dcrat | 11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 06:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074.exe
Size

1.3MB
MD5

056df0ec8811d5cb0d9636e72c69b7f4
SHA1

f1954a8cbbc6401833cbb7e03b96bdc00151da49
SHA256

11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074
SHA512

c1af2b7bd482ef3e2f429a7a0ea3424e8ed55cfd2b6d5550d213c22f52180323acd7a38fe94e0f637802514560e2b5e99a15c6fed46c3f61209bfecf2f690d46
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	396	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2372	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1476	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	676	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1716	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2160	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1776	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2332	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1148	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	576	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2236	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2664	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1712	2664	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001921d-12.dat	dcrat
behavioral1/memory/2956-13-0x0000000000C60000-0x0000000000D70000-memory.dmp	dcrat
behavioral1/memory/2112-48-0x0000000000170000-0x0000000000280000-memory.dmp	dcrat
behavioral1/memory/2020-170-0x00000000003C0000-0x00000000004D0000-memory.dmp	dcrat
behavioral1/memory/2848-230-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/1256-468-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat
behavioral1/memory/1148-529-0x0000000000140000-0x0000000000250000-memory.dmp	dcrat
behavioral1/memory/1560-589-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/292-649-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/1376-709-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1028	powershell.exe
2564	powershell.exe
2000	powershell.exe
1480	powershell.exe
1844	powershell.exe
752	powershell.exe
2508	powershell.exe
1284	powershell.exe
1256	powershell.exe
2516	powershell.exe
612	powershell.exe
1584	powershell.exe
1940	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2956	DllCommonsvc.exe
2112	smss.exe
2020	smss.exe
2848	smss.exe
2852	smss.exe
1560	smss.exe
1380	smss.exe
1256	smss.exe
1148	smss.exe
1560	smss.exe
292	smss.exe
1376	smss.exe

Loads dropped DLL 2 IoCs

pid	Process
2976	cmd.exe
2976	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
22	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
32	raw.githubusercontent.com
35	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files\Common Files\System\msadc\de-DE\System.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Common Files\System\msadc\de-DE\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\msadc\de-DE\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\fr-FR\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\es-ES\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\es-ES\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\Boot\PCAT\el-GR\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2908	schtasks.exe
3052	schtasks.exe
2336	schtasks.exe
2236	schtasks.exe
1308	schtasks.exe
1484	schtasks.exe
676	schtasks.exe
1932	schtasks.exe
1776	schtasks.exe
1476	schtasks.exe
1716	schtasks.exe
1800	schtasks.exe
2460	schtasks.exe
1276	schtasks.exe
2264	schtasks.exe
1900	schtasks.exe
2152	schtasks.exe
1096	schtasks.exe
2160	schtasks.exe
2216	schtasks.exe
1712	schtasks.exe
2732	schtasks.exe
2984	schtasks.exe
2332	schtasks.exe
2464	schtasks.exe
396	schtasks.exe
1512	schtasks.exe
2456	schtasks.exe
1360	schtasks.exe
576	schtasks.exe
2372	schtasks.exe
1272	schtasks.exe
2096	schtasks.exe
2072	schtasks.exe
1148	schtasks.exe
848	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2956	DllCommonsvc.exe
2564	powershell.exe
612	powershell.exe
1844	powershell.exe
2000	powershell.exe
1584	powershell.exe
1940	powershell.exe
2508	powershell.exe
1480	powershell.exe
1028	powershell.exe
1284	powershell.exe
2516	powershell.exe
1256	powershell.exe
752	powershell.exe
2112	smss.exe
2020	smss.exe
2848	smss.exe
2852	smss.exe
1560	smss.exe
1380	smss.exe
1256	smss.exe
1148	smss.exe
1560	smss.exe
292	smss.exe
1376	smss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2956	DllCommonsvc.exe
Token: SeDebugPrivilege	2564	powershell.exe
Token: SeDebugPrivilege	612	powershell.exe
Token: SeDebugPrivilege	1844	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1940	powershell.exe
Token: SeDebugPrivilege	2508	powershell.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	1028	powershell.exe
Token: SeDebugPrivilege	1284	powershell.exe
Token: SeDebugPrivilege	2516	powershell.exe
Token: SeDebugPrivilege	1256	powershell.exe
Token: SeDebugPrivilege	752	powershell.exe
Token: SeDebugPrivilege	2112	smss.exe
Token: SeDebugPrivilege	2020	smss.exe
Token: SeDebugPrivilege	2848	smss.exe
Token: SeDebugPrivilege	2852	smss.exe
Token: SeDebugPrivilege	1560	smss.exe
Token: SeDebugPrivilege	1380	smss.exe
Token: SeDebugPrivilege	1256	smss.exe
Token: SeDebugPrivilege	1148	smss.exe
Token: SeDebugPrivilege	1560	smss.exe
Token: SeDebugPrivilege	292	smss.exe
Token: SeDebugPrivilege	1376	smss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2124 wrote to memory of 2844	2124	JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074.exe	31
PID 2124 wrote to memory of 2844	2124	JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074.exe	31
PID 2124 wrote to memory of 2844	2124	JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074.exe	31
PID 2124 wrote to memory of 2844	2124	JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074.exe	31
PID 2844 wrote to memory of 2976	2844	WScript.exe	32
PID 2844 wrote to memory of 2976	2844	WScript.exe	32
PID 2844 wrote to memory of 2976	2844	WScript.exe	32
PID 2844 wrote to memory of 2976	2844	WScript.exe	32
PID 2976 wrote to memory of 2956	2976	cmd.exe	34
PID 2976 wrote to memory of 2956	2976	cmd.exe	34
PID 2976 wrote to memory of 2956	2976	cmd.exe	34
PID 2976 wrote to memory of 2956	2976	cmd.exe	34
PID 2956 wrote to memory of 1940	2956	DllCommonsvc.exe	72
PID 2956 wrote to memory of 1940	2956	DllCommonsvc.exe	72
PID 2956 wrote to memory of 1940	2956	DllCommonsvc.exe	72
PID 2956 wrote to memory of 1284	2956	DllCommonsvc.exe	73
PID 2956 wrote to memory of 1284	2956	DllCommonsvc.exe	73
PID 2956 wrote to memory of 1284	2956	DllCommonsvc.exe	73
PID 2956 wrote to memory of 612	2956	DllCommonsvc.exe	74
PID 2956 wrote to memory of 612	2956	DllCommonsvc.exe	74
PID 2956 wrote to memory of 612	2956	DllCommonsvc.exe	74
PID 2956 wrote to memory of 2516	2956	DllCommonsvc.exe	75
PID 2956 wrote to memory of 2516	2956	DllCommonsvc.exe	75
PID 2956 wrote to memory of 2516	2956	DllCommonsvc.exe	75
PID 2956 wrote to memory of 2564	2956	DllCommonsvc.exe	76
PID 2956 wrote to memory of 2564	2956	DllCommonsvc.exe	76
PID 2956 wrote to memory of 2564	2956	DllCommonsvc.exe	76
PID 2956 wrote to memory of 1256	2956	DllCommonsvc.exe	77
PID 2956 wrote to memory of 1256	2956	DllCommonsvc.exe	77
PID 2956 wrote to memory of 1256	2956	DllCommonsvc.exe	77
PID 2956 wrote to memory of 2508	2956	DllCommonsvc.exe	79
PID 2956 wrote to memory of 2508	2956	DllCommonsvc.exe	79
PID 2956 wrote to memory of 2508	2956	DllCommonsvc.exe	79
PID 2956 wrote to memory of 1028	2956	DllCommonsvc.exe	81
PID 2956 wrote to memory of 1028	2956	DllCommonsvc.exe	81
PID 2956 wrote to memory of 1028	2956	DllCommonsvc.exe	81
PID 2956 wrote to memory of 2000	2956	DllCommonsvc.exe	82
PID 2956 wrote to memory of 2000	2956	DllCommonsvc.exe	82
PID 2956 wrote to memory of 2000	2956	DllCommonsvc.exe	82
PID 2956 wrote to memory of 1480	2956	DllCommonsvc.exe	83
PID 2956 wrote to memory of 1480	2956	DllCommonsvc.exe	83
PID 2956 wrote to memory of 1480	2956	DllCommonsvc.exe	83
PID 2956 wrote to memory of 1584	2956	DllCommonsvc.exe	84
PID 2956 wrote to memory of 1584	2956	DllCommonsvc.exe	84
PID 2956 wrote to memory of 1584	2956	DllCommonsvc.exe	84
PID 2956 wrote to memory of 752	2956	DllCommonsvc.exe	85
PID 2956 wrote to memory of 752	2956	DllCommonsvc.exe	85
PID 2956 wrote to memory of 752	2956	DllCommonsvc.exe	85
PID 2956 wrote to memory of 1844	2956	DllCommonsvc.exe	86
PID 2956 wrote to memory of 1844	2956	DllCommonsvc.exe	86
PID 2956 wrote to memory of 1844	2956	DllCommonsvc.exe	86
PID 2956 wrote to memory of 2112	2956	DllCommonsvc.exe	98
PID 2956 wrote to memory of 2112	2956	DllCommonsvc.exe	98
PID 2956 wrote to memory of 2112	2956	DllCommonsvc.exe	98
PID 2112 wrote to memory of 2436	2112	smss.exe	99
PID 2112 wrote to memory of 2436	2112	smss.exe	99
PID 2112 wrote to memory of 2436	2112	smss.exe	99
PID 2436 wrote to memory of 2752	2436	cmd.exe	101
PID 2436 wrote to memory of 2752	2436	cmd.exe	101
PID 2436 wrote to memory of 2752	2436	cmd.exe	101
PID 2436 wrote to memory of 2020	2436	cmd.exe	102
PID 2436 wrote to memory of 2020	2436	cmd.exe	102
PID 2436 wrote to memory of 2020	2436	cmd.exe	102
PID 2020 wrote to memory of 2776	2020	smss.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_11b3dd0b51c12737f20d7021d7043fe68b2d4f8cb44b1f240139e34d88bca074.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2844
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1940
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1284
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\es-ES\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2516
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2564
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Cookies\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\fr-FR\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\Adobe\Acrobat\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1028
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:752
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
    - - C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2112
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2752
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2020
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat"
        8⤵
        
        PID:2776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:576
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat"
        10⤵
        
        PID:2560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1088
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2852
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat"
        12⤵
        
        PID:2780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2764
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat"
        14⤵
        
        PID:1976
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1716
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat"
        16⤵
        
        PID:2340
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1088
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat"
        18⤵
        
        PID:1596
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1108
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat"
        20⤵
        
        PID:108
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2128
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat"
        22⤵
        
        PID:2584
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2296
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat"
        24⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2472
        
        C:\providercommon\smss.exe
        
        "C:\providercommon\smss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1376

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\msadc\de-DE\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2372

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Windows\es-ES\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\es-ES\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Libraries\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\Users\Admin\Cookies\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\fr-FR\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\fr-FR\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2152

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1716

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Users\All Users\Adobe\Acrobat\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\providercommon\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\providercommon\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\Recovery\f6a14ac2-8725-11ef-a9ab-dab21757c799\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
264781972b23b73dfdbd1f85c9da3d44

SHA1
cd3ad67a5cec48d8e321b654f88f9e3d449de20e

SHA256
67a773241ef4220b1e435e86720d4b2303575115d99c5af961342dbe0526304e

SHA512
8a37275cc0045198e692f7dc5d972e6709e4f1fe9fc5510dc994bd982404d155b5ca961d031360ce3455516151eb1c25fd58cd17ef279dbba9822cc24c609aa0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
68b148d904f6befec3bf9a8f4b109d60

SHA1
cf7becf5bdc81da6546bafacf67f8543edb6981f

SHA256
85fc42b1928d890d348d35102ae32a9985fe5f8557eeb2a4e4e3a0f149efba31

SHA512
e15f336775cbead8d91a730efa248feb51f02b9e31056092e73beebeea45bdc40a85d5712f73f658c3993f78c6ac98b20c1d31d7206657a2cf1c21bf0e00e553

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d1c2dddca7345e75800bad93c7c5e4d5

SHA1
8a04e26f54fe99fcaa2cc1af4ebdf8f035f67412

SHA256
543d8b396f75744aa6ae267dfe4b1d4dd5877594bf011b702744597185cbfb34

SHA512
ab43202a70821014916d121ce2bfc64a39983b7d4ae9bfca248d67530b473c01b66726c50e27252fbe5c678f86f10976ec6b8d9deb62605fb9699d4b18044ce0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4d0710932e5806db607000c294acd8ff

SHA1
a0f00792a33d87c6b4c8f3beddb8d1fa0ec949ce

SHA256
c718bbc29a7ea88e0302eef1e9f5a25d44289aca166206f21157c5b42873ede0

SHA512
8828d5a65d75a51cb0a1267fd47f9591e5702aab2256b41fe1c158db45c93ae0909963062e904f693aa353fa62f78c0bbe12965de599a028404f6204ce58ff89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fea5a415d7f6d4501cad6d44b51e5806

SHA1
5967f05e1409e934b3522d7b8f566f67a201b750

SHA256
04e318558893e3620243e543a044327d35c77355bbf6dda62c1a6460d2ea0921

SHA512
fa2889f4f0708bc07f06140b3239d12067416a23be81946abe3016e3828b722fe07f7b53255b99a25f47f0cdabc442e83da9c71742749f494cca32b8766800ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b56a37856ad0edf9d350d6d14f5c760

SHA1
00aa2fa2dac24b4190b78c2328eec7861c5c80e2

SHA256
ce7b54b1c9e644a3e841b16ab34a51303365521fed83745eac923349d8465e79

SHA512
d998b3c7a41c4465f3a4acd3a4ae771613792cc4e3eb0db990e7a314d9f0b4ddfb5b1c75351ae408cb3ebb661ad108658146a0ec0f43893ab749256b276252a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
86ea376256ba441c1863e95abf22d5fd

SHA1
890e910d1573b0c809dbf0aa638b58ee4a224446

SHA256
01aaa95f1ef4eda7247e734c0b19e38fdd5cc1201ae1dc86fbc90e8ed15e1eab

SHA512
9c1704a97babc48d9ee9a2581ee6a0f9269eb90644646bac8d711a62769d9b98ee7c2b5905be02520c5b59b0408de925b38d46d6dfc9496b9a4a632107b480fb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
de127e1a4229924c1edeacd2ae6b24e5

SHA1
f435422ec012cc5c6b5c7f5391ec375bab3fd836

SHA256
8bcc6e334d698722e8d323e0fad292bff4f2c512d480ee8735a9ad65b7f182a5

SHA512
857559e713dd1fd6b107170882e8dc36aacd79ef61f736ff3d652308e676afb257221b54069e66ec0766730fcc837f404b7835ca7aaaf7152cba7658526ba62b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e4487ef6bab1ad09e158df10f1ff4b1a

SHA1
7b127b88a61b0c93b993915b7dcab8b51d2eb94a

SHA256
118caa5d6828a00eab2016a732cf165f2772203024d5566de98dfcbc8c0085b0

SHA512
1e767e1d2c1b1ee832c07d4d137bc53d9f9caa373b142a4879623858c7c2799feaff86743a1a237424173515e136b669480928a2f7b77046c24c8eea09a0fd7c

Download Submit
C:\Users\Admin\AppData\Local\Temp\8NcI1AeIbp.bat

Filesize
191B

MD5
ffa3693ff5c29eb1f9609c592fe48bc9

SHA1
90f0e2203db72ade4543c00f6f04b416fabf629a

SHA256
f9a2f68384f33a94ff1fe36dd286dfe6e1f3a0529158c418c441cbe88f0612b7

SHA512
cd8b21fdde22f410de6f9e40b15168906c65835cf721e1f9859129966a8a065a7e1538f9c57b0c61d3c3b02623a608580668ce31ac1853a50c0eebffa26bddf9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab233C.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EtrZeLjFvq.bat

Filesize
191B

MD5
2351bcd0df85e48525184f3c1a8b6861

SHA1
d22cf46f2af5efe31cc913782cc251fbd84e8943

SHA256
06806d62344ffc0f28015ce47b308ca452c71cab9f5d6f526d1b2ed48038d11c

SHA512
145d1fad5ebab6b4cda18e95604cf190e591731fb06fbed65da2ed3a2e16b02936d13a7ab274bc5988a8a514bcf95ee5eaf59b6ae16b461483b616f4368b615b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IVqzzTSBcr.bat

Filesize
191B

MD5
42b6a5f1047479e2a8e1ca8f7f697154

SHA1
c8c0fae0928201452e60b8589f5914876f995f92

SHA256
d7c30c7656ea6470845ea96709a532951a246da78e3e9727e1e73fce103d48e5

SHA512
d1574a00097999f0d06bb1a36913617c7dc1dc757d6ba82feae8c8a0a22ffcfdd093323a1421b7dfeaea9728081394c995b81ee9d8e3da52b98513573061e43e

Download Submit
C:\Users\Admin\AppData\Local\Temp\JJ2zQTaq6h.bat

Filesize
191B

MD5
f45ee13ccbc4dd0b1450332ece3ccbef

SHA1
1cb7b606f5d77e6753cb2bed6452a000b53512f9

SHA256
f4ec6c974746af3956125843d1e1acd4fdbf7d425882d9206fb1608d54c1e5d1

SHA512
b436c2afe4779a3da43785e58ada75067f748fda78497eb7d2535a03a1739dae01fa7e7f0988a6865b37de44f955bc7f549a3ff164379fc209c9f32262702c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\NjKeWzk8OD.bat

Filesize
191B

MD5
3668a307cfb0b57b0839c9e729c85758

SHA1
f10bd8b005e50f2cb53915aee8700800c40e9347

SHA256
390485ea8207cafc60f01681e5587a4c76c543de798b35a6e195c51219d48ceb

SHA512
593b538d21963a584f9fb0608fc9365e28617013d9189310104df834bf48d4659a6f269bd085367394a1dd9cbf98c125463787ff23113c9ffd12e69f9d1f6b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar235E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TdlfhXh7Yo.bat

Filesize
191B

MD5
a455425660b1663898004aefdbd12dde

SHA1
f6f8d9fa954603c9a8c2cb7e15852a632a95d3de

SHA256
010b784e1bfb01264c884ea7707cfc00f1db4b2de0807a1b2926bf479bcae3ae

SHA512
2717570b382d0851c7daf265a0339696de93814a2173e27969bbe75f5e6ebe15aeb9ca34edca7a7df64707c0eb980d32ef1c3ac9999f97a75b39dd70105a04e4

Download Submit
C:\Users\Admin\AppData\Local\Temp\g1eT93LUFj.bat

Filesize
191B

MD5
c65580305d3e45eded1d12236017153b

SHA1
866a562e40bc5b309a754c9c478cbf38362d37a2

SHA256
d8197a857db4ca4da3945ff643776f2ca36fd756f672939b7fb2c22896d6cdf8

SHA512
0736e3746debfbf4a9affed729ae3130f47d8a43f2e65fe1faa3f288eddc797d2c213b4dad711007a5dd65a260d89d86600b2a88ff740e17b51ebd16f7e23d3c

Download Submit
C:\Users\Admin\AppData\Local\Temp\gJVLZ7RDs3.bat

Filesize
191B

MD5
b7ea8b6417811c7cb4084e34962a6cce

SHA1
1ea221f21229c848ccee52345a8ca08bc1396087

SHA256
593eb2fc51aa1edae51be9222cc9ce3c72e4373bc7b0272e95705e8ae1c106f0

SHA512
c758bb8be580a81d283d941dffd305852782a8bc6deabb7d1c3e29e009fc2ba7950955b0f6ba4ff8c6a3b08808e0acea68febe20f18e21af97ad7d59c5941309

Download Submit
C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat

Filesize
191B

MD5
b57f876829564fddb0e733220a57ae7e

SHA1
26f2ab7ed8305fac31f04c32536d2957a2f115f5

SHA256
1ab4bf00613f28639db3fedff2afa30604e266046ab683feeed746b8fb7970d2

SHA512
149da49723bf8b4b25e0574640615c3a73c8e85fca68ca0258003abcadd418c32fc7b52859d665cd72fa5342a0cefe40506b2584f7d94abe6b39f64bd7be1b4a

Download Submit
C:\Users\Admin\AppData\Local\Temp\x5nMQhEI33.bat

Filesize
191B

MD5
e6844ccf19747c7f69285b9919340339

SHA1
c280e4fc9b655bf8166f00ea61fc3bfa2f8bbff7

SHA256
5eaaaed39fb3472c7e2887875963d852b99f4cb1f981b6846235b27802ad4520

SHA512
db34279bc230c916e7cc91bcaf83d35fb4a3cd825e98d5d5d31740f60101a20e514620f32d4b4596d0751579570c099bc069a2fb7047600e0634010ab66ce891

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
e816584ff4086f8a2bc302da1a379c57

SHA1
aead8faaea6f97c2c21e17f690c40aaa529d339c

SHA256
e334bc0f2cc9e81c40cef203f48bd9386c10dba62f1d1ee9d37b8afa8f5b103c

SHA512
bc548e5bd6b357364f31e9cbf19d30236bded0228dfce25b09be080ffdf1f0507cb3e4055165fb469c22b7b9b51942f234173d23bc9352461397322be2b9a318

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/292-649-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/612-72-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1148-529-0x0000000000140000-0x0000000000250000-memory.dmp

Filesize
1.1MB

Download
memory/1256-468-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/1256-469-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/1376-709-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/1560-589-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/2020-170-0x00000000003C0000-0x00000000004D0000-memory.dmp

Filesize
1.1MB

Download
memory/2112-48-0x0000000000170000-0x0000000000280000-memory.dmp

Filesize
1.1MB

Download
memory/2564-71-0x000000001B490000-0x000000001B772000-memory.dmp

Filesize
2.9MB

Download
memory/2848-230-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/2852-290-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2956-13-0x0000000000C60000-0x0000000000D70000-memory.dmp

Filesize
1.1MB

Download
memory/2956-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2956-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2956-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/2956-17-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download