dcrat | c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212

Analysis

max time kernel
147s
max time network
142s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 11:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
Size

1.3MB
MD5

27ae919b3be2d7828dfd0c8b33360306
SHA1

a83ac006784190638f718f27ea6cb9763c67fdef
SHA256

c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212
SHA512

94c1f8ef256c811bd4049592c347becc709f339fad0ddb947c2460b3e1595479855c039b91b48f90d3559c527e504887a56e8d4ed0c3b2b9c3195754dee774c7
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2712	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2576	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2296	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2664	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2796	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2592	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1848	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1548	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1948	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1852	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1876	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2036	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1140	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2784	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2120	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1536	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2760	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	696	2760	schtasks.exe	35

DCRat payload 5 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000018c44-9.dat	dcrat
behavioral1/memory/1744-13-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/1200-92-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/1320-625-0x00000000003A0000-0x00000000004B0000-memory.dmp	dcrat
behavioral1/memory/2216-685-0x0000000001150000-0x0000000001260000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1120	powershell.exe
1008	powershell.exe
1528	powershell.exe
1700	powershell.exe
1612	powershell.exe
2388	powershell.exe
1512	powershell.exe
1804	powershell.exe
1320	powershell.exe
864	powershell.exe
1736	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1744	DllCommonsvc.exe
1200	WmiPrvSE.exe
1872	WmiPrvSE.exe
1672	WmiPrvSE.exe
3056	WmiPrvSE.exe
352	WmiPrvSE.exe
2816	WmiPrvSE.exe
2240	WmiPrvSE.exe
1536	WmiPrvSE.exe
1280	WmiPrvSE.exe
1320	WmiPrvSE.exe
2216	WmiPrvSE.exe
1624	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2072	cmd.exe
2072	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
35	raw.githubusercontent.com
4	raw.githubusercontent.com
22	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com
19	raw.githubusercontent.com
25	raw.githubusercontent.com
39	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Common Files\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Common Files\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\Google\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Google\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\sppsvc.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\0a1fd5f707cd16	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
696	schtasks.exe
1852	schtasks.exe
2868	schtasks.exe
1624	schtasks.exe
1016	schtasks.exe
2840	schtasks.exe
2612	schtasks.exe
2036	schtasks.exe
2664	schtasks.exe
2592	schtasks.exe
2200	schtasks.exe
1536	schtasks.exe
1656	schtasks.exe
2712	schtasks.exe
544	schtasks.exe
1140	schtasks.exe
2120	schtasks.exe
2796	schtasks.exe
1876	schtasks.exe
1872	schtasks.exe
1948	schtasks.exe
2784	schtasks.exe
2900	schtasks.exe
2576	schtasks.exe
2296	schtasks.exe
2564	schtasks.exe
1636	schtasks.exe
1848	schtasks.exe
1548	schtasks.exe
948	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1744	DllCommonsvc.exe
1528	powershell.exe
1120	powershell.exe
1804	powershell.exe
1512	powershell.exe
1008	powershell.exe
1320	powershell.exe
864	powershell.exe
2388	powershell.exe
1700	powershell.exe
1612	powershell.exe
1736	powershell.exe
1200	WmiPrvSE.exe
1872	WmiPrvSE.exe
1672	WmiPrvSE.exe
3056	WmiPrvSE.exe
352	WmiPrvSE.exe
2816	WmiPrvSE.exe
2240	WmiPrvSE.exe
1536	WmiPrvSE.exe
1280	WmiPrvSE.exe
1320	WmiPrvSE.exe
2216	WmiPrvSE.exe
1624	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	DllCommonsvc.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1120	powershell.exe
Token: SeDebugPrivilege	1804	powershell.exe
Token: SeDebugPrivilege	1512	powershell.exe
Token: SeDebugPrivilege	1008	powershell.exe
Token: SeDebugPrivilege	1320	powershell.exe
Token: SeDebugPrivilege	864	powershell.exe
Token: SeDebugPrivilege	2388	powershell.exe
Token: SeDebugPrivilege	1700	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	1200	WmiPrvSE.exe
Token: SeDebugPrivilege	1872	WmiPrvSE.exe
Token: SeDebugPrivilege	1672	WmiPrvSE.exe
Token: SeDebugPrivilege	3056	WmiPrvSE.exe
Token: SeDebugPrivilege	352	WmiPrvSE.exe
Token: SeDebugPrivilege	2816	WmiPrvSE.exe
Token: SeDebugPrivilege	2240	WmiPrvSE.exe
Token: SeDebugPrivilege	1536	WmiPrvSE.exe
Token: SeDebugPrivilege	1280	WmiPrvSE.exe
Token: SeDebugPrivilege	1320	WmiPrvSE.exe
Token: SeDebugPrivilege	2216	WmiPrvSE.exe
Token: SeDebugPrivilege	1624	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 584 wrote to memory of 2284	584	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe	31
PID 584 wrote to memory of 2284	584	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe	31
PID 584 wrote to memory of 2284	584	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe	31
PID 584 wrote to memory of 2284	584	JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe	31
PID 2284 wrote to memory of 2072	2284	WScript.exe	32
PID 2284 wrote to memory of 2072	2284	WScript.exe	32
PID 2284 wrote to memory of 2072	2284	WScript.exe	32
PID 2284 wrote to memory of 2072	2284	WScript.exe	32
PID 2072 wrote to memory of 1744	2072	cmd.exe	34
PID 2072 wrote to memory of 1744	2072	cmd.exe	34
PID 2072 wrote to memory of 1744	2072	cmd.exe	34
PID 2072 wrote to memory of 1744	2072	cmd.exe	34
PID 1744 wrote to memory of 1512	1744	DllCommonsvc.exe	66
PID 1744 wrote to memory of 1512	1744	DllCommonsvc.exe	66
PID 1744 wrote to memory of 1512	1744	DllCommonsvc.exe	66
PID 1744 wrote to memory of 1804	1744	DllCommonsvc.exe	67
PID 1744 wrote to memory of 1804	1744	DllCommonsvc.exe	67
PID 1744 wrote to memory of 1804	1744	DllCommonsvc.exe	67
PID 1744 wrote to memory of 1320	1744	DllCommonsvc.exe	69
PID 1744 wrote to memory of 1320	1744	DllCommonsvc.exe	69
PID 1744 wrote to memory of 1320	1744	DllCommonsvc.exe	69
PID 1744 wrote to memory of 2388	1744	DllCommonsvc.exe	72
PID 1744 wrote to memory of 2388	1744	DllCommonsvc.exe	72
PID 1744 wrote to memory of 2388	1744	DllCommonsvc.exe	72
PID 1744 wrote to memory of 1528	1744	DllCommonsvc.exe	73
PID 1744 wrote to memory of 1528	1744	DllCommonsvc.exe	73
PID 1744 wrote to memory of 1528	1744	DllCommonsvc.exe	73
PID 1744 wrote to memory of 1612	1744	DllCommonsvc.exe	74
PID 1744 wrote to memory of 1612	1744	DllCommonsvc.exe	74
PID 1744 wrote to memory of 1612	1744	DllCommonsvc.exe	74
PID 1744 wrote to memory of 1700	1744	DllCommonsvc.exe	75
PID 1744 wrote to memory of 1700	1744	DllCommonsvc.exe	75
PID 1744 wrote to memory of 1700	1744	DllCommonsvc.exe	75
PID 1744 wrote to memory of 1120	1744	DllCommonsvc.exe	76
PID 1744 wrote to memory of 1120	1744	DllCommonsvc.exe	76
PID 1744 wrote to memory of 1120	1744	DllCommonsvc.exe	76
PID 1744 wrote to memory of 864	1744	DllCommonsvc.exe	78
PID 1744 wrote to memory of 864	1744	DllCommonsvc.exe	78
PID 1744 wrote to memory of 864	1744	DllCommonsvc.exe	78
PID 1744 wrote to memory of 1008	1744	DllCommonsvc.exe	80
PID 1744 wrote to memory of 1008	1744	DllCommonsvc.exe	80
PID 1744 wrote to memory of 1008	1744	DllCommonsvc.exe	80
PID 1744 wrote to memory of 1736	1744	DllCommonsvc.exe	83
PID 1744 wrote to memory of 1736	1744	DllCommonsvc.exe	83
PID 1744 wrote to memory of 1736	1744	DllCommonsvc.exe	83
PID 1744 wrote to memory of 2724	1744	DllCommonsvc.exe	88
PID 1744 wrote to memory of 2724	1744	DllCommonsvc.exe	88
PID 1744 wrote to memory of 2724	1744	DllCommonsvc.exe	88
PID 2724 wrote to memory of 592	2724	cmd.exe	90
PID 2724 wrote to memory of 592	2724	cmd.exe	90
PID 2724 wrote to memory of 592	2724	cmd.exe	90
PID 2724 wrote to memory of 1200	2724	cmd.exe	91
PID 2724 wrote to memory of 1200	2724	cmd.exe	91
PID 2724 wrote to memory of 1200	2724	cmd.exe	91
PID 1200 wrote to memory of 1500	1200	WmiPrvSE.exe	92
PID 1200 wrote to memory of 1500	1200	WmiPrvSE.exe	92
PID 1200 wrote to memory of 1500	1200	WmiPrvSE.exe	92
PID 1500 wrote to memory of 2488	1500	cmd.exe	94
PID 1500 wrote to memory of 2488	1500	cmd.exe	94
PID 1500 wrote to memory of 2488	1500	cmd.exe	94
PID 1500 wrote to memory of 1872	1500	cmd.exe	95
PID 1500 wrote to memory of 1872	1500	cmd.exe	95
PID 1500 wrote to memory of 1872	1500	cmd.exe	95
PID 1872 wrote to memory of 776	1872	WmiPrvSE.exe	96

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c49ae43744b5b34c18046dc122830b451f6f9b54f3c06ce883ea180e4a526212.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:584
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2284
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2072
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1744
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1512
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2388
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Common Files\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Google\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1700
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1120
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Music\Sample Music\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1008
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CDpK3Juhao.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2724
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:592
      - C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1200
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1500
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2488
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"
        9⤵
        
        PID:776
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:816
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
        11⤵
        
        PID:840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1544
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat"
        13⤵
        
        PID:2996
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2516
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat"
        15⤵
        
        PID:2368
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2164
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2816
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat"
        17⤵
        
        PID:1612
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2696
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2240
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat"
        19⤵
        
        PID:1752
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1504
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat"
        21⤵
        
        PID:2220
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2364
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1280
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat"
        23⤵
        
        PID:2444
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1292
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1320
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat"
        25⤵
        
        PID:1184
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:1548
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        26⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat"
        27⤵
        
        PID:2052
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        28⤵
        
        PID:2144
        
        C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe
        
        "C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe"
        28⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Users\Public\Favorites\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\Public\Favorites\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\Public\Favorites\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2664

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2796

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1848

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1876

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Common Files\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:948

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files\Google\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Program Files\Google\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 12 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Music\Sample Music\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2120

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 10 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Portable Devices\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:696

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cad6a33fc96c2134c4195255faac410f

SHA1
539ecd8f1350dead223fd2b08ede83c61d65f381

SHA256
b4e3804b6d63a9647318abe9f307b01692f2661e4fbe679fd90223f5cbf02e7a

SHA512
7af43ccf9f82774ec46322bf20042344b33cae43f45d0aa47e5c498bfcf65b694467faf686734c4c85e2b3e0f7a81f3d5d1494999f78436d13470e656a9d6585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
000ba5222dd7320a4a66b219e3f91779

SHA1
80df5f182c5a8d1831195c59591c9e5075518bf3

SHA256
9e195434bad4ed49de6b2df0d8629185078d126c423c3a8270e5294e75ceeca3

SHA512
c7cc6eafb70b2864301806fb1e1e7d7fc062565f043d67b67787b8d7ad575e1140664a303339c60116fe9619e14dd9c2acc2b4f2f57782786db55b23302a7b2e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0cc351c396f99356e46583bdf2b9aedf

SHA1
8c717fe510d5dbff2e98959c0c461d3af8810dd9

SHA256
59b9ae059de602b7fdd21800d812ff3f1631e6828904aef7bc6114b9e268b33c

SHA512
1f7640d8f5bbd56fb302a0227ec3c91d01b1cee2acb14c96003faf89a558526bb45a66492d903713365b386a83f66e249c2eacb973582b03b2b47e53a5e397d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
550593edb28f08e91fcf5b8ee99c644a

SHA1
8d6bd22177f4549b8b652b459fe752aa2847bdcd

SHA256
e5ce7e6a0e3ab7512b28e652f03e23ddd1f808902e93f89a925281c2283d936f

SHA512
bed45e52ccdaae35f61de842f4eac551fc978a4256142d8bad0ffe2834f7dc9ed4d3438b905a23b4dbe0bc48d09b515b396fbdcbfe7fb661a7ced0b47840789c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c1995fdb95be07b9c51cd51d44b270a

SHA1
de09679610adbb4b557d094fad9fb6dbac79ecca

SHA256
c042ae10e0ab2dc35ccb8146444076b09f63bdf14acafe4e670c4322a26fbffa

SHA512
cfef016ba38b7870edd8313d3c83b17a823c9bd51f5e15b1e5a80529c284b960d7da4575bc4302374223992d3f038085ce2ad0cf1d2ad4f7c29c1d11999d81ee

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d943ed89f76192a26bfbae5b58c4b873

SHA1
1b079879b021ef315cd32aa701dea221b5c07095

SHA256
a01c6b18ec5f6fc21e6ea9ba0d699f564a4a07b0549ce849725204b78cc982d5

SHA512
df8f59db0f2dcf1589384370bc6558fb165953a4b0ca967f879cc15d34cd719331e903cb7fbd0409ba3849ad3d275bff55805943dd8eaeecf6df998574fac639

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7cc6fb071dda688a9b6aff1e141a5799

SHA1
5b83871642aebdbf485b8ea7b4571348bcd7ce86

SHA256
b6d04bcf66e180f31407c8512a663009d12ebfac0658aa423ef0d7bea2b3a790

SHA512
c449515bc048d6073c5f89fbbafad9c16170056e2394be10480776c58a53f57f37944b883f71d2f8fc87d9d25b1537b885085d9933d629020d5f4ec958fffc57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cc69e050b3b067ab4283c87dace5714b

SHA1
c9f53d1758c8e2f6fef74340fcbb993472dfd288

SHA256
09e626a54acbdbb9aabf248d2e9c56c097306eef021b077d73d71abc7d968056

SHA512
ddfee9bb86151f245e106a99205ba80e17ef771df6106b22b4f56d80c493c444c18c31f1903592776f657c033489bceb893df6ca8c02da7698b3d6d73d67d5d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
96cf50a5f4cd57cfc25bebfc4515b2e9

SHA1
7680c15315752f1819a9eb8bea97fbd002820167

SHA256
6747f82155f160216c5807241803809401ae578fcad34325fc3032582e21fb0a

SHA512
f3dc2a0a62fcdfe989029f362b31ef4b71f7cd0918dd24e0394ec5e7de82f7661dee688969abab2da54fbfe23441cb2d9753b3a8b37ba5d7406d84c6357bb8bf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8c4041cc7a5387c8c51e48d60489030d

SHA1
e698739d7e667f798bf4a0631138418d24a33e02

SHA256
a38b891115107957205589534eb5a35e92e0ea4b54e8aed831b0fe6dcc43704e

SHA512
434bf78803403836e18563268dbcc810300e9dc030784b3c28261c0373dd600f6dceefcbad006332313e59cd6acf0d5b8964ec2d330b7750fc31e696bc0652ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat

Filesize
226B

MD5
eb98e3da3d9c2c5b2f2b865aec7df225

SHA1
fdb6596e9b088c4c13128d0addc34e1aa7a6589b

SHA256
263a82eac11e48134292ed6c25e3608c0e87abec0dcfc0366a1d8d216d124c55

SHA512
d31f68f8ec65d9798b2253db9d40c349faa0df1608757b9809a293e2b181c120b493dbe01efc2767ab93398e6a16381728ac8cf3fc47f9b1ca224218127c314c

Download Submit
C:\Users\Admin\AppData\Local\Temp\BAWHCtE00Z.bat

Filesize
226B

MD5
72ba5af8d31f0a6c4a5ceda5980a68f2

SHA1
6ec237e7a261d1b965bbf3c46e974f9e7ff9644b

SHA256
6783af152eeb7cf64c5911b856d617d7a2a7388437626de3f6f5ba52fbaf1e02

SHA512
90b2c3b21eea2da980d7714fa017a0b1e41811ff592d45ea9ec6cda177e9cd9ef6ca59fe3794737d58c3a8343c13e40d9953a4a5a677e644555c3fdbbdf27944

Download Submit
C:\Users\Admin\AppData\Local\Temp\CDpK3Juhao.bat

Filesize
226B

MD5
ff1d71269001d8df6e8362e8874439de

SHA1
a083a110a8975d06378386868259df255fa5884b

SHA256
fd762f986e1f5ed297a502e558745708118e0a2bb5374c27de9a557bbe16ea6c

SHA512
b38036c07002e8fc118d9203a612d5bf8f35e7893ee62a9bbaea09e13529abb76205bc7e9cd46f85ca6b7396289d686c2f090a255f2f19a534d11f6988af7119

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1C68.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TDlQnvRVvY.bat

Filesize
226B

MD5
45aeec20403ef40ec6903c1f726c61c8

SHA1
c56b79eef15e6636462e657153874f45a580d15f

SHA256
391f8e24b1864c45650fc8493903ceda937d0be75f130bb20ac5fd0f4a126630

SHA512
3cc51509c6ce9609c9a556f2caeb9ebca9b5cf92bc8f91bcabdd17377119e335970352d4c1dcc28822eb1298c8f03ab090572fe3c943c102fcb65dd5bf87874c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1C9A.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat

Filesize
226B

MD5
8c7f25f0b21bd5870921784044666ef3

SHA1
c299efa512d020b6f64d5a6af328968338488c37

SHA256
2021a22016d60207756735dadf9288f5ed48ae6d32d2378cdd475acf9aabef3d

SHA512
2932eea2d84ed2eefdeec9be73b3fd4f47f6922bafdb2d3ff214e3d6cb126cf10fb45ce662842de0971b0df6127bb80a7e5f0ce8e5c32f7055dce46c62260b6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ys8lvSze9b.bat

Filesize
226B

MD5
7dab719c3d3a64a38b57090061ef47c3

SHA1
1edd5cd0dca7a896c879d23a82417f282d6b0ebe

SHA256
cbaa1c98ee70323cda3e087e7193da9f35458cfccf995a8530663c13261f4296

SHA512
26eb4336d0525e45530fb4f7ac85ee519596747b84370d697518a453d47639ddfe06797e7b2e63f56f1b4e8b1fa83e02826e0fe83ed041cefeb63831f2f01ca6

Download Submit
C:\Users\Admin\AppData\Local\Temp\be8zRZs4e0.bat

Filesize
226B

MD5
dcf45a9290245624c943fdb7ed11a0c7

SHA1
a7719c272887dee1f19e4176598f45a02deb59e8

SHA256
fcbf8d957a544c06ac3f30b1365eac76d6bbb50cd8454bc03a214bb21ea3ce68

SHA512
19a1bd9be5919b96a535acb457230820d3c304b3825a3d1d3d59bb0a5f4798effb556e8a36f66d320c20b1ba0d9490b6165ba0245036782951e438a5e29acc5f

Download Submit
C:\Users\Admin\AppData\Local\Temp\gQkyN2upze.bat

Filesize
226B

MD5
7e5f908a3a4197f8dd7d337ff2e6514b

SHA1
c3e1dd8ad59b575cc86cbe595ccf4f294df681f9

SHA256
f70d94f736ad04933b52e34aecfdee7d83ac54b4a7be03719699d74c43894495

SHA512
babc65a5a7402b47b7e0c6bc33a7fac7f8f7ba969cee36b887b4a21e3e2793ec54b5e83dfe1ed2f31f250dd994b8594b4af9a5308dfed4bcd32b5e35d2d2e79b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hC9SSnetfo.bat

Filesize
226B

MD5
72571a0a9d2588eaff1e6500c7de37e3

SHA1
94a853857e3f7632999e9a3bbb2c8ccd94dd0fae

SHA256
eb6bd21293212f5386d615c3fbcfd689f8d59fea88869297da2c25d3036730b7

SHA512
078dcfb7126d965a9c2a005eea2f8f7b57f37ea76d9abc4877ceffa2485c91c2622b7be66065b9163db4c5ddbb86c40de1fd4a8e276e8f38c2a5e6925cc6f1fc

Download Submit
C:\Users\Admin\AppData\Local\Temp\hbGxgnDDQj.bat

Filesize
226B

MD5
2e568c0afd1f185ab35bed211cf6d2d2

SHA1
df81741626ac14a30b3aea1bae3b0020ac3a1c91

SHA256
212d9770c2e2923e7a35f8eaa05fb6bf04e9cb3656f411ddc3d526d0ec9a1fe9

SHA512
9cf44da26faa4207317f704478d2fcaa99696ad6f374217e6d12a8ba16f0ecd381850b2e4b4ce150afa15b64fcb142e56937f2bacf6d2e8f240ff3ec668e80e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\q2cXKRfm9B.bat

Filesize
226B

MD5
295510fa1302a6072f5a5f9fdaa66bc2

SHA1
73c228565bbef9c316fa901b8b19cc03eb94ba4b

SHA256
8b574127bbdea84e569e9cb14af3b0a6c8915b694700e57316091c2f3dcab08f

SHA512
0630afd3d085b94b3ddefe1b4f8dc176a72b51eefb846fd43b00ce3f96a8c7e0d8887e7dfd70e3e69d73d326b68361ea863275361aa56c1fe152d8b28045c1ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\voEVGuhWUp.bat

Filesize
226B

MD5
7cb0c184bcdf3dff2583615de7d450e3

SHA1
4690dbb7ac8c6cf6ab27754739fb70a4e66ddbd2

SHA256
928c103471ed97264ba745e6920e994b59abe614529f61128cffe2673473ec9a

SHA512
c4dc6e31e32c0fa344370e65d89abfdff8516a9ec4f29e448edfc183a72a93e4273113b83b5326f9182652d72230f1295d67095821e9f5019c8ccf5f77a3297f

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4477c8f1b0a3bcc0cfb232bebf452542

SHA1
da9a86ae29fa084241e4c6de88eaff35dd7acd4b

SHA256
78bf67c32acab2837ecd40633ce99c1a60041db0c82cb220f7dbb695ee5b5166

SHA512
811de4fb64f858ae533ef59ee4f5877a94d95bbc6479a8c5f2a2656e052ef493819375641890d33b6898c723500d590ae0528e9ded12d88a74d4562490b03a33

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1200-92-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download
memory/1200-93-0x0000000000630000-0x0000000000642000-memory.dmp

Filesize
72KB

Download
memory/1320-625-0x00000000003A0000-0x00000000004B0000-memory.dmp

Filesize
1.1MB

Download
memory/1528-60-0x000000001B640000-0x000000001B922000-memory.dmp

Filesize
2.9MB

Download
memory/1528-68-0x0000000001D10000-0x0000000001D18000-memory.dmp

Filesize
32KB

Download
memory/1624-746-0x0000000000290000-0x00000000002A2000-memory.dmp

Filesize
72KB

Download
memory/1744-15-0x00000000001F0000-0x00000000001FC000-memory.dmp

Filesize
48KB

Download
memory/1744-16-0x00000000001E0000-0x00000000001EC000-memory.dmp

Filesize
48KB

Download
memory/1744-17-0x0000000000200000-0x000000000020C000-memory.dmp

Filesize
48KB

Download
memory/1744-14-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/1744-13-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/2216-685-0x0000000001150000-0x0000000001260000-memory.dmp

Filesize
1.1MB

Download
memory/2216-686-0x00000000003C0000-0x00000000003D2000-memory.dmp

Filesize
72KB

Download
memory/2816-388-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download