dcrat | 32896daafca331de00ee44f0860aed50f8f65a069b958d3ac348d1074892e2c5

Analysis

max time kernel
144s
max time network
140s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_32896daafca331de00ee44f0860aed50f8f65a069b958d3ac348d1074892e2c5.exe
Size

1.3MB
MD5

069a103bf71b77cb73dd8dfe5e9ccdee
SHA1

e6ed204fc9c89719a6e42f15027ffdc2bfb3aaf7
SHA256

32896daafca331de00ee44f0860aed50f8f65a069b958d3ac348d1074892e2c5
SHA512

0c35919029f35d017dd3139d05492dfc520ac5fbb4754583db747cfa39a1a445ad50dc66611fdaf01269d8771444d5b37f51a816cfbaaf96a7ab5f53951eb9f1
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	864	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1660	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1640	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	292	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	816	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	992	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	468	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1304	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1488	2832	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1752	2832	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000019278-9.dat	dcrat
behavioral1/memory/2676-13-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/324-48-0x00000000012C0000-0x00000000013D0000-memory.dmp	dcrat
behavioral1/memory/2676-293-0x00000000003E0000-0x00000000004F0000-memory.dmp	dcrat
behavioral1/memory/1584-353-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/2160-413-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/2348-473-0x00000000009B0000-0x0000000000AC0000-memory.dmp	dcrat
behavioral1/memory/996-533-0x0000000001090000-0x00000000011A0000-memory.dmp	dcrat
behavioral1/memory/1936-594-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/3032-772-0x0000000001260000-0x0000000001370000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2128	powershell.exe
2484	powershell.exe
1536	powershell.exe
2096	powershell.exe
1804	powershell.exe
1856	powershell.exe
2216	powershell.exe
1540	powershell.exe
2080	powershell.exe
612	powershell.exe
888	powershell.exe
1524	powershell.exe
1528	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2676	DllCommonsvc.exe
324	csrss.exe
2424	csrss.exe
3036	csrss.exe
2676	csrss.exe
1584	csrss.exe
2160	csrss.exe
2348	csrss.exe
996	csrss.exe
1936	csrss.exe
892	csrss.exe
2828	csrss.exe
3032	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2392	cmd.exe
2392	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
25	raw.githubusercontent.com
28	raw.githubusercontent.com
9	raw.githubusercontent.com
18	raw.githubusercontent.com
12	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Reference Assemblies\Microsoft\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\56085415360792	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\en-US\WMIADAP.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\en-US\75a57c1bdf437c	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\setup.exe\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\setup.exe\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\Help\Windows\fr-FR\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Help\Windows\fr-FR\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Panther\setup.exe\taskhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_32896daafca331de00ee44f0860aed50f8f65a069b958d3ac348d1074892e2c5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe
2596	schtasks.exe
1980	schtasks.exe
2200	schtasks.exe
2988	schtasks.exe
816	schtasks.exe
992	schtasks.exe
596	schtasks.exe
468	schtasks.exe
864	schtasks.exe
2788	schtasks.exe
1036	schtasks.exe
2340	schtasks.exe
2516	schtasks.exe
292	schtasks.exe
2716	schtasks.exe
2192	schtasks.exe
1928	schtasks.exe
1604	schtasks.exe
2784	schtasks.exe
1712	schtasks.exe
1564	schtasks.exe
1304	schtasks.exe
1676	schtasks.exe
1660	schtasks.exe
1640	schtasks.exe
2620	schtasks.exe
2556	schtasks.exe
3016	schtasks.exe
2592	schtasks.exe
1568	schtasks.exe
3000	schtasks.exe
2156	schtasks.exe
1488	schtasks.exe
1752	schtasks.exe
1672	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
2676	DllCommonsvc.exe
612	powershell.exe
2096	powershell.exe
888	powershell.exe
2216	powershell.exe
2128	powershell.exe
1528	powershell.exe
1804	powershell.exe
2484	powershell.exe
1540	powershell.exe
324	csrss.exe
1536	powershell.exe
1856	powershell.exe
2080	powershell.exe
1524	powershell.exe
2424	csrss.exe
3036	csrss.exe
2676	csrss.exe
1584	csrss.exe
2160	csrss.exe
2348	csrss.exe
996	csrss.exe
1936	csrss.exe
892	csrss.exe
2828	csrss.exe
3032	csrss.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2676	DllCommonsvc.exe
Token: SeDebugPrivilege	324	csrss.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	2096	powershell.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2128	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2484	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	1536	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	2080	powershell.exe
Token: SeDebugPrivilege	1524	powershell.exe
Token: SeDebugPrivilege	2424	csrss.exe
Token: SeDebugPrivilege	3036	csrss.exe
Token: SeDebugPrivilege	2676	csrss.exe
Token: SeDebugPrivilege	1584	csrss.exe
Token: SeDebugPrivilege	2160	csrss.exe
Token: SeDebugPrivilege	2348	csrss.exe
Token: SeDebugPrivilege	996	csrss.exe
Token: SeDebugPrivilege	1936	csrss.exe
Token: SeDebugPrivilege	892	csrss.exe
Token: SeDebugPrivilege	2828	csrss.exe
Token: SeDebugPrivilege	3032	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2616 wrote to memory of 1276	2616	JaffaCakes118_32896daafca331de00ee44f0860aed50f8f65a069b958d3ac348d1074892e2c5.exe	31
PID 2616 wrote to memory of 1276	2616	JaffaCakes118_32896daafca331de00ee44f0860aed50f8f65a069b958d3ac348d1074892e2c5.exe	31
PID 2616 wrote to memory of 1276	2616	JaffaCakes118_32896daafca331de00ee44f0860aed50f8f65a069b958d3ac348d1074892e2c5.exe	31
PID 2616 wrote to memory of 1276	2616	JaffaCakes118_32896daafca331de00ee44f0860aed50f8f65a069b958d3ac348d1074892e2c5.exe	31
PID 1276 wrote to memory of 2392	1276	WScript.exe	32
PID 1276 wrote to memory of 2392	1276	WScript.exe	32
PID 1276 wrote to memory of 2392	1276	WScript.exe	32
PID 1276 wrote to memory of 2392	1276	WScript.exe	32
PID 2392 wrote to memory of 2676	2392	cmd.exe	34
PID 2392 wrote to memory of 2676	2392	cmd.exe	34
PID 2392 wrote to memory of 2676	2392	cmd.exe	34
PID 2392 wrote to memory of 2676	2392	cmd.exe	34
PID 2676 wrote to memory of 2128	2676	DllCommonsvc.exe	72
PID 2676 wrote to memory of 2128	2676	DllCommonsvc.exe	72
PID 2676 wrote to memory of 2128	2676	DllCommonsvc.exe	72
PID 2676 wrote to memory of 612	2676	DllCommonsvc.exe	73
PID 2676 wrote to memory of 612	2676	DllCommonsvc.exe	73
PID 2676 wrote to memory of 612	2676	DllCommonsvc.exe	73
PID 2676 wrote to memory of 2484	2676	DllCommonsvc.exe	74
PID 2676 wrote to memory of 2484	2676	DllCommonsvc.exe	74
PID 2676 wrote to memory of 2484	2676	DllCommonsvc.exe	74
PID 2676 wrote to memory of 1536	2676	DllCommonsvc.exe	75
PID 2676 wrote to memory of 1536	2676	DllCommonsvc.exe	75
PID 2676 wrote to memory of 1536	2676	DllCommonsvc.exe	75
PID 2676 wrote to memory of 888	2676	DllCommonsvc.exe	76
PID 2676 wrote to memory of 888	2676	DllCommonsvc.exe	76
PID 2676 wrote to memory of 888	2676	DllCommonsvc.exe	76
PID 2676 wrote to memory of 2096	2676	DllCommonsvc.exe	77
PID 2676 wrote to memory of 2096	2676	DllCommonsvc.exe	77
PID 2676 wrote to memory of 2096	2676	DllCommonsvc.exe	77
PID 2676 wrote to memory of 1804	2676	DllCommonsvc.exe	78
PID 2676 wrote to memory of 1804	2676	DllCommonsvc.exe	78
PID 2676 wrote to memory of 1804	2676	DllCommonsvc.exe	78
PID 2676 wrote to memory of 1524	2676	DllCommonsvc.exe	79
PID 2676 wrote to memory of 1524	2676	DllCommonsvc.exe	79
PID 2676 wrote to memory of 1524	2676	DllCommonsvc.exe	79
PID 2676 wrote to memory of 1856	2676	DllCommonsvc.exe	80
PID 2676 wrote to memory of 1856	2676	DllCommonsvc.exe	80
PID 2676 wrote to memory of 1856	2676	DllCommonsvc.exe	80
PID 2676 wrote to memory of 1528	2676	DllCommonsvc.exe	81
PID 2676 wrote to memory of 1528	2676	DllCommonsvc.exe	81
PID 2676 wrote to memory of 1528	2676	DllCommonsvc.exe	81
PID 2676 wrote to memory of 2216	2676	DllCommonsvc.exe	82
PID 2676 wrote to memory of 2216	2676	DllCommonsvc.exe	82
PID 2676 wrote to memory of 2216	2676	DllCommonsvc.exe	82
PID 2676 wrote to memory of 1540	2676	DllCommonsvc.exe	83
PID 2676 wrote to memory of 1540	2676	DllCommonsvc.exe	83
PID 2676 wrote to memory of 1540	2676	DllCommonsvc.exe	83
PID 2676 wrote to memory of 2080	2676	DllCommonsvc.exe	84
PID 2676 wrote to memory of 2080	2676	DllCommonsvc.exe	84
PID 2676 wrote to memory of 2080	2676	DllCommonsvc.exe	84
PID 2676 wrote to memory of 324	2676	DllCommonsvc.exe	98
PID 2676 wrote to memory of 324	2676	DllCommonsvc.exe	98
PID 2676 wrote to memory of 324	2676	DllCommonsvc.exe	98
PID 324 wrote to memory of 2872	324	csrss.exe	100
PID 324 wrote to memory of 2872	324	csrss.exe	100
PID 324 wrote to memory of 2872	324	csrss.exe	100
PID 2872 wrote to memory of 2148	2872	cmd.exe	102
PID 2872 wrote to memory of 2148	2872	cmd.exe	102
PID 2872 wrote to memory of 2148	2872	cmd.exe	102
PID 2872 wrote to memory of 2424	2872	cmd.exe	103
PID 2872 wrote to memory of 2424	2872	cmd.exe	103
PID 2872 wrote to memory of 2424	2872	cmd.exe	103
PID 2424 wrote to memory of 1012	2424	csrss.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32896daafca331de00ee44f0860aed50f8f65a069b958d3ac348d1074892e2c5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_32896daafca331de00ee44f0860aed50f8f65a069b958d3ac348d1074892e2c5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2616
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1276
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2392
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2676
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Windows\fr-FR\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2096
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
    - - C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:324
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2148
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2424
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat"
        8⤵
        
        PID:1012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2352
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3036
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat"
        10⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2356
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        12⤵
        
        PID:2784
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1768
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat"
        14⤵
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2388
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat"
        16⤵
        
        PID:2096
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2632
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat"
        18⤵
        
        PID:2856
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2068
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat"
        20⤵
        
        PID:1920
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1676
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat"
        22⤵
        
        PID:788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2852
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat"
        24⤵
        
        PID:2008
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2792
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2828
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat"
        26⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1312
        
        C:\Windows\Help\Windows\fr-FR\csrss.exe
        
        "C:\Windows\Help\Windows\fr-FR\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\setup.exe\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\setup.exe\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Windows\fr-FR\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Help\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Windows\fr-FR\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\providercommon\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:292

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\providercommon\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 10 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1488

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\en-US\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
79ad3cf666033d095c5004c79740aafb

SHA1
c6fe3c4bee4115824be671a453fca74ed1856046

SHA256
f7ae3bc9a5763c607d1b1e844b60ab8a6b1da9fd8f1d7181f5d0cae6c4a062c4

SHA512
30d8550f97ca1c8fdb228c13801d2bf1e6fbfe592a1b469fed137985e9bf00ccadfa14eb46d4f851796bb7e7d4dde994ae77a82cb5c226de7fd98471ebfce318

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c8438adcde8201d5256d6cf3fa86193

SHA1
857adf49a686c9c60e95988ae0dbce24d7cd3e3b

SHA256
7f268ff70e2658fce39c1b15ad25a97ebef71366dfe07f27bb379f72e1092c18

SHA512
45ded9363f99c2bcbdde8616c5d904ab9ada27ef027706da2024405fc9d639823d643da9fd14b54f63f10441d77041ebc6113d9c77b2acf99e05d9dbbc265cd6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a67ae69ea2778763915edb2711efecf5

SHA1
118b49952e1c9258ee91ff78f329ac72d1a12ea5

SHA256
8a216369fbb4a134da1787841b89c2c8543a3d458e168b55f47cdf0595c18bf0

SHA512
5b67d688af5c298ddb871345c8c987d7bcc1b8bd9062232db0c1637d27f92b1a10cb7ee9565c20f0dd0fc54b1b7fa50a34540613262a3e9862471fb3f1617b83

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b112162221bacaf92ce0f869f3632d4f

SHA1
1f9c58955916772cf7985073e80f8b57925e0565

SHA256
08ef7565788f08f0c6b34c2e916dde031566e9bda446a58154873895bf30284f

SHA512
8a537aa7aa4e00c7d9e6c4df5c6305686759a6ca49b6f18a803f516918d753b1c4f675018517aec7a65c454712b92bcfa918900b720f91e7c4f763039d3641fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16e4696543233c52f015cf38695e4a2a

SHA1
da8b3f377e8df30e9e8619ea7fe97f1934f7c5aa

SHA256
bb8010edb885d4f8c914060336b740041d4e9f3d5f807c594ee7030f4448b225

SHA512
1a57b80fd92b2a2274e35568c80f03c1d3b7dba564642c972ce098df08d23ef6b88ed870cdc915a471f268105aa6ca73d73f0c0bccdddeb802dc701ea7a6a559

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87afd07906d88d67d0a11791920cdfbb

SHA1
8cd04847fb233ce0128620ea36d1227bcb5b40ec

SHA256
f522143bca80b7b84f5a68755a9cbfeb34698754feaaf0074575c8ecd5514a88

SHA512
204e78cc7e7da334f34939e7b08d7f94235e62fafa7e774dd00930fb4843f216763b44b1debb3ff0e33a0b61686ec75ed98fd6f577992115ecd48f955f99ef2c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
78db7427dc679f82e7b22c6537b1c2b1

SHA1
24f1bc6897d0cdc40070baa58ed392c1062b3b0f

SHA256
74b1b0b0a6ba7176a1248eb652109aa1fb73d614642868f7c8f8a7c1d6845cb1

SHA512
3d3d0dd6a13983f90a9c67f0e2445e8169c125e50941df64a4b592fe5b24eb6c385a3a5fc96d00fd7c99fa39ca5c30374c0570e8c719d9217c6d6fb61823a464

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e52abc892572782899366661d982eb0b

SHA1
3defc3d16ac87799a51047dbbdb813012504f992

SHA256
efa8100bd7b7b833173946924b2627e05954c5e60be7d729b3fefeb1dd19624a

SHA512
c1efd5cf331d49dcad1deee65707a08a173858ee1eb625947d697bf05c1ecf38ec4d997d0c30c002ea5caad5b5bc2716488fc9007bf2d3954be84bb7110d37e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b9d923a625e75065929ebc13d701944

SHA1
2b521827db64e7c09e8de39d835088c43d2e4176

SHA256
615b91c6f8216413adc840f4cd764255d29c26d659468c99b7a803f75b7dbeef

SHA512
c9945d6654dae02993278f3562234af1885a50ccc17e572aa592625772686c01470ee17fa732624944232a13c4e4b83f51b0ca114fbef1ce91dffc9f9d87d85f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0322caa6677ec817a22eab4ff4451778

SHA1
7dba50c2f3ccfb4772fcf7e0b23864eb312aa680

SHA256
fe7f54935b2de148150dec29313cec989297185c030dcdf1b56808349bf43683

SHA512
3bebbd11e85de22bf1e92dabf3924f6642c6beacf90b4fa30a37e7e52f4664c37553bb6b78a920c1fd3b6f94a5fe3b18effad84e84fd3307a3c683ba3fded176

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2686.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DemtbJLPzJ.bat

Filesize
204B

MD5
eb09b6423c3523f41ae4c8a43f32303f

SHA1
718164a95ab674e39efc3565aaf1d5060552fa6c

SHA256
9dfb23ef7108ae34b7e7cff067d546bc773e9b6e79fac86889ce983ed12abae4

SHA512
e8abee3fc46ed254a145161ab85b965edb275d7ae75c4f04200e1eccc4cc58673dd6013f309b90b02eef21bf602ca330dd510513a115401227a204b151ff875b

Download Submit
C:\Users\Admin\AppData\Local\Temp\LdHmevWlG3.bat

Filesize
204B

MD5
2180b556f50afbd7959c8b5ef1e11df4

SHA1
4d65f9fc9da4fe2b33b7d59d8ae6e8fece39ea3b

SHA256
55fd05543badb2355116a14bbeae33008c639150b240cbaea4cce716dc03ef0c

SHA512
d972c5981aedd087f47a358184d6b1ab733d576c2c3fc90c63ac547a26303c8365f78f491cfbb14649d564f5595e88f9f92eaf390a2b51dda472f93ff2e53034

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2699.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YQG5KQjShu.bat

Filesize
204B

MD5
391ef3ab7e047b645639ff4b6a614886

SHA1
73ffc06b0a9d4f6787525918ab7d7e1ad743eef4

SHA256
45d4cc19818a462a15a9d5581c4d655d0d6dfdc0ae365ec2146dea6f748f947d

SHA512
62ee2eb5ab4d69de5b31825b329dc8a7905ba1e3dabfd2ef06921cece9d41f4ace716e2f99b8ce6200676a749190f3cce0b7e9f7a1bd6dbf0d38ed048e5be630

Download Submit
C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat

Filesize
204B

MD5
502b6138b6e81c6f79a629ca7001d97a

SHA1
9e1355015db491d51547e7f38c00f3d3913973e1

SHA256
b39ad885178981ae09f65b50e51f41d8902b9d23dc19caaf8e8a5ce1c117556b

SHA512
c96e3f4b3abbc47204f85c43a330182bec4c9ab68ed1341df5614d16b3a1b90e08a0c82d7506b6986dcd59b9c2092803c46be3b18661f67ed5b1d9dcc1017696

Download Submit
C:\Users\Admin\AppData\Local\Temp\dCyIaH4v8D.bat

Filesize
204B

MD5
892f2c5ccb58d4b0a53bd96c17949bc4

SHA1
590f9909e575beff46f1203f41979a97c81f6b11

SHA256
d842abf99a66aa8d4bd056e9fb5f0c58c11d9d090a698ef75693c1f341e966bd

SHA512
56a5d075273a148fe9616595cb8ffc7e300ebdc7fbb6301886d29ae5e67b4b2c61c405335e449f9f39fbda1aeee4bb7a6940a2a822e382d7ce6c7e96831d54f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\fg7ffKrc0I.bat

Filesize
204B

MD5
65fe16734cd6696fe88e0f3324cb3056

SHA1
f8b6b72fc07b40c9809de486c1a40a1d1178b0dd

SHA256
b0d8acb470fe944c54567b892b71a2545b6eb8a41f7530a9b530da68e62f82ad

SHA512
3735916b563ea0df2a50256bd6c61a016fae10076c2a00ca8053d64389e14ce9f689a6ced5775f7f842de919f3015305ebda220f3c951069019f5ec854272c77

Download Submit
C:\Users\Admin\AppData\Local\Temp\oPL6j2OtN4.bat

Filesize
204B

MD5
cc8e1e24d0e6f775d9f19066864eac7d

SHA1
df3e1793bc6a608b07356ac6b9c5914ff34a62cf

SHA256
6dbfeb8070d392700d05741fc118f5ee9616b9295b06b1cf01ec2019ae1692af

SHA512
1528678d78a2b896c45ae3b03950c6c94f38963d11538273c308a0ccbd97f1f44961e37b358f0eb41a7ce4d98d810a1b4cc9a5ea7921f9873d39f6e7a4e716ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\vCRFnHZZKP.bat

Filesize
204B

MD5
c0c3423949e5b04c815d92a611b08364

SHA1
5e7e042ccec934b9c52613e76a3e35bbe295df77

SHA256
054b82a0e627aea7aba976c605ffb74f4f36f5d7a2168d605c4555042b88a13b

SHA512
7fb1384fb8a26cca7f030ee78015a52bdfe514b401256a4386e41552a0725d25e2399a4b093ddae83560bd54d95713a3fd718565ae6971b66ab222e02c0f2f98

Download Submit
C:\Users\Admin\AppData\Local\Temp\vkfoWdc5zM.bat

Filesize
204B

MD5
80ba69d935d2eb0db4d40aeb59280a94

SHA1
e1a017f354b8c28bdf6a19bb9270f921bb235d14

SHA256
bd7eadfc30fd50008296f147dd8bb31bde5d7352f5e656b2723d870f5a3d676b

SHA512
b7a269a15d984b21b83b063675410e6dd1cd5ab5c4c198ff198d610afea79d65365145194ffeb289ea1e90d76e8d3d0d8a2f03c679aaee46d043b486abb06f6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
204B

MD5
5ab4b279c126851a3b8f535020fd9aca

SHA1
aafdcda49e0e1a4e0388b137dbe3ceedd17ec03e

SHA256
7a99ae340f8e6f5dd7624dcbcb429db4d008797a17907944fe546bf80613f528

SHA512
fdb2304451372bedcd760ee51aeea546af39651fec28b0fe9d3a9d94ba3d2458896af6a3a6d2c3159163716e21a6143d966702bcd1ae50c3bdb28637bce80ecb

Download Submit
C:\Users\Admin\AppData\Local\Temp\wLA3izB53h.bat

Filesize
204B

MD5
11d1311bd79004231b097594af7cd096

SHA1
135c846690fd40ac5e0867064772c24afd03ab58

SHA256
2946782bd6520aa0af95c0efc867a07b191f2495915e16a529eb3bd17b6c3208

SHA512
0b95bdfe4c3f29919575757bf788a6d1511e14f537347b281e517e7c15df7214627d3ff0e1b4f14efcd72637197635181149ff835ed913746916e21988bfa0bf

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
82e441c637d98d05b91826127fe4caca

SHA1
34e04869257114311a4c674fa4be9558ce250dba

SHA256
63598aedb06dd63d3bba1d4fd62518b490d5c98b94ad2bc838a3da63c6f5ed7c

SHA512
ea27edc43ac111903816029acb11fd28a4709206fb3f582ee0f44a202fe5a2bbda6c69d1ddc92311d5fe65f32ec6ab24b5e7842451e9438c721aeb1dca612d80

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/324-63-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/324-48-0x00000000012C0000-0x00000000013D0000-memory.dmp

Filesize
1.1MB

Download
memory/996-533-0x0000000001090000-0x00000000011A0000-memory.dmp

Filesize
1.1MB

Download
memory/996-534-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1528-75-0x000000001B5F0000-0x000000001B8D2000-memory.dmp

Filesize
2.9MB

Download
memory/1584-353-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download
memory/1936-594-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/2096-65-0x00000000027D0000-0x00000000027D8000-memory.dmp

Filesize
32KB

Download
memory/2160-413-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2348-473-0x00000000009B0000-0x0000000000AC0000-memory.dmp

Filesize
1.1MB

Download
memory/2676-16-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2676-17-0x0000000000280000-0x000000000028C000-memory.dmp

Filesize
48KB

Download
memory/2676-293-0x00000000003E0000-0x00000000004F0000-memory.dmp

Filesize
1.1MB

Download
memory/2676-15-0x0000000000270000-0x000000000027C000-memory.dmp

Filesize
48KB

Download
memory/2676-14-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/2676-13-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/3032-772-0x0000000001260000-0x0000000001370000-memory.dmp

Filesize
1.1MB

Download
memory/3032-773-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/3036-233-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download