dcrat | 146b15f015631c10319e59deae230dcf1b5150935298da7345988866c0311590

Analysis

max time kernel
148s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 09:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_146b15f015631c10319e59deae230dcf1b5150935298da7345988866c0311590.exe
Size

1.3MB
MD5

21708944ab1241ca95ea8824c6061118
SHA1

818eb5ae936d17b7fe8d671fa93506210a132fc8
SHA256

146b15f015631c10319e59deae230dcf1b5150935298da7345988866c0311590
SHA512

03d779767dd45769b0a22ecf8a625f58bbaba3eddc4321968858ccaa8c8f8824037bf5ed545c174bf5d0aecd7c2f5ec6809b22085e67d9ff6f37b331ac6b0e49
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3056	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3044	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	752	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2884	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	556	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	904	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1196	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2216	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2324	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	912	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	272	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	868	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2560	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2560	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d47-12.dat	dcrat
behavioral1/memory/2868-13-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat
behavioral1/memory/1044-115-0x00000000008D0000-0x00000000009E0000-memory.dmp	dcrat
behavioral1/memory/2084-234-0x0000000000E00000-0x0000000000F10000-memory.dmp	dcrat
behavioral1/memory/2080-413-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/2596-473-0x0000000000A10000-0x0000000000B20000-memory.dmp	dcrat
behavioral1/memory/2580-534-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/2896-594-0x0000000000380000-0x0000000000490000-memory.dmp	dcrat
behavioral1/memory/2128-654-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/2400-714-0x0000000000390000-0x00000000004A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
3012	powershell.exe
1648	powershell.exe
1728	powershell.exe
1780	powershell.exe
2124	powershell.exe
1856	powershell.exe
1148	powershell.exe
572	powershell.exe
840	powershell.exe
1608	powershell.exe
1468	powershell.exe
1688	powershell.exe
1644	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2868	DllCommonsvc.exe
1044	Idle.exe
1908	Idle.exe
2084	Idle.exe
1556	Idle.exe
1096	Idle.exe
2080	Idle.exe
2596	Idle.exe
2580	Idle.exe
2896	Idle.exe
2128	Idle.exe
2400	Idle.exe

Loads dropped DLL 2 IoCs

pid	Process
2956	cmd.exe
2956	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
37	raw.githubusercontent.com
41	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
30	raw.githubusercontent.com
34	raw.githubusercontent.com

Drops file in Program Files directory 13 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\winlogon.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\dllhost.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\42af1c969fbb7b	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Sidebar\es-ES\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\es-ES\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Sync Framework\5940a34987c991	DllCommonsvc.exe
File created	C:\Program Files\Windows Sidebar\es-ES\smss.exe	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\PLA\Reports\de-DE\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\PLA\Reports\de-DE\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\AppCompat\Programs\smss.exe	DllCommonsvc.exe
File created	C:\Windows\AppCompat\Programs\69ddcba757bf72	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_146b15f015631c10319e59deae230dcf1b5150935298da7345988866c0311590.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1192	schtasks.exe
2976	schtasks.exe
2896	schtasks.exe
912	schtasks.exe
2884	schtasks.exe
2168	schtasks.exe
1528	schtasks.exe
752	schtasks.exe
2940	schtasks.exe
2616	schtasks.exe
2064	schtasks.exe
272	schtasks.exe
1576	schtasks.exe
2484	schtasks.exe
556	schtasks.exe
2460	schtasks.exe
2728	schtasks.exe
1948	schtasks.exe
1680	schtasks.exe
3044	schtasks.exe
2888	schtasks.exe
3056	schtasks.exe
1196	schtasks.exe
1636	schtasks.exe
3008	schtasks.exe
580	schtasks.exe
2116	schtasks.exe
868	schtasks.exe
2936	schtasks.exe
904	schtasks.exe
668	schtasks.exe
2216	schtasks.exe
2324	schtasks.exe
1244	schtasks.exe
1860	schtasks.exe
2624	schtasks.exe

Suspicious behavior: EnumeratesProcesses 27 IoCs

pid	Process
2868	DllCommonsvc.exe
2868	DllCommonsvc.exe
2868	DllCommonsvc.exe
2124	powershell.exe
3012	powershell.exe
1780	powershell.exe
1648	powershell.exe
1608	powershell.exe
840	powershell.exe
1148	powershell.exe
1728	powershell.exe
572	powershell.exe
1644	powershell.exe
1468	powershell.exe
1688	powershell.exe
1856	powershell.exe
1044	Idle.exe
1908	Idle.exe
2084	Idle.exe
1556	Idle.exe
1096	Idle.exe
2080	Idle.exe
2596	Idle.exe
2580	Idle.exe
2896	Idle.exe
2128	Idle.exe
2400	Idle.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2868	DllCommonsvc.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	3012	powershell.exe
Token: SeDebugPrivilege	1780	powershell.exe
Token: SeDebugPrivilege	1648	powershell.exe
Token: SeDebugPrivilege	1608	powershell.exe
Token: SeDebugPrivilege	840	powershell.exe
Token: SeDebugPrivilege	1148	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	572	powershell.exe
Token: SeDebugPrivilege	1644	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1688	powershell.exe
Token: SeDebugPrivilege	1856	powershell.exe
Token: SeDebugPrivilege	1044	Idle.exe
Token: SeDebugPrivilege	1908	Idle.exe
Token: SeDebugPrivilege	2084	Idle.exe
Token: SeDebugPrivilege	1556	Idle.exe
Token: SeDebugPrivilege	1096	Idle.exe
Token: SeDebugPrivilege	2080	Idle.exe
Token: SeDebugPrivilege	2596	Idle.exe
Token: SeDebugPrivilege	2580	Idle.exe
Token: SeDebugPrivilege	2896	Idle.exe
Token: SeDebugPrivilege	2128	Idle.exe
Token: SeDebugPrivilege	2400	Idle.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2856 wrote to memory of 2808	2856	JaffaCakes118_146b15f015631c10319e59deae230dcf1b5150935298da7345988866c0311590.exe	30
PID 2856 wrote to memory of 2808	2856	JaffaCakes118_146b15f015631c10319e59deae230dcf1b5150935298da7345988866c0311590.exe	30
PID 2856 wrote to memory of 2808	2856	JaffaCakes118_146b15f015631c10319e59deae230dcf1b5150935298da7345988866c0311590.exe	30
PID 2856 wrote to memory of 2808	2856	JaffaCakes118_146b15f015631c10319e59deae230dcf1b5150935298da7345988866c0311590.exe	30
PID 2808 wrote to memory of 2956	2808	WScript.exe	31
PID 2808 wrote to memory of 2956	2808	WScript.exe	31
PID 2808 wrote to memory of 2956	2808	WScript.exe	31
PID 2808 wrote to memory of 2956	2808	WScript.exe	31
PID 2956 wrote to memory of 2868	2956	cmd.exe	33
PID 2956 wrote to memory of 2868	2956	cmd.exe	33
PID 2956 wrote to memory of 2868	2956	cmd.exe	33
PID 2956 wrote to memory of 2868	2956	cmd.exe	33
PID 2868 wrote to memory of 1608	2868	DllCommonsvc.exe	71
PID 2868 wrote to memory of 1608	2868	DllCommonsvc.exe	71
PID 2868 wrote to memory of 1608	2868	DllCommonsvc.exe	71
PID 2868 wrote to memory of 1648	2868	DllCommonsvc.exe	72
PID 2868 wrote to memory of 1648	2868	DllCommonsvc.exe	72
PID 2868 wrote to memory of 1648	2868	DllCommonsvc.exe	72
PID 2868 wrote to memory of 1468	2868	DllCommonsvc.exe	73
PID 2868 wrote to memory of 1468	2868	DllCommonsvc.exe	73
PID 2868 wrote to memory of 1468	2868	DllCommonsvc.exe	73
PID 2868 wrote to memory of 1688	2868	DllCommonsvc.exe	74
PID 2868 wrote to memory of 1688	2868	DllCommonsvc.exe	74
PID 2868 wrote to memory of 1688	2868	DllCommonsvc.exe	74
PID 2868 wrote to memory of 3012	2868	DllCommonsvc.exe	75
PID 2868 wrote to memory of 3012	2868	DllCommonsvc.exe	75
PID 2868 wrote to memory of 3012	2868	DllCommonsvc.exe	75
PID 2868 wrote to memory of 1644	2868	DllCommonsvc.exe	76
PID 2868 wrote to memory of 1644	2868	DllCommonsvc.exe	76
PID 2868 wrote to memory of 1644	2868	DllCommonsvc.exe	76
PID 2868 wrote to memory of 1148	2868	DllCommonsvc.exe	77
PID 2868 wrote to memory of 1148	2868	DllCommonsvc.exe	77
PID 2868 wrote to memory of 1148	2868	DllCommonsvc.exe	77
PID 2868 wrote to memory of 1856	2868	DllCommonsvc.exe	78
PID 2868 wrote to memory of 1856	2868	DllCommonsvc.exe	78
PID 2868 wrote to memory of 1856	2868	DllCommonsvc.exe	78
PID 2868 wrote to memory of 2124	2868	DllCommonsvc.exe	79
PID 2868 wrote to memory of 2124	2868	DllCommonsvc.exe	79
PID 2868 wrote to memory of 2124	2868	DllCommonsvc.exe	79
PID 2868 wrote to memory of 1728	2868	DllCommonsvc.exe	80
PID 2868 wrote to memory of 1728	2868	DllCommonsvc.exe	80
PID 2868 wrote to memory of 1728	2868	DllCommonsvc.exe	80
PID 2868 wrote to memory of 1780	2868	DllCommonsvc.exe	81
PID 2868 wrote to memory of 1780	2868	DllCommonsvc.exe	81
PID 2868 wrote to memory of 1780	2868	DllCommonsvc.exe	81
PID 2868 wrote to memory of 840	2868	DllCommonsvc.exe	82
PID 2868 wrote to memory of 840	2868	DllCommonsvc.exe	82
PID 2868 wrote to memory of 840	2868	DllCommonsvc.exe	82
PID 2868 wrote to memory of 572	2868	DllCommonsvc.exe	83
PID 2868 wrote to memory of 572	2868	DllCommonsvc.exe	83
PID 2868 wrote to memory of 572	2868	DllCommonsvc.exe	83
PID 2868 wrote to memory of 2088	2868	DllCommonsvc.exe	91
PID 2868 wrote to memory of 2088	2868	DllCommonsvc.exe	91
PID 2868 wrote to memory of 2088	2868	DllCommonsvc.exe	91
PID 2088 wrote to memory of 1920	2088	cmd.exe	99
PID 2088 wrote to memory of 1920	2088	cmd.exe	99
PID 2088 wrote to memory of 1920	2088	cmd.exe	99
PID 2088 wrote to memory of 1044	2088	cmd.exe	100
PID 2088 wrote to memory of 1044	2088	cmd.exe	100
PID 2088 wrote to memory of 1044	2088	cmd.exe	100
PID 1044 wrote to memory of 444	1044	Idle.exe	101
PID 1044 wrote to memory of 444	1044	Idle.exe	101
PID 1044 wrote to memory of 444	1044	Idle.exe	101
PID 444 wrote to memory of 2704	444	cmd.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_146b15f015631c10319e59deae230dcf1b5150935298da7345988866c0311590.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_146b15f015631c10319e59deae230dcf1b5150935298da7345988866c0311590.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2856
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2956
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\es-ES\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1688
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1644
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1856
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Sync Framework\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\PLA\Reports\de-DE\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\AppCompat\Programs\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:572
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ff07vRqd3h.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2088
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1920
      - C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1044
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2704
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1908
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat"
        9⤵
        
        PID:1780
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2120
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat"
        11⤵
        
        PID:1772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2432
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat"
        13⤵
        
        PID:1528
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1436
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat"
        15⤵
        
        PID:1076
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2008
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2080
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat"
        17⤵
        
        PID:2208
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1856
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat"
        19⤵
        
        PID:2828
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:776
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat"
        21⤵
        
        PID:2512
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2460
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat"
        23⤵
        
        PID:2680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1464
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat"
        25⤵
        
        PID:1200
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2748
        
        C:\providercommon\Idle.exe
        
        "C:\providercommon\Idle.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat"
        27⤵
        
        PID:2212
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2864

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Sidebar\es-ES\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3044

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Sidebar\es-ES\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\providercommon\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2460

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2884

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\providercommon\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows Sidebar\Shared Gadgets\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Common Files\microsoft shared\VSTO\10.0\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Mozilla Maintenance Service\logs\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 7 /tr "'C:\providercommon\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\providercommon\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1196

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Sync Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Sync Framework\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2216

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2324

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 5 /tr "'C:\Windows\PLA\Reports\de-DE\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\PLA\Reports\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:272

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 8 /tr "'C:\Windows\PLA\Reports\de-DE\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Windows\AppCompat\Programs\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Windows\AppCompat\Programs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 12 /tr "'C:\Windows\AppCompat\Programs\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Users\Default User\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1860

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2026e6545eae4b5476e65b7839c723e1

SHA1
c693417a1da7403f7ae3781c41d8a836c9917fe5

SHA256
0d931567a3d736a03b67b7fb6ceb652d48afb84329c17702bee3308e24d9b96b

SHA512
b842d86e7b4b23e482baf7ddaeb1eab04a7b3aa6f563cd4ecbaf99d50f023fcc30a4c4d51dd1b1160ecde692adcaca4acde30bef03f4659003b57c1eb7168639

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
214339e10fc258ff21b57a9d3e2d12ba

SHA1
ce822deb44bc470a2e31124a94446bac69da1a9c

SHA256
031aac48d9a3a8fc365086831330722b507d35dbca2c8465a5c7217cf8a0c99c

SHA512
468da6b4e0e9cd002f724568ef357d9a49dcad0c9ec96d366803026de6fc81b2d980f0d56261d0a9ecc8525b75292b1f1e3a521186a8cdc0206d277f0f8a9b71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
081b6622078f4f659236265b28726cd6

SHA1
ce9d9d69be71f0f34418f0a167f15378b5adb54c

SHA256
c5c68b3668b46e6f0a72e62ff1031598d9ec34d6f1be3f5a06017727149dffa1

SHA512
0268ebe8a4ca07ecaaaa73e0528f68c39c83000af51afe1a98368e454e20a933ef6dc175e252fabfec15f0976195e82a627a428af61b993e3187f044f5923c37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c3bfceebd860aa7ec71225057efc2928

SHA1
c4b099bf9a5cbdbaea1ee560c41bf4854c219341

SHA256
a6697fb273ae08ecab98a83ef972db9721ca2f38a5c6c3aed32f27e5c21d4ab9

SHA512
be93935671fe80d92eb3214e62f703d5faff7730e2c9f7f3016492415b4871ca1586f5b48afdcdad4d80d6b8f68a2e8697d9f5878cd6a9a8b7b23096f0323488

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3421ebed06022809dc8f3b04d2ce7316

SHA1
ba3b1d66977b6a4302b6eb9d76b4eedddbbaabea

SHA256
bdf0fdef3cf826aeaa4eca79abf038af82258a2ed78b6e62ee40d28a9e10b433

SHA512
614372f5b24f247766695d916e447e9acf252c6d3970d12da968b5ce042e0eb0dadc383f75fdf75c024adb2f9cbcecf87d6e83d28e0377f4d2f089c18464aeb6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a399b29ae1ab226c9dc0298d4d19bfc0

SHA1
c349386ac6b69994cd21d634f672ce36be8dd61a

SHA256
4696abf1fd18ed7e212bab3e8ce67a8b9840dfdd7840a22643f6fa866c513174

SHA512
7cd0b51a668ff66b017c623c5f7f49d01c583df47ac12828b33f4f9c0d1f77b712c0ecae389b65db9db6ddc9d0a67ce68eca1291e7272efcd6c95bc1f01f03a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67404c2219607177cb4273c7956afb68

SHA1
a3f3fcd30fb7c166b72da35f5571889cedb014f7

SHA256
842d9c91eab3a1179dd8e4209edb40165d5938bf2f60254e7deeb9cf6c875476

SHA512
3d672064f2ecc8549ae08abbae83ecdd69814d30d6fa6a351261a1791e23698a03fa0a7eb454676559c85f5969a1fac27d07b44c6525c26853ffa473421f6ef7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6150213c3861feb0f206da48c6c67610

SHA1
c4ae6b56a14caeb48d21afe24f7ea5a91d74fc21

SHA256
6903bc3f1acd1f59836e9f16c59903465173aa49340f868426d72c9543c27558

SHA512
89d59304c15abc505aa60cf8a1bef8861c0e96d34c8b78d74af924740b40379e4d0c2e9aa03ade7026ccdf26aff63d43b4cd5e30bd8c1bd2b4feae845d654054

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dcfe136b1e6384c15313c1dd6964388b

SHA1
339e3a584208cf396cca4e690f988f1055134565

SHA256
b1a32cecfa5fea90f8b1cfe55867faeba8a8b01799bf282b85b8a0cfef3a4552

SHA512
0f1b5a1987805c4c90b3e6d81a4e74305f5857080d3569e9e4f974cdb9c55bf93cb1132ed7134768018de584cff1811e59a58fbf4147e8f15cf7bc4bd6bd0722

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
74daacb265583cfd2983a7630d86209b

SHA1
ecfc610b6b9133212aabfc834cc19834935c6542

SHA256
1351f3f8c88d7ed6566e21e799c37f440bdc2a205603f4d14c04c5cb9f66417d

SHA512
e56869e14300da8cc5f29f8860bae72c88067989592254135d9150736224c78c6058b81d91c2d5b4920549bdfc6019a38b960db22ab8363c4a699de30e16d1bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\19YD2Vui68.bat

Filesize
191B

MD5
007f03eda2803047a9438c4aa343482e

SHA1
4ebea0719caa7a74669c5e6d94705327fab14cf5

SHA256
d5a6920af1c12857f4a7784c506670f5eaa59732f55497500976ee49cfce7806

SHA512
b8e1b80d741aaaaa84985da480a2df6b541a3d28d46f522949125cb37c4fbceefd43cf384401f960bd732e4061cc4eeb405f03611564262c25122f04e811c838

Download Submit
C:\Users\Admin\AppData\Local\Temp\410ZzJtAuR.bat

Filesize
191B

MD5
39abc75bc8db575615a5338d0b92f498

SHA1
6c7fab235384bac2f5b516368aa6c7e89eba417c

SHA256
1e10644c72e12461de5abf8fd7d4e2e234fcf33eff38470bfc2afab33c923dcf

SHA512
d432cc70d688956018e9f03a9ff74cef70af2deee882b14eee9c53c57da94fadec175263f2b3bfc804f3886d46240d6d62679ec14ec5d3cd595acb1fa31c3ef5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5eI0Zh92hY.bat

Filesize
191B

MD5
4bfc12c1bd0c322b7e851accefc1cbdf

SHA1
b11d2dc5fcea60ae4f6b47690f965871644c1b3e

SHA256
776ea13c446ac2ea329558c02715831b44c5a8c5ccd482a2770c85fb5a4f9155

SHA512
d070253b7c246342a0a04d2bd00c32f72b9a6181b3589672fac48038bc910e79ea155783f1ef88c7c4f9fced404fdd9d6d814e546ae159023907000580d42a4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\6n1oUPmZQq.bat

Filesize
191B

MD5
ef9bf0f6f207dea0ecea3f9380ba161b

SHA1
f5f2c587380371a0ef74f952d2656915975aba13

SHA256
74b93b209c607924485980ac17aad594018cf1bd81282bd3abe30c2e6435a19f

SHA512
6c2f8f4e66dd5dcd6a7673925d08e2b42f93b6644ba934504b41d4327547f216923ee4766f88a2f0d7f833ded0999429dff4349c2bd15ed32736ef4b4b12049d

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ouYA2TrKB.bat

Filesize
191B

MD5
faec546ee3852643703e861428a55b6a

SHA1
b8debc0cf1601c8c135c735c09a7c38cf045ef7d

SHA256
474918ee52688f2944a1c66abc8fb0a8c2c876ebf4c0e8bba1ae6596448bae08

SHA512
c9562eb301c840b88b64e5b63bb878a39cd536e0ded73ebd3a384dae9d1115e4646a2ccf8316ebeead67bafcef032ccdc99ff9da95561716b537b5b2873cb6f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab9A10.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RaUzDWAd8R.bat

Filesize
191B

MD5
573ef15dab66e385c78f3b07c34e3a21

SHA1
4b5979d21a784797ea62f7f6c56dfa68ad171b99

SHA256
32f25ba96130e70d9ff7e1f210eb8a242413b2212e5a23087ee781b7ef8dcb61

SHA512
f5cbb14092db75e78bcaf8e844187affb7c86cc587d05108c79edbbd9c175310358d88286c1fdab88719523c55f579a6f0703dac3ed48b1925bdcdb882e0deb1

Download Submit
C:\Users\Admin\AppData\Local\Temp\TEfATY8not.bat

Filesize
191B

MD5
fd45c2f83e4c0e23f5861f30681ec97c

SHA1
92dc15caa94453df3631e6c7f5ffc93f1301c168

SHA256
24f56c598cc8a1833864c0ddb485eb064ef35bdb9d207e8bd1f72f85193a2948

SHA512
715c9a299c36847d10adf72f1859ef2bae4feee6d0ac54bb531dbb61f53650a637c5aeb979d17a12df72227cb62bb97a28955f37d2cc98780f525b8777b9be6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar9A22.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VCTPXfsZqS.bat

Filesize
191B

MD5
c8e006a7bfab126e26ce72692c13b962

SHA1
7d685088f1daa6e7879cb8b4fcb24621353e800a

SHA256
aa43c173b89c31bb57cd13c9bcfb1fa9175f07a01a2d240f439724f6fbeadf42

SHA512
36db2a4e868dbcb6ea1b8a5528a6198ffd0884137d00e60c8da700311f0925fceb7f3387ffd6fb57d1283b77b831672da7cc6f16b15ccf7f98fd805f96d1fb7b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ff07vRqd3h.bat

Filesize
191B

MD5
0942dcc4425dd36567c3bdcce1eef5ea

SHA1
f105f7acf75a17320145357051e449c181ab8fa2

SHA256
789d0f3bf8c73ec3b4fd3a20a721ed1e6688494a238fa1d30349a9666da89f17

SHA512
c2d2c9b447b0ee99a254adfa41bb02c81b863cfbc9ddbf7039fa5754f3c89da0d8f9a1b2b4197473b9aa35059e00df88487e446c1369d51ae8bea711d48f2a9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\iOYCRAfa0D.bat

Filesize
191B

MD5
421e1caa1676e0b935abf09144362d68

SHA1
3b324f50158b0b1ef065a0697b72752498227c6b

SHA256
7c69db4e85646ac849c4ac51906b0ea43d3db9971fe2dd6610b048728eb90482

SHA512
35a01816b3a7f3e7f88f63a3f884c831fa63cc9411e62132d9880c89eb0b4584b6c0575ef2661e06a6661dfec9b9a56ea2ca3f087ccbff4001cc0013bc8b76d4

Download Submit
C:\Users\Admin\AppData\Local\Temp\rcE1qBYVKA.bat

Filesize
191B

MD5
360f9180fa7ba627b38e56f0195c4233

SHA1
7ce10935cf40e1bc38e41313f9478643adeb7fde

SHA256
7bf405efc0441fc662acff43aa682aa98882cc1ad6babd83ca73c8652385721f

SHA512
ebcd34ca95f20ba0d3f8b577020f6a8d39bd658b55102545a5599781c5e0596ea01f56cc8e78eb2a56baf56365e5fe05eef001e26136c8214d609fa93f5e30f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\yNYzWO1Iaj.bat

Filesize
191B

MD5
2a642854fed924d6cd2f5462410dfde7

SHA1
8febc6a5ac1c15ec03c8b8c7156af2dce3c63e5f

SHA256
6a215956fb43f75406f0a83d7a6f3bc22b820c03b0b27d6677df919bcac8f393

SHA512
3ccbc88d1830a78f51ea2867baae893265bd2fe59118c6ed7c17ba8af1e4ad79d4b2054a0625a1140b862c682a1ae8404d39fb87748f50593db5a9da64b60304

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4dc1b49a4526a73a8922775c15abafef

SHA1
87c961c83d7df1eb230a2185abc11797f175e056

SHA256
a3e2155082f6a8361115b87d47255e35c752fc9f8959d811ccc8a8ab808499f1

SHA512
c7b9e9c1ead4e516e75f65c81b59ee101e4ff1e7a962f988242718041450a3488df48c374596c07494fb81780480669f7f2956a1085f540379c5c1e3761bc2cb

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1044-116-0x0000000000430000-0x0000000000442000-memory.dmp

Filesize
72KB

Download
memory/1044-115-0x00000000008D0000-0x00000000009E0000-memory.dmp

Filesize
1.1MB

Download
memory/2080-413-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/2084-234-0x0000000000E00000-0x0000000000F10000-memory.dmp

Filesize
1.1MB

Download
memory/2084-235-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2124-55-0x000000001B690000-0x000000001B972000-memory.dmp

Filesize
2.9MB

Download
memory/2124-56-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2128-654-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download
memory/2400-714-0x0000000000390000-0x00000000004A0000-memory.dmp

Filesize
1.1MB

Download
memory/2580-534-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2596-474-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2596-473-0x0000000000A10000-0x0000000000B20000-memory.dmp

Filesize
1.1MB

Download
memory/2868-17-0x0000000000550000-0x000000000055C000-memory.dmp

Filesize
48KB

Download
memory/2868-16-0x0000000000250000-0x000000000025C000-memory.dmp

Filesize
48KB

Download
memory/2868-15-0x0000000000260000-0x000000000026C000-memory.dmp

Filesize
48KB

Download
memory/2868-14-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2868-13-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/2896-594-0x0000000000380000-0x0000000000490000-memory.dmp

Filesize
1.1MB

Download