dcrat | 1576d2d3c7eb23e4434c03cc7288bcfa1f5c4a7714854a16b1e72a8bd05ed6d6

Analysis

max time kernel
146s
max time network
141s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 08:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_1576d2d3c7eb23e4434c03cc7288bcfa1f5c4a7714854a16b1e72a8bd05ed6d6.exe
Size

1.3MB
MD5

a3feca78989db5dadcb0f24b7cd539aa
SHA1

7d203e2bd44f55dbaf4b030bd8073a3b801252c7
SHA256

1576d2d3c7eb23e4434c03cc7288bcfa1f5c4a7714854a16b1e72a8bd05ed6d6
SHA512

a08eb52208a4f1421d11f1cfb0e8ca5821d6becb31388505aad6933db6ada2e9b96758deb2d0ec8792a019cd71a59bfa7055a14f55e52d768e25a85c74cc6231
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	596	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1012	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2352	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	872	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	848	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1596	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2996	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2420	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1272	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1380	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	972	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2344	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	908	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	288	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2792	288	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015d87-12.dat	dcrat
behavioral1/memory/2692-13-0x0000000000DA0000-0x0000000000EB0000-memory.dmp	dcrat
behavioral1/memory/1576-44-0x00000000000B0000-0x00000000001C0000-memory.dmp	dcrat
behavioral1/memory/2600-99-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/2612-366-0x00000000013E0000-0x00000000014F0000-memory.dmp	dcrat
behavioral1/memory/3060-664-0x00000000002B0000-0x00000000003C0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2076	powershell.exe
2680	powershell.exe
2700	powershell.exe
2208	powershell.exe
2716	powershell.exe
2756	powershell.exe
2060	powershell.exe
2824	powershell.exe
2632	powershell.exe
2956	powershell.exe
2776	powershell.exe
868	powershell.exe
2556	powershell.exe
2204	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2692	DllCommonsvc.exe
1576	DllCommonsvc.exe
2600	explorer.exe
2144	explorer.exe
800	explorer.exe
1704	explorer.exe
2612	explorer.exe
1784	explorer.exe
1116	explorer.exe
1328	explorer.exe
2988	explorer.exe
3060	explorer.exe

Loads dropped DLL 2 IoCs

pid	Process
2816	cmd.exe
2816	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
29	raw.githubusercontent.com
4	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 12 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsass.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\de-DE\6203df4a6bafc7	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\es-ES\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Visual Studio 8\69ddcba757bf72	DllCommonsvc.exe
File opened for modification	C:\Program Files\Common Files\System\es-ES\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Common Files\System\es-ES\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_1576d2d3c7eb23e4434c03cc7288bcfa1f5c4a7714854a16b1e72a8bd05ed6d6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1272	schtasks.exe
2216	schtasks.exe
2136	schtasks.exe
848	schtasks.exe
108	schtasks.exe
2596	schtasks.exe
2344	schtasks.exe
1644	schtasks.exe
596	schtasks.exe
1012	schtasks.exe
1584	schtasks.exe
2440	schtasks.exe
2000	schtasks.exe
2144	schtasks.exe
2792	schtasks.exe
872	schtasks.exe
2248	schtasks.exe
700	schtasks.exe
892	schtasks.exe
1904	schtasks.exe
2040	schtasks.exe
2772	schtasks.exe
2352	schtasks.exe
2996	schtasks.exe
2420	schtasks.exe
972	schtasks.exe
2508	schtasks.exe
1380	schtasks.exe
316	schtasks.exe
1420	schtasks.exe
1596	schtasks.exe
1832	schtasks.exe
908	schtasks.exe
2656	schtasks.exe
2172	schtasks.exe
2328	schtasks.exe

Suspicious behavior: EnumeratesProcesses 30 IoCs

pid	Process
2692	DllCommonsvc.exe
868	powershell.exe
2076	powershell.exe
2060	powershell.exe
1576	DllCommonsvc.exe
1576	DllCommonsvc.exe
1576	DllCommonsvc.exe
1576	DllCommonsvc.exe
1576	DllCommonsvc.exe
2756	powershell.exe
2776	powershell.exe
2208	powershell.exe
2632	powershell.exe
2716	powershell.exe
2556	powershell.exe
2956	powershell.exe
2680	powershell.exe
2700	powershell.exe
2824	powershell.exe
2204	powershell.exe
2600	explorer.exe
2144	explorer.exe
800	explorer.exe
1704	explorer.exe
2612	explorer.exe
1784	explorer.exe
1116	explorer.exe
1328	explorer.exe
2988	explorer.exe
3060	explorer.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	DllCommonsvc.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2076	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	1576	DllCommonsvc.exe
Token: SeDebugPrivilege	2756	powershell.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2716	powershell.exe
Token: SeDebugPrivilege	2556	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	2600	explorer.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2700	powershell.exe
Token: SeDebugPrivilege	2824	powershell.exe
Token: SeDebugPrivilege	2204	powershell.exe
Token: SeDebugPrivilege	2144	explorer.exe
Token: SeDebugPrivilege	800	explorer.exe
Token: SeDebugPrivilege	1704	explorer.exe
Token: SeDebugPrivilege	2612	explorer.exe
Token: SeDebugPrivilege	1784	explorer.exe
Token: SeDebugPrivilege	1116	explorer.exe
Token: SeDebugPrivilege	1328	explorer.exe
Token: SeDebugPrivilege	2988	explorer.exe
Token: SeDebugPrivilege	3060	explorer.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2756 wrote to memory of 2688	2756	JaffaCakes118_1576d2d3c7eb23e4434c03cc7288bcfa1f5c4a7714854a16b1e72a8bd05ed6d6.exe	30
PID 2756 wrote to memory of 2688	2756	JaffaCakes118_1576d2d3c7eb23e4434c03cc7288bcfa1f5c4a7714854a16b1e72a8bd05ed6d6.exe	30
PID 2756 wrote to memory of 2688	2756	JaffaCakes118_1576d2d3c7eb23e4434c03cc7288bcfa1f5c4a7714854a16b1e72a8bd05ed6d6.exe	30
PID 2756 wrote to memory of 2688	2756	JaffaCakes118_1576d2d3c7eb23e4434c03cc7288bcfa1f5c4a7714854a16b1e72a8bd05ed6d6.exe	30
PID 2688 wrote to memory of 2816	2688	WScript.exe	31
PID 2688 wrote to memory of 2816	2688	WScript.exe	31
PID 2688 wrote to memory of 2816	2688	WScript.exe	31
PID 2688 wrote to memory of 2816	2688	WScript.exe	31
PID 2816 wrote to memory of 2692	2816	cmd.exe	33
PID 2816 wrote to memory of 2692	2816	cmd.exe	33
PID 2816 wrote to memory of 2692	2816	cmd.exe	33
PID 2816 wrote to memory of 2692	2816	cmd.exe	33
PID 2692 wrote to memory of 868	2692	DllCommonsvc.exe	41
PID 2692 wrote to memory of 868	2692	DllCommonsvc.exe	41
PID 2692 wrote to memory of 868	2692	DllCommonsvc.exe	41
PID 2692 wrote to memory of 2060	2692	DllCommonsvc.exe	42
PID 2692 wrote to memory of 2060	2692	DllCommonsvc.exe	42
PID 2692 wrote to memory of 2060	2692	DllCommonsvc.exe	42
PID 2692 wrote to memory of 2076	2692	DllCommonsvc.exe	43
PID 2692 wrote to memory of 2076	2692	DllCommonsvc.exe	43
PID 2692 wrote to memory of 2076	2692	DllCommonsvc.exe	43
PID 2692 wrote to memory of 2544	2692	DllCommonsvc.exe	47
PID 2692 wrote to memory of 2544	2692	DllCommonsvc.exe	47
PID 2692 wrote to memory of 2544	2692	DllCommonsvc.exe	47
PID 2544 wrote to memory of 3028	2544	cmd.exe	49
PID 2544 wrote to memory of 3028	2544	cmd.exe	49
PID 2544 wrote to memory of 3028	2544	cmd.exe	49
PID 2544 wrote to memory of 1576	2544	cmd.exe	50
PID 2544 wrote to memory of 1576	2544	cmd.exe	50
PID 2544 wrote to memory of 1576	2544	cmd.exe	50
PID 1576 wrote to memory of 2680	1576	DllCommonsvc.exe	81
PID 1576 wrote to memory of 2680	1576	DllCommonsvc.exe	81
PID 1576 wrote to memory of 2680	1576	DllCommonsvc.exe	81
PID 1576 wrote to memory of 2776	1576	DllCommonsvc.exe	82
PID 1576 wrote to memory of 2776	1576	DllCommonsvc.exe	82
PID 1576 wrote to memory of 2776	1576	DllCommonsvc.exe	82
PID 1576 wrote to memory of 2700	1576	DllCommonsvc.exe	84
PID 1576 wrote to memory of 2700	1576	DllCommonsvc.exe	84
PID 1576 wrote to memory of 2700	1576	DllCommonsvc.exe	84
PID 1576 wrote to memory of 2756	1576	DllCommonsvc.exe	85
PID 1576 wrote to memory of 2756	1576	DllCommonsvc.exe	85
PID 1576 wrote to memory of 2756	1576	DllCommonsvc.exe	85
PID 1576 wrote to memory of 2716	1576	DllCommonsvc.exe	86
PID 1576 wrote to memory of 2716	1576	DllCommonsvc.exe	86
PID 1576 wrote to memory of 2716	1576	DllCommonsvc.exe	86
PID 1576 wrote to memory of 2956	1576	DllCommonsvc.exe	87
PID 1576 wrote to memory of 2956	1576	DllCommonsvc.exe	87
PID 1576 wrote to memory of 2956	1576	DllCommonsvc.exe	87
PID 1576 wrote to memory of 2208	1576	DllCommonsvc.exe	89
PID 1576 wrote to memory of 2208	1576	DllCommonsvc.exe	89
PID 1576 wrote to memory of 2208	1576	DllCommonsvc.exe	89
PID 1576 wrote to memory of 2204	1576	DllCommonsvc.exe	90
PID 1576 wrote to memory of 2204	1576	DllCommonsvc.exe	90
PID 1576 wrote to memory of 2204	1576	DllCommonsvc.exe	90
PID 1576 wrote to memory of 2824	1576	DllCommonsvc.exe	92
PID 1576 wrote to memory of 2824	1576	DllCommonsvc.exe	92
PID 1576 wrote to memory of 2824	1576	DllCommonsvc.exe	92
PID 1576 wrote to memory of 2556	1576	DllCommonsvc.exe	94
PID 1576 wrote to memory of 2556	1576	DllCommonsvc.exe	94
PID 1576 wrote to memory of 2556	1576	DllCommonsvc.exe	94
PID 1576 wrote to memory of 2632	1576	DllCommonsvc.exe	95
PID 1576 wrote to memory of 2632	1576	DllCommonsvc.exe	95
PID 1576 wrote to memory of 2632	1576	DllCommonsvc.exe	95
PID 1576 wrote to memory of 2600	1576	DllCommonsvc.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1576d2d3c7eb23e4434c03cc7288bcfa1f5c4a7714854a16b1e72a8bd05ed6d6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_1576d2d3c7eb23e4434c03cc7288bcfa1f5c4a7714854a16b1e72a8bd05ed6d6.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2756
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2688
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2816
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2692
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2076
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tdnSJsnH3X.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2544
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3028
      - C:\providercommon\DllCommonsvc.exe
        
        "C:\providercommon\DllCommonsvc.exe"
        6⤵
        Executes dropped EXE
        Drops file in Program Files directory
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Common Files\System\es-ES\explorer.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2756
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2716
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2204
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Downloads\WmiPrvSE.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2556
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsass.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
        
        C:\Program Files\Common Files\System\es-ES\explorer.exe
        
        "C:\Program Files\Common Files\System\es-ES\explorer.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2600
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat"
        8⤵
        
        PID:2300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1900
        
        C:\Program Files\Common Files\System\es-ES\explorer.exe
        
        "C:\Program Files\Common Files\System\es-ES\explorer.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat"
        10⤵
        
        PID:2592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:856
        
        C:\Program Files\Common Files\System\es-ES\explorer.exe
        
        "C:\Program Files\Common Files\System\es-ES\explorer.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat"
        12⤵
        
        PID:1688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2700
        
        C:\Program Files\Common Files\System\es-ES\explorer.exe
        
        "C:\Program Files\Common Files\System\es-ES\explorer.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat"
        14⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1868
        
        C:\Program Files\Common Files\System\es-ES\explorer.exe
        
        "C:\Program Files\Common Files\System\es-ES\explorer.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat"
        16⤵
        
        PID:332
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:276
        
        C:\Program Files\Common Files\System\es-ES\explorer.exe
        
        "C:\Program Files\Common Files\System\es-ES\explorer.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
        18⤵
        
        PID:960
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2012
        
        C:\Program Files\Common Files\System\es-ES\explorer.exe
        
        "C:\Program Files\Common Files\System\es-ES\explorer.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat"
        20⤵
        
        PID:1192
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1732
        
        C:\Program Files\Common Files\System\es-ES\explorer.exe
        
        "C:\Program Files\Common Files\System\es-ES\explorer.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat"
        22⤵
        
        PID:2308
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2388
        
        C:\Program Files\Common Files\System\es-ES\explorer.exe
        
        "C:\Program Files\Common Files\System\es-ES\explorer.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat"
        24⤵
        
        PID:588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2224
        
        C:\Program Files\Common Files\System\es-ES\explorer.exe
        
        "C:\Program Files\Common Files\System\es-ES\explorer.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Microsoft Visual Studio 8\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1012

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Windows\Installer\{AC76BA86-7AD7-1033-7B44-A90000000001}\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 6 /tr "'C:\Program Files\Common Files\System\es-ES\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Common Files\System\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Program Files\Common Files\System\es-ES\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 5 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 6 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2508

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Downloads\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\Downloads\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Photo Viewer\de-DE\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ef599bca20c615a304a69e15fbd51ce4

SHA1
c3d8ae65dc14f5e05621b1fce39dd8026b0e2d4d

SHA256
e48cda71dcbfb1633b8b1c986fda57e73e37b14c886bc814278708a45ba699da

SHA512
3a21b355da8382f5d4cc99e441d46947395e801c1cd625e708956bcbe38fc3238f5aeb1bd2d9b8487b94586126604d6ae973fe027e469742f8ad5739f06a3d46

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51b90af35a6d0ef4c5ac6ac8f387ee3b

SHA1
6a56fc4ccd03abb997542ffeb98807bf24c40a93

SHA256
6934fdf0867f63d87577536c770d5bb44c3816fd541e17e77a362e27a136c0e3

SHA512
70ad09533e4e28c44e8f27980cbbc0ae576a23e7aa0795dd1bcae17d8e1c37ddd9b3ba8c303da87d9408a3395e07c7629e10f58fdbe7f1e2c79d6cec63ee0f7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd08aeb61a9c7e28593cb2ff00267e63

SHA1
baffe6b7a4e6d8ee94bf61c6a8ff8fa0d3fb3c9b

SHA256
d7d393d2eabbafa592cea5f16f2fdabc24b2a090ef42a6b80c3c2eec83f2f728

SHA512
a160c96acfb870e10c5167bbb492c3e530f78575cb9917d8b6ce1b08fbcff4b695ce84442163bd694cf0fa7ad5684fa30cbde018566d11118828677c263396e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
38c864923b77005e4d16cb4e92968df7

SHA1
c8708aa3f0a7d14c9b2e408e1c1bfca1cd29e222

SHA256
0977f7ba198197bc451328853ad5c0a22c932779b98b2d0f5dc8d1e70faf78ad

SHA512
1c64f6ce77c2c95e034fe2b7c7f286d4ce3bac58f993b95cc70abfb37facc34f96480b6c513ce7b87719074d7a7f3423474330d98ff6a4100bf3582041c41539

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
71c1ae40ee177d71bbf83e2bc150a836

SHA1
05bdd21d74d141f8cb2fa8457ed4771ef0c9dd4e

SHA256
64bd789d3fabe3738d262fa5c4fb90225f18843efd3d2218c5d3dc3854c78668

SHA512
2dcfec924f33c0e42cd8f3458d4b0441e928fbc9ecc1761876d46a4a1cd5bca92313bce315330efa604ff2a27db06ee95a7813ffcfd8b7992930c935cbc25f81

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f201fe7c20fb3375bd18689d04ebc309

SHA1
3dbedaf9713acaf9be98b1dc8c241d71d4d9e99f

SHA256
0b1c6bbf0424858af1647cd2ea3f992915cd0cdca9a41bbaf279270f1ac1f4d6

SHA512
c9db235c19c52963cece9f3c9f6b34292f6979baf926cc06ffaaea36b9f3400b6aa24643ce8f639ec22da605535a6cef097fc67dd6ca5d96f7a2a2807a0ca274

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
249bea081ff03d851d95ebe3403507ad

SHA1
f486454dbb9ff2d10f856cac3491b929a1699f0f

SHA256
dd2a77cc76ca668ffe2e9752e85c58d6604839fa0294f96b61e1d6f5377a8d78

SHA512
e75a2431cd41f0eaed7e20fcfd187919f5e8fd4f766401e3994f2c43ed5ada13efa53db221f67df0b805d499e0dd92c7b0dc7bd3015b0e836710fa96809a7bc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
34246580865c3e32d346500d4230382b

SHA1
4297813dc8b79410d4eae98578d379146cb76fc3

SHA256
2edf29e9863bde3dfadaa3675f2a442bc47558bae170e8a3fb2d154733b912e2

SHA512
61202d34c0fd561378487ac4d8cc9a1f121e09acefbaebe0c01738cc708f32383f29594f320c2e7e0d5f457de21a402d2378effb52536093d2c4cd74350c09dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\6uMgbjYtd5.bat

Filesize
220B

MD5
b9ceeafa7394c3e996fea8df61249290

SHA1
9645ca20769d512a37025878976d21e8e76f6dce

SHA256
22aad62a4be1194301a67a77e164a8f38da0c86ebb143e36409e9ae891ab3175

SHA512
3557369d0c77148d661af9e175453348569c40a5a32d10856ec0f545e78cfed3da632530ad5010f543ea63faf02101ca056bb1fa7c54bd002d574b3bc7707a1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8C2B.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\IuwUCT1VMm.bat

Filesize
220B

MD5
0b96d05d65635240ddbc9e7313f94f42

SHA1
72099c75a0355ebdf9a76fbe65f2b8b626ccaeb9

SHA256
99641a72c99e33e5f7c501c95377b5942144225cf0945f2f00d8c61013e9d438

SHA512
579735cf87197ffd488cbeab703ad1eb160cca05c00518314e6a53f9980cce3a2e0eb62495d3e199fcadc4581d9dc521d47f9a5c7f5ecc08cb69a25ba4ded593

Download Submit
C:\Users\Admin\AppData\Local\Temp\RE4R3BzSze.bat

Filesize
220B

MD5
53d1b90834014e81914805723144ab4b

SHA1
d44c8c851c4cc8038566c3f551f9f1922fd810f9

SHA256
98633ab8fe9206a18ccf72af16508a528f7735766c6d7fe281dcb631e980eeda

SHA512
ba07092327b101d2366ab1470e0704f316da672253ea649055a096493fbb66c70bfba8b8d9edfeae08c507ce1ccb537e650c00734418ee194379a5a53ce625d5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RkPY472Oq9.bat

Filesize
220B

MD5
bc39d9d0cc092a042285868bd50b678a

SHA1
55b35c41a373cc80ebaea4e7154371bf4f203fcf

SHA256
535f118ea955af0e0793db64d77c3f4d3cb7379c85413812ed069156e1fdbf80

SHA512
85eb9f579c415007a07bb7ad08e682a32491532e0f755f399b0eed893fd0724978404924a7b5372dac52f0861eea34334bcb180d52f0ca8e70bb2365fb93fe78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8C3E.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VbZulfStaN.bat

Filesize
220B

MD5
0edef710df714f71c7bb4e7a9ed3a40d

SHA1
4b5d2b14b4abf83a40f0c9cae4d485927716c6ba

SHA256
a8a3f6597bc51bb72b9492055aad78accc844eee60415274e1b672eb58131b9d

SHA512
179b184ac0d2996d4291765266e27a93f7334725eb5417f8d5f61c8db96d98be355a6f0fe96e2d2f360a83412d36e48a07489d5bb83097234f2a6ea0fae019da

Download Submit
C:\Users\Admin\AppData\Local\Temp\a4RGbRhdNM.bat

Filesize
220B

MD5
1e8b54a3ee81e8180cd02983b45222a8

SHA1
456b786e3326e6ffa3bea3f5a244a429e2d38da5

SHA256
e8171be22c9894f4f0ded60cc83c7eec6b5f28ce7c7a715a1ff0666870e98236

SHA512
fe0ddedb9480a3de1782ff6bb22a36b23eb6f5fd53601f5d6725b65c32866181a6d30d567b9b95c452cb8ee916bd03dfbe0a119b7e4c803795b58fbc060293a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat

Filesize
220B

MD5
818aba9b18e8fe84e05bc2cb4d33287f

SHA1
cdb4866e59833195797ac54e76ad131968e1608a

SHA256
91d1b0bf666ba8f4a87fb8c3e775457a1e81f11963b32a926168ecc5641774b2

SHA512
d0e2015c14ed0c993cd8d3e2b994601c9acba976de65829333b0e5ddb655aa323e7cf5e9d91416dd7a299b72f6e8e4eb0062f7ae62fa21cc7a219c8fa4c26de0

Download Submit
C:\Users\Admin\AppData\Local\Temp\kUVpzpaF2i.bat

Filesize
220B

MD5
8248e8a15813548d9d715e096e9b8a7d

SHA1
150169d476a7be9633efcada9acd2ee5b30ecceb

SHA256
3165318b2655cfecf48fbab5c7c5e5b048270972e38426ecdbca4a9f60462dee

SHA512
64465cb018fc5cf30578bf87e0f6511f0e359f17ae03d63f4210af10000fb81be730a71531fc26e74fdc583c25bc9394e007c91c8caf3416d74f8c567f1629aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\rZY5mW9Lj2.bat

Filesize
220B

MD5
3119656144a683864ae6d8ba0ee4b46f

SHA1
f963f95109b563bb71c53385a75a9b56ae1d364d

SHA256
07888f44dc5317d0392bb336475e2625bd714b20e17ad24f9a8c2326024aebbd

SHA512
9bfd95cf55a53bb7f32839ad9e84acb83b950504624526f0d1bcd645b603b35476e7f5a6b8fa787db2c4b7f855b24e92d69b3fef936ed36b8318e1a6adffefeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tdnSJsnH3X.bat

Filesize
199B

MD5
e67e2fdd9fcb32b043c088ff05b89e91

SHA1
3827a7bc48d4eab88316e656a9a20eb8e82bb13f

SHA256
8425c8d3f347a9f464197c2c98d48dea4b90188dc9a4259c335230aba17205f0

SHA512
a568071e0c6123877f8b6ef7dcaa2412169a1a14b1c9198836a7b9785ba3ff068f2917cf2bfbd7354704ac848dfdb20d9ae941e077c32bd05811a2e5815e98a7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
334d4ff4f10ff7d58ac1b41a9346f320

SHA1
d99fca5ac1c13ac8ff601cbdb83b0aa93b873c96

SHA256
923da12571a965d2081afa0a0770b234584069e2d30eaaac7cbd49c0b6a8a69a

SHA512
7f77a11faf9d33e27273d58c4f280bd6d3092a1030fd419b462c8c0f9c8762c55785ba2409dae936ec1f223998dfcbafcd54e7ab100eb62e30b7162d811d832f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/868-37-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/868-35-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/1116-485-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/1576-44-0x00000000000B0000-0x00000000001C0000-memory.dmp

Filesize
1.1MB

Download
memory/2600-99-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2600-121-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2612-366-0x00000000013E0000-0x00000000014F0000-memory.dmp

Filesize
1.1MB

Download
memory/2692-17-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2692-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/2692-15-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2692-14-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2692-13-0x0000000000DA0000-0x0000000000EB0000-memory.dmp

Filesize
1.1MB

Download
memory/2756-83-0x0000000002330000-0x0000000002338000-memory.dmp

Filesize
32KB

Download
memory/2756-78-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2988-604-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/3060-664-0x00000000002B0000-0x00000000003C0000-memory.dmp

Filesize
1.1MB

Download