dcrat | 621df625130e5405ff9a9b7683990eafc1bfed600cc4c01bda245c41273191a8

Analysis

max time kernel
143s
max time network
139s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 09:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_621df625130e5405ff9a9b7683990eafc1bfed600cc4c01bda245c41273191a8.exe
Size

1.3MB
MD5

7b1665d6e5a4ce946c41b3d25755528a
SHA1

b97cc550f41a8362944374b980ea9681bc7770e8
SHA256

621df625130e5405ff9a9b7683990eafc1bfed600cc4c01bda245c41273191a8
SHA512

091c978eb2e2bfc43550e0a3c79c9959055c88dae92b0e05fdf01efc7449292ed8e54ee565065dc34257fa429b7b448f2ba2b795f3ff32c43443c994c0d69fc7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2776	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2264	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	880	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	748	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	744	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2948	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2916	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2348	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	852	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	884	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1524	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2168	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1436	2168	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000015dc0-9.dat	dcrat
behavioral1/memory/340-13-0x0000000000C20000-0x0000000000D30000-memory.dmp	dcrat
behavioral1/memory/2412-74-0x0000000000A90000-0x0000000000BA0000-memory.dmp	dcrat
behavioral1/memory/1436-174-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/2992-234-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2800-294-0x0000000001290000-0x00000000013A0000-memory.dmp	dcrat
behavioral1/memory/2640-532-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2456-592-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/2612-653-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2000	powershell.exe
2020	powershell.exe
2928	powershell.exe
652	powershell.exe
1716	powershell.exe
1448	powershell.exe
736	powershell.exe
3016	powershell.exe
2252	powershell.exe
1600	powershell.exe
2908	powershell.exe
892	powershell.exe
1680	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
340	DllCommonsvc.exe
2412	taskhost.exe
1436	taskhost.exe
2992	taskhost.exe
2800	taskhost.exe
2496	taskhost.exe
2272	taskhost.exe
340	taskhost.exe
2640	taskhost.exe
2456	taskhost.exe
2612	taskhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2180	cmd.exe
2180	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
16	raw.githubusercontent.com
30	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files\Internet Explorer\en-US\0a1fd5f707cd16	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Internet Explorer\en-US\sppsvc.exe	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Panther\setup.exe\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Panther\setup.exe\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\Help\Windows\fr-FR\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Help\Windows\fr-FR\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\Panther\setup.exe\explorer.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_621df625130e5405ff9a9b7683990eafc1bfed600cc4c01bda245c41273191a8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2264	schtasks.exe
2596	schtasks.exe
2448	schtasks.exe
2780	schtasks.exe
744	schtasks.exe
2948	schtasks.exe
1436	schtasks.exe
2640	schtasks.exe
880	schtasks.exe
1624	schtasks.exe
1524	schtasks.exe
2544	schtasks.exe
884	schtasks.exe
2800	schtasks.exe
2904	schtasks.exe
1636	schtasks.exe
1804	schtasks.exe
1764	schtasks.exe
2348	schtasks.exe
2776	schtasks.exe
2956	schtasks.exe
2916	schtasks.exe
2288	schtasks.exe
852	schtasks.exe
2968	schtasks.exe
2224	schtasks.exe
2804	schtasks.exe
2316	schtasks.exe
1396	schtasks.exe
2972	schtasks.exe
1960	schtasks.exe
2612	schtasks.exe
748	schtasks.exe
2856	schtasks.exe
3052	schtasks.exe
2064	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
340	DllCommonsvc.exe
2928	powershell.exe
2252	powershell.exe
1448	powershell.exe
2020	powershell.exe
1680	powershell.exe
2000	powershell.exe
1600	powershell.exe
736	powershell.exe
652	powershell.exe
892	powershell.exe
3016	powershell.exe
1716	powershell.exe
2908	powershell.exe
2412	taskhost.exe
1436	taskhost.exe
2992	taskhost.exe
2800	taskhost.exe
2496	taskhost.exe
2272	taskhost.exe
340	taskhost.exe
2640	taskhost.exe
2456	taskhost.exe
2612	taskhost.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	340	DllCommonsvc.exe
Token: SeDebugPrivilege	2928	powershell.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	1448	powershell.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	1680	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	1600	powershell.exe
Token: SeDebugPrivilege	736	powershell.exe
Token: SeDebugPrivilege	652	powershell.exe
Token: SeDebugPrivilege	892	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1716	powershell.exe
Token: SeDebugPrivilege	2908	powershell.exe
Token: SeDebugPrivilege	2412	taskhost.exe
Token: SeDebugPrivilege	1436	taskhost.exe
Token: SeDebugPrivilege	2992	taskhost.exe
Token: SeDebugPrivilege	2800	taskhost.exe
Token: SeDebugPrivilege	2496	taskhost.exe
Token: SeDebugPrivilege	2272	taskhost.exe
Token: SeDebugPrivilege	340	taskhost.exe
Token: SeDebugPrivilege	2640	taskhost.exe
Token: SeDebugPrivilege	2456	taskhost.exe
Token: SeDebugPrivilege	2612	taskhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 2272	2524	JaffaCakes118_621df625130e5405ff9a9b7683990eafc1bfed600cc4c01bda245c41273191a8.exe	30
PID 2524 wrote to memory of 2272	2524	JaffaCakes118_621df625130e5405ff9a9b7683990eafc1bfed600cc4c01bda245c41273191a8.exe	30
PID 2524 wrote to memory of 2272	2524	JaffaCakes118_621df625130e5405ff9a9b7683990eafc1bfed600cc4c01bda245c41273191a8.exe	30
PID 2524 wrote to memory of 2272	2524	JaffaCakes118_621df625130e5405ff9a9b7683990eafc1bfed600cc4c01bda245c41273191a8.exe	30
PID 2272 wrote to memory of 2180	2272	WScript.exe	31
PID 2272 wrote to memory of 2180	2272	WScript.exe	31
PID 2272 wrote to memory of 2180	2272	WScript.exe	31
PID 2272 wrote to memory of 2180	2272	WScript.exe	31
PID 2180 wrote to memory of 340	2180	cmd.exe	33
PID 2180 wrote to memory of 340	2180	cmd.exe	33
PID 2180 wrote to memory of 340	2180	cmd.exe	33
PID 2180 wrote to memory of 340	2180	cmd.exe	33
PID 340 wrote to memory of 3016	340	DllCommonsvc.exe	71
PID 340 wrote to memory of 3016	340	DllCommonsvc.exe	71
PID 340 wrote to memory of 3016	340	DllCommonsvc.exe	71
PID 340 wrote to memory of 2000	340	DllCommonsvc.exe	72
PID 340 wrote to memory of 2000	340	DllCommonsvc.exe	72
PID 340 wrote to memory of 2000	340	DllCommonsvc.exe	72
PID 340 wrote to memory of 2252	340	DllCommonsvc.exe	73
PID 340 wrote to memory of 2252	340	DllCommonsvc.exe	73
PID 340 wrote to memory of 2252	340	DllCommonsvc.exe	73
PID 340 wrote to memory of 1600	340	DllCommonsvc.exe	74
PID 340 wrote to memory of 1600	340	DllCommonsvc.exe	74
PID 340 wrote to memory of 1600	340	DllCommonsvc.exe	74
PID 340 wrote to memory of 2908	340	DllCommonsvc.exe	75
PID 340 wrote to memory of 2908	340	DllCommonsvc.exe	75
PID 340 wrote to memory of 2908	340	DllCommonsvc.exe	75
PID 340 wrote to memory of 2020	340	DllCommonsvc.exe	76
PID 340 wrote to memory of 2020	340	DllCommonsvc.exe	76
PID 340 wrote to memory of 2020	340	DllCommonsvc.exe	76
PID 340 wrote to memory of 2928	340	DllCommonsvc.exe	77
PID 340 wrote to memory of 2928	340	DllCommonsvc.exe	77
PID 340 wrote to memory of 2928	340	DllCommonsvc.exe	77
PID 340 wrote to memory of 892	340	DllCommonsvc.exe	78
PID 340 wrote to memory of 892	340	DllCommonsvc.exe	78
PID 340 wrote to memory of 892	340	DllCommonsvc.exe	78
PID 340 wrote to memory of 652	340	DllCommonsvc.exe	79
PID 340 wrote to memory of 652	340	DllCommonsvc.exe	79
PID 340 wrote to memory of 652	340	DllCommonsvc.exe	79
PID 340 wrote to memory of 1680	340	DllCommonsvc.exe	80
PID 340 wrote to memory of 1680	340	DllCommonsvc.exe	80
PID 340 wrote to memory of 1680	340	DllCommonsvc.exe	80
PID 340 wrote to memory of 1448	340	DllCommonsvc.exe	81
PID 340 wrote to memory of 1448	340	DllCommonsvc.exe	81
PID 340 wrote to memory of 1448	340	DllCommonsvc.exe	81
PID 340 wrote to memory of 1716	340	DllCommonsvc.exe	82
PID 340 wrote to memory of 1716	340	DllCommonsvc.exe	82
PID 340 wrote to memory of 1716	340	DllCommonsvc.exe	82
PID 340 wrote to memory of 736	340	DllCommonsvc.exe	83
PID 340 wrote to memory of 736	340	DllCommonsvc.exe	83
PID 340 wrote to memory of 736	340	DllCommonsvc.exe	83
PID 340 wrote to memory of 2412	340	DllCommonsvc.exe	97
PID 340 wrote to memory of 2412	340	DllCommonsvc.exe	97
PID 340 wrote to memory of 2412	340	DllCommonsvc.exe	97
PID 2412 wrote to memory of 2900	2412	taskhost.exe	100
PID 2412 wrote to memory of 2900	2412	taskhost.exe	100
PID 2412 wrote to memory of 2900	2412	taskhost.exe	100
PID 2900 wrote to memory of 1636	2900	cmd.exe	102
PID 2900 wrote to memory of 1636	2900	cmd.exe	102
PID 2900 wrote to memory of 1636	2900	cmd.exe	102
PID 2900 wrote to memory of 1436	2900	cmd.exe	103
PID 2900 wrote to memory of 1436	2900	cmd.exe	103
PID 2900 wrote to memory of 1436	2900	cmd.exe	103
PID 1436 wrote to memory of 1772	1436	taskhost.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_621df625130e5405ff9a9b7683990eafc1bfed600cc4c01bda245c41273191a8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_621df625130e5405ff9a9b7683990eafc1bfed600cc4c01bda245c41273191a8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2272
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2180
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:340
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Panther\setup.exe\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Desktop\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2252
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Local Settings\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\Windows\fr-FR\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2020
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2928
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:892
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1448
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1716
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:736
    - - C:\Windows\Help\Windows\fr-FR\taskhost.exe
        
        "C:\Windows\Help\Windows\fr-FR\taskhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2412
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2900
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1636
        
        C:\Windows\Help\Windows\fr-FR\taskhost.exe
        
        "C:\Windows\Help\Windows\fr-FR\taskhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat"
        8⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1984
        
        C:\Windows\Help\Windows\fr-FR\taskhost.exe
        
        "C:\Windows\Help\Windows\fr-FR\taskhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat"
        10⤵
        
        PID:2176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1176
        
        C:\Windows\Help\Windows\fr-FR\taskhost.exe
        
        "C:\Windows\Help\Windows\fr-FR\taskhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat"
        12⤵
        
        PID:2012
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1152
        
        C:\Windows\Help\Windows\fr-FR\taskhost.exe
        
        "C:\Windows\Help\Windows\fr-FR\taskhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat"
        14⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2344
        
        C:\Windows\Help\Windows\fr-FR\taskhost.exe
        
        "C:\Windows\Help\Windows\fr-FR\taskhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat"
        16⤵
        
        PID:1420
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2596
        
        C:\Windows\Help\Windows\fr-FR\taskhost.exe
        
        "C:\Windows\Help\Windows\fr-FR\taskhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:340
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        18⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2236
        
        C:\Windows\Help\Windows\fr-FR\taskhost.exe
        
        "C:\Windows\Help\Windows\fr-FR\taskhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat"
        20⤵
        
        PID:2276
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2460
        
        C:\Windows\Help\Windows\fr-FR\taskhost.exe
        
        "C:\Windows\Help\Windows\fr-FR\taskhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat"
        22⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:3016
        
        C:\Windows\Help\Windows\fr-FR\taskhost.exe
        
        "C:\Windows\Help\Windows\fr-FR\taskhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Windows\Panther\setup.exe\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Panther\setup.exe\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Windows\Panther\setup.exe\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2776

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Public\Desktop\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2640

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Desktop\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\Users\Admin\Local Settings\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Admin\Local Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\Local Settings\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:880

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:748

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Windows\Help\Windows\fr-FR\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Help\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Windows\Help\Windows\fr-FR\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\providercommon\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\providercommon\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2348

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Reference Assemblies\Microsoft\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1524

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 12 /tr "'C:\Program Files\Internet Explorer\en-US\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
362ade5ce6662e28651f7c1588ec21ac

SHA1
e9cfc0ff7650d36f34057dcc9b0a34f02db629f9

SHA256
3c366b8c91f86fcfa515d54a8662f3db2e97221e5843d367c337b97faadcfdf0

SHA512
834dd6ddcf2090840bf04ff8348100b0899788c60b90e1400a2fda42e5ccc14e42da444c04bf757defd72be82edb25b437f948c63420f5aa9b9eaccdd042508b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c22e0d19d633fd909f8bc9bce26b7e3c

SHA1
619b54aaea51b37319167dc359ab8fa26f0ffaa8

SHA256
716d697996b7f20e5e4110f906d53e209151c020f1bfc276e7e336bbd05d739b

SHA512
88ddd8766f0e5d544a8c30e339409064ece2473551fe37ea6c65f59f21e9cac88815a9e2047ae123dc592c122a90739f83c3033084485a755d714805c6c7f8f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46dd4eea98c2fb3f9be8553a692db1e7

SHA1
939ecf983dc222cda0a144df58d324e02b7804c4

SHA256
de90975aa2b7b837ddd59056dd938e53fb69865a047426ea6f726a7fd958deff

SHA512
e3107e109a57a4b20b92c4378edb415818caec9da8efa3ae63dbe5b4bf88a6ec198ce2f7600643ba977facea2b8288699798ef7545a25dc9e476bf2e21983f6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
55edbfaa056ace02eeb0f0499f721449

SHA1
2f94b8e0bf2a36488bf763f26ff43023000db5c3

SHA256
22ef1f63f2cb7541786e233213aa8f692002c1e01a04b52c77f879eb69e1ff6a

SHA512
5812b0a84aecedc1b0d65250572f13ae8b91b589ecddd83efdd7c6506413ff7cbe04cf52ce85983c4271e15dc3bd1b0b47f773900df3ff739b98e2d55aea5674

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cedb6e55aa2537491fdabc4b1205c8b5

SHA1
fb5c118fd6976f4fe3d1266e853a5d822c969f88

SHA256
2d7eebb046ae61fab02d930c118a5022db6ceb87069a81392a5b46df9632729e

SHA512
333cbecdd52f55bde50ac1c4ec13ec07aa0c421b1990e1fd945728e5f90b94551cb76e0b10e6c40099d42ffe0a4d3b3bd863fffd209497b43e6bb4afd24bba84

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a26ef2120dc153b34f9988e77730f52

SHA1
2055870275b1b5385e73c96613f3e7c35c28d2cc

SHA256
0ef7403ddfa4362c43fbb17cf4a1f1081437e95b83a97ced2164d124021dc1d4

SHA512
b0085eb318b7288f4ccbc27ac153cce34797c67981abb9d388ba474a44b60faec280d41e568bea4624b577b594f45ccba828ab674fe021dfac5619a045580da9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
deb62dbc838181acda7acb6160477248

SHA1
976b56d33eb01905089797e1ca7990ef8bc8ccd9

SHA256
c452d34e2900b328e2d9015a2360a7d2498291941c5b849f616c01cb7d03e6a2

SHA512
d9f4847c737b0430dfb075f2aaabeb081b82a8534aec678521933a09b261499032dcb060955aca5b9f1933b67c4d4e77a825da7236d61b1b311a0b8f5640eef2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
58968fb21024f6ab49373a478ca6a556

SHA1
040fe8229ac7ff7572fd0da812b92a9b358f9bf8

SHA256
f98276f5dd298fd380bfc668e6523b4172bc3a4f27aea51d1a2b3278027d37ab

SHA512
3c92c3fa35374213dd3b09ef8832744d20139cef57c149f8e8005469ce305b7de8c4fb7ef1e944d1ae110d8c6ad3e288e96ec15ec38e253e3ad2c682c93fb15a

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
207B

MD5
d0653d0190896c03aa38887ecd4e2bf1

SHA1
a8ba71e3f5d83687476ed1e5d0db0d2d691d3945

SHA256
675758160b49c60fe278766569d561901dbb023b6c25975edd51da12cda051b1

SHA512
c29889ed96f162ffb8b69a95125cd06e0e21d34d7dc5b4e926ebe3eb072c0f87223a6217b2923fd37b48a9d7027606f5219e04b9c2a3336c828ebdb443dcdec6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3Fb5uY85DH.bat

Filesize
207B

MD5
7e14dc928612c1457327dec3b02b990c

SHA1
43a65c85bb8976ed6e89c5b441550535cd2ad6a7

SHA256
9524e71f1a93bcc843cd0d92363dca742dc47ced3f341dc34e288bdc94ada084

SHA512
e5e34365c6fa352d8520ebc8bb33b41a6ca403ba70641ad9a7509cd70a852359533ef091945ccebe089e77d28615f484c375138ccb91d3988221b14fff0d88a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\3IH1xDWFpP.bat

Filesize
207B

MD5
1f856289ff38fbd416141951943c0aad

SHA1
c93c968ae37feb4d3b0bd6acf1b447d6288a9f6d

SHA256
13cf54497b0f73837cb442a8b8c832604183539924ef8c39046046ed0b91cd32

SHA512
70f8d36a0cb6f0a27de524d908ff26f673e88c8e46f7e5461f5f24513d76aad936c97c9df874cbc517470e3ebab124028ef0790bf1fd2dcf4773d31e3904727a

Download Submit
C:\Users\Admin\AppData\Local\Temp\42uKfvaRom.bat

Filesize
207B

MD5
b5c32f100f24735c82638034a5be4cda

SHA1
d4581664d83fbb74fdbdce6454673c7b8fc5715f

SHA256
f9f2a15520f34e4e8fdcc36c9e2b0d768ca91025cf547461f5e9b20a18ab84cc

SHA512
13bcb552d8872896631c3dc5d0a3c8801982757167fb632618a485164bf29239fdada5fcf5dc75f7938837f7058fb33a29a7828e52825c290c638b1d9bad50af

Download Submit
C:\Users\Admin\AppData\Local\Temp\9minE9DcLk.bat

Filesize
207B

MD5
e47446b39c536f3e3f8e283ba9151c7b

SHA1
037bb3e1672138bd3a283f160ce69055fb77a1ba

SHA256
d951467480ab0d641e1036e55c1731e6dbcde6bb4ef328954ab70f2329c44f10

SHA512
7829b79f7d80cc37f4951fab8a7610a160a99c0cd60d6bc21f4071c801ad9d9c570b75ce44777652f17b4bf6b100f816b1b020e35cd33f07fa07e7659815f1f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabFB90.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CooinIVsng.bat

Filesize
207B

MD5
26c82b1ca2dac9d8c99c1a99831746c9

SHA1
4126232029e794f3cba5a55467b31bc8bea139bb

SHA256
777ea3a2faa3f021a5059349bed6591744b60f06d1838ed9abd87d7d81eacd22

SHA512
660ae84f0285e01acf3ccc12b79e294d5207e076c9e4bae9636b5751b94b81a0bcfba99e4d43c3a2a8cd8d1b76c962de6e49e715d67cc64f7a7c123af31b5e70

Download Submit
C:\Users\Admin\AppData\Local\Temp\F4MZx53eLu.bat

Filesize
207B

MD5
2255700382588ef6c2df67b99b7c5ae5

SHA1
fc800b7eb22da45cbe9a12cad38fe7c6c3d1f05b

SHA256
18622b7f25ad1664f2fa47ed3ead36dc129bf7a41488dada25b167bce3dea578

SHA512
42d526ae010068e30ad9b7a96e03ce447c377da3b8b5b330808426582f619008fb1455599a3a0694a8c48ac07ee2ef4d6a9a8d6bc70ebf4190d80b646d2bc1fd

Download Submit
C:\Users\Admin\AppData\Local\Temp\PliZKNaLvF.bat

Filesize
207B

MD5
2bb99aa89197523f4a23054bf71d7ade

SHA1
a0471e5bef5ae6d8e5f356f1d56618d88726063e

SHA256
99fcdbba1492d7144cc731d373c6335aba829a5476f2215b076610bd1aa670b4

SHA512
f0625c1698974a3ad1a17ddf05bac916dd2a0b02cf133c4105cac25340381649ef086591e935a43655af88739af704ee394e5e001c894b42b1079103c9c814d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarFBA3.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UyITBGB0nG.bat

Filesize
207B

MD5
63aec9dfc43ec8a5eb5c6e02ea9056b5

SHA1
9d15b56118b4c9a52c081c77ac55e3134f49f31c

SHA256
92f416426cc7b3ee63725762b15846e07c2cd8b4b98aeabeb3188d1391947882

SHA512
4f8bcb89609013c5664eb832c2a8cc00935ebce42a4b5ac1a5f5ebf0da71b1df70fe0dec600b4976c6b78c0702e730da1ab422191d7ae1f5ff7fce384222cb32

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b7aef145821c8309a970c363ed0873fb

SHA1
09ac4fa1abf01d3dfd68938bbbcad3bee90f5761

SHA256
c5235c52dea09cc1317415bfa2543a3112c030383f2a48d98eaa2b55763c18ce

SHA512
53adcc9ab2a62f289dd8b45082b5dc2cc1e1a7672861ab1dc2eca7b224058400b5e1949ae258f50d3bd2062cdf1ce6882cdaaac48adae13ff453bb89c302f6a3

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/340-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/340-13-0x0000000000C20000-0x0000000000D30000-memory.dmp

Filesize
1.1MB

Download
memory/340-14-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/340-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/340-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/1436-174-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2412-74-0x0000000000A90000-0x0000000000BA0000-memory.dmp

Filesize
1.1MB

Download
memory/2412-115-0x0000000000260000-0x0000000000272000-memory.dmp

Filesize
72KB

Download
memory/2456-593-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2456-592-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/2612-653-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2612-654-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/2640-532-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2800-294-0x0000000001290000-0x00000000013A0000-memory.dmp

Filesize
1.1MB

Download
memory/2800-295-0x0000000000B50000-0x0000000000B62000-memory.dmp

Filesize
72KB

Download
memory/2928-60-0x000000001B610000-0x000000001B8F2000-memory.dmp

Filesize
2.9MB

Download
memory/2928-63-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2992-234-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download