dcrat | 533365cf9f7054f80efbcf17621760990447c9f53a323a74accbf08f36cf6106

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_533365cf9f7054f80efbcf17621760990447c9f53a323a74accbf08f36cf6106.exe
Size

1.3MB
MD5

e68c015735fcb05aed182adc649d6914
SHA1

3638d6f2927261fb4d1c585bac167ad24d6ce50a
SHA256

533365cf9f7054f80efbcf17621760990447c9f53a323a74accbf08f36cf6106
SHA512

3e0fcf06da8572a492f36b889f28cd90265fd1df686c31761abad93f263ad71c34f4725f7324c399879960a3e484575af18246af6f4841b69c87eb80003207a6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2532	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2620	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1000	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1684	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1048	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1632	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2880	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2100	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2052	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1032	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2920	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2980	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	568	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2836	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1316	2836	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015d31-11.dat	dcrat
behavioral1/memory/2744-13-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/2076-50-0x0000000000960000-0x0000000000A70000-memory.dmp	dcrat
behavioral1/memory/2664-182-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/memory/2260-301-0x0000000001270000-0x0000000001380000-memory.dmp	dcrat
behavioral1/memory/2456-361-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/912-421-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/1056-482-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat
behavioral1/memory/2512-542-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/2436-602-0x0000000000D10000-0x0000000000E20000-memory.dmp	dcrat
behavioral1/memory/2616-662-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2768	powershell.exe
2020	powershell.exe
2944	powershell.exe
2220	powershell.exe
1340	powershell.exe
2152	powershell.exe
1848	powershell.exe
2208	powershell.exe
1976	powershell.exe
2468	powershell.exe
1740	powershell.exe
2016	powershell.exe
2260	powershell.exe
844	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2744	DllCommonsvc.exe
2076	OSPPSVC.exe
2664	OSPPSVC.exe
2072	OSPPSVC.exe
2260	OSPPSVC.exe
2456	OSPPSVC.exe
912	OSPPSVC.exe
1056	OSPPSVC.exe
2512	OSPPSVC.exe
2436	OSPPSVC.exe
2616	OSPPSVC.exe

Loads dropped DLL 2 IoCs

pid	Process
2672	cmd.exe
2672	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
18	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
22	raw.githubusercontent.com
25	raw.githubusercontent.com
28	raw.githubusercontent.com
31	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\System32\1610b97d3ab4a7	DllCommonsvc.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Journal\es-ES\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\es-ES\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\fr-FR\spoolsv.exe	DllCommonsvc.exe
File created	C:\Windows\fr-FR\f3b6ecef712a24	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\System\audiodg.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\Writers\System\42af1c969fbb7b	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_533365cf9f7054f80efbcf17621760990447c9f53a323a74accbf08f36cf6106.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3000	schtasks.exe
1316	schtasks.exe
2664	schtasks.exe
1632	schtasks.exe
2196	schtasks.exe
2436	schtasks.exe
1696	schtasks.exe
2264	schtasks.exe
704	schtasks.exe
1032	schtasks.exe
2740	schtasks.exe
2532	schtasks.exe
1684	schtasks.exe
568	schtasks.exe
1092	schtasks.exe
672	schtasks.exe
1760	schtasks.exe
2128	schtasks.exe
2880	schtasks.exe
1308	schtasks.exe
1000	schtasks.exe
2732	schtasks.exe
2920	schtasks.exe
1852	schtasks.exe
692	schtasks.exe
1780	schtasks.exe
3032	schtasks.exe
1128	schtasks.exe
1944	schtasks.exe
1048	schtasks.exe
2052	schtasks.exe
1492	schtasks.exe
2620	schtasks.exe
3004	schtasks.exe
2516	schtasks.exe
2980	schtasks.exe
2004	schtasks.exe
2728	schtasks.exe
2100	schtasks.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
2744	DllCommonsvc.exe
1976	powershell.exe
2468	powershell.exe
2016	powershell.exe
2768	powershell.exe
2944	powershell.exe
2076	OSPPSVC.exe
1340	powershell.exe
1740	powershell.exe
2260	powershell.exe
844	powershell.exe
2208	powershell.exe
2020	powershell.exe
2152	powershell.exe
2220	powershell.exe
1848	powershell.exe
2664	OSPPSVC.exe
2072	OSPPSVC.exe
2260	OSPPSVC.exe
2456	OSPPSVC.exe
912	OSPPSVC.exe
1056	OSPPSVC.exe
2512	OSPPSVC.exe
2436	OSPPSVC.exe
2616	OSPPSVC.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2744	DllCommonsvc.exe
Token: SeDebugPrivilege	1976	powershell.exe
Token: SeDebugPrivilege	2076	OSPPSVC.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	2944	powershell.exe
Token: SeDebugPrivilege	1340	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	2152	powershell.exe
Token: SeDebugPrivilege	2220	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2664	OSPPSVC.exe
Token: SeDebugPrivilege	2072	OSPPSVC.exe
Token: SeDebugPrivilege	2260	OSPPSVC.exe
Token: SeDebugPrivilege	2456	OSPPSVC.exe
Token: SeDebugPrivilege	912	OSPPSVC.exe
Token: SeDebugPrivilege	1056	OSPPSVC.exe
Token: SeDebugPrivilege	2512	OSPPSVC.exe
Token: SeDebugPrivilege	2436	OSPPSVC.exe
Token: SeDebugPrivilege	2616	OSPPSVC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3044 wrote to memory of 2448	3044	JaffaCakes118_533365cf9f7054f80efbcf17621760990447c9f53a323a74accbf08f36cf6106.exe	31
PID 3044 wrote to memory of 2448	3044	JaffaCakes118_533365cf9f7054f80efbcf17621760990447c9f53a323a74accbf08f36cf6106.exe	31
PID 3044 wrote to memory of 2448	3044	JaffaCakes118_533365cf9f7054f80efbcf17621760990447c9f53a323a74accbf08f36cf6106.exe	31
PID 3044 wrote to memory of 2448	3044	JaffaCakes118_533365cf9f7054f80efbcf17621760990447c9f53a323a74accbf08f36cf6106.exe	31
PID 2448 wrote to memory of 2672	2448	WScript.exe	32
PID 2448 wrote to memory of 2672	2448	WScript.exe	32
PID 2448 wrote to memory of 2672	2448	WScript.exe	32
PID 2448 wrote to memory of 2672	2448	WScript.exe	32
PID 2672 wrote to memory of 2744	2672	cmd.exe	34
PID 2672 wrote to memory of 2744	2672	cmd.exe	34
PID 2672 wrote to memory of 2744	2672	cmd.exe	34
PID 2672 wrote to memory of 2744	2672	cmd.exe	34
PID 2744 wrote to memory of 1976	2744	DllCommonsvc.exe	75
PID 2744 wrote to memory of 1976	2744	DllCommonsvc.exe	75
PID 2744 wrote to memory of 1976	2744	DllCommonsvc.exe	75
PID 2744 wrote to memory of 2768	2744	DllCommonsvc.exe	76
PID 2744 wrote to memory of 2768	2744	DllCommonsvc.exe	76
PID 2744 wrote to memory of 2768	2744	DllCommonsvc.exe	76
PID 2744 wrote to memory of 2020	2744	DllCommonsvc.exe	78
PID 2744 wrote to memory of 2020	2744	DllCommonsvc.exe	78
PID 2744 wrote to memory of 2020	2744	DllCommonsvc.exe	78
PID 2744 wrote to memory of 844	2744	DllCommonsvc.exe	79
PID 2744 wrote to memory of 844	2744	DllCommonsvc.exe	79
PID 2744 wrote to memory of 844	2744	DllCommonsvc.exe	79
PID 2744 wrote to memory of 2016	2744	DllCommonsvc.exe	80
PID 2744 wrote to memory of 2016	2744	DllCommonsvc.exe	80
PID 2744 wrote to memory of 2016	2744	DllCommonsvc.exe	80
PID 2744 wrote to memory of 1740	2744	DllCommonsvc.exe	81
PID 2744 wrote to memory of 1740	2744	DllCommonsvc.exe	81
PID 2744 wrote to memory of 1740	2744	DllCommonsvc.exe	81
PID 2744 wrote to memory of 2468	2744	DllCommonsvc.exe	82
PID 2744 wrote to memory of 2468	2744	DllCommonsvc.exe	82
PID 2744 wrote to memory of 2468	2744	DllCommonsvc.exe	82
PID 2744 wrote to memory of 2152	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 2152	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 2152	2744	DllCommonsvc.exe	83
PID 2744 wrote to memory of 2208	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 2208	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 2208	2744	DllCommonsvc.exe	85
PID 2744 wrote to memory of 1340	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 1340	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 1340	2744	DllCommonsvc.exe	87
PID 2744 wrote to memory of 2220	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 2220	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 2220	2744	DllCommonsvc.exe	88
PID 2744 wrote to memory of 1848	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 1848	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 1848	2744	DllCommonsvc.exe	90
PID 2744 wrote to memory of 2944	2744	DllCommonsvc.exe	91
PID 2744 wrote to memory of 2944	2744	DllCommonsvc.exe	91
PID 2744 wrote to memory of 2944	2744	DllCommonsvc.exe	91
PID 2744 wrote to memory of 2260	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 2260	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 2260	2744	DllCommonsvc.exe	92
PID 2744 wrote to memory of 2076	2744	DllCommonsvc.exe	95
PID 2744 wrote to memory of 2076	2744	DllCommonsvc.exe	95
PID 2744 wrote to memory of 2076	2744	DllCommonsvc.exe	95
PID 2076 wrote to memory of 1980	2076	OSPPSVC.exe	104
PID 2076 wrote to memory of 1980	2076	OSPPSVC.exe	104
PID 2076 wrote to memory of 1980	2076	OSPPSVC.exe	104
PID 1980 wrote to memory of 2984	1980	cmd.exe	106
PID 1980 wrote to memory of 2984	1980	cmd.exe	106
PID 1980 wrote to memory of 2984	1980	cmd.exe	106
PID 1980 wrote to memory of 2664	1980	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_533365cf9f7054f80efbcf17621760990447c9f53a323a74accbf08f36cf6106.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_533365cf9f7054f80efbcf17621760990447c9f53a323a74accbf08f36cf6106.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2672
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\es-ES\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\fr-FR\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Recent\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\System32\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\NetHood\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\Writers\System\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\OSPPSVC.exe
        
        "C:\Windows\System32\OSPPSVC.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2076
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2984
        
        C:\Windows\System32\OSPPSVC.exe
        
        "C:\Windows\System32\OSPPSVC.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2664
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat"
        8⤵
        
        PID:2136
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1812
        
        C:\Windows\System32\OSPPSVC.exe
        
        "C:\Windows\System32\OSPPSVC.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
        10⤵
        
        PID:2804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2860
        
        C:\Windows\System32\OSPPSVC.exe
        
        "C:\Windows\System32\OSPPSVC.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
        12⤵
        
        PID:2888
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1736
        
        C:\Windows\System32\OSPPSVC.exe
        
        "C:\Windows\System32\OSPPSVC.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat"
        14⤵
        
        PID:676
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:548
        
        C:\Windows\System32\OSPPSVC.exe
        
        "C:\Windows\System32\OSPPSVC.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat"
        16⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1672
        
        C:\Windows\System32\OSPPSVC.exe
        
        "C:\Windows\System32\OSPPSVC.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat"
        18⤵
        
        PID:2720
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1776
        
        C:\Windows\System32\OSPPSVC.exe
        
        "C:\Windows\System32\OSPPSVC.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat"
        20⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1380
        
        C:\Windows\System32\OSPPSVC.exe
        
        "C:\Windows\System32\OSPPSVC.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\38GCmEMl12.bat"
        22⤵
        
        PID:2244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:348
        
        C:\Windows\System32\OSPPSVC.exe
        
        "C:\Windows\System32\OSPPSVC.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat"
        24⤵
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Journal\es-ES\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Journal\es-ES\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1684

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Portable Devices\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Users\Public\Libraries\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Libraries\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Libraries\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\providercommon\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\providercommon\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Windows\fr-FR\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Windows\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Windows\fr-FR\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Users\Admin\Recent\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Windows\System32\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\System32\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Windows\System32\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\NetHood\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Admin\NetHood\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\NetHood\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 9 /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Windows\Vss\Writers\System\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2920

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 5 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1308

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1316

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
690ce137ae847b8dd4c030bc60e817db

SHA1
db2feaeb4371bc1c25123db611be391b7b6512db

SHA256
786ac664689272b6e5d3027086179f2da015dd1b1fada650e67e2447a88e68db

SHA512
d9227709debdf5c450e87eca3eb6a5aaf06479a18f08aea9b791a3a460777c057fdb889c0d0aefa5546d58e599b77c224f1ae7817cb454f4babb5589b2bdffaa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fe6aba2b964bbfe2553afa27429498a

SHA1
34b57086ea1f2406c88c88d4790afbbc3910f12a

SHA256
941170993a118f50ee266ed98ba2f46567359670d320616df035ead2075bba59

SHA512
cd15320ba4bc314e10de441124981ab17ecabb3abb8b25b7bc85d72ffd135514416e2251469217e1b1532645f2b93985cf7e4a592aa09c8beab9fcfaf45f18db

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7d2aa1bf187eef7e37ce0c7cceeb7597

SHA1
d1303e68a9071047a806ed71fe8b201a09caa7a8

SHA256
bc2d741af9b68e6e107631115aaa00f034558f6caeb22a44ebfe1693ef3ffba8

SHA512
ed151cc4fbc668c91d4c25582105e77b7a2f17ad50c7f1f178cab65e9c71a6354244c24234144074f20a9164e44c0659a3e5d9cd072a8112b2b39462d86195e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d07fb1341f8c25be3c10e6440391b470

SHA1
e6a84678a9476655fbaa0d9574364b934fdabcf7

SHA256
47cb3fca2d057720cd3393087f0e5b43e5d360e59741649f80d3ae8e8ba4800f

SHA512
dafc80fbe583c00363ca08ca43732756003a09a6c697fc0e5e492975490ea586f5be043b937492d67e00ca480da2b28e4dae38b9cba64ee3d0e581606fe9bafc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
90073fbfceea3d40e4ffe81c403d3907

SHA1
d67ed4b4cd100ee1d25466f123ddb86676c3f5d5

SHA256
477a025139ebf6c8a9441beccd5148e04668907e10999efcb4b2b81e86b5ea77

SHA512
cdb8a891aeeec02b670f3be72db8f07639b177bbfd2962ede333f5226b73d0bb2a7e74ac343daa02ff8a08561e488482f0ba38009cdac3051d2f06b200d3c7cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dbdd2409f3aa8fd8fe981efffa10ee22

SHA1
a0ac817720f7c8941fb0f5d7195dea6c2f3b0b7b

SHA256
ebf0725bc4573f8f5ba2a5665e8cf2f7bda7e79e276445642351829fd1c6382c

SHA512
935047c4e4686ae88a439337368be4bd6b8675b6bb30f1327041ae6be4b09f9a8212a0bb07893e9f981916fc424756c851f16af3f1a4c22036610fa38c9340b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bbf36b975a16767530cceaab9300cf72

SHA1
5bdf5e3632fcd5e3a5d2dc30e5d9f24ef0aa3ff3

SHA256
edf1c85a3f424fb6d0e02effdce027083f35f2ac5e5d00e9577facd3f81b6a8a

SHA512
62417012e1e986da794d1491d25ce0bf94cbef50488f3cd909afefd383670e3b43648a44e291ee966fed1f29f9dfa01546ce47835763d32f8ba15d3daff2b256

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b2318ab9c16cad4873c88e91d12038e7

SHA1
00ba49a67d87a4514ee8a384220a49df498360a6

SHA256
74bb332fd7d404cb2815eec320821eec28adbb48a6b8998e4ed57e9caf65d9d0

SHA512
0b0f62f0c85941f793da029c7c8107e10e71495fbe7ddf88f21a9fd2dd1e63c9814aba393739f38b2de060e17de8772587be7d2850a2ed4d5461e3d6fc155d45

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f44578454de5b705a241eee4483f0f2

SHA1
699af89bc67884cd65b07d4aea60da655bee7004

SHA256
5fb3f1fbab052680f06ce0ee7c0704ff3784664e9623cd3bb317e01fe5b44707

SHA512
e464628472a4d723bfa113056e4fa8845d1a2d33c6bf6050a3ec7edaf35c13c32218aa88e59b3f0cbfde1b975e3f96277c4dd00d581423f0be97db7d25ec8a21

Download Submit
C:\Users\Admin\AppData\Local\Temp\38GCmEMl12.bat

Filesize
196B

MD5
0e9aa6c4a3996112ef8c9b44041ce6dc

SHA1
5eceec6d5a8691bb40f2c1bb913a25734136f8f5

SHA256
fbca8633b56d0d2d0bdb9c64128b9e4ede739efe51ad887f01f1a6015ef57859

SHA512
74d01fe5a3e1895519b07eb1c03f813d9498175f20e6a078f54b12ddb275b7e12ae9ac0242dee01bd2c52838c11b3db928a6cc5765c2220cf52bc25bba1418c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3jGxsc69Nm.bat

Filesize
196B

MD5
55647c1cbb4f6c93e88d94047614f462

SHA1
7975ba9d5ca47eb9c33bcf52f7f2ceb41f4c7dbf

SHA256
fa47c60fd8dd20355aafe12ebc814b43c3c816d84490c72656a9dc18d50bc2f7

SHA512
b25ac1e7b1947af51cca8130887ecc1915a4271c8a689b2a8d0a5ececfc1f9d95d0145cd9d7e227f293386e9a2fa0048f429f256c49d175384c392c0cf23992a

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

Filesize
196B

MD5
e3fc9c580089265f576d6d95372b7cd8

SHA1
33e1d16e92b8709a16e97d0ea5dc457f0858fb01

SHA256
336237f0da3aa7d849bebf9fac757d38124d2efdb1950d58097addde5d95d731

SHA512
d61162a6613e6d8506097bf3ec3bbe29e99b996e56025a3e25b89a09a834eb0baf78914e9fdfcf179921ad15a90fba144bcf96295d7e27dbbc700bc37c35c319

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab203F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2061.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VF9LbKHiRa.bat

Filesize
196B

MD5
b7962f0e6666a1c9029ee56b5aac4698

SHA1
57f8fe15a33d8991780b71c1980cb4958c967e6b

SHA256
5ffde97bcb9e095ab66278911861784baf2b9256046fde3b7a4f9874250cb8fd

SHA512
ed59c7d4267685449d1ee47022ebdd2515f00ba21a598ffe963c8d4d317cc482dcd6c965e046bbf11929e2da3a7371b8308aa981bb8b46e641a251a63044170e

Download Submit
C:\Users\Admin\AppData\Local\Temp\kz4ReWEb5Y.bat

Filesize
196B

MD5
ca21a5cfa6dab4dab7956a269d6ec416

SHA1
6560744399f931ea9d895a8d6fe2036ae19aaa50

SHA256
b02007df633e09a7118a0afafc55aac69493813a5c042f15d6525467e5ed348d

SHA512
04fb5358000ee2081f33929d054795ce3cdd9bcf027c155b403859c26054dea2cf8f17bb2688dcb1339845173725cbdbc9e80b1602e8eca2ae626a7d28a63e25

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHuJ4aKJis.bat

Filesize
196B

MD5
69b086901b6b64bf5dc5c76d296be481

SHA1
880e07e3c75aed4c7fe33050160c8384796eede1

SHA256
69949b1a367d7653424c5830baab4376d972e2479098ab7cee0f49d94cabe280

SHA512
4c6c761bcc3b252d24d1f467fb1b63b44385ee8a81329071bbec4646979c4057e15255290442752fcc1864022e5338d8a4371495cb9bdf5e208eae8dd011ed7f

Download Submit
C:\Users\Admin\AppData\Local\Temp\mJIFszAWFu.bat

Filesize
196B

MD5
5721c49a8455081574ad16e38271378d

SHA1
bab0fcd6866ec759213827e38a791fe6a3718d71

SHA256
f2fa8caaea3c7dc6f5a252b31ef91e7ff3e8e35f38b14f8a86d82c1b06970747

SHA512
41e02b74a34f951857638fd89e32422d5f6e689a702374c90fd7ddb97fe8fdbe5e17d86a2386f8f2f96c0c1ad37a114a078ab190bd883b633a27073579983098

Download Submit
C:\Users\Admin\AppData\Local\Temp\nDq7RH5Uwz.bat

Filesize
196B

MD5
c06aa44588427e5402070fa41a65dea8

SHA1
0f2077dee7822534b5cb8246474fa1d48cc6a78b

SHA256
edf4f3ca8affbbcf1358ed0a6569634dbbcda7791e018670f0b7af249f98a33b

SHA512
00329ac9053d4ca9e28b316fc02e76be129bab586bd3ed253d84c04a490c9d5e077570afedba0c68cd047777b8de32f58e95c347f6ba80296e2e85fb23e79055

Download Submit
C:\Users\Admin\AppData\Local\Temp\p9sA7N8NGm.bat

Filesize
196B

MD5
4e77ab296853ff526e4cf81ecf948c57

SHA1
313d629584cd8dcdee18530fdfe7309b335e00ae

SHA256
bbd5f9d781a159da6484a748bc0943d1f704e635307aed0cea09eaf60aabcc1c

SHA512
429d86174ff0fed196db1ae02a02ba3028435ca09a070673f65507b814b7b8ec7f079db09b7ff3f678dd67337b52d2e71d27b5d5a21b5f073c2a45bb5911c62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat

Filesize
196B

MD5
4d62f5ed3caa7e6039961cf24ed4f6c0

SHA1
c96de1e89447d281963cad877dabc0d3e5cd5d55

SHA256
d4088c0b6d0331f7ffce21eb4162aadaac5e9b0f4949deb0816cd9a327e24ee0

SHA512
af4dd45ba1e03186382c8e948d94b6a4a35374604ae8aacfbdf86265ac3147a9b9fdbd2d97147476cc9451224bfcfc09db40e790e16102f8d2a502877e844ace

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\30YRNX9ZXILNA36Z5G01.temp

Filesize
7KB

MD5
81ac68d9ae8be23312ff1ad814692465

SHA1
70abe097c6f869693eef0c784a21e0255116339d

SHA256
7316d96a6662bdec194363cfecaaa8e86797ac2e52db58d46ae177bb0ff49962

SHA512
48bc9f6ce2c959b494f3980121a027768a05a7b3c49a361d885f5298960bd628d6a024b785b486df85d4bafef88d42434fd0f2f482aa528d3b555a5e995121b6

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/912-421-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/912-422-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/1056-482-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/1976-55-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/1976-57-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download
memory/2076-72-0x0000000000160000-0x0000000000172000-memory.dmp

Filesize
72KB

Download
memory/2076-50-0x0000000000960000-0x0000000000A70000-memory.dmp

Filesize
1.1MB

Download
memory/2260-301-0x0000000001270000-0x0000000001380000-memory.dmp

Filesize
1.1MB

Download
memory/2436-602-0x0000000000D10000-0x0000000000E20000-memory.dmp

Filesize
1.1MB

Download
memory/2456-361-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download
memory/2512-542-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2616-662-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/2664-182-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/2744-17-0x0000000002050000-0x000000000205C000-memory.dmp

Filesize
48KB

Download
memory/2744-16-0x0000000002030000-0x000000000203C000-memory.dmp

Filesize
48KB

Download
memory/2744-15-0x0000000002040000-0x000000000204C000-memory.dmp

Filesize
48KB

Download
memory/2744-14-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download
memory/2744-13-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download