dcrat | eee61469a83f623353e9d7446bc3930aecde4a5ea222b1415ec566c6998466cc

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_eee61469a83f623353e9d7446bc3930aecde4a5ea222b1415ec566c6998466cc.exe
Size

1.3MB
MD5

3d3b0182f334b3df45658691d1d1e770
SHA1

e02b8540ff0973b7d9305b7ebf16c2c3da5e4773
SHA256

eee61469a83f623353e9d7446bc3930aecde4a5ea222b1415ec566c6998466cc
SHA512

cc4caf0ca19da001c0fbbfab728492e88580b63c9203eb2e1425c3f59031b1f1e2ba94902e9438551bd3867344fb9824d3a00f6cba4d908185203a910ddd8ede
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3036	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	888	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2812	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1936	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2892	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2928	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2268	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1864	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1824	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2856	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2180	2856	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000019030-12.dat	dcrat
behavioral1/memory/1056-13-0x0000000001080000-0x0000000001190000-memory.dmp	dcrat
behavioral1/memory/760-108-0x0000000000820000-0x0000000000930000-memory.dmp	dcrat
behavioral1/memory/2360-168-0x0000000000D70000-0x0000000000E80000-memory.dmp	dcrat
behavioral1/memory/2192-289-0x00000000011C0000-0x00000000012D0000-memory.dmp	dcrat
behavioral1/memory/1916-349-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/2180-409-0x0000000000370000-0x0000000000480000-memory.dmp	dcrat
behavioral1/memory/1408-469-0x0000000000BC0000-0x0000000000CD0000-memory.dmp	dcrat
behavioral1/memory/924-588-0x00000000013C0000-0x00000000014D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1748	powershell.exe
1764	powershell.exe
620	powershell.exe
2432	powershell.exe
2460	powershell.exe
1268	powershell.exe
1652	powershell.exe
912	powershell.exe
964	powershell.exe
996	powershell.exe
1316	powershell.exe
1700	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
1056	DllCommonsvc.exe
760	Idle.exe
2360	Idle.exe
2920	Idle.exe
2192	Idle.exe
1916	Idle.exe
2180	Idle.exe
1408	Idle.exe
1628	Idle.exe
924	Idle.exe
2168	Idle.exe
1984	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
3052	cmd.exe
3052	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
31	raw.githubusercontent.com
34	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
13	raw.githubusercontent.com
17	raw.githubusercontent.com
20	raw.githubusercontent.com
24	raw.githubusercontent.com
27	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\conhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\088424020bedd6	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Uninstall Information\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Defender\de-DE\6cb0b6c459d5d3	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\CSC\v2.0.6\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\sppsvc.exe	DllCommonsvc.exe
File created	C:\Windows\tracing\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_eee61469a83f623353e9d7446bc3930aecde4a5ea222b1415ec566c6998466cc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2260	schtasks.exe
1936	schtasks.exe
2316	schtasks.exe
2268	schtasks.exe
1864	schtasks.exe
2556	schtasks.exe
1212	schtasks.exe
2600	schtasks.exe
2628	schtasks.exe
1976	schtasks.exe
2212	schtasks.exe
1804	schtasks.exe
2732	schtasks.exe
2812	schtasks.exe
3016	schtasks.exe
2912	schtasks.exe
1824	schtasks.exe
888	schtasks.exe
1644	schtasks.exe
2892	schtasks.exe
3032	schtasks.exe
2576	schtasks.exe
1584	schtasks.exe
1628	schtasks.exe
2740	schtasks.exe
3036	schtasks.exe
1540	schtasks.exe
2900	schtasks.exe
2928	schtasks.exe
584	schtasks.exe
704	schtasks.exe
2180	schtasks.exe
2604	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
1056	DllCommonsvc.exe
1056	DllCommonsvc.exe
1056	DllCommonsvc.exe
1056	DllCommonsvc.exe
1056	DllCommonsvc.exe
2460	powershell.exe
912	powershell.exe
2432	powershell.exe
1748	powershell.exe
1316	powershell.exe
1268	powershell.exe
620	powershell.exe
1764	powershell.exe
1652	powershell.exe
964	powershell.exe
1700	powershell.exe
996	powershell.exe
760	Idle.exe
2360	Idle.exe
2920	Idle.exe
2192	Idle.exe
1916	Idle.exe
2180	Idle.exe
1408	Idle.exe
1628	Idle.exe
924	Idle.exe
2168	Idle.exe
1984	Idle.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1056	DllCommonsvc.exe
Token: SeDebugPrivilege	2460	powershell.exe
Token: SeDebugPrivilege	912	powershell.exe
Token: SeDebugPrivilege	2432	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	620	powershell.exe
Token: SeDebugPrivilege	1764	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	964	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	996	powershell.exe
Token: SeDebugPrivilege	760	Idle.exe
Token: SeDebugPrivilege	2360	Idle.exe
Token: SeDebugPrivilege	2920	Idle.exe
Token: SeDebugPrivilege	2192	Idle.exe
Token: SeDebugPrivilege	1916	Idle.exe
Token: SeDebugPrivilege	2180	Idle.exe
Token: SeDebugPrivilege	1408	Idle.exe
Token: SeDebugPrivilege	1628	Idle.exe
Token: SeDebugPrivilege	924	Idle.exe
Token: SeDebugPrivilege	2168	Idle.exe
Token: SeDebugPrivilege	1984	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2364 wrote to memory of 2328	2364	JaffaCakes118_eee61469a83f623353e9d7446bc3930aecde4a5ea222b1415ec566c6998466cc.exe	30
PID 2364 wrote to memory of 2328	2364	JaffaCakes118_eee61469a83f623353e9d7446bc3930aecde4a5ea222b1415ec566c6998466cc.exe	30
PID 2364 wrote to memory of 2328	2364	JaffaCakes118_eee61469a83f623353e9d7446bc3930aecde4a5ea222b1415ec566c6998466cc.exe	30
PID 2364 wrote to memory of 2328	2364	JaffaCakes118_eee61469a83f623353e9d7446bc3930aecde4a5ea222b1415ec566c6998466cc.exe	30
PID 2328 wrote to memory of 3052	2328	WScript.exe	32
PID 2328 wrote to memory of 3052	2328	WScript.exe	32
PID 2328 wrote to memory of 3052	2328	WScript.exe	32
PID 2328 wrote to memory of 3052	2328	WScript.exe	32
PID 3052 wrote to memory of 1056	3052	cmd.exe	34
PID 3052 wrote to memory of 1056	3052	cmd.exe	34
PID 3052 wrote to memory of 1056	3052	cmd.exe	34
PID 3052 wrote to memory of 1056	3052	cmd.exe	34
PID 1056 wrote to memory of 2432	1056	DllCommonsvc.exe	69
PID 1056 wrote to memory of 2432	1056	DllCommonsvc.exe	69
PID 1056 wrote to memory of 2432	1056	DllCommonsvc.exe	69
PID 1056 wrote to memory of 1316	1056	DllCommonsvc.exe	70
PID 1056 wrote to memory of 1316	1056	DllCommonsvc.exe	70
PID 1056 wrote to memory of 1316	1056	DllCommonsvc.exe	70
PID 1056 wrote to memory of 1700	1056	DllCommonsvc.exe	71
PID 1056 wrote to memory of 1700	1056	DllCommonsvc.exe	71
PID 1056 wrote to memory of 1700	1056	DllCommonsvc.exe	71
PID 1056 wrote to memory of 2460	1056	DllCommonsvc.exe	72
PID 1056 wrote to memory of 2460	1056	DllCommonsvc.exe	72
PID 1056 wrote to memory of 2460	1056	DllCommonsvc.exe	72
PID 1056 wrote to memory of 1748	1056	DllCommonsvc.exe	73
PID 1056 wrote to memory of 1748	1056	DllCommonsvc.exe	73
PID 1056 wrote to memory of 1748	1056	DllCommonsvc.exe	73
PID 1056 wrote to memory of 1268	1056	DllCommonsvc.exe	74
PID 1056 wrote to memory of 1268	1056	DllCommonsvc.exe	74
PID 1056 wrote to memory of 1268	1056	DllCommonsvc.exe	74
PID 1056 wrote to memory of 1652	1056	DllCommonsvc.exe	75
PID 1056 wrote to memory of 1652	1056	DllCommonsvc.exe	75
PID 1056 wrote to memory of 1652	1056	DllCommonsvc.exe	75
PID 1056 wrote to memory of 912	1056	DllCommonsvc.exe	76
PID 1056 wrote to memory of 912	1056	DllCommonsvc.exe	76
PID 1056 wrote to memory of 912	1056	DllCommonsvc.exe	76
PID 1056 wrote to memory of 964	1056	DllCommonsvc.exe	77
PID 1056 wrote to memory of 964	1056	DllCommonsvc.exe	77
PID 1056 wrote to memory of 964	1056	DllCommonsvc.exe	77
PID 1056 wrote to memory of 1764	1056	DllCommonsvc.exe	78
PID 1056 wrote to memory of 1764	1056	DllCommonsvc.exe	78
PID 1056 wrote to memory of 1764	1056	DllCommonsvc.exe	78
PID 1056 wrote to memory of 996	1056	DllCommonsvc.exe	79
PID 1056 wrote to memory of 996	1056	DllCommonsvc.exe	79
PID 1056 wrote to memory of 996	1056	DllCommonsvc.exe	79
PID 1056 wrote to memory of 620	1056	DllCommonsvc.exe	80
PID 1056 wrote to memory of 620	1056	DllCommonsvc.exe	80
PID 1056 wrote to memory of 620	1056	DllCommonsvc.exe	80
PID 1056 wrote to memory of 2192	1056	DllCommonsvc.exe	87
PID 1056 wrote to memory of 2192	1056	DllCommonsvc.exe	87
PID 1056 wrote to memory of 2192	1056	DllCommonsvc.exe	87
PID 2192 wrote to memory of 3008	2192	cmd.exe	95
PID 2192 wrote to memory of 3008	2192	cmd.exe	95
PID 2192 wrote to memory of 3008	2192	cmd.exe	95
PID 2192 wrote to memory of 760	2192	cmd.exe	96
PID 2192 wrote to memory of 760	2192	cmd.exe	96
PID 2192 wrote to memory of 760	2192	cmd.exe	96
PID 760 wrote to memory of 2436	760	Idle.exe	97
PID 760 wrote to memory of 2436	760	Idle.exe	97
PID 760 wrote to memory of 2436	760	Idle.exe	97
PID 2436 wrote to memory of 2152	2436	cmd.exe	99
PID 2436 wrote to memory of 2152	2436	cmd.exe	99
PID 2436 wrote to memory of 2152	2436	cmd.exe	99
PID 2436 wrote to memory of 2360	2436	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eee61469a83f623353e9d7446bc3930aecde4a5ea222b1415ec566c6998466cc.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_eee61469a83f623353e9d7446bc3930aecde4a5ea222b1415ec566c6998466cc.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2364
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2328
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3052
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2432
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1748
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\tracing\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Uninstall Information\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:964
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1764
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:620
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9MCfWrWUsN.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2192
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3008
      - C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2152
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat"
        9⤵
        
        PID:780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1340
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2920
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat"
        11⤵
        
        PID:408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:900
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2192
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat"
        13⤵
        
        PID:1992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1380
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat"
        15⤵
        
        PID:1936
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1168
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2180
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat"
        17⤵
        
        PID:756
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2252
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat"
        19⤵
        
        PID:692
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2672
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1628
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        21⤵
        
        PID:1764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2152
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat"
        23⤵
        
        PID:2636
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2732
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat"
        25⤵
        
        PID:328
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:3044
        
        C:\MSOCache\All Users\Idle.exe
        
        "C:\MSOCache\All Users\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2732

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Default\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\Microsoft\Framework\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2812

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 6 /tr "'C:\Users\Default User\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Windows\tracing\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\Windows\tracing\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2892

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\Users\Public\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Users\Public\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 7 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Uninstall Information\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Recovery\1b8b1de2-69f6-11ef-9774-62cb582c238c\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Defender\de-DE\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2180

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
31214c0c127a03de639ed65de7d145e2

SHA1
1a63cf9983568214835fbecf5acd1abb0236c981

SHA256
6b370a04e8e1632b6e3e81897017b389c618fb527938ace2968e0624f0071d15

SHA512
07e603510f1ff396e3bcfafd9d79db72c98cd328b01a4012cebe4e181f58fa52d65941ac1e49ee2394a23f820603bc82cb5bfce7605b1d100caef7b72bfa3bed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0b5c0989814cdf10735d6cff6d3a88a

SHA1
3b075381cd343b77db576c045c3006c3b668683a

SHA256
6515acaff2b1fff9934e6812a2d44e41c31968f84519d273a6b169363e93f865

SHA512
8e0bf297cb7b6120a1581b6d8b4bf6cb264fa1c62f6bb07c8c9dd52bde944acba6dfb0e161b33b77ce5e2bb224ba24faa12c0448857f9be4a0f638f638fe862b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7b5fcb6da97854cb521cfcf1b50506e2

SHA1
c343168537057ef578275626f5e6d84d8bc68b81

SHA256
7fce393a06a75aa6b42cb005358000eeb63a23f39638fefe073653093a66e0cf

SHA512
5f7280c63db2de0d04f0e77bad7554e1073e4c5d3b98f819982ff37331d0293f3a709ed315cadc9137ec2dd439f184ede71d7171ba67838d3fe224e7c82af485

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e1be25b410d6954f0e6dab0a4c5d862

SHA1
7a0d3a3db870e0e2c6cd4e7f3778c0b66ba151ea

SHA256
28dddcd806ca3d73fd78d0bb3af7e20ab84f6cc972b7ec18a2622bd645918dbc

SHA512
88433812d4b7cf05ea4dd973a88b38c29b7571fd62c4996341674873c37df5b23177b862c44fd6dbb04079004b92be6a1f8e1af7df776d6ce5cc6a8adc4570fa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bf87981467fafa3a59b561f2137df66

SHA1
6fc8543b2371d3ed99eec228e34b67256bab746b

SHA256
bc52ff8462853ad86d6e689e188c3170b948f07709c57151dc6f244e18adeafa

SHA512
a1d9be9599a89b44491f9420d1adaefe832ec25ddb65fe43aba4f937ae25fbe6b0ca2c2cbd6dd7497abdbe0f3e679dab24456a25eed9403e3e18efc2ad537672

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b8bfaf3b5eff314d684937c8bb42a5b8

SHA1
2927aacaee85bce2dd2c527135536c8e7c437dd0

SHA256
302778623cee68e55a3d1e71686af33beabcc9eed1107f860e6905dc1e6cc64f

SHA512
05bd919000b98d2ead717c9b6c5b9865026bc081c3b6bc60e5e18ae3578c5b47aa54c52a1dd5d8cbc2de5884dfc7d64ccd46266eb96d92531b6fd60ee6f4909c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f001622eb14d495810b598bf9fee274

SHA1
7c54cb6f6c4ba2faff1df565453ba5293257e386

SHA256
5cc0dc491c69f8b68825a170bac11b9a69bffc4227d610bbc9b16dcfb9348a55

SHA512
23aa3651e6948ee2a16a2c57e0e724e693770eef6c58493385f3ab7bae44b55d6d838c87b6e65bafda1a6576851bc3b8acfc6d49d9f08556eb586cec19fd9c0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e234431eb749d922a7d206af6ad439eb

SHA1
3c3dcc80fa4c4a7aa9f2b3437f1bec5bcdcce01a

SHA256
5badd4e80392fa304686908baec208b51d6770e2936068516fb8b0808d01438f

SHA512
fe490698eede4a47f5ad2abdc4102b2de9161e630638926e3b56486195c9b57fd8864e2774373cbed59f1fcbf1aeec0938d1b7e55f5272637dc4e1b911a82b82

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff504d0c028e3b6986ce6ac21e8c0b1d

SHA1
1798b4a4b016c97c66941fb348605fe7cff15ad6

SHA256
53ae510546e7d245f60150b85fbc9899bfe5551832ac1e84bd17fc87d2691b8c

SHA512
88365d48f89b4f5726cda5e3556dad23da36ac5f8c0800d1ff19f098338247f64fbb8058a8f0d8f47c91f9c787004d63148759b284b98ec28c56ca6a5feefaf1

Download Submit
C:\Users\Admin\AppData\Local\Temp\0ZxjVk2zv8.bat

Filesize
195B

MD5
5b60c019dee9f0871fb5ae466772486f

SHA1
2e11f313879144d8cd57a6fbb1319842a744107c

SHA256
1ff4fae1734f6d174e553e03cb992fe2b97dc3fcd6793661d47fa5ee29a0501c

SHA512
1dbfd82c16c5395857ce4816e71d916b988380e0f763168c2ebc615737577ba9ad968ef30c02cfee65b6a1233909b1a4f607fa8238c9d3d0ddb016ba01ec8dfa

Download Submit
C:\Users\Admin\AppData\Local\Temp\4NR89d4K3E.bat

Filesize
195B

MD5
da1fc211a76e30cdc28106bb92653a20

SHA1
b804231cbadeedd2e2b2e6168636ebead9573df3

SHA256
7e1d04f1425189daa63deab98342c41613ce5c6ca37fc0c6fe15b7328a0c8d3f

SHA512
4fe7fd5f5895e18ee5a201c1d1e540eb15b2330a5e7189d765a76eb836211282cc8c061953d5bdfb64902543481d956a781633c2f3b9082c1477839fcf275196

Download Submit
C:\Users\Admin\AppData\Local\Temp\5bc4V3lt5Q.bat

Filesize
195B

MD5
46dd498708fa4a7b8d9632215bfc5a9d

SHA1
9d94538eb42b4faa187080bf213b3779222bcdac

SHA256
4d8753685c42717313da0838eae59badb012e93b104915402d4dd7b92db9791c

SHA512
2be07e8406485f32176aecd22d9b05345af059d8506eace2bf0fa776d22584b2bf2acda488952f1f7f0500c38b214e9a0747e9deaadcda0ed3353fe2f0183292

Download Submit
C:\Users\Admin\AppData\Local\Temp\7etkz3INVn.bat

Filesize
195B

MD5
e683f504e626dbba49c2f125868858c1

SHA1
713b14f96f540ee0e9cff2c2432a31d8b19136e3

SHA256
896a7d53592b09818e6d617db0740ffec240009cb2da45c344f1d252659d4ec5

SHA512
903f1e8c09f8e4b031e2f9cd79966cd9742f95e3f5953352343399346ffccab8e0f0325fe69feeb329441990c906ae53cc8eb822eac43caf8158e9d944bb4d72

Download Submit
C:\Users\Admin\AppData\Local\Temp\9MCfWrWUsN.bat

Filesize
195B

MD5
3797da8d8e8f53b24dcc0ec11f705ed9

SHA1
4f18889263ccf1713042e5dd67ec558ab63e5d37

SHA256
69378dbfdd2c6109af895ab251405397e32670058a9fbc9100a3b8141ffd209f

SHA512
d2e2740e227eeabc27e63832cf9c5ebee8a1483657ad987abb327dc09f8a70e575b95150f0712b2e2761f94b7eba6955957cc0d5a1fb3641d959807a7fca7231

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabD0D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EzJh52oHEl.bat

Filesize
195B

MD5
552d9e42a4db2cc3e5cc12574bd27e86

SHA1
75a3f39cdd3f6e94b64e0a61a9b37345282d579b

SHA256
c973fe8246a55ede87415b0ff2179bbee4768205f24b0ef3bd2215aa89a9f424

SHA512
6a648e8343e5b7aa32bea1dbecfbaf503625f7ba96bea49b1c94f3ca659d21cb23e3f91f0b13dd904cf05e36c90666a707e493f8162fce96c3239faead875c3e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarD2F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dgWvFyiHB2.bat

Filesize
195B

MD5
55db8cf7592bd48514b3e6233e3c59c1

SHA1
31a27491286ab5ba862903ff6ce1902562ebac14

SHA256
755247627aefd6a2752446790509bc18ce19c0e33db771a408a643024393df5c

SHA512
c502e599e5021ed786ea6d114185792010685b04d7898901fa18edf772e56b31dafa73d35bf601c3d49c0fb50467f30204f57e0fdd2654ed5f1df4732edd4728

Download Submit
C:\Users\Admin\AppData\Local\Temp\eKnLpNzAx9.bat

Filesize
195B

MD5
7a482d3274773f89448eeaf062713209

SHA1
8de4d55067c32371a1bacf5143fc55f3127a3a2a

SHA256
06f26aa10ba8145a9871fd7916d2b8c30a25c8c681eeb97cca78f2dee7315ac6

SHA512
30a15198343ea091cfa25f5661f412c995820286dd8bad7513b66c09122674d329e2bf5eb2da7420a4f924b573579322e10ee72f0b9b2690c6fb05f845d92b4f

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjtq3MYUh4.bat

Filesize
195B

MD5
ac8d3dba2817ceea3a10811497321c8c

SHA1
9f199f21fa45c54c6c139c913a8e9b2b4267ffff

SHA256
71735723def0d8664f3d0a71bffcb1dcd49d53f798f09d3fb8a3244e95f392dc

SHA512
3d28021e58ae1611c5349a327b821e0862813d11f2f0d1bf41a8a215607d66f6e2d69ada174cb2aeac180001b31212b2677c921667a3c44c0bab036802e1c89a

Download Submit
C:\Users\Admin\AppData\Local\Temp\kNGCBu7dv8.bat

Filesize
195B

MD5
94cb208d0d57a706b186699c25d6cc98

SHA1
1a4a485d0a8ecd524451165a219c9eb7c1b4e3c5

SHA256
3362de82792dcda13eb744eb784a6955ee614dc083d15dbacf3f660f5add6cad

SHA512
e84fbda486e37f1792ec49fd2b411eadbf9fff263df2562ae802fdb49dc8f5f2032c817960f8af6f682d14879cdf7ff34da1d3210d1def8e630f7a74456aa645

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
195B

MD5
9ce09d91547cb20a857989021354c24a

SHA1
04803a9b904a08673bba35ce41bdd22819bb033b

SHA256
df35affdd1d00953ce6a5ce3adf1201fe0f1ea4e0fa4aac9409db337524bfc10

SHA512
1ad910cf92d09c5f921c0a27b638582e3b5cbce6b02165a010e6761fbe5852d0b4339ae1f1c595dc8f8e0096a01c53464421bb9f7b921ccde991574d03fa4dd5

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\O8BZK20P4T452V5H0E5Q.temp

Filesize
7KB

MD5
1cb0c125b91b1770c9285eaac3884c34

SHA1
f15b7e390ad3d73068501ffbfaa43bf0dc2f4298

SHA256
7043c59319d4f77e45f5834b1b2a83e46a7176eeeccf8e490f1973e700ac107c

SHA512
d9c32479eb2ec40e2090d33c8da0a8cc243fdd28d12141e0d7ea4c8396b3c3cbc0b05637935e9a3c213c7924d58cf01126c6ae26a4106d62282e095e0e8498b4

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/760-109-0x00000000001C0000-0x00000000001D2000-memory.dmp

Filesize
72KB

Download
memory/760-108-0x0000000000820000-0x0000000000930000-memory.dmp

Filesize
1.1MB

Download
memory/924-588-0x00000000013C0000-0x00000000014D0000-memory.dmp

Filesize
1.1MB

Download
memory/1056-13-0x0000000001080000-0x0000000001190000-memory.dmp

Filesize
1.1MB

Download
memory/1056-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/1056-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/1056-16-0x00000000004F0000-0x00000000004FC000-memory.dmp

Filesize
48KB

Download
memory/1056-17-0x0000000000500000-0x000000000050C000-memory.dmp

Filesize
48KB

Download
memory/1408-469-0x0000000000BC0000-0x0000000000CD0000-memory.dmp

Filesize
1.1MB

Download
memory/1916-349-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/2180-409-0x0000000000370000-0x0000000000480000-memory.dmp

Filesize
1.1MB

Download
memory/2192-289-0x00000000011C0000-0x00000000012D0000-memory.dmp

Filesize
1.1MB

Download
memory/2360-169-0x00000000009F0000-0x0000000000A02000-memory.dmp

Filesize
72KB

Download
memory/2360-168-0x0000000000D70000-0x0000000000E80000-memory.dmp

Filesize
1.1MB

Download
memory/2460-70-0x0000000002A60000-0x0000000002A68000-memory.dmp

Filesize
32KB

Download
memory/2460-66-0x000000001B6F0000-0x000000001B9D2000-memory.dmp

Filesize
2.9MB

Download
memory/2920-229-0x0000000000510000-0x0000000000522000-memory.dmp

Filesize
72KB

Download