PID:396
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1288
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat"
        14⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1576
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat"
        16⤵
        
        PID:2756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2224
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat"
        18⤵
        
        PID:1848
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2356
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat"
        20⤵
        
        PID:1920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2896
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat"
        22⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1268
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat"
        24⤵
        
        PID:868
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:880
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat"
        26⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2012
        
        C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe
        
        "C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat"
        28⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:1132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\es-ES\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Journal\es-ES\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2412

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Windows\Migration\WTR\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\MSBuild\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\MSBuild\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1084

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Windows\Migration\WTR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Windows\Speech\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Windows\Speech\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Windows\Speech\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Common Files\System\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Program Files\Common Files\System\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f4058c4758fc50f6439e353e981202c

SHA1
05fb20a5f6350c755bfbe43ce2a30a184d5a3dc3

SHA256
3e75e62073a779e815dc01ce6f3bda214b989fe307b2f8b9ae29813d84704575

SHA512
c50d5ccb5fe7a86246ffdd7a391dca1ecfdad3c0498236441a853e9e778479c3970afba750f7e349b2e0a00ef3c38df989d88bb02ae391cb54a32133bb941605

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67671d8c37f2eb79e2ae0319d55dc77a

SHA1
5d879dd7aa578897bdbd429c7e1af0ecdb607a32

SHA256
15e64c8c4bd961dc26f5867d5a0f8f229f86c6c20b74a6c7fd72fac6c334ef4e

SHA512
d9f502f2e370c646a0eb5d3f3545a399b302587de27b88c5a8c98c581960960dcc9525cdf22cb13667a9568670b43fe8f2994cbccad3583d96013ebef229b0e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f2e8c5199b98b8f3c319faabe9e27a93

SHA1
4d118ac8c91d7dc5a1fad63ac65c7343834c24dc

SHA256
7985caa0ca93b2cf56ea67da776d8d4c6899918123131851eeab1dbb092de9bd

SHA512
83f32c36a0d7c50066abaf5a08f8c5335687008cf85e7ea7da452c823e46262a81fad9600314c94199a7fc6ef2e7ac0d8c22a1da15ee000b7647305d406c432c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
969fc905866daf28a727438eeea463eb

SHA1
067b3d143c2cb17d01162fedf88a2c5faab35fee

SHA256
f5b70398e317dc080736c111208a61e2ee4b2e389dbbbf5aa027910b428aefe2

SHA512
70e09f6a8552682fcfec13dc1a37178855baa92ad3d2ae4a21bbd6cb3838562db097848e14c7011323384e35fa1862e7033391b01979a0daeefc5f548b96129d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
464e96143ccae982508bd84ca98ecd85

SHA1
b96cb6718f838cbf1a51c070079e7a0aa5e91795

SHA256
65ecfc749d1377cc1f821efaa73fe9aa233cde491e0d5f1c734881583edeab24

SHA512
68ea21caef2be21b84b5e0edfd0ae8d1a8dc2a4a16897d43dd5127db46e36b543f7591011bd0f906b480a95b1e5eca9ae092e52f3beb72b457e840f1da2c4501

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
687ebd3911eb071fd8a2702ee5e9f163

SHA1
4d6d3fbb0399ea76126c629e345518f0576965b4

SHA256
b271f3d51d758295298f39948fb56b3f7fc46a71fcc5d681bc3d9b3bd1823382

SHA512
7e8d65b5fae820c3a63c71cb391eb4d4151357bdbfec28ce13aa1a1cd6327281b7151b000f83c5f2157e0832b061c6c9e0834d78dfc0e7a90415b329b65e7749

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4e3a838cb8023ffe203b5cf0c17f401d

SHA1
ece06b52bdcdc1225a0163266468a6299ad95f5e

SHA256
e960525d78567ca1fd876f4df1e98712619521427c4d5054e6908c8eb0b60759

SHA512
750a104659329670ffbc35b1730b920e5732fa6daeb7694d3a175d05307a7c44303f9e7f2b973ae87a2b469b054a6e0d85e00e8d350e370b4a2af0db5cac48fc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6e22a5bc9697da27937439ff55e7a7ce

SHA1
ccc56fb486d6dd52fb14aa30a553a1f7fca8f541

SHA256
da63c3f2be1d2d7db0a3771466e168c4ed46fecf1876edc8d6d1ab03631051fb

SHA512
d638af747931e71d68cf7dc6c3b03ff50d76a9b474b4919d5fc58016974c20256e6a4f3438efde6121113a6d40fc3481b6c234381376ca41cea774c85b6f2d57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
583f44db6b143fb67bc41798d023a12f

SHA1
87475cfa4460cb3f91de3ff5a0c2c84a83f9f9dc

SHA256
d414e40f80950d805feecada249d5496fd68c216d40f6ecff963ea8ca5125b2f

SHA512
fa80e615541506738c7e7c0bd526a78b674cb808e1357fba14d308d16bf009a108bff9afd25c5b47ee630eeba0e037cc64ebbfafeaa88a6ffc0b268a3fa2353a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a5dec5f067baba4b34b1dae5c5b727b

SHA1
6ff97c56643aeab7980da0bb0e320efdea3166b4

SHA256
bc9e3dfacc2e21a2be4ff7ce5078bce368e1f0af3229e8391002f8e92b9e2be7

SHA512
a2718888c6b78d3733ad450b4d1f38e5779d4f13b14524079ae3c8e32582504b366efca3c092496a8d5385fdf442aae843ab1a5d2707eef8143cb7e4c52b470b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9b05fc70c2e631fe558b638d5a08e586

SHA1
7e1cd55b68fff9aba669077cbd04510ba0f05df2

SHA256
acf17bd109e6a849efb3db94e088e8fecde21c3ab09512e290b25b2c5ea2e313

SHA512
ff8cc98b8cbdeff386138705b6fb62eaef2166eaca2fa903b24789aa939e3d306f861d1ac6057c6bfe55f444b64c048ad62e64303119de6b227d02a9bc66903a

Download Submit
C:\Users\Admin\AppData\Local\Temp\0IgHXqOu0A.bat

Filesize
230B

MD5
5b1d1e4b54904a45fba257404c08ce50

SHA1
23425b8107b5346de78626d198bbf9b2853803f4

SHA256
80f94c965d87730d9b19177331b666e2905f4f2acbcd864bd4d68ef35bb9beab

SHA512
e05f84bcb47eb993384a2f06b625a4ba07bc915b5943acabeab0f2822a36e0d6ffdc7f758864a1e15af672a5b207de02d6cbe40c635b2f3956f5a9104933e92c

Download Submit
C:\Users\Admin\AppData\Local\Temp\9gHfnS8a2p.bat

Filesize
230B

MD5
9aaf5c4acdd2b252c056d3d6d14cfaed

SHA1
55d2959afaf352032b6c7a12810b58893a2d7aae

SHA256
2e1778d7c9cd4aca81de7faa62c2f128e73b6bb4c195a5ebe52892ba52a2d0d7

SHA512
044889299c08dcb969976f611457db8dc53a28571366e454769149e86db2a329f2d0e78dc65f1e09c2b7423b28d0a35077b30a135ba8b6281fa1bd07f3bc1bb0

Download Submit
C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

Filesize
230B

MD5
3fb0e065bc608967d63c54032f183880

SHA1
703524b3a5dc5a69043e6600a383bae935edcdd5

SHA256
fd0782d394bd13fb8d823cdbc93e489b4d51df75dcd64f002b709b2efffeca02

SHA512
213a463580c0c29a19aa49839d1ff98299ed1da50ffae9748a72ce1b3f2559340180ef784a1ad31dca87f8243f44b691b1b400ba755314be91aad8a44958f02b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BfyeXCadxk.bat

Filesize
230B

MD5
95e3abe0c5afceee4b04907584990d51

SHA1
c80cad2c76e06622cb21f4b102b172546d7885a0

SHA256
eaadfd468b3efceb0864c6a76a85cf056938dab865f8afe06379d6a5b313f45a

SHA512
f90822efa21d2d90a8f678e27b0b6a759a82245c0bfabf522fd921e8068110be533e942bc8d6c5ba1afbcffcf3b633a709c343efc578328e52ab78b7dba83526

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab42EC.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cu9aubHCzw.bat

Filesize
230B

MD5
a49b08fad0990d4dbf95c4c2045469d2

SHA1
ea33121e521978e4393ecddf098183252aae3d67

SHA256
5af048553d231468a9203487fdfc350ad7def055625adc828807ddd918670cf6

SHA512
23c4c40f9e011f038d0964790c9402f80696561d45d58ddbb0022be40c8a4c984c67ee4e02ed9d588ffe39d538b0deb879cee72ae90f13e5d19dfd6962ec5bef

Download Submit
C:\Users\Admin\AppData\Local\Temp\Db0hEHdXHW.bat

Filesize
230B

MD5
4e9129cc2d71995e0e5147efd7735c39

SHA1
10669e8b8759fdd07c6360c38a0abb563dc73c3c

SHA256
09af4051491d16c1343ddd4eccdf1dbc2210ac00ea7a82451b4db6d7647c3e05

SHA512
bb7d57129133dada0f614dfe8f4aaabf2d4cbb4a217cab0afd7da917a8e36d42ec6600d7707a62b3b2bd1589e4a58c2b9aca72094aee24e7da7ae34e894ddcc3

Download Submit
C:\Users\Admin\AppData\Local\Temp\H7kUlUtrsw.bat

Filesize
230B

MD5
b5b51fb060107c911cf5882c164a720c

SHA1
b3cd48e0607841728451477f5f6675642f4ef950

SHA256
3db85a4fd3a79231679798c36d35d41a9961231f2d258c054ce1479cd230b154

SHA512
ec130af74731ee00dbc73670ff0657b2e3b0557302f032df42739e04c8680c7a17d2e4f8ea85420cc43e2632b29b59be47266b85f068898ffc6efb5db52f8a16

Download Submit
C:\Users\Admin\AppData\Local\Temp\HmDgHlPzdV.bat

Filesize
230B

MD5
598c47155c2716c57d7ff8d5e8489244

SHA1
5d1f24c69ffdb1c82e036108dc19e3e97efe1766

SHA256
b603c78b6ce3c278be34b4234895f494f0f6b0aef37d856da81ced6d36d57771

SHA512
d6f7d84758beab31e5b8d4fa57985216e260029e0983e214d496173fbbff2ac2e20e647d79bc2483875c80c9f9b68a417f59281cdc944543900e6f94925ddf67

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar431D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YpSpsobUXT.bat

Filesize
230B

MD5
c6a538006a22ebdd3745819cda6defe2

SHA1
21a3d714a7ffd0a5f33395a0db75447ae6e71ac9

SHA256
0823a79dd3b3075a9ef207119ed7fd248481790d05cc40a625c6f9b65d70d749

SHA512
597dbc9522bb4c82f313436257bb5af2893457ff3944334533b7fedae23c965fc1e6f591a6256d5d498cc0ef04051c753ac97ede3b7d30d959711f8e6185c1ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\ddqzBJK7Zu.bat

Filesize
230B

MD5
feb94572ec394fe73ab060f2556f2057

SHA1
36bfe99e33817dce7d9c9cdb24aa4a813d94b0a2

SHA256
3f6a6cddb35339acc82723c92a8e8ad46ef6df4ad96f97b49aef559a7427bb4c

SHA512
f2a29e57b07ad6c215fa545ab1c772b6c462c2440058d0707b5b0f715ddc888b2ee5d8939a6c18b02b75c18627fbb0a6274cf7b01c69fc637a1a962f25d0b7ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

Filesize
230B

MD5
41b03687b9b8b7a925d2a2818f042954

SHA1
d874d436d058856c1bd02d5352a0216595d2945a

SHA256
903e500b03cefb58634b2efdf12609edbaed5ee9321574696e771f662e35af9f

SHA512
72c4730f89a844d77eaec25a311cc0f47c5ab24767956f8bb1cb5929e9d17132b3db4d81e7595e35d894ad7f547109771b139ae9db29e3602c89c3eecc26c6d1

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUc4JDtx8N.bat

Filesize
230B

MD5
37229e1a50d25021825cc26c93ca21aa

SHA1
cef89baba79992a2a00cda3ed2d47b049199f111

SHA256
93ab69b2acd9e6e650a84c1badd83ec0e0932d7bf51f536aa27be840a731c861

SHA512
22f1dff314d78f602e48111d2055706a881663992c67e94c23e3fa7fdb1fccac5b721e6e08dced5697786d97f7c08c10920c27080aed8e83e6210c5c7ddfa660

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7e3fcd062a173b9a46f0d111fd34490b

SHA1
3263bfc38769cc5b458e5e0bfd6cfe09aa71de1e

SHA256
498331bddb06f5a8b5cc3d0abc01f3ae0f125bb1c9c84ac392784b94d5d9f2d6

SHA512
e6f7bdd2e8f6eb086b2bd348b3f5ad844030215336870ae11016feea645f270b10dd8641d28a0bc220d3334962e910877b11cdfbdb0065426d339ee4c5b9c5fe

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/748-763-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/908-643-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/1512-703-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/1520-57-0x0000000001C10000-0x0000000001C18000-memory.dmp

Filesize
32KB

Download
memory/1520-56-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1996-282-0x0000000000C40000-0x0000000000D50000-memory.dmp

Filesize
1.1MB

Download
memory/1996-283-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2200-222-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2580-92-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download
memory/2588-17-0x0000000000480000-0x000000000048C000-memory.dmp

Filesize
48KB

Download
memory/2588-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2588-15-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2588-13-0x0000000001200000-0x0000000001310000-memory.dmp

Filesize
1.1MB

Download
memory/2588-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2692-583-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2692-582-0x0000000001030000-0x0000000001140000-memory.dmp

Filesize
1.1MB

Download
memory/2748-403-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/2912-162-0x0000000000F40000-0x0000000001050000-memory.dmp

Filesize
1.1MB

Download
memory/2920-522-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/2956-343-0x0000000000D40000-0x0000000000E50000-memory.dmp

Filesize
1.1MB

Download