dcrat | 4ead0cfa1b09fbc17cb40c9bc0ba213411bedb60de68ef8473e1f2b59c9816ef

Analysis

max time kernel
149s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4ead0cfa1b09fbc17cb40c9bc0ba213411bedb60de68ef8473e1f2b59c9816ef.exe
Size

1.3MB
MD5

d876aff0b01d9dfad949aa030032c959
SHA1

414c6eecb52179fa542f7e6898e7a9202a2641bc
SHA256

4ead0cfa1b09fbc17cb40c9bc0ba213411bedb60de68ef8473e1f2b59c9816ef
SHA512

a0b11727ee6528a20757ea879cc2e99aa2cb40485900a46c532ad7e0f4918be84faaa3a7691ba21118009c0b7a2581077fea3400da5ac71e47104ebff44444f7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2828	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	760	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1892	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1868	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1404	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2468	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1544	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1188	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1708	2720	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2720	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d58-10.dat	dcrat
behavioral1/memory/2760-13-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/2540-112-0x00000000009C0000-0x0000000000AD0000-memory.dmp	dcrat
behavioral1/memory/3012-171-0x00000000012E0000-0x00000000013F0000-memory.dmp	dcrat
behavioral1/memory/3000-231-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2428-291-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/2624-352-0x0000000000F50000-0x0000000001060000-memory.dmp	dcrat
behavioral1/memory/2760-471-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/1480-531-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/1096-591-0x0000000001040000-0x0000000001150000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1756	powershell.exe
2364	powershell.exe
832	powershell.exe
656	powershell.exe
1940	powershell.exe
1360	powershell.exe
1656	powershell.exe
556	powershell.exe
2572	powershell.exe
2068	powershell.exe
2240	powershell.exe
648	powershell.exe
952	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2760	DllCommonsvc.exe
2540	dllhost.exe
3012	dllhost.exe
3000	dllhost.exe
2428	dllhost.exe
2624	dllhost.exe
2716	dllhost.exe
2760	dllhost.exe
1480	dllhost.exe
1096	dllhost.exe
2848	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2308	cmd.exe
2308	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
26	raw.githubusercontent.com
33	raw.githubusercontent.com
12	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\fr-FR\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\LiveKernelReports\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\dllhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\LiveKernelReports\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4ead0cfa1b09fbc17cb40c9bc0ba213411bedb60de68ef8473e1f2b59c9816ef.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1352	schtasks.exe
1832	schtasks.exe
2920	schtasks.exe
2244	schtasks.exe
3044	schtasks.exe
1240	schtasks.exe
2012	schtasks.exe
1544	schtasks.exe
2964	schtasks.exe
1796	schtasks.exe
1404	schtasks.exe
2468	schtasks.exe
2652	schtasks.exe
2620	schtasks.exe
760	schtasks.exe
1736	schtasks.exe
1992	schtasks.exe
2456	schtasks.exe
3032	schtasks.exe
1676	schtasks.exe
2632	schtasks.exe
1892	schtasks.exe
1908	schtasks.exe
1704	schtasks.exe
3052	schtasks.exe
272	schtasks.exe
1868	schtasks.exe
2212	schtasks.exe
2344	schtasks.exe
1764	schtasks.exe
1196	schtasks.exe
1708	schtasks.exe
2828	schtasks.exe
2676	schtasks.exe
292	schtasks.exe
1188	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
2760	DllCommonsvc.exe
656	powershell.exe
648	powershell.exe
2068	powershell.exe
1360	powershell.exe
832	powershell.exe
1656	powershell.exe
952	powershell.exe
2364	powershell.exe
556	powershell.exe
2572	powershell.exe
1940	powershell.exe
2240	powershell.exe
1756	powershell.exe
2540	dllhost.exe
3012	dllhost.exe
3000	dllhost.exe
2428	dllhost.exe
2624	dllhost.exe
2716	dllhost.exe
2760	dllhost.exe
1480	dllhost.exe
1096	dllhost.exe
2848	dllhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	DllCommonsvc.exe
Token: SeDebugPrivilege	656	powershell.exe
Token: SeDebugPrivilege	648	powershell.exe
Token: SeDebugPrivilege	2068	powershell.exe
Token: SeDebugPrivilege	1360	powershell.exe
Token: SeDebugPrivilege	832	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	952	powershell.exe
Token: SeDebugPrivilege	2364	powershell.exe
Token: SeDebugPrivilege	556	powershell.exe
Token: SeDebugPrivilege	2572	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2240	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	2540	dllhost.exe
Token: SeDebugPrivilege	3012	dllhost.exe
Token: SeDebugPrivilege	3000	dllhost.exe
Token: SeDebugPrivilege	2428	dllhost.exe
Token: SeDebugPrivilege	2624	dllhost.exe
Token: SeDebugPrivilege	2716	dllhost.exe
Token: SeDebugPrivilege	2760	dllhost.exe
Token: SeDebugPrivilege	1480	dllhost.exe
Token: SeDebugPrivilege	1096	dllhost.exe
Token: SeDebugPrivilege	2848	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1480 wrote to memory of 2380	1480	JaffaCakes118_4ead0cfa1b09fbc17cb40c9bc0ba213411bedb60de68ef8473e1f2b59c9816ef.exe	30
PID 1480 wrote to memory of 2380	1480	JaffaCakes118_4ead0cfa1b09fbc17cb40c9bc0ba213411bedb60de68ef8473e1f2b59c9816ef.exe	30
PID 1480 wrote to memory of 2380	1480	JaffaCakes118_4ead0cfa1b09fbc17cb40c9bc0ba213411bedb60de68ef8473e1f2b59c9816ef.exe	30
PID 1480 wrote to memory of 2380	1480	JaffaCakes118_4ead0cfa1b09fbc17cb40c9bc0ba213411bedb60de68ef8473e1f2b59c9816ef.exe	30
PID 2380 wrote to memory of 2308	2380	WScript.exe	32
PID 2380 wrote to memory of 2308	2380	WScript.exe	32
PID 2380 wrote to memory of 2308	2380	WScript.exe	32
PID 2380 wrote to memory of 2308	2380	WScript.exe	32
PID 2308 wrote to memory of 2760	2308	cmd.exe	34
PID 2308 wrote to memory of 2760	2308	cmd.exe	34
PID 2308 wrote to memory of 2760	2308	cmd.exe	34
PID 2308 wrote to memory of 2760	2308	cmd.exe	34
PID 2760 wrote to memory of 832	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 832	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 832	2760	DllCommonsvc.exe	72
PID 2760 wrote to memory of 2240	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 2240	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 2240	2760	DllCommonsvc.exe	73
PID 2760 wrote to memory of 656	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 656	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 656	2760	DllCommonsvc.exe	74
PID 2760 wrote to memory of 1360	2760	DllCommonsvc.exe	75
PID 2760 wrote to memory of 1360	2760	DllCommonsvc.exe	75
PID 2760 wrote to memory of 1360	2760	DllCommonsvc.exe	75
PID 2760 wrote to memory of 1940	2760	DllCommonsvc.exe	76
PID 2760 wrote to memory of 1940	2760	DllCommonsvc.exe	76
PID 2760 wrote to memory of 1940	2760	DllCommonsvc.exe	76
PID 2760 wrote to memory of 1756	2760	DllCommonsvc.exe	77
PID 2760 wrote to memory of 1756	2760	DllCommonsvc.exe	77
PID 2760 wrote to memory of 1756	2760	DllCommonsvc.exe	77
PID 2760 wrote to memory of 648	2760	DllCommonsvc.exe	78
PID 2760 wrote to memory of 648	2760	DllCommonsvc.exe	78
PID 2760 wrote to memory of 648	2760	DllCommonsvc.exe	78
PID 2760 wrote to memory of 1656	2760	DllCommonsvc.exe	79
PID 2760 wrote to memory of 1656	2760	DllCommonsvc.exe	79
PID 2760 wrote to memory of 1656	2760	DllCommonsvc.exe	79
PID 2760 wrote to memory of 556	2760	DllCommonsvc.exe	80
PID 2760 wrote to memory of 556	2760	DllCommonsvc.exe	80
PID 2760 wrote to memory of 556	2760	DllCommonsvc.exe	80
PID 2760 wrote to memory of 2572	2760	DllCommonsvc.exe	81
PID 2760 wrote to memory of 2572	2760	DllCommonsvc.exe	81
PID 2760 wrote to memory of 2572	2760	DllCommonsvc.exe	81
PID 2760 wrote to memory of 2068	2760	DllCommonsvc.exe	82
PID 2760 wrote to memory of 2068	2760	DllCommonsvc.exe	82
PID 2760 wrote to memory of 2068	2760	DllCommonsvc.exe	82
PID 2760 wrote to memory of 952	2760	DllCommonsvc.exe	83
PID 2760 wrote to memory of 952	2760	DllCommonsvc.exe	83
PID 2760 wrote to memory of 952	2760	DllCommonsvc.exe	83
PID 2760 wrote to memory of 2364	2760	DllCommonsvc.exe	85
PID 2760 wrote to memory of 2364	2760	DllCommonsvc.exe	85
PID 2760 wrote to memory of 2364	2760	DllCommonsvc.exe	85
PID 2760 wrote to memory of 2544	2760	DllCommonsvc.exe	98
PID 2760 wrote to memory of 2544	2760	DllCommonsvc.exe	98
PID 2760 wrote to memory of 2544	2760	DllCommonsvc.exe	98
PID 2544 wrote to memory of 2664	2544	cmd.exe	100
PID 2544 wrote to memory of 2664	2544	cmd.exe	100
PID 2544 wrote to memory of 2664	2544	cmd.exe	100
PID 2544 wrote to memory of 2540	2544	cmd.exe	101
PID 2544 wrote to memory of 2540	2544	cmd.exe	101
PID 2544 wrote to memory of 2540	2544	cmd.exe	101
PID 2540 wrote to memory of 2624	2540	dllhost.exe	102
PID 2540 wrote to memory of 2624	2540	dllhost.exe	102
PID 2540 wrote to memory of 2624	2540	dllhost.exe	102
PID 2624 wrote to memory of 1120	2624	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ead0cfa1b09fbc17cb40c9bc0ba213411bedb60de68ef8473e1f2b59c9816ef.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4ead0cfa1b09fbc17cb40c9bc0ba213411bedb60de68ef8473e1f2b59c9816ef.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1480
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2380
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2308
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:832
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\fr-FR\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2572
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:952
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0D7kBG2ryb.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2664
      - C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2624
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1120
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat"
        9⤵
        
        PID:1892
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2116
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat"
        11⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2412
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
        13⤵
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:292
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
        15⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2680
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat"
        17⤵
        
        PID:2344
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3000
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
        19⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2496
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat"
        21⤵
        
        PID:1884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1748
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat"
        23⤵
        
        PID:2896
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2324
        
        C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe
        
        "C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Windows Defender\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{90140000-006E-0409-0000-0000000FF1CE}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Users\Default User\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Photo Viewer\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Java\jdk1.7.0_80\jre\lib\applet\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
565afe2a87922d959d3c5931e5aec5f7

SHA1
70403f7a03b6459982675e1d909a4758b0a36b30

SHA256
d804ddd1ead34dae7f1c451f8d0510f5a9dd0bee3e54a82cba7fc0f1465c5382

SHA512
868f56384f2962478215ec8d0321e529e94f709f8ac1687f0dfdf37e454c70a97553f64a844660a97d2c741440c3435797f27afc0df10827be12a46ea02372ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
73bd3f674e9f1d16eda32a31cc88d7e0

SHA1
4521de720824c560c4e8a3c1dff1fe0249b83a00

SHA256
10574bc43e9d2e21bb979144c4b99cf35de8a1a84c57ed16a7ff1c379b8974cd

SHA512
d0056f7f1255ff13914a044a73c34c93c6545999c9bf7bc48cf698be4fba7c3a974ac53d556d7bacb43880eade5a08787c86357ac0e14052a460428dc0dd41bb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f4afe392e5e7631085357bdc405310ab

SHA1
427bead5a77e55f3dc3aee0552561ce2a0238f8b

SHA256
2019285ea48126e4caa8063f35df18bdff6ffb061cc3688611f12bd8c15a9e45

SHA512
331364ff115312de978e96a73715403db38f1be4c3e722ceff058881895f7afe742fd9e127b9dd75981a4140820ee7deba654387f28ac15c6515c93c8975bfe8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2048d1a96306181a7a7493037ef5943f

SHA1
7719cfc65150597a9df5a7fe96cd108038884d88

SHA256
d6a6505fc23380aa51d7775747cfb434a4629eefe6cf7c48ff03ca51fef9c501

SHA512
194e74f0b498112995b051b3a0f751e98da1ca1bcced0ee6225b2b6a6dde7c3e8778e3222e813a211d112a5d97fa354d345b9e36d76d210627534804cc7ae102

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3699be5862e3b56bac6666b890a57f3

SHA1
86c186e289325b28b3004af137bde33fa0eb8d1b

SHA256
767ecb169183d198b24a2bc5f20851653e363ec0c29ddf41c6430cbf82432b04

SHA512
7c0eedac422f8f63c4b656b09f576512b002f520baf2e2ee3b5271514da768f153881675a4e6742419f4def75b1052f2eec0dae0e608990417703e1c186e3e29

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
440027b467ec21cd5fadcbefa8cb1bab

SHA1
90f9d3164d116cf946280f0a1648856a2b21617b

SHA256
e453f4f25f5c57bf67afe9c9fb7091239c1322085e1657d71c0029baae798232

SHA512
c35859b51eb1811a3b54a3e9e8e22da32896cdf01c454bb22b52d196eae28176cc198ae0ea322d8173fffecce3e02c69f5c7eb5c4ba9e9e1b8c34537f2ce8d39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
651415068deeb939d27ff8acaaea177f

SHA1
c55f1bb717a74643e40ff933fa1aae9b5a754a6e

SHA256
fcd89ba944fceecc25af8ba1ed046bafb901f98eebd5c49b11e70225facbfc82

SHA512
5843183c542f3d9f7dd5b5ea7bae6fb07b2648bb61aecfd8d33eb6b805ce4ff69aa5f675cdc2856bfc6b838192ea7f235978a684f387f15fce57025e1d67775f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8ab5f90ce84cad3cf00b13814b9c8802

SHA1
9bb16982abbf15e114f29e1e16b4bfd3bc612684

SHA256
531769581c3820b701f504a929fd9f77964aadaf8ecd5840808a884ade6fdc70

SHA512
e91ff961ba59f9faa2faf6d4a20b2e264173c6da77677f1804e468439bd0e2404c9f01b6f0617b5ad8f1930a03e31e7a1ad19572bc5d2e69e43c8c43dbd22734

Download Submit
C:\Users\Admin\AppData\Local\Temp\0D7kBG2ryb.bat

Filesize
244B

MD5
286bcd915a749b1c77006119b0ddc9bd

SHA1
3d40eca9970a91acc5b9473a01da0bec8efb4157

SHA256
be8e149a1f74da4336285a4f48f313b37a910f9d91364359493422ca08de3cf5

SHA512
1583c2be375a9e1871a4e35e38c72755c4bdea0549e44cd45ec5ba9b2258e8d079b806ff27e940c2f511002cb42888b70b5bd9f99a238ce9b30a90b5eb9f719d

Download Submit
C:\Users\Admin\AppData\Local\Temp\61cJPf1Vjg.bat

Filesize
244B

MD5
0465224b55f243bc49cec9ed01ce8783

SHA1
0f293a0a1898481c30de66b83e3f36181d10cecf

SHA256
0756f3de3db08b9cd3427065345abb44d00df14e6afc34910d03c27d6ae7d0c5

SHA512
8515c0c565433cc56fa6d5d4b9efae03a5748260cb556363abf08586db5a57ef1586b580afc605980c4b65ecd961e4ded73a796253df074cc1f325c7a209d8f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

Filesize
244B

MD5
273b32a09f624ee5fb8a9f762ecb67f3

SHA1
2b72520dad7b4c0c5d7cfd56aa63ae639560289a

SHA256
9f132ca0cf362e8d9bd64360aed1cf5755602e0aa3a3009327c0dce190bbb4f3

SHA512
2d6c5efa010d089cb14091fa6b7644b3b84a703c14472b7e0b8dc91f7c0abf84aa81943aee27a6c607f0241da572f253d032aac29a6b4bfbebb3247f528691a5

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab17D6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MzhLoGhvPq.bat

Filesize
244B

MD5
299d8cfe5c4717833acfd5d4b956e61e

SHA1
39212354dac26f5657f8cdb1be10e889ccba20b8

SHA256
43cbb4b94f59225d20a1f61a2491bf29dc8c947761521875d646a532d5b04179

SHA512
058dbc0673de8c29c23610bbb3fc252fbd8556cd81a377fe240c1c8c7fb0bedd2413b5cdd282450019c603ce4ec4c1bc890d14ef8a8d505dd8b76195697c971c

Download Submit
C:\Users\Admin\AppData\Local\Temp\P9uKrkSNlp.bat

Filesize
244B

MD5
3033cc7787e86be4a89e0f37c653fc5c

SHA1
0c28240cf15954b7b3158cbbcf60d48cf93dcf4d

SHA256
019dd3be5e1e0e786f47682c5f0641cd303706657ebd17bc90c6612648fcf4a4

SHA512
1fab47e119cdf66cb643d3737941e776cb1c530dd8ee1b7151c1a4a601edfc8d3b7b1e94bd403911ae78a37ecf192a0153db77858c416330a6bac8b7e35f9a81

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar17F9.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat

Filesize
244B

MD5
7b0a67751a684f948579eb84fb67eaf1

SHA1
e48c1229357e6884f3f85e194b513be6299e837c

SHA256
8940727756760e6aa6756f1fa879a02a412aaf59d9f31bad3785d5cbc9e2da53

SHA512
33ef30e38940a558437d50837ec3e4d14ffae9d39eacdb315d18828c5ee782a08bafe9c82968a67d54880d0ab64e89e008228fbd1a9e0107977e21f5833fd1a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\b9aNmsEibB.bat

Filesize
244B

MD5
d5a1c5510104a877f2dfb15e1cbccb45

SHA1
f885cb11bef8762ea259241b0931e8066274e1bb

SHA256
5d7bed68b47351236a5ee1ce8cf585ea39b61d0c468c043d2703f51120062d5a

SHA512
df5d4b7137d4afa2a89e60de42e4b42faa86574379465968749e4c4fe2a037eafc715ca6c05f26600dfb3e449a411f92bd4cb8f8462bc148060130cdbfe821e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat

Filesize
244B

MD5
91b9ae1b28dc3f263dd936a6cabf336d

SHA1
500d2a823b9c36e2e4695505ffd4f9a0e482ffcc

SHA256
0ca605b97397b8b704d04e206c9d94e3253fd8205d74c73fb44dd5f5ce0f9ae7

SHA512
f2a4743a99131a5edcef591d888312a7dd3332215f73d249e7da8f4b6acedadd5268df69de1f606d5dc54ab7b8fb69ad226e472ce50571b85191888e7620aa53

Download Submit
C:\Users\Admin\AppData\Local\Temp\kp2dTY47HA.bat

Filesize
244B

MD5
56d13663d9e8c49f76edd663f82b0bd7

SHA1
f6107b79253b115e1275c8ad919462ab7225d966

SHA256
4967b874644b83687e81e719c690dd40c21a3a8b7634972f926a56efca44dfec

SHA512
fb75cf894f86e48979b823dedc57065aa66353e4d8b03ff3ab0206ed500724ed69ec3a7d5a921575428bb50008ee49c889c0839c74b6eba245976e54afeb8db6

Download Submit
C:\Users\Admin\AppData\Local\Temp\v9lJjcBPjH.bat

Filesize
244B

MD5
a436497f65a30d6f89cd577f093387e3

SHA1
fe1a10b979cd331bbb35c8fa28838e5857c7547d

SHA256
66b2b43ee044bedfa5b35c2ef281050383d9038e9c2ebe8a4ae9c63abe76d415

SHA512
c7e03955ce8481a09fd1b7ff177114e23e66f20b4df5c41dd222d9005a5e76cb4f1590b8f41f43f442f7bc036a443e6fe1bb379e5fb947a8ae29a50639e10e6b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4f92309159c20d2cc1fcb4ba32a4433d

SHA1
688776ff072c8a1706e22b673f61bfdb876c6526

SHA256
1faa722bd989c84966758fabc7e136633d1cd7472d0267706682878a78199196

SHA512
8c7da48bd1494d8324e5dcf8e96617da8415f85ee0402cf1ce4680786ae6e13c665c5a53403fdf2f915a478f5d2539dd1d6a1dd12a8778b616ec0a7b6069143a

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/656-68-0x0000000001D60000-0x0000000001D68000-memory.dmp

Filesize
32KB

Download
memory/832-65-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1096-591-0x0000000001040000-0x0000000001150000-memory.dmp

Filesize
1.1MB

Download
memory/1480-531-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2428-292-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2428-291-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/2540-112-0x00000000009C0000-0x0000000000AD0000-memory.dmp

Filesize
1.1MB

Download
memory/2624-352-0x0000000000F50000-0x0000000001060000-memory.dmp

Filesize
1.1MB

Download
memory/2760-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2760-13-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/2760-471-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/2760-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2760-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2760-17-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/3000-231-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/3012-171-0x00000000012E0000-0x00000000013F0000-memory.dmp

Filesize
1.1MB

Download