dcrat | cecca2b529e7324340d3485a6e7da6920e17b30243b744af3f967306928d8dfa

Analysis

max time kernel
150s
max time network
145s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 08:08

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_cecca2b529e7324340d3485a6e7da6920e17b30243b744af3f967306928d8dfa.exe
Size

1.3MB
MD5

d4a8b0e4a5b4283e749699232da019e1
SHA1

70233c8d0347f28d049c3c96af0eb6f56c1af3aa
SHA256

cecca2b529e7324340d3485a6e7da6920e17b30243b744af3f967306928d8dfa
SHA512

5969e2abc6280d872c886418f0f7db88918da16db3354ff2b77c06206c3938b512a98432bc9dd432a1f3eaf1e8f5379474c1f088d6a2e8a6c4f598ac6d1d2e5c
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2764	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2720	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	648	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1844	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1432	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2000	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2072	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2696	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	700	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2528	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1512	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1240	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	448	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1900	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	984	1900	schtasks.exe	34

DCRat payload 8 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00080000000162b2-9.dat	dcrat
behavioral1/memory/2008-13-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat
behavioral1/memory/3056-73-0x0000000000F10000-0x0000000001020000-memory.dmp	dcrat
behavioral1/memory/2296-167-0x0000000000290000-0x00000000003A0000-memory.dmp	dcrat
behavioral1/memory/1540-228-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/2696-347-0x0000000000FB0000-0x00000000010C0000-memory.dmp	dcrat
behavioral1/memory/2100-468-0x0000000001050000-0x0000000001160000-memory.dmp	dcrat
behavioral1/memory/2032-707-0x0000000001100000-0x0000000001210000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2468	powershell.exe
1528	powershell.exe
1784	powershell.exe
956	powershell.exe
1372	powershell.exe
2148	powershell.exe
1136	powershell.exe
2460	powershell.exe
672	powershell.exe
1868	powershell.exe
1684	powershell.exe
1364	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2008	DllCommonsvc.exe
3056	dllhost.exe
2296	dllhost.exe
1540	dllhost.exe
1832	dllhost.exe
2696	dllhost.exe
1584	dllhost.exe
2100	dllhost.exe
3056	dllhost.exe
2732	dllhost.exe
2344	dllhost.exe
2032	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
1140	cmd.exe
1140	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com
29	raw.githubusercontent.com
36	raw.githubusercontent.com
9	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\System.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File created	C:\Windows\Cursors\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\Help\mui\040C\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Help\mui\040C\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Cursors\explorer.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Cursors\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_cecca2b529e7324340d3485a6e7da6920e17b30243b744af3f967306928d8dfa.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2632	schtasks.exe
2616	schtasks.exe
2000	schtasks.exe
2072	schtasks.exe
2596	schtasks.exe
1432	schtasks.exe
1500	schtasks.exe
648	schtasks.exe
2944	schtasks.exe
632	schtasks.exe
2528	schtasks.exe
1844	schtasks.exe
3032	schtasks.exe
2832	schtasks.exe
2172	schtasks.exe
1512	schtasks.exe
1240	schtasks.exe
1172	schtasks.exe
984	schtasks.exe
2764	schtasks.exe
2720	schtasks.exe
2432	schtasks.exe
2816	schtasks.exe
2836	schtasks.exe
1472	schtasks.exe
2696	schtasks.exe
700	schtasks.exe
2624	schtasks.exe
2648	schtasks.exe
560	schtasks.exe
1628	schtasks.exe
448	schtasks.exe
1436	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2008	DllCommonsvc.exe
2148	powershell.exe
1372	powershell.exe
2468	powershell.exe
1868	powershell.exe
1684	powershell.exe
1528	powershell.exe
956	powershell.exe
1136	powershell.exe
1364	powershell.exe
1784	powershell.exe
2460	powershell.exe
672	powershell.exe
3056	dllhost.exe
2296	dllhost.exe
1540	dllhost.exe
1832	dllhost.exe
2696	dllhost.exe
1584	dllhost.exe
2100	dllhost.exe
3056	dllhost.exe
2732	dllhost.exe
2344	dllhost.exe
2032	dllhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	DllCommonsvc.exe
Token: SeDebugPrivilege	2148	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	1868	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	956	powershell.exe
Token: SeDebugPrivilege	1136	powershell.exe
Token: SeDebugPrivilege	1364	powershell.exe
Token: SeDebugPrivilege	1784	powershell.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	3056	dllhost.exe
Token: SeDebugPrivilege	672	powershell.exe
Token: SeDebugPrivilege	2296	dllhost.exe
Token: SeDebugPrivilege	1540	dllhost.exe
Token: SeDebugPrivilege	1832	dllhost.exe
Token: SeDebugPrivilege	2696	dllhost.exe
Token: SeDebugPrivilege	1584	dllhost.exe
Token: SeDebugPrivilege	2100	dllhost.exe
Token: SeDebugPrivilege	3056	dllhost.exe
Token: SeDebugPrivilege	2732	dllhost.exe
Token: SeDebugPrivilege	2344	dllhost.exe
Token: SeDebugPrivilege	2032	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1044 wrote to memory of 2384	1044	JaffaCakes118_cecca2b529e7324340d3485a6e7da6920e17b30243b744af3f967306928d8dfa.exe	30
PID 1044 wrote to memory of 2384	1044	JaffaCakes118_cecca2b529e7324340d3485a6e7da6920e17b30243b744af3f967306928d8dfa.exe	30
PID 1044 wrote to memory of 2384	1044	JaffaCakes118_cecca2b529e7324340d3485a6e7da6920e17b30243b744af3f967306928d8dfa.exe	30
PID 1044 wrote to memory of 2384	1044	JaffaCakes118_cecca2b529e7324340d3485a6e7da6920e17b30243b744af3f967306928d8dfa.exe	30
PID 2384 wrote to memory of 1140	2384	WScript.exe	31
PID 2384 wrote to memory of 1140	2384	WScript.exe	31
PID 2384 wrote to memory of 1140	2384	WScript.exe	31
PID 2384 wrote to memory of 1140	2384	WScript.exe	31
PID 1140 wrote to memory of 2008	1140	cmd.exe	33
PID 1140 wrote to memory of 2008	1140	cmd.exe	33
PID 1140 wrote to memory of 2008	1140	cmd.exe	33
PID 1140 wrote to memory of 2008	1140	cmd.exe	33
PID 2008 wrote to memory of 956	2008	DllCommonsvc.exe	68
PID 2008 wrote to memory of 956	2008	DllCommonsvc.exe	68
PID 2008 wrote to memory of 956	2008	DllCommonsvc.exe	68
PID 2008 wrote to memory of 1372	2008	DllCommonsvc.exe	69
PID 2008 wrote to memory of 1372	2008	DllCommonsvc.exe	69
PID 2008 wrote to memory of 1372	2008	DllCommonsvc.exe	69
PID 2008 wrote to memory of 672	2008	DllCommonsvc.exe	70
PID 2008 wrote to memory of 672	2008	DllCommonsvc.exe	70
PID 2008 wrote to memory of 672	2008	DllCommonsvc.exe	70
PID 2008 wrote to memory of 2148	2008	DllCommonsvc.exe	71
PID 2008 wrote to memory of 2148	2008	DllCommonsvc.exe	71
PID 2008 wrote to memory of 2148	2008	DllCommonsvc.exe	71
PID 2008 wrote to memory of 1136	2008	DllCommonsvc.exe	72
PID 2008 wrote to memory of 1136	2008	DllCommonsvc.exe	72
PID 2008 wrote to memory of 1136	2008	DllCommonsvc.exe	72
PID 2008 wrote to memory of 2468	2008	DllCommonsvc.exe	73
PID 2008 wrote to memory of 2468	2008	DllCommonsvc.exe	73
PID 2008 wrote to memory of 2468	2008	DllCommonsvc.exe	73
PID 2008 wrote to memory of 1868	2008	DllCommonsvc.exe	74
PID 2008 wrote to memory of 1868	2008	DllCommonsvc.exe	74
PID 2008 wrote to memory of 1868	2008	DllCommonsvc.exe	74
PID 2008 wrote to memory of 1684	2008	DllCommonsvc.exe	75
PID 2008 wrote to memory of 1684	2008	DllCommonsvc.exe	75
PID 2008 wrote to memory of 1684	2008	DllCommonsvc.exe	75
PID 2008 wrote to memory of 1364	2008	DllCommonsvc.exe	76
PID 2008 wrote to memory of 1364	2008	DllCommonsvc.exe	76
PID 2008 wrote to memory of 1364	2008	DllCommonsvc.exe	76
PID 2008 wrote to memory of 1528	2008	DllCommonsvc.exe	77
PID 2008 wrote to memory of 1528	2008	DllCommonsvc.exe	77
PID 2008 wrote to memory of 1528	2008	DllCommonsvc.exe	77
PID 2008 wrote to memory of 1784	2008	DllCommonsvc.exe	78
PID 2008 wrote to memory of 1784	2008	DllCommonsvc.exe	78
PID 2008 wrote to memory of 1784	2008	DllCommonsvc.exe	78
PID 2008 wrote to memory of 2460	2008	DllCommonsvc.exe	79
PID 2008 wrote to memory of 2460	2008	DllCommonsvc.exe	79
PID 2008 wrote to memory of 2460	2008	DllCommonsvc.exe	79
PID 2008 wrote to memory of 3056	2008	DllCommonsvc.exe	92
PID 2008 wrote to memory of 3056	2008	DllCommonsvc.exe	92
PID 2008 wrote to memory of 3056	2008	DllCommonsvc.exe	92
PID 3056 wrote to memory of 2324	3056	dllhost.exe	93
PID 3056 wrote to memory of 2324	3056	dllhost.exe	93
PID 3056 wrote to memory of 2324	3056	dllhost.exe	93
PID 2324 wrote to memory of 2768	2324	cmd.exe	95
PID 2324 wrote to memory of 2768	2324	cmd.exe	95
PID 2324 wrote to memory of 2768	2324	cmd.exe	95
PID 2324 wrote to memory of 2296	2324	cmd.exe	97
PID 2324 wrote to memory of 2296	2324	cmd.exe	97
PID 2324 wrote to memory of 2296	2324	cmd.exe	97
PID 2296 wrote to memory of 3064	2296	dllhost.exe	98
PID 2296 wrote to memory of 3064	2296	dllhost.exe	98
PID 2296 wrote to memory of 3064	2296	dllhost.exe	98
PID 3064 wrote to memory of 1264	3064	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cecca2b529e7324340d3485a6e7da6920e17b30243b744af3f967306928d8dfa.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_cecca2b529e7324340d3485a6e7da6920e17b30243b744af3f967306928d8dfa.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1044
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2384
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1140
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1136
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\040C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1364
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1784
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3056
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2324
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2768
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:3064
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1264
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        10⤵
        
        PID:688
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3028
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1832
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat"
        12⤵
        
        PID:1764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2976
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat"
        14⤵
        
        PID:2120
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2844
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat"
        16⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2212
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2100
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat"
        18⤵
        
        PID:1692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1208
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        20⤵
        
        PID:2328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:3000
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat"
        22⤵
        
        PID:3040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1364
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"
        24⤵
        
        PID:2172
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1792
        
        C:\Program Files (x86)\Reference Assemblies\dllhost.exe
        
        "C:\Program Files (x86)\Reference Assemblies\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Cursors\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 13 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\providercommon\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\providercommon\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\040C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Help\mui\040C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\040C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1432

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2072

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1512

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:984

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
47cea818989f0d91c4d75989cacf3edb

SHA1
6f3933dd58d50c1eb040980245ff8b69715181b7

SHA256
f3b1ea6992818f471759746b8942f754c8c63c07dfc0dd43d2ad18d47a5c1149

SHA512
f3f74b81e6d190611c72c1ab9c97743685a8667530b27b9d54762750efc310d35a163226b6da3dd1261c5ca02033005feca6b9b3277293ac1619004a763a93ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d58bb48e5b6cf570d054445485202b78

SHA1
2ee7957fdbfdcc7157160d39d93ad4da7eaf823a

SHA256
c3696b3ce799a07bb8badf6b0e12eca9c6669897c6a57c6f9cf7a42df20c9d6d

SHA512
3114417d6d217409d9b33e7e3e2c9d8419f3541a968110e82b46edec3e02266f93b90876640d326d5f03e8dceaf6c623cf98306cf78085c8489e4706b4473dab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d568c581969dcc043ee3e29768d8c72e

SHA1
1747dcc1004f349fcc1e5f963dc3ef3077125749

SHA256
00b1d32343525950c1f01677d1fc74ce0cc4022b825454773bcc5f562d234d87

SHA512
0fb6ce3c24bb7a49149952a0213be471ef79bd493ceee63577b5e321dcd5ab15d2d74286883d379e36ac089816bb0efdef8668d02bf4c2134308f91a5775d05c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0be251175731077d6ccf71f79e341000

SHA1
76abd394ad1fe89fe87bccba9a21f03e82a1f98e

SHA256
391583a2ebe6fb713fcd5ed5c4036b2633ca8183479a252d79b90073985c3ac3

SHA512
3e2b2f5b65c00a143268ef4ffebdfb95b4712d1a459b4bed3e4f6b4b63d51ef06d780b9ca7745ef7137e89ff759665e8865e3c73ebc973f3567679c05ff89901

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4c6970367ca1ef52cdec960b6d7151ed

SHA1
6be88cd3d637151ba02b344b2e714b0591bff5cc

SHA256
432cc94fef7773fd83c30e609b8f40f168ce2cd1e68ecaa2f9d14681cb930716

SHA512
3c9b3f08d1a4301bbc045226565e7863d94933048fcb3a3fa8d93496c51e9381233b8ab8a22ee17df475306df3035b01163e726963120792328ea9395a740b06

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
772ad144c2771232cd6c44f32c92a966

SHA1
35a221c32e8893549f91a2452640ae8b248f775d

SHA256
38a2e3477cbebf0a9f9ca71856db3ec9060ec1bac3ea7208fc4fe8f0d2a9cc1b

SHA512
9b27aeb2e60dc8e8b8be6ac8cb30d843427fd2a7f7b2f0decb34de8cbc949c14ea6f58fc45d9f54c3b95d0e45c862247f16468d8193e60c069a1ed4e73a4d5ab

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f4598446f66ea366e0317f98156a45f

SHA1
80538a4899710ff0556a41744b157ed459b5bdf8

SHA256
f8537959f29bbfdb3fca1c94dd560a65ea45b756719323e34a67aa7ee662d4ac

SHA512
3005a237b804492e11f5dedf24202e78c462cb7faac7f2374bf7eb2100f03954dc93746a0e92c3f8d2090cb1a9ed34618a9be699b9c6c11211adb6cdb5c1e8e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6d433d3d6e78274fa0de6d906906a4e

SHA1
7c7dd42bdd21af1933f798d5829573ee7bf4718a

SHA256
3990b0139bd854d11839388ecfcc40cb2c7f973b74a90b8460b1f870c51e25af

SHA512
21f31ac8d8cb6a021da4530dbea833eb366928d6de3d98a75eaa1455188e5d1957b206b5e7ba320f9546e25b2c92d7ab1ef25f4e50c11d258e1cc95ad68b58bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
105fde421cb3cc75c744e5700ee27579

SHA1
9f17bf784719e1c7eaaa3969739df1728d81d03e

SHA256
1aaad72127cdadee6ab67a9d12fbc77f69d5860249bbe8a4b9c9144e2518a4a6

SHA512
fecd8abdbd407db5d967a264c767e5b90d287999b087214618f28a2616a8c702e584be5cb1a5199d0e501a446283479ab4172a9601147ec3ea5816fa5ef48d50

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
220B

MD5
8dab88d3fa89508424b61c733275e3f6

SHA1
2ffab1c56abec66a9f3df6f1b36183bb05ee4f3b

SHA256
337c49e8641d3df0512876753ed01649284a36b142c1cbb68a22672cc6fe9504

SHA512
8b037ec0d488b9ad88239981a1a2ef8cdf407984f62df37db1c2a1642d55231659c3cb84f31afa37ac33c7de3590be9f64a3447d90916be05be14d4e07aa08eb

Download Submit
C:\Users\Admin\AppData\Local\Temp\7FnFm4j3ls.bat

Filesize
220B

MD5
1bdd83af81959a0ddfb3cae229bfcbf7

SHA1
28f00036d921a892f19bc35feab4d079a22fc016

SHA256
e00036882dae4da8207f56996746ea4b2c07c03370c87c308033f36a03e68594

SHA512
e4f8533989c90be742c658c5c96a02d81427bf8d3e1218e5ec38ab8c74b09cdec695899fd3e5a225c8138291a6474bbd11ff03e49d36a5bb2e54f2a243770d3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8xeM6k5O3T.bat

Filesize
220B

MD5
6d951518010b008355fa5b9e4185c34f

SHA1
2779f83bf8c64220785076423d1f98e5a870d389

SHA256
69b65ef437859cf0d5a9de713d14958a0a7b21eaf1b2feae56cba144e603ef02

SHA512
f688d46b0a4f1c43bacd3554e3e62ac3f27d12193df3c17779e7537416cbdb0cebcd1d71403672d65477d3dac9e4a1eb6ab85308277ded86bfd10ba1caa3821a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9j3rBUpSkc.bat

Filesize
220B

MD5
78cb29d9160e5e77881bc57af885c551

SHA1
82fc0d509ea74cb26823dc56387f0f4717f6ed6e

SHA256
8b4d3b2b65fc44f8b422d92fdebe4914c7d11dde9122a5bd7893cee60bd3ee49

SHA512
4cb5516f9e95aba97a25cd50fe9c03d8309a404fd9593b13f72d62d3cdd02267b4b72a61dd797209103ba85c7986197d2a4235285651ee6e28e681eeab55b4b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC62E.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ljju5cbnZy.bat

Filesize
220B

MD5
26a11fa5eff6bd6ea61b77cc9a8f419b

SHA1
2ed890fa7975e8a60351c37465455d09e12c2bea

SHA256
c9eacf0d9882332f2135d65f04ace0d3b73c939096c28865c315b3bb1193f30b

SHA512
a7a23cbef1645640cc5bd80921761c9cdd78f3ff1a0fa94848c35b938c8cbbd8a8a32ec2f03368a6a7f79177338e976918fa528430ddaf8d6f0bdcfe847a6208

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat

Filesize
220B

MD5
3d4166861970d1c8e372f7fd122340c1

SHA1
3c179ed71988886e95026c99373cf5dba62908a1

SHA256
0559e265784c9c14005d097c7d2973232fc61b503c86d2930b4907ecab7e79cc

SHA512
d63c24cebb94c3b976b138f371ab87c921f261b270ad22052e3c4ff81a3100ac7d0215eff880269690965db5cc8fb3ffdc07f521ccd769ddda438aac001aefa2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ph8sa6VtQm.bat

Filesize
220B

MD5
37a2c723c1ad8136a46608fc66cd1430

SHA1
c3fc705888eed7b0107cbb8f887ece7c2c664599

SHA256
5986c7522ab6a315e856582830b0a362fdc01ddf7d85547f53b47a4c252a6dfc

SHA512
6fe46dc30375b472c3a5eeca872179ac0f7afc4e36755145534b77feffc45b3895337294fbf00d7f9a6fe173d44ce5c023e8546b1e340db9a6277a3b7f5acf34

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC650.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\niOj6yjqzp.bat

Filesize
220B

MD5
ceae41853d99a0902a5d65d7673d1462

SHA1
fbbfba074adeec8b59e78dfd15d83e4ad691ab4b

SHA256
1b5e333a3e95712dca9c03427f4dd0224279e6ff23e11a494901fe838b4d94fe

SHA512
8ecf9f00cfee737b52dd91a620e3c0d43359ff9c0dd5e423d43b2ad696804247b5601740d07a67c4555c7e9fd0762124c87ff2b096edb5db002e0514b9bb617d

Download Submit
C:\Users\Admin\AppData\Local\Temp\uMS4yFj28m.bat

Filesize
220B

MD5
636c9eefa4d2b55e32e7a86ec583f7d4

SHA1
8c4043f9cf0b869b86e049c2f61354d8a725b8d8

SHA256
51fabc04ab233b2177a963042ffef59d7195dfaf1698ff0101db75b914483a6d

SHA512
d56c722f691c90700749982801b3262647d478f2d78c5caaa894be794e6fff408d1cf8f83c3d63e5d3a5d7dc973475db9a0b2b29eafa4ec08a8c7ab6f400b6f0

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
220B

MD5
c98d8f66f18a7bd58e09e5ac3fe0b366

SHA1
52b217f9e659a65ed80bc29eed01e3f38ae945f1

SHA256
04d54aed0e9f67a0cab6fbf661b802ce7ac2ce9a25eefa26c5a56374aa20a886

SHA512
b6428cac32e586bae46823cb1d5e9d22af77b62dea18dd4ef314d4eac0a61932863cdd8c13bb991f8e895a4d43ae0706c2823f23000aca2f8241b1f9933fe64a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\FBU231WLQ9KJX4XP14L9.temp

Filesize
7KB

MD5
74e75b9852531e465a94cd833ea435a5

SHA1
cf0ed34418697309c837ae14de630ff4b991b4ee

SHA256
447076a900c6f64dfb08e063dbaafeca384cc12b1e43776da01854e04b0a750f

SHA512
c66cef4fa13ccb5236e524a8a35ebfe60a758ffe1a0ef6df151c06880a517ad753dabccbea3b11b48e0963a06830edd36f63e11ce8ad7826ae6b95a29e8a4c86

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1540-228-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/1584-408-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2008-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/2008-16-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2008-15-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/2008-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2008-13-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/2032-707-0x0000000001100000-0x0000000001210000-memory.dmp

Filesize
1.1MB

Download
memory/2032-708-0x0000000000530000-0x0000000000542000-memory.dmp

Filesize
72KB

Download
memory/2100-468-0x0000000001050000-0x0000000001160000-memory.dmp

Filesize
1.1MB

Download
memory/2148-67-0x00000000027E0000-0x00000000027E8000-memory.dmp

Filesize
32KB

Download
memory/2148-66-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2296-168-0x0000000000280000-0x0000000000292000-memory.dmp

Filesize
72KB

Download
memory/2296-167-0x0000000000290000-0x00000000003A0000-memory.dmp

Filesize
1.1MB

Download
memory/2344-647-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2696-348-0x0000000000300000-0x0000000000312000-memory.dmp

Filesize
72KB

Download
memory/2696-347-0x0000000000FB0000-0x00000000010C0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-587-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/3056-108-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/3056-73-0x0000000000F10000-0x0000000001020000-memory.dmp

Filesize
1.1MB

Download