dcrat | e40e457db4efc88dd09e1667bcc595ec25a80677aad6b68fb5ad191a24c3ef27

Analysis

max time kernel
149s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 04:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e40e457db4efc88dd09e1667bcc595ec25a80677aad6b68fb5ad191a24c3ef27.exe
Size

1.3MB
MD5

172e7d2f4dccad058568a63458b9128e
SHA1

742944eea7de58c2f57e752fe7e243bd82f294ab
SHA256

e40e457db4efc88dd09e1667bcc595ec25a80677aad6b68fb5ad191a24c3ef27
SHA512

8df14c00b0c4117a40ca1e2de9b2c5ef36ab9d816b998c52230aeb766407aae9ae538eedfaf36d3693bcdd18dc23d1460d1d9d1df4fa5656d2f242ceaccad226
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1724	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2876	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1704	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2308	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2964	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2256	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	876	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2916	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2916	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d21-12.dat	dcrat
behavioral1/memory/2724-13-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/2020-104-0x0000000000C50000-0x0000000000D60000-memory.dmp	dcrat
behavioral1/memory/2640-174-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/2716-234-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/2548-295-0x0000000001310000-0x0000000001420000-memory.dmp	dcrat
behavioral1/memory/2412-473-0x00000000001A0000-0x00000000002B0000-memory.dmp	dcrat
behavioral1/memory/1572-533-0x0000000000BB0000-0x0000000000CC0000-memory.dmp	dcrat
behavioral1/memory/1940-653-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/2936-713-0x0000000000330000-0x0000000000440000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1696	powershell.exe
992	powershell.exe
2036	powershell.exe
688	powershell.exe
2260	powershell.exe
1684	powershell.exe
328	powershell.exe
2444	powershell.exe
2120	powershell.exe
780	powershell.exe
868	powershell.exe
1580	powershell.exe
1664	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2724	DllCommonsvc.exe
2020	services.exe
2640	services.exe
2716	services.exe
2548	services.exe
1936	services.exe
836	services.exe
2412	services.exe
1572	services.exe
1784	services.exe
1940	services.exe
2936	services.exe

Loads dropped DLL 2 IoCs

pid	Process
1888	cmd.exe
1888	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
28	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
21	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Uninstall Information\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Uninstall Information\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\a76d7bf15d8370	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\Chrome\Application\cc11b995f2a76d	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Reports\6ccacd8608530f	DllCommonsvc.exe
File created	C:\Windows\PLA\Reports\Idle.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e40e457db4efc88dd09e1667bcc595ec25a80677aad6b68fb5ad191a24c3ef27.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2232	schtasks.exe
1724	schtasks.exe
2284	schtasks.exe
1424	schtasks.exe
1932	schtasks.exe
2876	schtasks.exe
1704	schtasks.exe
852	schtasks.exe
544	schtasks.exe
2256	schtasks.exe
2676	schtasks.exe
2192	schtasks.exe
2688	schtasks.exe
352	schtasks.exe
588	schtasks.exe
3012	schtasks.exe
2308	schtasks.exe
2964	schtasks.exe
2644	schtasks.exe
2756	schtasks.exe
2968	schtasks.exe
2680	schtasks.exe
2012	schtasks.exe
2504	schtasks.exe
876	schtasks.exe
1320	schtasks.exe
820	schtasks.exe
2268	schtasks.exe
2740	schtasks.exe
2104	schtasks.exe
3016	schtasks.exe
2636	schtasks.exe
2872	schtasks.exe
1568	schtasks.exe
1036	schtasks.exe
1944	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2724	DllCommonsvc.exe
2444	powershell.exe
780	powershell.exe
1664	powershell.exe
2120	powershell.exe
1580	powershell.exe
868	powershell.exe
2036	powershell.exe
328	powershell.exe
992	powershell.exe
2260	powershell.exe
688	powershell.exe
1696	powershell.exe
1684	powershell.exe
2020	services.exe
2640	services.exe
2716	services.exe
2548	services.exe
1936	services.exe
836	services.exe
2412	services.exe
1572	services.exe
1784	services.exe
1940	services.exe
2936	services.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2724	DllCommonsvc.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	2120	powershell.exe
Token: SeDebugPrivilege	1580	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2036	powershell.exe
Token: SeDebugPrivilege	328	powershell.exe
Token: SeDebugPrivilege	992	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	688	powershell.exe
Token: SeDebugPrivilege	2020	services.exe
Token: SeDebugPrivilege	1696	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2640	services.exe
Token: SeDebugPrivilege	2716	services.exe
Token: SeDebugPrivilege	2548	services.exe
Token: SeDebugPrivilege	1936	services.exe
Token: SeDebugPrivilege	836	services.exe
Token: SeDebugPrivilege	2412	services.exe
Token: SeDebugPrivilege	1572	services.exe
Token: SeDebugPrivilege	1784	services.exe
Token: SeDebugPrivilege	1940	services.exe
Token: SeDebugPrivilege	2936	services.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2352 wrote to memory of 2396	2352	JaffaCakes118_e40e457db4efc88dd09e1667bcc595ec25a80677aad6b68fb5ad191a24c3ef27.exe	30
PID 2352 wrote to memory of 2396	2352	JaffaCakes118_e40e457db4efc88dd09e1667bcc595ec25a80677aad6b68fb5ad191a24c3ef27.exe	30
PID 2352 wrote to memory of 2396	2352	JaffaCakes118_e40e457db4efc88dd09e1667bcc595ec25a80677aad6b68fb5ad191a24c3ef27.exe	30
PID 2352 wrote to memory of 2396	2352	JaffaCakes118_e40e457db4efc88dd09e1667bcc595ec25a80677aad6b68fb5ad191a24c3ef27.exe	30
PID 2396 wrote to memory of 1888	2396	WScript.exe	31
PID 2396 wrote to memory of 1888	2396	WScript.exe	31
PID 2396 wrote to memory of 1888	2396	WScript.exe	31
PID 2396 wrote to memory of 1888	2396	WScript.exe	31
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 1888 wrote to memory of 2724	1888	cmd.exe	33
PID 2724 wrote to memory of 1684	2724	DllCommonsvc.exe	71
PID 2724 wrote to memory of 1684	2724	DllCommonsvc.exe	71
PID 2724 wrote to memory of 1684	2724	DllCommonsvc.exe	71
PID 2724 wrote to memory of 1664	2724	DllCommonsvc.exe	72
PID 2724 wrote to memory of 1664	2724	DllCommonsvc.exe	72
PID 2724 wrote to memory of 1664	2724	DllCommonsvc.exe	72
PID 2724 wrote to memory of 1696	2724	DllCommonsvc.exe	73
PID 2724 wrote to memory of 1696	2724	DllCommonsvc.exe	73
PID 2724 wrote to memory of 1696	2724	DllCommonsvc.exe	73
PID 2724 wrote to memory of 992	2724	DllCommonsvc.exe	74
PID 2724 wrote to memory of 992	2724	DllCommonsvc.exe	74
PID 2724 wrote to memory of 992	2724	DllCommonsvc.exe	74
PID 2724 wrote to memory of 1580	2724	DllCommonsvc.exe	76
PID 2724 wrote to memory of 1580	2724	DllCommonsvc.exe	76
PID 2724 wrote to memory of 1580	2724	DllCommonsvc.exe	76
PID 2724 wrote to memory of 328	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 328	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 328	2724	DllCommonsvc.exe	78
PID 2724 wrote to memory of 868	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 868	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 868	2724	DllCommonsvc.exe	80
PID 2724 wrote to memory of 780	2724	DllCommonsvc.exe	82
PID 2724 wrote to memory of 780	2724	DllCommonsvc.exe	82
PID 2724 wrote to memory of 780	2724	DllCommonsvc.exe	82
PID 2724 wrote to memory of 2120	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 2120	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 2120	2724	DllCommonsvc.exe	83
PID 2724 wrote to memory of 2260	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 2260	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 2260	2724	DllCommonsvc.exe	85
PID 2724 wrote to memory of 688	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 688	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 688	2724	DllCommonsvc.exe	86
PID 2724 wrote to memory of 2036	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 2036	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 2036	2724	DllCommonsvc.exe	87
PID 2724 wrote to memory of 2444	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 2444	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 2444	2724	DllCommonsvc.exe	88
PID 2724 wrote to memory of 2020	2724	DllCommonsvc.exe	97
PID 2724 wrote to memory of 2020	2724	DllCommonsvc.exe	97
PID 2724 wrote to memory of 2020	2724	DllCommonsvc.exe	97
PID 2020 wrote to memory of 2940	2020	services.exe	98
PID 2020 wrote to memory of 2940	2020	services.exe	98
PID 2020 wrote to memory of 2940	2020	services.exe	98
PID 2940 wrote to memory of 2624	2940	cmd.exe	100
PID 2940 wrote to memory of 2624	2940	cmd.exe	100
PID 2940 wrote to memory of 2624	2940	cmd.exe	100
PID 2940 wrote to memory of 2640	2940	cmd.exe	102
PID 2940 wrote to memory of 2640	2940	cmd.exe	102
PID 2940 wrote to memory of 2640	2940	cmd.exe	102
PID 2640 wrote to memory of 1532	2640	services.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e40e457db4efc88dd09e1667bcc595ec25a80677aad6b68fb5ad191a24c3ef27.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e40e457db4efc88dd09e1667bcc595ec25a80677aad6b68fb5ad191a24c3ef27.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2352
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1888
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1696
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\Chrome\Application\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:992
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Temp\Crashpad\reports\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:328
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Uninstall Information\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Pictures\Sample Pictures\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2036
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2940
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2624
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
        8⤵
        
        PID:1532
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2340
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat"
        10⤵
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2404
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat"
        12⤵
        
        PID:1572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2308
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        14⤵
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2640
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat"
        16⤵
        
        PID:632
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2164
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat"
        18⤵
        
        PID:2808
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2416
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat"
        20⤵
        
        PID:1888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:852
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat"
        22⤵
        
        PID:1956
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1580
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat"
        24⤵
        
        PID:2960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1776
        
        C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe
        
        "C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 6 /tr "'C:\Program Files\Google\Chrome\Application\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files\Google\Chrome\Application\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\Program Files\Google\Chrome\Application\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1724

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\Windows\Temp\Crashpad\reports\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 11 /tr "'C:\Windows\PLA\Reports\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 6 /tr "'C:\Windows\PLA\Reports\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 14 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\ja\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2256

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Pictures\Sample Pictures\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1320

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Windows Portable Devices\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
92ee1bbeb3be3e60fcf1da0d34a1b09f

SHA1
4c905076cb44fb40399ef3b7eac7a7ac63c260f0

SHA256
edf159c24619df8353e99695981158a95205a4aad7940707b9a658893453c473

SHA512
8e2e66c95923c3cda0a355909d7dae9e9a0ec6a6cb734b304b6e41e9da00153980603791b15d7cc577e520d9c9e598af7f43b13c9f6b49133def7daf5e8a4484

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3a7587ed89b4f6b9140a07a564388668

SHA1
94ac162ceb09965dc14d377b699b12cc69762e2c

SHA256
a8c4db329d1f559c41bd3ecfc24591ef51e50aa83794695c8547392d9fbce725

SHA512
0f2df65a22a3d2200b915c03571a5eb6a8b7f77fe35bc6833a575e0e5cf5294de73770c91b0f069a58ccbb3086d880bdd061260188ff5ce214af1262db8c745d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47ccdac2bb20d1db439dd0644795c39b

SHA1
8e93668d6ffcb95dbb6018c37c3523726c994de6

SHA256
6b2254f187258912bb80f2ef9dba941cbb80b4cf675f2d6dc9978a109cf2c632

SHA512
fc962d46d192e2964d1eb5ff5b80ece352cef2f874fe2a7e31a3fff786f5eb5b34616e3cc5ac812e54c63fabe63a018b811f6b8f0a9777948dcd12f34d160643

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fc08fd566f6bb8ca8844f45075ad8b06

SHA1
4494f2becbab620dc8d049e970516f55ea389ac1

SHA256
6302fd57d3fc0ac08830fd8770abc4317e51f694a60ac3825e0758672999b4dd

SHA512
9a45f005dbe0f096f3abe4f4f593395f8b26a03f35b0d450d9f2e969a2fa05012d17eafc03f4e1424d21d6b59cf11439604a761689e0084a6377cfaa8cfc5df1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1c92c8ad0fad95017d6f0b9f5f008417

SHA1
81e416cb3ccbd017ced01871e8e85d2790cb7641

SHA256
1927f402621a9f217389087e5df0e0852e8652b86767a9feb4254ea6a5cb6bb6

SHA512
b9a4a6ac63efdf6b1c56c2a33e8fa2c72f3b34fff12f9ebfaabb6cda01949f0a1f33a43a278fad8248490e354541c9d2d89b2e0232c213a093b17e882145a240

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b776506235822c35d20ce63bee5f35e9

SHA1
7caec5bffbce005c521e01e6b1459539a04feed7

SHA256
db885a49da27e63336b87f5fde644779bce3c92f6d96c1163316bb836ccc1582

SHA512
22419a1e439d62ae91d43d0ef8914b24a46b510a894239e21ceb3db413882ddedabb0c4b372800ddd6683d8cc1510fb863faf3268daa05121b98784c809c36d8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
526bf146ab9bb2b1e405569783c8cfb9

SHA1
2f773a4655e2db5e5ebad4ffcffb73f23d908c19

SHA256
f3b5f923fc06313648dcdc4abb587a6d6f0db53816f6d92fc2fd2ac14dc4047c

SHA512
33cb78f14aa32864557a6ad87200b4b4fbab42b31f78eef9cb457677e7d1b0a3417e012a5587b1952fa14870a176874638a6de4f887c787aba864fe9a2c5b8a5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
231524e21b23cef283b3c58549eab4a8

SHA1
9ebbc6b0e575b19f03e973bba8cbcc53c6bf9df6

SHA256
70a9748e27cb30ad7cff7765743f492bfd8d29f853308626d908317d84213006

SHA512
6e21303a3827358d7359accda4cfebff8a7ada039c31a50671208544ed6bcfea1a3a773d13bd9a2385bd4037e95498c3867f1533a86d5b7fd160d17f2e1fe2f5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad3719ae49d94bb690a4e56653822e82

SHA1
91d6884d3121601cfff42f9d604bb416fea65032

SHA256
2e5d843e6b2b25c3b75569048fc551eb4de5a2cd0f4803b5ca6741442dad4f36

SHA512
5366ba91600f9a9336a11b35442aea7a2c720eac61dd5e831e7e9a15414719ac5d22fa46fe56605cd085a8d674f42f42e0286cef3cbdf344b4f4ee7b118bbaf0

Download Submit
C:\Users\Admin\AppData\Local\Temp\0quqFCQQe7.bat

Filesize
240B

MD5
e037c186a5e9e53383d8266c94d6cae1

SHA1
757ef85c7cb764d706bb141dd24c19aed1562391

SHA256
1136caf2ffcd1067e55ad8a0ac2cd44d4459d87a173a910cb6c0680b57c0109b

SHA512
0f7a1555fc799da5ffb6a5eb0e4bb6853e611f5cd829eadf7ebc420e9fd1dc1095d9739d9ca08cd548feefb001963426b9f6be9c11abd96ecc75241ebe6bf4f7

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabBA1D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat

Filesize
240B

MD5
c2ac167f3c1ad5ac69ee096d5443e830

SHA1
bb21da82f947ae8b382412bed57d373674cadaaf

SHA256
155664e5645a7749be6e2d0468121ee30b445636a1675e9de8d8f1ca6b172446

SHA512
5543b3d418bc62985c9287dc7d3db5a2bc33f629446d21f5ff8bec302af787c4c7e0d7ce7875e87a18b700bec7c0a1858b7b34db2e54b35412016d5d555c5b57

Download Submit
C:\Users\Admin\AppData\Local\Temp\Lg3y2yDdyq.bat

Filesize
240B

MD5
beae268eeb4c6137a2d674dab8de342b

SHA1
56b74a114b8a29e9d6b40034b214663b5b56c9c5

SHA256
ba4156e3bc7640a817aebf3b194430554cb98d066ef6591d8c303899ea5f48d6

SHA512
49587c73401a14f5f26b9b9c2e1c16f8bc22da1c812771a6c398684b84c9095422389ade367b48a1ff3ca40af9640f1c411ecf76345f0dfe965fd47912fb2da3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarBA40.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZfR0hqQ1j6.bat

Filesize
240B

MD5
a7fd5081e30485699d6df1c3a569d4d7

SHA1
c5eed0437853f38b8aa7c39346d236411f886d8d

SHA256
aba36038f8056c31f69747cf18e9bc05f6b4cd9c86ba9b0dc9fbd3eec2ec874a

SHA512
ee0cf834d02f3456fcbc8ea6330f4bb7e86a19420cd3c78d0ea9b567a674084a4b0a20565450a76cbd824cc06625946bdb1ab40ec72f7211cafee56d7e412d07

Download Submit
C:\Users\Admin\AppData\Local\Temp\nAABNdhKLs.bat

Filesize
240B

MD5
316c5e0dd2dd9448a9d0a7f04cfcb391

SHA1
6f083abf142131c3a146aa7515ebbb49f158865f

SHA256
6f5f758f5b61841df6be69a1ff112034555e995fa8722f071624b19331208aec

SHA512
42d3f9499bd865a02a91c5bb5bca6e4639b72094bd4aee59967a402c3c2e5d96d92c0c6bc796b6a104258165a4c41efd9035274e896c6288af65caf5bcf8c337

Download Submit
C:\Users\Admin\AppData\Local\Temp\sQQ1IAg9p0.bat

Filesize
240B

MD5
4116d45b0036ec714bdab307e6f49959

SHA1
c4f3f9bc5ad2f12faa88512106125f8f2b7e1474

SHA256
072265cdd7e04fbc43c3045deb4243e7ae3e29f94e884addaa22174d7f04deda

SHA512
1b8f499d606a76a23ea72475600cebda8ce7c747d379914b686cf6f9ad28dd554c823731a237cd19f1e7581ee0c251798ae4c5b571db317e1c42c5f75cb8ea81

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
240B

MD5
bfea21ce2b898dbe37bde8ff5a2c0bb1

SHA1
9836d249e4b2b575af8982bc2c14914b80ab7ebb

SHA256
764993213f9655eaf8deb80e44cd3f7d8a9010a464823b7a8399586c47941d23

SHA512
474b398e5b4ce7ae3d7ec5f93980bc8eff3a8134d1d181cd534199eec30120444c1ed86ce1ebe7aa096ab41360acac68a28bdf4ee0ff5b33296d7600badd85b3

Download Submit
C:\Users\Admin\AppData\Local\Temp\wpigNgqS7W.bat

Filesize
240B

MD5
a0a021983c9d757da5af653bee79a3ae

SHA1
25f6f08c4786e23d32ac03a5e7bf7473d45539da

SHA256
6b7870cb0e36dcdb6bc54b52af010c840596df3b58de1c3f0ff68482ebb76674

SHA512
f3fad89d968bc7fe834e5eeb97c5efee6e25fdaf691441b1c0588ae433096d5f9633f5e64c234842cd33348f21e6583797515238ebd1df429d8d4294f26bf669

Download Submit
C:\Users\Admin\AppData\Local\Temp\yTz6y56Ktd.bat

Filesize
240B

MD5
418cfac8774b982c15ee8e7c0af1bda6

SHA1
d22f4ad5448d22f5bdbde6b9370ec2835d284d7d

SHA256
4ed7a902ffb1093c709591b24e686d6d61ad47066428d31c0f17adc0edeaa54b

SHA512
990c074c2b90ed8f16ed56c7c5eb6988be942cade02af4c4b9ad87a31a11d00ba14c9498e4a0fc85a68a965f8cdbc884aeb899fcf0199deb54487b7c1d7376ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\yaFjl1awzE.bat

Filesize
240B

MD5
fb8b555dd7c69f6b65961c789c3b2f8b

SHA1
e97befd4c9bbc6a731cba4ac35bb255887fecd67

SHA256
a14ba54a2f396ed282cc531c623e8f457e9b46c86ecfb8872f238748497f1cab

SHA512
a5f69d16ab432b76511559ec7702bf87fedb5e08f295a2114e9eb7c5b6067f465e25e3f4254526fbc693e3ed39a44752eb01b0e69a79a17c56e72c7937a1ef09

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
7b7c659df30e2f9e80b9b0a8b8f85e40

SHA1
18bc5c6991981adc2d7769843bcc7b156ce9b17a

SHA256
d0c98f8128f8f1b2619e8f3a149be616f110cbc4f8910b322d8d6ec2695212a6

SHA512
dd3240077114e274f68ce364c54971d5e9f74bb8b6839645810a1d73cc06f973c10ed77528a6e6b8e795cf25ee84bf4d05424b3a91b8872182c277d806865bb5

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1572-533-0x0000000000BB0000-0x0000000000CC0000-memory.dmp

Filesize
1.1MB

Download
memory/1572-534-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/1664-60-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1940-653-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/2020-115-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2020-104-0x0000000000C50000-0x0000000000D60000-memory.dmp

Filesize
1.1MB

Download
memory/2412-473-0x00000000001A0000-0x00000000002B0000-memory.dmp

Filesize
1.1MB

Download
memory/2444-86-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2548-295-0x0000000001310000-0x0000000001420000-memory.dmp

Filesize
1.1MB

Download
memory/2640-174-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2716-234-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/2716-235-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/2724-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2724-16-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2724-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2724-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2724-13-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/2936-713-0x0000000000330000-0x0000000000440000-memory.dmp

Filesize
1.1MB

Download
memory/2936-714-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download