dcrat | aea0ec49a8ad1c0c147128a5fdb28fe3f33482d48c371a749549f2fa61050982

Analysis

max time kernel
146s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_aea0ec49a8ad1c0c147128a5fdb28fe3f33482d48c371a749549f2fa61050982.exe
Size

1.3MB
MD5

91d1c2e4e9871b6bfa20dac73b5fcb7f
SHA1

5c2f61192a9d6644b745e6092df52c751d2486df
SHA256

aea0ec49a8ad1c0c147128a5fdb28fe3f33482d48c371a749549f2fa61050982
SHA512

a070a9dacfb9ea5da6a300b67880104a5fc4219a9393311ca15c89670f76ef97d12bd9e17ceb6de2effd57d8cda71852ae1d02872198511d7b0b318aa99af4a6
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2196	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1228	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1420	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1160	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2304	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1500	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	824	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2244	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2088	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2584	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1124	2584	schtasks.exe	35

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000700000001707f-12.dat	dcrat
behavioral1/memory/2836-13-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat
behavioral1/memory/2128-101-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/1448-219-0x0000000000030000-0x0000000000140000-memory.dmp	dcrat
behavioral1/memory/2652-280-0x0000000000960000-0x0000000000A70000-memory.dmp	dcrat
behavioral1/memory/1944-340-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/824-400-0x0000000001250000-0x0000000001360000-memory.dmp	dcrat
behavioral1/memory/1480-460-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/940-521-0x00000000001B0000-0x00000000002C0000-memory.dmp	dcrat
behavioral1/memory/692-581-0x00000000000C0000-0x00000000001D0000-memory.dmp	dcrat
behavioral1/memory/2488-641-0x00000000012A0000-0x00000000013B0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2448	powershell.exe
2956	powershell.exe
1460	powershell.exe
968	powershell.exe
340	powershell.exe
1656	powershell.exe
1848	powershell.exe
1316	powershell.exe
1804	powershell.exe
332	powershell.exe
1484	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2836	DllCommonsvc.exe
2128	taskhost.exe
2604	taskhost.exe
1448	taskhost.exe
2652	taskhost.exe
1944	taskhost.exe
824	taskhost.exe
1480	taskhost.exe
940	taskhost.exe
692	taskhost.exe
2488	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2288	cmd.exe
2288	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
20	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com
37	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\de-DE\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\wininit.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\CrashReports\56085415360792	DllCommonsvc.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\Migration\WTR\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\Migration\WTR\lsm.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Migration\WTR\lsm.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_aea0ec49a8ad1c0c147128a5fdb28fe3f33482d48c371a749549f2fa61050982.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2304	schtasks.exe
2008	schtasks.exe
1668	schtasks.exe
2144	schtasks.exe
2856	schtasks.exe
1160	schtasks.exe
824	schtasks.exe
2244	schtasks.exe
2228	schtasks.exe
2552	schtasks.exe
668	schtasks.exe
2088	schtasks.exe
3056	schtasks.exe
1420	schtasks.exe
1592	schtasks.exe
1500	schtasks.exe
2168	schtasks.exe
1124	schtasks.exe
2580	schtasks.exe
2784	schtasks.exe
1608	schtasks.exe
1520	schtasks.exe
2196	schtasks.exe
1228	schtasks.exe
1988	schtasks.exe
2192	schtasks.exe
2988	schtasks.exe
2664	schtasks.exe
476	schtasks.exe
1224	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2836	DllCommonsvc.exe
2836	DllCommonsvc.exe
2836	DllCommonsvc.exe
1316	powershell.exe
2956	powershell.exe
332	powershell.exe
1656	powershell.exe
1460	powershell.exe
1484	powershell.exe
1804	powershell.exe
2448	powershell.exe
968	powershell.exe
340	powershell.exe
1848	powershell.exe
2128	taskhost.exe
2604	taskhost.exe
1448	taskhost.exe
2652	taskhost.exe
1944	taskhost.exe
824	taskhost.exe
1480	taskhost.exe
940	taskhost.exe
692	taskhost.exe
2488	taskhost.exe

Suspicious use of AdjustPrivilegeToken 22 IoCs

description	pid	Process
Token: SeDebugPrivilege	2836	DllCommonsvc.exe
Token: SeDebugPrivilege	1316	powershell.exe
Token: SeDebugPrivilege	2956	powershell.exe
Token: SeDebugPrivilege	332	powershell.exe
Token: SeDebugPrivilege	1656	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	1484	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	2448	powershell.exe
Token: SeDebugPrivilege	968	powershell.exe
Token: SeDebugPrivilege	340	powershell.exe
Token: SeDebugPrivilege	1848	powershell.exe
Token: SeDebugPrivilege	2128	taskhost.exe
Token: SeDebugPrivilege	2604	taskhost.exe
Token: SeDebugPrivilege	1448	taskhost.exe
Token: SeDebugPrivilege	2652	taskhost.exe
Token: SeDebugPrivilege	1944	taskhost.exe
Token: SeDebugPrivilege	824	taskhost.exe
Token: SeDebugPrivilege	1480	taskhost.exe
Token: SeDebugPrivilege	940	taskhost.exe
Token: SeDebugPrivilege	692	taskhost.exe
Token: SeDebugPrivilege	2488	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2844 wrote to memory of 2756	2844	JaffaCakes118_aea0ec49a8ad1c0c147128a5fdb28fe3f33482d48c371a749549f2fa61050982.exe	31
PID 2844 wrote to memory of 2756	2844	JaffaCakes118_aea0ec49a8ad1c0c147128a5fdb28fe3f33482d48c371a749549f2fa61050982.exe	31
PID 2844 wrote to memory of 2756	2844	JaffaCakes118_aea0ec49a8ad1c0c147128a5fdb28fe3f33482d48c371a749549f2fa61050982.exe	31
PID 2844 wrote to memory of 2756	2844	JaffaCakes118_aea0ec49a8ad1c0c147128a5fdb28fe3f33482d48c371a749549f2fa61050982.exe	31
PID 2756 wrote to memory of 2288	2756	WScript.exe	32
PID 2756 wrote to memory of 2288	2756	WScript.exe	32
PID 2756 wrote to memory of 2288	2756	WScript.exe	32
PID 2756 wrote to memory of 2288	2756	WScript.exe	32
PID 2288 wrote to memory of 2836	2288	cmd.exe	34
PID 2288 wrote to memory of 2836	2288	cmd.exe	34
PID 2288 wrote to memory of 2836	2288	cmd.exe	34
PID 2288 wrote to memory of 2836	2288	cmd.exe	34
PID 2836 wrote to memory of 340	2836	DllCommonsvc.exe	66
PID 2836 wrote to memory of 340	2836	DllCommonsvc.exe	66
PID 2836 wrote to memory of 340	2836	DllCommonsvc.exe	66
PID 2836 wrote to memory of 968	2836	DllCommonsvc.exe	67
PID 2836 wrote to memory of 968	2836	DllCommonsvc.exe	67
PID 2836 wrote to memory of 968	2836	DllCommonsvc.exe	67
PID 2836 wrote to memory of 1316	2836	DllCommonsvc.exe	68
PID 2836 wrote to memory of 1316	2836	DllCommonsvc.exe	68
PID 2836 wrote to memory of 1316	2836	DllCommonsvc.exe	68
PID 2836 wrote to memory of 1804	2836	DllCommonsvc.exe	69
PID 2836 wrote to memory of 1804	2836	DllCommonsvc.exe	69
PID 2836 wrote to memory of 1804	2836	DllCommonsvc.exe	69
PID 2836 wrote to memory of 1656	2836	DllCommonsvc.exe	70
PID 2836 wrote to memory of 1656	2836	DllCommonsvc.exe	70
PID 2836 wrote to memory of 1656	2836	DllCommonsvc.exe	70
PID 2836 wrote to memory of 1848	2836	DllCommonsvc.exe	71
PID 2836 wrote to memory of 1848	2836	DllCommonsvc.exe	71
PID 2836 wrote to memory of 1848	2836	DllCommonsvc.exe	71
PID 2836 wrote to memory of 332	2836	DllCommonsvc.exe	72
PID 2836 wrote to memory of 332	2836	DllCommonsvc.exe	72
PID 2836 wrote to memory of 332	2836	DllCommonsvc.exe	72
PID 2836 wrote to memory of 2448	2836	DllCommonsvc.exe	73
PID 2836 wrote to memory of 2448	2836	DllCommonsvc.exe	73
PID 2836 wrote to memory of 2448	2836	DllCommonsvc.exe	73
PID 2836 wrote to memory of 1460	2836	DllCommonsvc.exe	74
PID 2836 wrote to memory of 1460	2836	DllCommonsvc.exe	74
PID 2836 wrote to memory of 1460	2836	DllCommonsvc.exe	74
PID 2836 wrote to memory of 2956	2836	DllCommonsvc.exe	75
PID 2836 wrote to memory of 2956	2836	DllCommonsvc.exe	75
PID 2836 wrote to memory of 2956	2836	DllCommonsvc.exe	75
PID 2836 wrote to memory of 1484	2836	DllCommonsvc.exe	76
PID 2836 wrote to memory of 1484	2836	DllCommonsvc.exe	76
PID 2836 wrote to memory of 1484	2836	DllCommonsvc.exe	76
PID 2836 wrote to memory of 1752	2836	DllCommonsvc.exe	88
PID 2836 wrote to memory of 1752	2836	DllCommonsvc.exe	88
PID 2836 wrote to memory of 1752	2836	DllCommonsvc.exe	88
PID 1752 wrote to memory of 3056	1752	cmd.exe	90
PID 1752 wrote to memory of 3056	1752	cmd.exe	90
PID 1752 wrote to memory of 3056	1752	cmd.exe	90
PID 1752 wrote to memory of 2128	1752	cmd.exe	91
PID 1752 wrote to memory of 2128	1752	cmd.exe	91
PID 1752 wrote to memory of 2128	1752	cmd.exe	91
PID 2128 wrote to memory of 2708	2128	taskhost.exe	92
PID 2128 wrote to memory of 2708	2128	taskhost.exe	92
PID 2128 wrote to memory of 2708	2128	taskhost.exe	92
PID 2708 wrote to memory of 2716	2708	cmd.exe	94
PID 2708 wrote to memory of 2716	2708	cmd.exe	94
PID 2708 wrote to memory of 2716	2708	cmd.exe	94
PID 2708 wrote to memory of 2604	2708	cmd.exe	95
PID 2708 wrote to memory of 2604	2708	cmd.exe	95
PID 2708 wrote to memory of 2604	2708	cmd.exe	95
PID 2604 wrote to memory of 2440	2604	taskhost.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aea0ec49a8ad1c0c147128a5fdb28fe3f33482d48c371a749549f2fa61050982.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_aea0ec49a8ad1c0c147128a5fdb28fe3f33482d48c371a749549f2fa61050982.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2844
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2288
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Migration\WTR\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:968
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1316
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\CrashReports\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1656
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1848
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:332
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gh5mXN4FmE.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1752
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:3056
      - C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2708
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2716
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat"
        9⤵
        
        PID:2440
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1988
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat"
        11⤵
        
        PID:1684
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2408
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2652
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat"
        13⤵
        
        PID:1240
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2840
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat"
        15⤵
        
        PID:2816
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:1500
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat"
        17⤵
        
        PID:2188
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:3060
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat"
        19⤵
        
        PID:1872
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1792
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat"
        21⤵
        
        PID:2180
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:1028
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:692
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat"
        23⤵
        
        PID:2788
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1672
        
        C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe
        
        "C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
        25⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 11 /tr "'C:\Windows\Migration\WTR\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Migration\WTR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Windows\Migration\WTR\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Media Player\de-DE\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1420

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Google\CrashReports\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1160

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\CrashReports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2304

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\CrashReports\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:476

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1608

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1520

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1500

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 12 /tr "'C:\Recovery\209d6542-69f6-11ef-b491-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2088

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1124

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51a6c6a274236b83857fff2dd9c7e121

SHA1
b7837f72cddf76eae7daa1e4ab8d2f43d414c302

SHA256
c1b3dcff3de1f9c4a30a56befda86b5ba5fca75a21fdd07d0633c9ab99e4aff8

SHA512
2affb0b75686953b0418f6321548149469912055da6adb8933c3a97b2decab8fbba02706df4e6676a2b58debeafc0601398e0d6c40b95be0de8bbd5a3477d3f7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d5e7eea5b02de6ad9c42f1bdb3b3de8a

SHA1
8520dedcf1cd2fa01ebd20406f3646c804adcc58

SHA256
51b8979fa24398a2d310fd162debcc200cbdaa5df3968610461a3480879eb3f8

SHA512
23fdb68d2620dab06d8d12d267808ec1aa83c00508667bc937d5868d237f91525a382ed0f50405bc0b8716b518092e0aa4c3b25a72079f67070ecfb91b9f18e4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6abe058a3af9a855a4b56ee5ff31f500

SHA1
1b97d3b2d6e21af8ae40c6151f5281a0359f8e01

SHA256
015be780763ad933c02f40a6b298ec635a6d2da777949fd5e70d27a3a4c1b30a

SHA512
ba2ebdaeceee3d7b4b3cc46cf8826c304435ae742060a0e6cfdc60379a229369cc16038d9b135e17abd65e8c54006e1f79b268b43aaf6df1000ef961e0cece5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b759c1b38f49ce015c149e6c55806715

SHA1
1af87c6b83810f29cd1b5f5b41c472ad402c4f1a

SHA256
7ae4082161693adb1427038e01a63f43d4ed2845949b111f88049e3747bf5c98

SHA512
a7fc6c9d36c4f23028c2e7630c684ec468e5d9014ab6fcda8118efb8d9c9682b93947484c120c2e9c0071fb23a8395b7c64dad812a87b865bdb806d421dce7b8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c056484b1e09a7b3adba132834f3d31c

SHA1
8ead31c633f962bc92a2b9cddb3f8d6699aa0f8c

SHA256
c681df5930b90292361c5e1bc9c7377722c3c02f7b56cf56249ed49c3d45cad4

SHA512
9bc6a0755aad4287d8ec3c0368071b247fbd94c633a860b6ff738744e33f856e47c6a99cdcbb8d847d6475c03e6ac437742a6647fe39d8ed192c442534ce82b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cefa670da39b06347f4ac133aad480fa

SHA1
5b70b8b86765cd3e9a97ddeb0709e3a5885f42ee

SHA256
bdad1cc3523ea24bf770b143a77e501a5d406477562042e101e166b5dd3ba43b

SHA512
042edd1e6de17ccadb485c1771a4d8c32e221f59ae40c905d32f6bed23376511e6f883251bbc76a0421fbaa43879bb351faa09d3ab7d5ecae280ce045c2f0c49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4277ecc21f4b8ae19f450e4d006d17fe

SHA1
b2609c36e259a7e385b46bf4da22985b1700b054

SHA256
8543e76761cb6dde7de4684f3f912806f7020fb32d0ce6fe08274ee5e944c089

SHA512
c6e763ef02a6253ccc6d6c1192aaccdb61a718a94e6bd7135c1762dccc2335c53912b42d29c6ce7505edb4c320ea978b3bc0a1169a780e869b5c9e4c7f67b05b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f321a309379aec138f7f5ae2fd8ac6a

SHA1
f574fe76f329cb5be4d7b7a5e9625ca374e8e844

SHA256
910a9cc2a1535422626d4222085280465b3383d0e918c08a1c417170566c5edb

SHA512
3ff47fe485c45e236798d616377a4b9927a807b8a4d0893223f45e5e99ad5f35925a9a07e8d475c46818dbdfcd89058f378c6783940a34af43dcd57fc0dddac0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
610078e106ddf4e15df66aa843ca6558

SHA1
66b1bda315f2ac35f42cbf9052a0923564396777

SHA256
1c8e45b6759321a14f4770d635929b11733ed4ba40d2c7554cd1b3201f840cbf

SHA512
3b74fda980e762991df445e3415ce7cd7947f483d14d1a1597ea344a9c2d6612c4b8171eb87e5e21eca7ac718cf34c4dbfd22c85ba96073c987b84c44891b000

Download Submit
C:\Users\Admin\AppData\Local\Temp\4JlC5zfAS6.bat

Filesize
226B

MD5
0026419d6da954ee582195a8fe4962aa

SHA1
dca261f551e3caf3801589295a20d950fe97d3c9

SHA256
4a71797777f2e26b9e30e98c96a83c2bd0626d4a1ecd30c92b8d09ed6b40fdfa

SHA512
cca26b2fbefed6a9806ae4c6e299f9915030ccac7906b0b44970fd361bdf51535321680a412f73db1a285c18e497fc96c9ad2b0d34670088dcaa79468b76ab44

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2B37.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\GW80Ek08hx.bat

Filesize
226B

MD5
cebd2a95b236040e1ba20f87b7dce210

SHA1
614e5a2acff7c2ebdde678eec88bb9fc7757469f

SHA256
7b1c837becb2e98757e8e7317f125f2ec68d5a28667d416f049b391c1b790682

SHA512
84ff6cd99ff69f3d6a11cd6dda68bf549c98c09eeb29bcb48a2ff3566736558c63cd65b468fa3c638c359730ed39f8cc0b5af58b43e61882a5d7ec29fab7d401

Download Submit
C:\Users\Admin\AppData\Local\Temp\HcCr6nEVp7.bat

Filesize
226B

MD5
75a3f5b75fbe64c39fb1f44865745a57

SHA1
981db0b4456de07d073d7f92f048955c438f0db8

SHA256
1be1877504f8aa0678c2898ad0e0931c5a3eb2ff1223249dcb8ecf8f086f8320

SHA512
94f58daf3a3cc36088498248ded38b467f1db53476c2a6fb83b9ea48bc40bf5f176802f99b483538208365d9854ac5445543e625bda70f6796bcad97b01913c6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Kq4mDwN7mD.bat

Filesize
226B

MD5
ff609936422b299431034595b6d588b5

SHA1
9ba0bd517198158886a59006615d39b9cd1d4ac8

SHA256
7f730e64bed5efe1e9d70c6e47f2c7800ec3fd53d71acbcc40457e97437f4d76

SHA512
1eae7b62bfcd9c55068f33a846776b9fd7b03c5b9e93fbc3d3a7179bac69eccd1241fd570e3eb01c23f6e890fb0546f3fd691f5ebeb8c1e7e7bec240e0cab6a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\NADK710Kqv.bat

Filesize
226B

MD5
ad2a7dfafd8336d5ae14a497a6c1a48d

SHA1
000f13161bde4eaa2f38dcb617a6098a7be07b42

SHA256
ac30ee75cadc3fb5db08056750e7ddd4df3313fefe429fa98b4d6030a8a2d77e

SHA512
fc564dc6e197c94b5cbf37bdbce21e574997c5c4013b4f474b0c233cf18d5e1b4a60d7713dd21e29ee60991e449a8d403c3c62b5d89f885134ebc36ce106dc51

Download Submit
C:\Users\Admin\AppData\Local\Temp\Q0tVgmHuxR.bat

Filesize
226B

MD5
646e092c8ce9ace28475307277a588d0

SHA1
4f237cf1e41987a32f51b509a51a631aecc726fa

SHA256
37d510350cd9de9e2f6741c01473acfebcd6af10f7dc2ab007da88e1a3843d44

SHA512
1e0500c39d52b6fc9e895b723aad825598253ff590ce258d5b91b18f7a72a97dca6b1abe911e7e344c43bc418d66b3e97b8ab9bf761de31214719895b09b52df

Download Submit
C:\Users\Admin\AppData\Local\Temp\RId7nS4uU7.bat

Filesize
226B

MD5
0f5a704a7c4baf67b199bb034a5c637f

SHA1
e63ea9538b1c13a4ed987fbf116e5fe23f3fb705

SHA256
c7cf886cb9dd60b31be20580afb8f00d76a2063a8f6307acb11b9cf211912a8c

SHA512
d00f81101c540ea371e18dd24c8f57ee28da4f32d312aee15d7c2b37f4f0a9646447b1e0e195b7779d4cef8ea62fb04aaf31757f75863c456dcc349e329f5d4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2B4A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Zi7wkUpBKE.bat

Filesize
226B

MD5
34f737dfb255650c0cb1a3f6a4348776

SHA1
43ed75fa8b790a458b74e457c566d701fa0acde2

SHA256
491b229f8a15cccdf4c06bdbf289fe093747762f36e2d5b0e48c3facf737bc2a

SHA512
b1c2dc53cc06800f62a6955350fe31bb97312ebf2788edfab00e6507e1a55a6f497b1667627872fde38a9c7f70446e199a13800843b45571e2ef3dbae3462b86

Download Submit
C:\Users\Admin\AppData\Local\Temp\gh5mXN4FmE.bat

Filesize
226B

MD5
b54f72836a57f195334c07df5373952b

SHA1
2f59c1da7da360f7dae75e8069c7de5bd2eb783a

SHA256
c00ed0bac0a5fa7133e0b71a56241716e78beba34bc9a5f151eacfaf5c96c7a4

SHA512
368fc1af98ca4cc12a76389c4e141d1c36721ae8a7ee59444f086790293bda7695f08e9d355a5381a1a27953530c7cdad26a32ec246ff61905cc48efda1ee577

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

Filesize
226B

MD5
6cb19f7e5aa22aa3e2b09db5de7d498f

SHA1
c127f0c3a9ae03542479f472a2ef1c081953a404

SHA256
59d96e1fe1cbb32c402b0a043cf900d63402c2cbdc726ea2657dd6fbb9c7ceda

SHA512
f75730d34d9f9db0e3e30c34afbb54f21d09b9d987abb99a7c6e6597b8fc96a0d03f2440610c6a59e7e5e57ef8c1fce01520b82355fcbdafa4f737958562c317

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRcBAgH7Mb.bat

Filesize
226B

MD5
53465beb66cae24506f4c92ee49e36d3

SHA1
5b04d3601f5ddaf64bf162d10cc059f2858e4656

SHA256
9e2870c5c87fe94408c84d0f291a6ed8d1bcb0b5b7769440452f17c0fd9f3f11

SHA512
0fff529bad9cb38f9db7e96fd950beadb41359d2eca1e0bb550340e46d19c81ecdc776b302647da69ae966bf784c0642de730d171fe5432f91083a14874a083c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
865881ebdc44b009a149dae227c86b35

SHA1
433ebfe14a3e1ed69deaadbea6dd9d12a264b40d

SHA256
21987e4b25e4e5bfecccd754a18bca1802985c41b0ce2225967930a530f0b5a3

SHA512
2c96f01648da2c85c566416624198c25b22e02d320012a886d423dea22b3a0b7d028fb7621ed44a6bc8cfe909b374fb0d7b7e0fe8f6e0acc3291aa263eb80f1e

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/692-581-0x00000000000C0000-0x00000000001D0000-memory.dmp

Filesize
1.1MB

Download
memory/824-400-0x0000000001250000-0x0000000001360000-memory.dmp

Filesize
1.1MB

Download
memory/940-521-0x00000000001B0000-0x00000000002C0000-memory.dmp

Filesize
1.1MB

Download
memory/1316-69-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1448-219-0x0000000000030000-0x0000000000140000-memory.dmp

Filesize
1.1MB

Download
memory/1448-220-0x0000000000460000-0x0000000000472000-memory.dmp

Filesize
72KB

Download
memory/1480-460-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/1480-461-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/1656-60-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/1944-340-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/2128-101-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2488-641-0x00000000012A0000-0x00000000013B0000-memory.dmp

Filesize
1.1MB

Download
memory/2652-280-0x0000000000960000-0x0000000000A70000-memory.dmp

Filesize
1.1MB

Download
memory/2836-14-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2836-13-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2836-17-0x0000000000380000-0x000000000038C000-memory.dmp

Filesize
48KB

Download
memory/2836-15-0x0000000000370000-0x000000000037C000-memory.dmp

Filesize
48KB

Download
memory/2836-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download