dcrat | 9f47eef23e4f542b4c672681668e882239d88258dbf4efee1a246cbc607f34f0

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 07:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9f47eef23e4f542b4c672681668e882239d88258dbf4efee1a246cbc607f34f0.exe
Size

1.3MB
MD5

461fb8255200ab8336d5350f89c8b328
SHA1

dcb7d7c3d50b7eee1d7efa19d1c27fb4703bc96a
SHA256

9f47eef23e4f542b4c672681668e882239d88258dbf4efee1a246cbc607f34f0
SHA512

011341b8887515d522be15262a7180b8ecdaffb07e9dccf8ee005a29c1aa0a527d605ebaf59c538e370edfee8a6e040f2eb94ff86cc77a62ee9774cbd791e108
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2772	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	340	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1268	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2060	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1796	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2136	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1628	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3060	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2796	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	704	2796	schtasks.exe	35

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001921d-9.dat	dcrat
behavioral1/memory/3048-13-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat
behavioral1/memory/1396-46-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat
behavioral1/memory/2188-285-0x0000000000130000-0x0000000000240000-memory.dmp	dcrat
behavioral1/memory/2676-345-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/696-405-0x0000000001300000-0x0000000001410000-memory.dmp	dcrat
behavioral1/memory/340-465-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/1576-526-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/2972-586-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/1808-646-0x0000000000F80000-0x0000000001090000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
576	powershell.exe
1680	powershell.exe
1160	powershell.exe
1760	powershell.exe
2864	powershell.exe
1480	powershell.exe
1612	powershell.exe
1508	powershell.exe
2704	powershell.exe
844	powershell.exe
2624	powershell.exe
2392	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
3048	DllCommonsvc.exe
1396	spoolsv.exe
2084	spoolsv.exe
1204	spoolsv.exe
2188	spoolsv.exe
2676	spoolsv.exe
696	spoolsv.exe
340	spoolsv.exe
1576	spoolsv.exe
2972	spoolsv.exe
1808	spoolsv.exe
3056	spoolsv.exe
1964	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
3016	cmd.exe
3016	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
38	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
12	raw.githubusercontent.com
25	raw.githubusercontent.com
32	raw.githubusercontent.com
42	raw.githubusercontent.com
9	raw.githubusercontent.com
15	raw.githubusercontent.com
18	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\csrss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Internet Explorer\de-DE\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\de-DE\886983d96e3d3e	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9f47eef23e4f542b4c672681668e882239d88258dbf4efee1a246cbc607f34f0.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2548	schtasks.exe
1924	schtasks.exe
2628	schtasks.exe
704	schtasks.exe
2456	schtasks.exe
2260	schtasks.exe
1268	schtasks.exe
2480	schtasks.exe
1628	schtasks.exe
2400	schtasks.exe
2440	schtasks.exe
2060	schtasks.exe
1796	schtasks.exe
2136	schtasks.exe
2404	schtasks.exe
2984	schtasks.exe
2836	schtasks.exe
3060	schtasks.exe
1332	schtasks.exe
2816	schtasks.exe
2832	schtasks.exe
2772	schtasks.exe
1968	schtasks.exe
2340	schtasks.exe
2872	schtasks.exe
1228	schtasks.exe
2700	schtasks.exe
340	schtasks.exe
1420	schtasks.exe
1656	schtasks.exe
1748	schtasks.exe
1528	schtasks.exe
1904	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
3048	DllCommonsvc.exe
1480	powershell.exe
2704	powershell.exe
1760	powershell.exe
1508	powershell.exe
844	powershell.exe
2864	powershell.exe
1160	powershell.exe
2624	powershell.exe
1680	powershell.exe
1396	spoolsv.exe
1612	powershell.exe
576	powershell.exe
2392	powershell.exe
2084	spoolsv.exe
1204	spoolsv.exe
2188	spoolsv.exe
2676	spoolsv.exe
696	spoolsv.exe
340	spoolsv.exe
1576	spoolsv.exe
2972	spoolsv.exe
1808	spoolsv.exe
3056	spoolsv.exe
1964	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	3048	DllCommonsvc.exe
Token: SeDebugPrivilege	1396	spoolsv.exe
Token: SeDebugPrivilege	1480	powershell.exe
Token: SeDebugPrivilege	2704	powershell.exe
Token: SeDebugPrivilege	1760	powershell.exe
Token: SeDebugPrivilege	1508	powershell.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	1160	powershell.exe
Token: SeDebugPrivilege	2624	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	576	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2084	spoolsv.exe
Token: SeDebugPrivilege	1204	spoolsv.exe
Token: SeDebugPrivilege	2188	spoolsv.exe
Token: SeDebugPrivilege	2676	spoolsv.exe
Token: SeDebugPrivilege	696	spoolsv.exe
Token: SeDebugPrivilege	340	spoolsv.exe
Token: SeDebugPrivilege	1576	spoolsv.exe
Token: SeDebugPrivilege	2972	spoolsv.exe
Token: SeDebugPrivilege	1808	spoolsv.exe
Token: SeDebugPrivilege	3056	spoolsv.exe
Token: SeDebugPrivilege	1964	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2052 wrote to memory of 2484	2052	JaffaCakes118_9f47eef23e4f542b4c672681668e882239d88258dbf4efee1a246cbc607f34f0.exe	30
PID 2052 wrote to memory of 2484	2052	JaffaCakes118_9f47eef23e4f542b4c672681668e882239d88258dbf4efee1a246cbc607f34f0.exe	30
PID 2052 wrote to memory of 2484	2052	JaffaCakes118_9f47eef23e4f542b4c672681668e882239d88258dbf4efee1a246cbc607f34f0.exe	30
PID 2052 wrote to memory of 2484	2052	JaffaCakes118_9f47eef23e4f542b4c672681668e882239d88258dbf4efee1a246cbc607f34f0.exe	30
PID 2484 wrote to memory of 3016	2484	WScript.exe	31
PID 2484 wrote to memory of 3016	2484	WScript.exe	31
PID 2484 wrote to memory of 3016	2484	WScript.exe	31
PID 2484 wrote to memory of 3016	2484	WScript.exe	31
PID 3016 wrote to memory of 3048	3016	cmd.exe	33
PID 3016 wrote to memory of 3048	3016	cmd.exe	33
PID 3016 wrote to memory of 3048	3016	cmd.exe	33
PID 3016 wrote to memory of 3048	3016	cmd.exe	33
PID 3048 wrote to memory of 1760	3048	DllCommonsvc.exe	69
PID 3048 wrote to memory of 1760	3048	DllCommonsvc.exe	69
PID 3048 wrote to memory of 1760	3048	DllCommonsvc.exe	69
PID 3048 wrote to memory of 844	3048	DllCommonsvc.exe	70
PID 3048 wrote to memory of 844	3048	DllCommonsvc.exe	70
PID 3048 wrote to memory of 844	3048	DllCommonsvc.exe	70
PID 3048 wrote to memory of 2704	3048	DllCommonsvc.exe	71
PID 3048 wrote to memory of 2704	3048	DllCommonsvc.exe	71
PID 3048 wrote to memory of 2704	3048	DllCommonsvc.exe	71
PID 3048 wrote to memory of 1160	3048	DllCommonsvc.exe	72
PID 3048 wrote to memory of 1160	3048	DllCommonsvc.exe	72
PID 3048 wrote to memory of 1160	3048	DllCommonsvc.exe	72
PID 3048 wrote to memory of 1680	3048	DllCommonsvc.exe	73
PID 3048 wrote to memory of 1680	3048	DllCommonsvc.exe	73
PID 3048 wrote to memory of 1680	3048	DllCommonsvc.exe	73
PID 3048 wrote to memory of 1508	3048	DllCommonsvc.exe	75
PID 3048 wrote to memory of 1508	3048	DllCommonsvc.exe	75
PID 3048 wrote to memory of 1508	3048	DllCommonsvc.exe	75
PID 3048 wrote to memory of 576	3048	DllCommonsvc.exe	77
PID 3048 wrote to memory of 576	3048	DllCommonsvc.exe	77
PID 3048 wrote to memory of 576	3048	DllCommonsvc.exe	77
PID 3048 wrote to memory of 1480	3048	DllCommonsvc.exe	78
PID 3048 wrote to memory of 1480	3048	DllCommonsvc.exe	78
PID 3048 wrote to memory of 1480	3048	DllCommonsvc.exe	78
PID 3048 wrote to memory of 1612	3048	DllCommonsvc.exe	79
PID 3048 wrote to memory of 1612	3048	DllCommonsvc.exe	79
PID 3048 wrote to memory of 1612	3048	DllCommonsvc.exe	79
PID 3048 wrote to memory of 2392	3048	DllCommonsvc.exe	80
PID 3048 wrote to memory of 2392	3048	DllCommonsvc.exe	80
PID 3048 wrote to memory of 2392	3048	DllCommonsvc.exe	80
PID 3048 wrote to memory of 2624	3048	DllCommonsvc.exe	81
PID 3048 wrote to memory of 2624	3048	DllCommonsvc.exe	81
PID 3048 wrote to memory of 2624	3048	DllCommonsvc.exe	81
PID 3048 wrote to memory of 2864	3048	DllCommonsvc.exe	82
PID 3048 wrote to memory of 2864	3048	DllCommonsvc.exe	82
PID 3048 wrote to memory of 2864	3048	DllCommonsvc.exe	82
PID 3048 wrote to memory of 1396	3048	DllCommonsvc.exe	93
PID 3048 wrote to memory of 1396	3048	DllCommonsvc.exe	93
PID 3048 wrote to memory of 1396	3048	DllCommonsvc.exe	93
PID 1396 wrote to memory of 2420	1396	spoolsv.exe	94
PID 1396 wrote to memory of 2420	1396	spoolsv.exe	94
PID 1396 wrote to memory of 2420	1396	spoolsv.exe	94
PID 2420 wrote to memory of 1228	2420	cmd.exe	96
PID 2420 wrote to memory of 1228	2420	cmd.exe	96
PID 2420 wrote to memory of 1228	2420	cmd.exe	96
PID 2420 wrote to memory of 2084	2420	cmd.exe	97
PID 2420 wrote to memory of 2084	2420	cmd.exe	97
PID 2420 wrote to memory of 2084	2420	cmd.exe	97
PID 2084 wrote to memory of 1452	2084	spoolsv.exe	98
PID 2084 wrote to memory of 1452	2084	spoolsv.exe	98
PID 2084 wrote to memory of 1452	2084	spoolsv.exe	98
PID 1452 wrote to memory of 1508	1452	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f47eef23e4f542b4c672681668e882239d88258dbf4efee1a246cbc607f34f0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9f47eef23e4f542b4c672681668e882239d88258dbf4efee1a246cbc607f34f0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2052
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2484
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3016
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:3048
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1760
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1160
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:576
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2864
    - - C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1396
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1228
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1508
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat"
        10⤵
        
        PID:1984
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1592
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2188
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat"
        12⤵
        
        PID:2280
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1556
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat"
        14⤵
        
        PID:2456
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1920
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
        16⤵
        
        PID:2004
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2332
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat"
        18⤵
        
        PID:2356
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1548
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat"
        20⤵
        
        PID:904
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2788
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2972
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat"
        22⤵
        
        PID:1264
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3020
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1808
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat"
        24⤵
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2804
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat"
        26⤵
        
        PID:2860
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2848
        
        C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe
        
        "C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat"
        28⤵
        
        PID:2452
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        29⤵
        
        PID:2272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Internet Explorer\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2984

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2260

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1268

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2136

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3060

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1332

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:704

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8d30c45a65b7bbf6a12d641b0566d9a5

SHA1
299189f8d6921f740450bd00518e1ad02d5c6ed2

SHA256
efa1c0be45433258ba2028a8d3aed564d990abbcff60fdc92ccc2163aebb83f4

SHA512
c91c1978b85fb227f262ec9144a7c6117ecb1f121d9b50c5ab93625b39afef038f3f6f612c6f8a725ea4d966b23ef5b08bd76604000d5bd39259fa8b3fc88d89

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
acb24c8b53fb72d8e55cfc1ba247f09d

SHA1
5052706c80fb0199c5bd6e40da98b1a96a86a1fa

SHA256
430155281e89101ef4d135670881d6c7e74605ada1f25ec3991fedc36854659a

SHA512
8fcfd4a273c3c19776423ae64cff8ed7e187c5383908bfe572b589b5a45de9345236fec502030741a31da233e7e3a89865b1edf30572326b6a0547c1bae6bb0c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
758cb511c8b14a81e37a222832ce2d7d

SHA1
6a2bcaae3e9317d25d9b83f995f72a6b99ce7925

SHA256
88c804f2f46083e397201048528220cb0b55ab6c7b5e750622134976d3816874

SHA512
84af160ae4921dc40b9d1d1d1459183e0837867d8b866c9723ad45536d5e23d443eeec81cdcdf4b765dcbaa2c45fa478b9ca6016f1a1b98de23332e9c04c581e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
daeec3204b2cbf25bc3bf4e939643b89

SHA1
8d43bfd23b2db2e6bb73e2e79a06528641f5b617

SHA256
2114c1b4e2280ff163b00e39959d8f1bc163d148e80cb17362ed6bf8484a1e58

SHA512
3d75ef4fbb9fa4251695dd8813edd49fce6eb125634f962db702d74b47513e76f6b0bc1c86b3c47a37fb1a3c3cde39a628bedf6509311ea6864c07d9559b1242

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e13a226a91d835e34f03d33b9c7d4d47

SHA1
f589b40cdefde42060a88654c43de2ed554d2563

SHA256
f6d17b11c09533b6759b7b457c6c2067b51607e0ea74fa59739b154443d05c2c

SHA512
c24da11cf689c47c4d1df778b8e3bee020bdfbcdd17a0a2222ef3f0f9852b218726442d706fe54587e93aad1fc7bbe3f1a9a3a8fc99d1161fce554e7019ae021

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3395b83bbc0e1612482ab254fe5cf37f

SHA1
4adf3a089b6ecb7c90510fe5a1675707020c7ef4

SHA256
e8950a5cd86a2064a0440cf30204c4201c290093e59c08d9b61aa09d91c3efaf

SHA512
c067605a80103944f8de602903f3e62982b6f8605580337c648885d31ecb883215b660162162dbc21380a9855e290458d306d3eeb82109b44a5d07edb7cbf3df

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ad187a3239f8af5cffa1e05833e6f20c

SHA1
e2b58a9a21149c17be67e7f16d3bc135d49e5183

SHA256
3e374597f9210e9f9752f014681e105aae5bb995da210996e7716ab5f206d53d

SHA512
b4e2f1c6bdee9453a23bc510d33ef05fcc582737e9682afbea81544d4a796cb10cc7a05e93edafa43f3cd0bffa991e55b93a8949714ab1124d1745b6f7c11a72

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87c00319750962bc87c1bf570e697e3c

SHA1
a1ae0e93626f8ce065f2c49005aa751e71702783

SHA256
410872244375ad8a90aaf30f32e08852918839eae5aa8db0b375f04e019c66b8

SHA512
e0eceadaa4ab42e2f7faa46b3c8923e1274ec6b726e11bc33526eb479c9c1d228f1538d3a3eb59482f81a4739b54edfd9577f61b8b5d4688456243309d5c9920

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cc02ba6cd6a672341ab1ab4a7bdabc5

SHA1
2ae172d61315c31e39b0bbc7c6b8ee28039dacfc

SHA256
86b7e4d741fcf510dc2bbbda28ac79008ead25ae018888a202b5fe556d54acb3

SHA512
bf5f4e01a8a214a1548288a9469aedcf2c58f25551b98d66c45570bd38b8e4637762b122882dfee25cc731d0789b55f2da514e005895c17102564bef6d634d8e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
09dc4d5fcb715e62b653285ac9e72d0c

SHA1
4819286fbfcade222728daca33226830eed68cb7

SHA256
48fbf29558a967e4184c3e736ec3710f82b17f4227087c5650cab550c9fa9cf0

SHA512
c765ed0cbb37c751065c8b2f5b596e6e3bb64693092495f8b6ebdd0f160c9c2de384099b99c54365ad842e53b64fe20d43d0aacee03dbe1ecb8fdbf163ecb1af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f1153390672e7d8f8a29ea7847d25914

SHA1
9fb9ef9be5583ddffac47df3445d085bbdfde018

SHA256
d6620f70588623ba0eb2c1123d6ad5f43c3b1f216acaf8eda641b244559a718f

SHA512
726b6e08c5eceb04e46538aa19213d67befdfd7bb3975257b70e47396c94edd596e863553343b2025501ce04a79b237ecc5d67bf76dc6837eb7f25ea33add0ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\5DPJyftqFq.bat

Filesize
225B

MD5
28c3e818a2e44d5634569c2da48578ad

SHA1
b0b658a9173dd9f3809a912a078bf4908bbf04db

SHA256
f5a11b70efa781eecbf6810bafc7e31e7f5617a7af00b4f81470fb707a83c216

SHA512
6c52a8b5f83fe671d0408b68d342d7f6b4355d15d09a4ffd47ba59fbe0b672d80d036b13c5d7705e946360d69def6034e5d8311a4ffe96ce013bd4489343b677

Download Submit
C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat

Filesize
225B

MD5
363c821ec691514c2af98b8be93c8543

SHA1
42b01861140fa084af11f8fad6f426f11edcd33e

SHA256
1200f707b3068eb358f548c90b204bc70a6448806228be7ae479b347fe6250e0

SHA512
fbafc6ed64a9548035187cecef8b1aa98cdf8c7b66464780e2ed5907d695c900c6e0e9ea4d5d72934853723f6ca9368f27ce90deb153436d5b11d5cdcd7cda91

Download Submit
C:\Users\Admin\AppData\Local\Temp\AJeLhFiBvb.bat

Filesize
225B

MD5
a109e9d2aa318577331e473c500049b5

SHA1
c36cea0959823e3493339dbcb9bfd5cfc1972324

SHA256
c514682d23792c88e8175663747f39cbda96b5d0e3bab56b70a028389e275f34

SHA512
b421d64eb3f4ba7610588502f540c1aabce7ddc43f230e893ab2533fc0e181a9f9c6dde030d0622940f72cb88b86852662207e2b3466c27e05cfd21b68c5dc74

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ay7XDWEJg9.bat

Filesize
225B

MD5
946f62b22c73bdc9d41c2f764c803b23

SHA1
267cc3756b8595f203a8c8a04f1bf23b814d5817

SHA256
aa794ff70d81af25f3ed18ba50a957a13db548d9f9a47009ff32e9598f3d96c7

SHA512
3228f80212dcd86234381894a441c83e29021a102309ee14b55518b67e5929d527c372f3cfe39ba29878e07e3799e6d6827a5da335a0b2f9ef67f5d0bf2fdc58

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat

Filesize
225B

MD5
319a1418df59e0e9e9f11fe354f636dc

SHA1
7df93da9aa4f1d8bdc31789785523dd1a187234d

SHA256
9338d5963376c6a3bab1effaf06444f11a5d7a86ed446196fa10fed7d247c156

SHA512
18cc9cc0c52deba7d70ed96856edddf1ac3350ae3a77adfef999990b855c4a07b0cb73a5afc4f9fdf33567f566387c4adb9585681bcbea00dd6e119b8017fa6a

Download Submit
C:\Users\Admin\AppData\Local\Temp\C0VS1u4WCC.bat

Filesize
225B

MD5
c82e667e8f735cd16160d2316526e54e

SHA1
d7806b8b564d4e120aa3b71705ffb2bf3b81d4b8

SHA256
cbdff30e449d0da037d4ea01e7162fd09ff4b138571dfcc70a2af6a6a956595c

SHA512
73e123b35a0ee5095917c877efa568dfb11f3d542414e51226e7209c40c4d9751b3e98732d40d15a7a5aadb0907e526f7d5bd0615e62b2e2492c0e75b5ef3ff1

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabEC25.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\PeSwWR6joe.bat

Filesize
225B

MD5
a64f1c702647a8fba1bbf7e7e0ac058f

SHA1
6c043b4f092ee2d05d0aa1f852da5fa488e89c4a

SHA256
bd879cc4bf24d0b5f21265a77ef727215a937bb9cb4d1bae36caaf4f4b2f5e79

SHA512
37b6c36ce809520155ce859b8f90b7d81ad186261eea053f4d2d4ee83a6f990ce121e7040c44ea3c4a01a53bc5e2cb79d3e047a1cdb5bd56eebcc4e64d12b9c3

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarEC57.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dFeEewS5jL.bat

Filesize
225B

MD5
bb2042630439df7f532c6f23ada91f80

SHA1
17c14ac0a999a8599d7cd1810f90adc9dae2044a

SHA256
c426bfd6d053f409dc65dd6365c437bbde7986fdadc28381003e0a18afa61a86

SHA512
bdba2e46f732931291b75ca4428e74dc792e81b78495d86bd49920228a1ad8a196c3ddd9290a51d6a89fb56d65625a36d46a5d4bd97c36e904ade3dce1495d4b

Download Submit
C:\Users\Admin\AppData\Local\Temp\lHo4kC1bcD.bat

Filesize
225B

MD5
084cbd75ec52ff1d68547b2f7177509c

SHA1
a4e30e8ccaf892c21a2b96d12c3075a993a7bb4d

SHA256
94e9f0de57adc80c8fb09fd3938233a4d7d628ef538d3fecd3025585cba821f1

SHA512
e87550e93d7f9513d25150ed7111d201311e1e0ff727899ce8c807d12135054be3c62b7383759d1e34c80c31c8cfa4848af8aecb0a917af21484238c1f4f6c98

Download Submit
C:\Users\Admin\AppData\Local\Temp\s5uDoSCHZY.bat

Filesize
225B

MD5
f4d9100cd0549f5fd1002a1277b6f97a

SHA1
9bbc29c10c4d86c594a9d3b9d0e2eb9860710a1b

SHA256
667fe51de43782395cecfd5f2c6a6152613fdd903b3c3527c8eb8a9b071a0ad5

SHA512
03c5a34f7e46af742581375a36db1b94cc9b54961c75cb02d637d79120bde241e716446040fb3b7eaeddf78d42521974f9593eb27b06136d33eea649ade2cb09

Download Submit
C:\Users\Admin\AppData\Local\Temp\tpXWVAFTZv.bat

Filesize
225B

MD5
6adc8d030b83cfebc775dd376250a2b9

SHA1
fec776d7e4550bfae6ac72bde07768fdf5276ba2

SHA256
48cdf351fafa58b6602fee92e8359e313410f69b5397f6a1851197b759105fc1

SHA512
6233fa49b5a9df54fc3320eabdc08a2f35f8866e192742ffcee87a87a827cbb2830dfe43140fb61937b09cb60e6df2ba02f3017a9b3ff48052ec2f5de67cdba7

Download Submit
C:\Users\Admin\AppData\Local\Temp\v65NgynF79.bat

Filesize
225B

MD5
72ef5695174d5ed76e88bb4b8aba40a7

SHA1
37828c28b8d28d565b3b0cced3e59ada80f433c3

SHA256
7d6fe5d4732f6132ceff48c1e1bafd0cb84226b4f40bc945d7d84ad9cbb67483

SHA512
d979c5a09e6bc9285b1a852b2652528728c309259b45b56745e31c7ff15d1c4a8f7074de53b9843cdaf561e0e8edb5dceb33fe1c23084b4f5a6b01b3faffd13c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
da220475d06bd19a9c4537f8d25b4435

SHA1
e7ff5c6e1d47b84db37edb185d7efa0bb7128b0f

SHA256
d96e679664cb6000eff68dfacbecea11f7074cb17a48a0c826d83240330f039d

SHA512
b7f16e4cc66e03df813f80a49868ffc0b3f9a2367bcfc9899261159f69ad9229c4b5c5750f04ef533f796b2b40d4fa3397cc75ff5ff3510debdb379e9ac4d89e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/340-465-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/340-466-0x0000000000250000-0x0000000000262000-memory.dmp

Filesize
72KB

Download
memory/696-405-0x0000000001300000-0x0000000001410000-memory.dmp

Filesize
1.1MB

Download
memory/1396-87-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/1396-46-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/1480-86-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/1480-88-0x0000000001D70000-0x0000000001D78000-memory.dmp

Filesize
32KB

Download
memory/1576-526-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/1808-646-0x0000000000F80000-0x0000000001090000-memory.dmp

Filesize
1.1MB

Download
memory/1964-766-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2188-285-0x0000000000130000-0x0000000000240000-memory.dmp

Filesize
1.1MB

Download
memory/2676-345-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/2972-586-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/3048-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/3048-13-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/3048-15-0x0000000000560000-0x000000000056C000-memory.dmp

Filesize
48KB

Download
memory/3048-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/3048-17-0x0000000000580000-0x000000000058C000-memory.dmp

Filesize
48KB

Download
memory/3056-706-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download