dcrat | 70de5431c131e3d926b2f9274a1ee978b9c9ebed83b881a6aa7ce09f5235bd55

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_70de5431c131e3d926b2f9274a1ee978b9c9ebed83b881a6aa7ce09f5235bd55.exe
Size

1.3MB
MD5

139097bd07926ce986a4286c579dcc4f
SHA1

4f40c59f12145ea414f7ce9b68dd6ac08dac5523
SHA256

70de5431c131e3d926b2f9274a1ee978b9c9ebed83b881a6aa7ce09f5235bd55
SHA512

d93f193def55d2ffd8ccdb734bdc6d06e1528830d73a66d68c8e2b924fddac3ca3d62fb220dbd02cbadfd67b64a4d7b4fe315fab8a39bd5d52b9adb1f7410b53
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2112	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1984	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	332	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1312	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	784	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	404	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2916	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000192f0-9.dat	dcrat
behavioral1/memory/2904-13-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/1560-107-0x0000000000F70000-0x0000000001080000-memory.dmp	dcrat
behavioral1/memory/280-166-0x0000000000080000-0x0000000000190000-memory.dmp	dcrat
behavioral1/memory/1812-226-0x0000000000BE0000-0x0000000000CF0000-memory.dmp	dcrat
behavioral1/memory/2056-286-0x0000000000EF0000-0x0000000001000000-memory.dmp	dcrat
behavioral1/memory/1236-346-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/2436-466-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/1236-585-0x00000000010F0000-0x0000000001200000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1320	powershell.exe
1724	powershell.exe
2284	powershell.exe
2292	powershell.exe
304	powershell.exe
1876	powershell.exe
2588	powershell.exe
2264	powershell.exe
1692	powershell.exe
1828	powershell.exe
1832	powershell.exe
1032	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2904	DllCommonsvc.exe
1560	cmd.exe
280	cmd.exe
1812	cmd.exe
2056	cmd.exe
1236	cmd.exe
2684	cmd.exe
2436	cmd.exe
1676	cmd.exe
1236	cmd.exe
2696	cmd.exe
3004	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2784	cmd.exe
2784	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
37	raw.githubusercontent.com
33	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\c5b4cb5e9653cc	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\cmd.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Reference Assemblies\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\OSPPSVC.exe	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\csrss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_70de5431c131e3d926b2f9274a1ee978b9c9ebed83b881a6aa7ce09f5235bd55.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2872	schtasks.exe
3008	schtasks.exe
1336	schtasks.exe
332	schtasks.exe
1792	schtasks.exe
2968	schtasks.exe
1364	schtasks.exe
2660	schtasks.exe
2732	schtasks.exe
404	schtasks.exe
1720	schtasks.exe
1536	schtasks.exe
1356	schtasks.exe
784	schtasks.exe
2232	schtasks.exe
1996	schtasks.exe
980	schtasks.exe
1920	schtasks.exe
2196	schtasks.exe
1432	schtasks.exe
2716	schtasks.exe
1312	schtasks.exe
2352	schtasks.exe
1984	schtasks.exe
1048	schtasks.exe
696	schtasks.exe
1948	schtasks.exe
2112	schtasks.exe
2040	schtasks.exe
2072	schtasks.exe
1764	schtasks.exe
1652	schtasks.exe
2832	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
2904	DllCommonsvc.exe
1828	powershell.exe
2588	powershell.exe
2284	powershell.exe
1692	powershell.exe
304	powershell.exe
1032	powershell.exe
1832	powershell.exe
2292	powershell.exe
1320	powershell.exe
2264	powershell.exe
1724	powershell.exe
1876	powershell.exe
1560	cmd.exe
280	cmd.exe
1812	cmd.exe
2056	cmd.exe
1236	cmd.exe
2684	cmd.exe
2436	cmd.exe
1676	cmd.exe
1236	cmd.exe
2696	cmd.exe
3004	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2904	DllCommonsvc.exe
Token: SeDebugPrivilege	1828	powershell.exe
Token: SeDebugPrivilege	2588	powershell.exe
Token: SeDebugPrivilege	2284	powershell.exe
Token: SeDebugPrivilege	1692	powershell.exe
Token: SeDebugPrivilege	304	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	1832	powershell.exe
Token: SeDebugPrivilege	2292	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	2264	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1560	cmd.exe
Token: SeDebugPrivilege	280	cmd.exe
Token: SeDebugPrivilege	1812	cmd.exe
Token: SeDebugPrivilege	2056	cmd.exe
Token: SeDebugPrivilege	1236	cmd.exe
Token: SeDebugPrivilege	2684	cmd.exe
Token: SeDebugPrivilege	2436	cmd.exe
Token: SeDebugPrivilege	1676	cmd.exe
Token: SeDebugPrivilege	1236	cmd.exe
Token: SeDebugPrivilege	2696	cmd.exe
Token: SeDebugPrivilege	3004	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2612 wrote to memory of 3024	2612	JaffaCakes118_70de5431c131e3d926b2f9274a1ee978b9c9ebed83b881a6aa7ce09f5235bd55.exe	30
PID 2612 wrote to memory of 3024	2612	JaffaCakes118_70de5431c131e3d926b2f9274a1ee978b9c9ebed83b881a6aa7ce09f5235bd55.exe	30
PID 2612 wrote to memory of 3024	2612	JaffaCakes118_70de5431c131e3d926b2f9274a1ee978b9c9ebed83b881a6aa7ce09f5235bd55.exe	30
PID 2612 wrote to memory of 3024	2612	JaffaCakes118_70de5431c131e3d926b2f9274a1ee978b9c9ebed83b881a6aa7ce09f5235bd55.exe	30
PID 3024 wrote to memory of 2784	3024	WScript.exe	31
PID 3024 wrote to memory of 2784	3024	WScript.exe	31
PID 3024 wrote to memory of 2784	3024	WScript.exe	31
PID 3024 wrote to memory of 2784	3024	WScript.exe	31
PID 2784 wrote to memory of 2904	2784	cmd.exe	33
PID 2784 wrote to memory of 2904	2784	cmd.exe	33
PID 2784 wrote to memory of 2904	2784	cmd.exe	33
PID 2784 wrote to memory of 2904	2784	cmd.exe	33
PID 2904 wrote to memory of 1876	2904	DllCommonsvc.exe	68
PID 2904 wrote to memory of 1876	2904	DllCommonsvc.exe	68
PID 2904 wrote to memory of 1876	2904	DllCommonsvc.exe	68
PID 2904 wrote to memory of 2588	2904	DllCommonsvc.exe	69
PID 2904 wrote to memory of 2588	2904	DllCommonsvc.exe	69
PID 2904 wrote to memory of 2588	2904	DllCommonsvc.exe	69
PID 2904 wrote to memory of 2264	2904	DllCommonsvc.exe	70
PID 2904 wrote to memory of 2264	2904	DllCommonsvc.exe	70
PID 2904 wrote to memory of 2264	2904	DllCommonsvc.exe	70
PID 2904 wrote to memory of 1320	2904	DllCommonsvc.exe	71
PID 2904 wrote to memory of 1320	2904	DllCommonsvc.exe	71
PID 2904 wrote to memory of 1320	2904	DllCommonsvc.exe	71
PID 2904 wrote to memory of 1724	2904	DllCommonsvc.exe	72
PID 2904 wrote to memory of 1724	2904	DllCommonsvc.exe	72
PID 2904 wrote to memory of 1724	2904	DllCommonsvc.exe	72
PID 2904 wrote to memory of 1692	2904	DllCommonsvc.exe	73
PID 2904 wrote to memory of 1692	2904	DllCommonsvc.exe	73
PID 2904 wrote to memory of 1692	2904	DllCommonsvc.exe	73
PID 2904 wrote to memory of 1828	2904	DllCommonsvc.exe	74
PID 2904 wrote to memory of 1828	2904	DllCommonsvc.exe	74
PID 2904 wrote to memory of 1828	2904	DllCommonsvc.exe	74
PID 2904 wrote to memory of 2284	2904	DllCommonsvc.exe	75
PID 2904 wrote to memory of 2284	2904	DllCommonsvc.exe	75
PID 2904 wrote to memory of 2284	2904	DllCommonsvc.exe	75
PID 2904 wrote to memory of 1832	2904	DllCommonsvc.exe	76
PID 2904 wrote to memory of 1832	2904	DllCommonsvc.exe	76
PID 2904 wrote to memory of 1832	2904	DllCommonsvc.exe	76
PID 2904 wrote to memory of 2292	2904	DllCommonsvc.exe	77
PID 2904 wrote to memory of 2292	2904	DllCommonsvc.exe	77
PID 2904 wrote to memory of 2292	2904	DllCommonsvc.exe	77
PID 2904 wrote to memory of 304	2904	DllCommonsvc.exe	78
PID 2904 wrote to memory of 304	2904	DllCommonsvc.exe	78
PID 2904 wrote to memory of 304	2904	DllCommonsvc.exe	78
PID 2904 wrote to memory of 1032	2904	DllCommonsvc.exe	79
PID 2904 wrote to memory of 1032	2904	DllCommonsvc.exe	79
PID 2904 wrote to memory of 1032	2904	DllCommonsvc.exe	79
PID 2904 wrote to memory of 1560	2904	DllCommonsvc.exe	92
PID 2904 wrote to memory of 1560	2904	DllCommonsvc.exe	92
PID 2904 wrote to memory of 1560	2904	DllCommonsvc.exe	92
PID 1560 wrote to memory of 2948	1560	cmd.exe	94
PID 1560 wrote to memory of 2948	1560	cmd.exe	94
PID 1560 wrote to memory of 2948	1560	cmd.exe	94
PID 2948 wrote to memory of 2660	2948	cmd.exe	96
PID 2948 wrote to memory of 2660	2948	cmd.exe	96
PID 2948 wrote to memory of 2660	2948	cmd.exe	96
PID 2948 wrote to memory of 280	2948	cmd.exe	97
PID 2948 wrote to memory of 280	2948	cmd.exe	97
PID 2948 wrote to memory of 280	2948	cmd.exe	97
PID 280 wrote to memory of 636	280	cmd.exe	98
PID 280 wrote to memory of 636	280	cmd.exe	98
PID 280 wrote to memory of 636	280	cmd.exe	98
PID 636 wrote to memory of 1160	636	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70de5431c131e3d926b2f9274a1ee978b9c9ebed83b881a6aa7ce09f5235bd55.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_70de5431c131e3d926b2f9274a1ee978b9c9ebed83b881a6aa7ce09f5235bd55.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2612
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2784
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2264
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1828
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\My Documents\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:304
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2660
        
        C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1160
        
        C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DGa94wSM8j.bat"
        10⤵
        
        PID:2236
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2640
        
        C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat"
        12⤵
        
        PID:2708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:332
        
        C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat"
        14⤵
        
        PID:348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2480
        
        C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2684
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
        16⤵
        
        PID:1880
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1312
        
        C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat"
        18⤵
        
        PID:2688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2012
        
        C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat"
        20⤵
        
        PID:2040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2112
        
        C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat"
        22⤵
        
        PID:1972
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1496
        
        C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat"
        24⤵
        
        PID:1520
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1364
        
        C:\Program Files\Reference Assemblies\cmd.exe
        
        "C:\Program Files\Reference Assemblies\cmd.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        26⤵
        
        PID:2716
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Program Files\Reference Assemblies\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2112

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1356

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1312

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 9 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\My Documents\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\My Documents\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\v1.0\Runtime\x86\resources\1033\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0da127c70b9fc574bd0d48c76e889f4b

SHA1
dbb845c36dc32174a3503ef2ca3c33c2ffd5c820

SHA256
68a37d8e2765a09d9789d66b6c6ec41e60493985c7aa9393ede5ee104ed34d10

SHA512
4ce7e376da0b151c974c8b4b4b8e6b66d2b772669f9be3ecad1cabb5265303423b63219713f7a300e70cf6852f9292830f2019212e71f859dde35f00c7ad135d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62a03e560a3d3e78f2b695f09c1ce77f

SHA1
46116dc25581812dd9706a62ac28f024f9505896

SHA256
4a32fc403ab7383d818917850e0ae470972e1adde42c97706a00384512313437

SHA512
8c4d3018c8e723d657d60aa09554c02dcc58e95df4c7339004ece5092d2c0ecaf006edcf53243b1d3352c76ab36450e1c02e1c82d93705224d8367d797e6e550

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbd711970772138d988a14dba04038c4

SHA1
30b5f4d9e6f0d048916f7404ad0d1e474a0e318f

SHA256
4877da8e92c2a8ecf260bdf5d8099fc560397c729ebce3d8d8e6f2e85a8e0b2e

SHA512
c884014c159c3525810dfd141a5da52eb85a2b544758c9cda59aa00e9b7dc447c1db57935d409abfe24f7ada30b887187f282a876a6e2742124dac2a29690f6e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
550d64fa5614dda29f2be716efae71dc

SHA1
80afdd47c487649a901426b095e5eb4c8e380499

SHA256
aba65db3afe9117d8eba7af9e8d99ef95273ebcbbe64f0144962a1855fbd02c8

SHA512
b1b2330eaa0fbe26e4d30115afca69ecbd25e77858b841dffa4194b1c092729dcdb1c68ab74c895782c54193e79f37cc756c99a575f95b2574f2aeb168feb9de

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cdf71738ac8aaf16271fb2b2b56d54e3

SHA1
d88706caf2571888f8a3c0b218ef836ec4d9571f

SHA256
4dee8b56da9750586b4321e1a870ca332117e20a616b9d535c81faa21313e777

SHA512
4a5f4c7ad6112b25d2fa32f0ee1905b09e433bdd6803d023e6116887ce20f0ccda15512321b2926f8d6cf47d85099b86dc507faa9e477e42e678851c7c56a885

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4439534cbcdcf71b1877760b14cd36b

SHA1
420c00a8c8b9df7b78be06ca7da93b35d29df3c2

SHA256
553c11237b49bd85425178f0368eb9f56f4e157956dcb9659cc44f444673ed59

SHA512
0cf00556936ac1b56ce68644bf239186c8ddc5cc320732a57420418adacd529c0757b64ccbcc722c697cb222b21a002872522761c323361cc1e534097dd6994a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cba966a595a9677bc5ff8c5d2bb991e7

SHA1
88aa77769658dd7962becf9499ef799b50f8a91f

SHA256
b6ff0329d171f893584da5138089a71f161f7b151b3f882a7e247864f994f987

SHA512
405aa7447a114b1160d474f30ae57ceb564e0841a916912bb1f1c2893c31d70098cd6bc31aa6350446296c6dca9fffef7230a9c90ced0fb398b62f2f60e7941b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c667c4ba1aa2790e3ab04519bb4790b

SHA1
dba39eda55b1bedc963fd8f1fa3bc84a175d351a

SHA256
56b8740607c3b29a3fb81f475a0bb82c7eb68d49eb575cf47057f738baaed44e

SHA512
ed7021a034bddff77bd9410edf99df3d24b0951a70d23e016515e3e464cb227d5c68db744987222f8e61a2864a33b88a83c2079b496468a7b84c9d7c38b55585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a97f35007342156ac5b04ed39b639bb0

SHA1
b372ebbfb16e9383c663a0c6ab83c900ec63a83d

SHA256
c44e5d41d6963be1f195b528d5586aec3c9d81b68df891046ca7910c6bde0424

SHA512
6078ede33a97aa5ce37856f94176b5acd77c84e2c59b87fd54e93b74963aea67b2edaf60b2e373f5c89ddaae8b10cf45325a5dde2d8cc7c7fe675a6ba84a8281

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6f70187d4c6d95ce700a07e5e0c5fc1d

SHA1
6d6d4a7a6caabf0a38e59ee03315c85b560c16f2

SHA256
e7de34594b4ee54f05fff2f6d3cd99f11c5b0448fe67c17e8398603b00e4f375

SHA512
bc6368914efe6bb2ac1c03379b5b35307d9705daa7738f90014c24acde71a981030f03dab6f3f89f5a15fe3916071a6dce68d753557ed0501fea510dc1b67dc8

Download Submit
C:\Users\Admin\AppData\Local\Temp\4Q74CISUeM.bat

Filesize
210B

MD5
704102dd5b46fff60f0428a028627a2d

SHA1
db1b8d969c0f020e3850d0a6c08bc4e129f83cec

SHA256
5b0b044f8daac36c584cf44ceaae3b473d52c1e90d755c816156d8064d07bb33

SHA512
63b98b76d01563183393cbf0b69a05b317ce99a7b20e48c241d9434082f4e4dc81b2100cf5c2ac80409e6270736eecce71983fe233a6bf82c003b31792cccded

Download Submit
C:\Users\Admin\AppData\Local\Temp\4vYRXbn8bW.bat

Filesize
210B

MD5
c333c6c7c8963fecd2fd832f085d345a

SHA1
4b9b10d2d8c9272271e2d8e15d937f7509ef2cc3

SHA256
93fc398c99e5e1b28b42e8e830f2b2ff8a67fbfd128674e3af74210825ef66ee

SHA512
22445ea40d9a57be8dcbe3fc27636e95a92e387a4655daa8f4b8dc77a5afddaa2bedecaa37557fc73f20845e5dfad61cf654dc50d9999b00154dc7f05d5f3d01

Download Submit
C:\Users\Admin\AppData\Local\Temp\ANE2RWndQ4.bat

Filesize
210B

MD5
50fa9d5268377b50493b37d7d7e368df

SHA1
c736ef8c33099f6e802dac0e26e04818a034ecc7

SHA256
4668ffe9ff54fbef9ea7b88ec2bbfe111f1fdd3dfae18bdb08d06a6fb0d8a0c6

SHA512
4428904cbf3b67a4369ca547311cd6bdafc0b53d21fa0b1f4b9ae092cb8510ad86085a0cb14ba986428febcbf41c77a8ff935fff45a34521539378621a1131b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATZuYpZxcK.bat

Filesize
210B

MD5
e18281b4c551472d8ad2fdff186b4336

SHA1
4b0c5b876c8b0384b26e6411e8c8d9810e29680a

SHA256
1519afe4273b175c7f2b6ec140686e503e87e72e705aac6a56441603e84098ff

SHA512
495d4a9cf1ba5f7bf6f93b7da8a9616a2033a9c794387ae471881778f3157c3276eba1bd7a78ef1280e6015f73930d3973323a49cdb2b736242947c7af41fd4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCDEB.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DGa94wSM8j.bat

Filesize
210B

MD5
383bd86c3fbb53a73f5af55236d0ef1e

SHA1
277c9a7292d247afa1c0f5481a0c44799db78693

SHA256
16139ce911520113106141999a8340ffb71945d0303b9c2ec3d0480135ab11c2

SHA512
b50f1bb9a22363a7e94b39166ccf05c4f78bfa47535b93a4b925492ccc9da2d584b4251fac322e9cf685f02cc101c39970a57a5246df49acec18f189b48a91af

Download Submit
C:\Users\Admin\AppData\Local\Temp\OyPKZ08zKl.bat

Filesize
210B

MD5
a8b35b7bf4b9ee7481e198a594ee5c46

SHA1
875d367141a712f79b76090b2efda937b5199aa1

SHA256
ed7a96e397030c33cf4f4a922b368c8e622a85e634d322fa6961ba917715a145

SHA512
3178d5faa1683fdda1c7b6e09e3f3db70034d032194fa213a2d2206680b3cc644ba6184fbc70f8b6ca27773e3dbbf08aa0e933fc434aa4f6b6f21fbf6289f699

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCE2D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\gSW9k5bhgR.bat

Filesize
210B

MD5
cd36aa47cf6882129465edaa80b60ed0

SHA1
212d6fe7fc8226a3e500718b6cf71a9ad88d36e4

SHA256
90dd66185651f7edca0a5f22f73e7f55022aa1af37898d8b6053325b175b19d4

SHA512
9b10d668839a7e28418885913828b7760c717dabfc9bdf3cc07b992b12c756f23cbe3aee2bc4b96d244a64954db2470e05ba6cc1cb3aa5acb8fe7b12971c9631

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat

Filesize
210B

MD5
c608d569a73f69d3422e8e7b61abf542

SHA1
1dc5ee45e04ba61c8d11cfc1204dd7cee8914ceb

SHA256
3b50574ac5bc84dcace663674e9db4a110a1b9b6b79c80289bd5302bf27e47c6

SHA512
7ed7c674a55e5d27fc4aa37c857d73d2b871e6371dbdfea2bd7103d00b925bf50a883540eb406e9d72d69421c9c06529a7d34142f1fd301c0528cd12942b0092

Download Submit
C:\Users\Admin\AppData\Local\Temp\j5PKlq1uIo.bat

Filesize
210B

MD5
c66cf837f8a36c5af4cfb8d99349e42b

SHA1
0a749c3f9f90ee0bf219e35db17753d2bbe4e1a1

SHA256
c920eb0fa9973b9f1aa49e7a1fb09ac65cc049c1bc2e0353a8cc769dd1789d5a

SHA512
eff0ede1e7b2f4abf0ba600dbd3688ac0c0351089ec9aef451f3d6930e3248e2dfdc884eb2286e4fd60f5640ce71b2e9ed8884ce1e5637f94d665563dd4921bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\qwBPskakqG.bat

Filesize
210B

MD5
49d642e7c37c7965a03878aa38e4fca4

SHA1
54d56bf41a24b336574b5a2b8ffbd9b573c6d9aa

SHA256
991fc17348351206113d9b4757dd663212d16dc1c543ef29de860e7021f3558a

SHA512
af20d9c40516e112bee5ca43160e1262916c3234b5f895893b8dbad94d88bfe94fb44d7a1e02cfb2f011e36f631b356f462949724c07864b3c8ab3f30ce3c311

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
210B

MD5
050199d1845d17aca2f627cc5197e328

SHA1
8d6256755ef27491494ea983fcd8369d02b969f4

SHA256
dbfa7beffd7c60f73e2ee6a90fcdd820e6541fd723ba936a877a0301a376712e

SHA512
41d08b35b3dbd14a7474ac08b87b336840e0c1ec4f1246cc6a2e236ee844fd41677ea9614e0b03721700a472b85ba0c04b05dade321ba9914e20cd15c92c63f1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
59763159b1a7956d32fedb15f1b03916

SHA1
9b6fee32e4966b5090703f168cbfb004be5ee763

SHA256
96f1079b7a78fec86b5b16276ea406851a64507aad61362966bbd56c797fa0c8

SHA512
5606a3ca3448aa233db5d5b2eeee9022992fef6789807c0607ae549bf16df5b0957007073054b46e67639dc371d96f90c3266353376727e5ddf510c4368b6241

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/280-166-0x0000000000080000-0x0000000000190000-memory.dmp

Filesize
1.1MB

Download
memory/1236-346-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/1236-347-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/1236-585-0x00000000010F0000-0x0000000001200000-memory.dmp

Filesize
1.1MB

Download
memory/1560-107-0x0000000000F70000-0x0000000001080000-memory.dmp

Filesize
1.1MB

Download
memory/1812-226-0x0000000000BE0000-0x0000000000CF0000-memory.dmp

Filesize
1.1MB

Download
memory/1828-61-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/2056-286-0x0000000000EF0000-0x0000000001000000-memory.dmp

Filesize
1.1MB

Download
memory/2436-466-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/2588-71-0x0000000001E80000-0x0000000001E88000-memory.dmp

Filesize
32KB

Download
memory/2904-17-0x0000000000A20000-0x0000000000A2C000-memory.dmp

Filesize
48KB

Download
memory/2904-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2904-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2904-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2904-13-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/3004-704-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download