dcrat | 2fdebcdb2fff41badf9105c6639f19bc63190ce098ccb36c325db04e3cb9ca52

Analysis

max time kernel
148s
max time network
151s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_2fdebcdb2fff41badf9105c6639f19bc63190ce098ccb36c325db04e3cb9ca52.exe
Size

1.3MB
MD5

9eaa7fb9e12d1d750a4cef87b5ac1c2b
SHA1

ddd8d8060ed453dd2664103013b6a1aaa3b586c4
SHA256

2fdebcdb2fff41badf9105c6639f19bc63190ce098ccb36c325db04e3cb9ca52
SHA512

69d8cf7a10a6e9426ead30bbc6798ae737df0ea86eddca6c97776e804c0e1d824adc43aa4c6878d1002dff5b221050bcbd23145f21c979f7a1feb001f5d1f711
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 39 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2824	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2648	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2552	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2384	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1244	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2752	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2360	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1944	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1064	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1740	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	932	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1968	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	612	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2496	2668	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2668	schtasks.exe	35

DCRat payload 12 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001706d-9.dat	dcrat
behavioral1/memory/2208-13-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2324-66-0x0000000000910000-0x0000000000A20000-memory.dmp	dcrat
behavioral1/memory/2748-177-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/380-237-0x00000000002A0000-0x00000000003B0000-memory.dmp	dcrat
behavioral1/memory/2764-297-0x0000000000B20000-0x0000000000C30000-memory.dmp	dcrat
behavioral1/memory/2396-357-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/2732-417-0x0000000001000000-0x0000000001110000-memory.dmp	dcrat
behavioral1/memory/1608-536-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/2956-597-0x00000000010B0000-0x00000000011C0000-memory.dmp	dcrat
behavioral1/memory/904-657-0x0000000000340000-0x0000000000450000-memory.dmp	dcrat
behavioral1/memory/872-717-0x0000000001170000-0x0000000001280000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 14 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1724	powershell.exe
1684	powershell.exe
872	powershell.exe
2632	powershell.exe
2236	powershell.exe
1528	powershell.exe
2056	powershell.exe
2488	powershell.exe
2168	powershell.exe
1732	powershell.exe
2776	powershell.exe
904	powershell.exe
1056	powershell.exe
2392	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2208	DllCommonsvc.exe
2324	lsass.exe
2748	lsass.exe
380	lsass.exe
2764	lsass.exe
2396	lsass.exe
2732	lsass.exe
2992	lsass.exe
1608	lsass.exe
2956	lsass.exe
904	lsass.exe
872	lsass.exe

Loads dropped DLL 2 IoCs

pid	Process
2856	cmd.exe
2856	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
26	raw.githubusercontent.com
36	raw.githubusercontent.com
4	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
32	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\ebf1f9fa8afd6d	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\101b941d020240	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_2fdebcdb2fff41badf9105c6639f19bc63190ce098ccb36c325db04e3cb9ca52.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 39 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1968	schtasks.exe
1572	schtasks.exe
1276	schtasks.exe
1244	schtasks.exe
1692	schtasks.exe
1944	schtasks.exe
2976	schtasks.exe
1336	schtasks.exe
2824	schtasks.exe
3032	schtasks.exe
2428	schtasks.exe
3000	schtasks.exe
1964	schtasks.exe
612	schtasks.exe
2552	schtasks.exe
2360	schtasks.exe
1156	schtasks.exe
1916	schtasks.exe
932	schtasks.exe
1396	schtasks.exe
2496	schtasks.exe
2648	schtasks.exe
2440	schtasks.exe
108	schtasks.exe
2140	schtasks.exe
2096	schtasks.exe
2768	schtasks.exe
2924	schtasks.exe
1624	schtasks.exe
2604	schtasks.exe
1296	schtasks.exe
2384	schtasks.exe
1472	schtasks.exe
2752	schtasks.exe
2600	schtasks.exe
1484	schtasks.exe
1740	schtasks.exe
1064	schtasks.exe
2396	schtasks.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2208	DllCommonsvc.exe
2776	powershell.exe
2632	powershell.exe
2236	powershell.exe
2392	powershell.exe
2488	powershell.exe
1684	powershell.exe
2168	powershell.exe
1724	powershell.exe
904	powershell.exe
2056	powershell.exe
1056	powershell.exe
872	powershell.exe
1732	powershell.exe
1528	powershell.exe
2324	lsass.exe
2748	lsass.exe
380	lsass.exe
2764	lsass.exe
2396	lsass.exe
2732	lsass.exe
2992	lsass.exe
1608	lsass.exe
2956	lsass.exe
904	lsass.exe
872	lsass.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	DllCommonsvc.exe
Token: SeDebugPrivilege	2776	powershell.exe
Token: SeDebugPrivilege	2632	powershell.exe
Token: SeDebugPrivilege	2236	powershell.exe
Token: SeDebugPrivilege	2392	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1684	powershell.exe
Token: SeDebugPrivilege	2168	powershell.exe
Token: SeDebugPrivilege	1724	powershell.exe
Token: SeDebugPrivilege	904	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1056	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	2324	lsass.exe
Token: SeDebugPrivilege	2748	lsass.exe
Token: SeDebugPrivilege	380	lsass.exe
Token: SeDebugPrivilege	2764	lsass.exe
Token: SeDebugPrivilege	2396	lsass.exe
Token: SeDebugPrivilege	2732	lsass.exe
Token: SeDebugPrivilege	2992	lsass.exe
Token: SeDebugPrivilege	1608	lsass.exe
Token: SeDebugPrivilege	2956	lsass.exe
Token: SeDebugPrivilege	904	lsass.exe
Token: SeDebugPrivilege	872	lsass.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1768 wrote to memory of 1224	1768	JaffaCakes118_2fdebcdb2fff41badf9105c6639f19bc63190ce098ccb36c325db04e3cb9ca52.exe	31
PID 1768 wrote to memory of 1224	1768	JaffaCakes118_2fdebcdb2fff41badf9105c6639f19bc63190ce098ccb36c325db04e3cb9ca52.exe	31
PID 1768 wrote to memory of 1224	1768	JaffaCakes118_2fdebcdb2fff41badf9105c6639f19bc63190ce098ccb36c325db04e3cb9ca52.exe	31
PID 1768 wrote to memory of 1224	1768	JaffaCakes118_2fdebcdb2fff41badf9105c6639f19bc63190ce098ccb36c325db04e3cb9ca52.exe	31
PID 1224 wrote to memory of 2856	1224	WScript.exe	32
PID 1224 wrote to memory of 2856	1224	WScript.exe	32
PID 1224 wrote to memory of 2856	1224	WScript.exe	32
PID 1224 wrote to memory of 2856	1224	WScript.exe	32
PID 2856 wrote to memory of 2208	2856	cmd.exe	34
PID 2856 wrote to memory of 2208	2856	cmd.exe	34
PID 2856 wrote to memory of 2208	2856	cmd.exe	34
PID 2856 wrote to memory of 2208	2856	cmd.exe	34
PID 2208 wrote to memory of 2776	2208	DllCommonsvc.exe	75
PID 2208 wrote to memory of 2776	2208	DllCommonsvc.exe	75
PID 2208 wrote to memory of 2776	2208	DllCommonsvc.exe	75
PID 2208 wrote to memory of 2632	2208	DllCommonsvc.exe	77
PID 2208 wrote to memory of 2632	2208	DllCommonsvc.exe	77
PID 2208 wrote to memory of 2632	2208	DllCommonsvc.exe	77
PID 2208 wrote to memory of 2236	2208	DllCommonsvc.exe	79
PID 2208 wrote to memory of 2236	2208	DllCommonsvc.exe	79
PID 2208 wrote to memory of 2236	2208	DllCommonsvc.exe	79
PID 2208 wrote to memory of 1056	2208	DllCommonsvc.exe	80
PID 2208 wrote to memory of 1056	2208	DllCommonsvc.exe	80
PID 2208 wrote to memory of 1056	2208	DllCommonsvc.exe	80
PID 2208 wrote to memory of 1724	2208	DllCommonsvc.exe	82
PID 2208 wrote to memory of 1724	2208	DllCommonsvc.exe	82
PID 2208 wrote to memory of 1724	2208	DllCommonsvc.exe	82
PID 2208 wrote to memory of 2056	2208	DllCommonsvc.exe	83
PID 2208 wrote to memory of 2056	2208	DllCommonsvc.exe	83
PID 2208 wrote to memory of 2056	2208	DllCommonsvc.exe	83
PID 2208 wrote to memory of 904	2208	DllCommonsvc.exe	84
PID 2208 wrote to memory of 904	2208	DllCommonsvc.exe	84
PID 2208 wrote to memory of 904	2208	DllCommonsvc.exe	84
PID 2208 wrote to memory of 1528	2208	DllCommonsvc.exe	85
PID 2208 wrote to memory of 1528	2208	DllCommonsvc.exe	85
PID 2208 wrote to memory of 1528	2208	DllCommonsvc.exe	85
PID 2208 wrote to memory of 872	2208	DllCommonsvc.exe	87
PID 2208 wrote to memory of 872	2208	DllCommonsvc.exe	87
PID 2208 wrote to memory of 872	2208	DllCommonsvc.exe	87
PID 2208 wrote to memory of 2488	2208	DllCommonsvc.exe	88
PID 2208 wrote to memory of 2488	2208	DllCommonsvc.exe	88
PID 2208 wrote to memory of 2488	2208	DllCommonsvc.exe	88
PID 2208 wrote to memory of 1732	2208	DllCommonsvc.exe	89
PID 2208 wrote to memory of 1732	2208	DllCommonsvc.exe	89
PID 2208 wrote to memory of 1732	2208	DllCommonsvc.exe	89
PID 2208 wrote to memory of 2392	2208	DllCommonsvc.exe	91
PID 2208 wrote to memory of 2392	2208	DllCommonsvc.exe	91
PID 2208 wrote to memory of 2392	2208	DllCommonsvc.exe	91
PID 2208 wrote to memory of 2168	2208	DllCommonsvc.exe	92
PID 2208 wrote to memory of 2168	2208	DllCommonsvc.exe	92
PID 2208 wrote to memory of 2168	2208	DllCommonsvc.exe	92
PID 2208 wrote to memory of 1684	2208	DllCommonsvc.exe	93
PID 2208 wrote to memory of 1684	2208	DllCommonsvc.exe	93
PID 2208 wrote to memory of 1684	2208	DllCommonsvc.exe	93
PID 2208 wrote to memory of 2324	2208	DllCommonsvc.exe	99
PID 2208 wrote to memory of 2324	2208	DllCommonsvc.exe	99
PID 2208 wrote to memory of 2324	2208	DllCommonsvc.exe	99
PID 2324 wrote to memory of 2364	2324	lsass.exe	104
PID 2324 wrote to memory of 2364	2324	lsass.exe	104
PID 2324 wrote to memory of 2364	2324	lsass.exe	104
PID 2364 wrote to memory of 2980	2364	cmd.exe	106
PID 2364 wrote to memory of 2980	2364	cmd.exe	106
PID 2364 wrote to memory of 2980	2364	cmd.exe	106
PID 2364 wrote to memory of 2748	2364	cmd.exe	107

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fdebcdb2fff41badf9105c6639f19bc63190ce098ccb36c325db04e3cb9ca52.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2fdebcdb2fff41badf9105c6639f19bc63190ce098ccb36c325db04e3cb9ca52.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1768
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1224
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2856
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\NetHood\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1528
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2168
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1684
    - - C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2324
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2364
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2980
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2748
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat"
        8⤵
        
        PID:1988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1700
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:380
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat"
        10⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2500
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"
        12⤵
        
        PID:2484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2592
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2396
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat"
        14⤵
        
        PID:536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2064
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat"
        16⤵
        
        PID:884
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2004
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        18⤵
        
        PID:1664
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1512
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat"
        20⤵
        
        PID:2316
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1716
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat"
        22⤵
        
        PID:1484
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1268
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat"
        24⤵
        
        PID:832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2780
        
        C:\providercommon\lsass.exe
        
        "C:\providercommon\lsass.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2824

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Users\Default\NetHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 9 /tr "'C:\Users\Default\NetHood\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3032

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2648

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2384

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 9 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\providercommon\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1244

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2752

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\providercommon\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Microsoft Office\MEDIA\CAGCAT10\1033\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 11 /tr "'C:\providercommon\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1944

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\providercommon\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f4ba082-69f6-11ef-a143-62cb582c238c\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:932

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Program Files\Reference Assemblies\Microsoft\Framework\v3.5\es\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2496

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Users\Admin\AppData\Roaming\Mozilla\Extensions\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4cf1bc91212951e76f0e71023897f8a

SHA1
b1d718892dc12bd89fd5d3477664b6280f0f36e5

SHA256
7cbe00c03ea07117524cbc77582ebd58e3a10f41ce46f37e2eb3ca74159cf3e7

SHA512
ce65727e18131d8e88a3f943e1802d8f550a457f7fd4e2ebd536b2b3f4685982706a998cb4c0e20ea4552efe963a165108c845864f5da2afc1f0f7048b15a60e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
db44c042e14e50b0fe9d692d5115c800

SHA1
21408a3b891e3c5c7a52ab5184a90b858c40d780

SHA256
363bbe0a11e73defdd3b8dca1938bf6e9e9dd873334b63bbc20b5d72bd43585e

SHA512
4d3dc5eca004204847adc4cebeadb36268cc8d79bf7d78bc709e612d8da8cca9addd7cd654ed5abfa1ef0de60d093270243a24aee783d5b812b8cd6b268c9f93

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d6a8c39c59106beebbe40dfe9a292006

SHA1
7f255d77474bc84a38f38a123f753020b751bd64

SHA256
dd75beed17a74eab04f7d63aacb4c08c2d1c0073abed46aac558f192eeccda90

SHA512
596062385c1f9fbe7a5f16fd3a41b54799579c3c62a07e3712b536f13145c7a83565f14b17d7528cbeaa2a80fcdf44d01eb6170ae848e6658ac04a2bc2d59e3f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
879e30aeaa2307194428e031cf41ed31

SHA1
8ab81604b276c481efd66e575b19a0153299bc83

SHA256
b85c48ce5dff9fe0e5f894345526aa609b7aad53be202b0b28e0a80f1cfcb4d2

SHA512
733b5b1261625d1fb36df3439cf2404e37110b878abe087f0bcf64d14ad5d63531ddf6abb70b9925c917e52397cd93665ea7dce29d1aaed74f654de4e15dafb4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
dfeca4fe3dedb156f3600cad77d5f334

SHA1
9c4f8d7bef06dea87fb09645c9f2ebb23ac6708d

SHA256
2cc0a08c5a15e248742f89d36780b1ea5b0973daa81c6f14d87da343a8a3c205

SHA512
fc21011e9fa1e788d4089e0aa4e9b412c0d20c62cce76c5cfe5b2fe920ea79033cc5b7897dd1f828b81d539a3c8910d6079970d5235b1d2489ec2efed3d72f97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
04c621ea784b19a44956d6ee80f03e59

SHA1
dca6362affcd6cf3a40c65997441eababde9adc6

SHA256
ec08d9ca4a717cd92594c5cc8e8adb30eb33bea0bc0c14b7a2d16d5cc23dc4ff

SHA512
1d91b9117a2199c0551913f28eeebf864b961d38bb3e054d800efec40002f0bdb139021f76f85bf0ddf7368221bf900aa0c194c4eaaf62160aa3842cf5bd650f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ccaac28e28ab04b68747f5f8365960dd

SHA1
974c10b818c76dcb1f65f6ae7b4d6cc4a6d6137e

SHA256
308916aedcd787775723a2ffbbfa71db0f1faf15ef83e4d6a3c20ecef6cef5b0

SHA512
933bded2321a8267eb9d0e53c782a587a619163bb772b1971b5d2b75b6870891afb6329381def002aaa0aae5f9c3ffdafd9ead0a530db7e10dbb9eac5058bf0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2c2ab4a11a9e421a745cefcda9a5b2c1

SHA1
253311456c6b4b1e1183fa1d928a1c8f5ae15846

SHA256
30dbdc51920cafdba3c55f36255f364178ea93b605bf033cbe9b1cc0922937a0

SHA512
b64e60f748d103e56a55262abc27acee1af11cacf9a5ad31526d37a4f20d3687ebe03f698eedfb26d5341f3fab0dcab9f7c69e2a5ad7968b52bb3af4a61fc997

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
01599509bed05ef8b3e851b286fe587e

SHA1
e9e8510b988426f98a1c552e07aaf0d5e3b78b47

SHA256
59d5780621deffe110b95b9e26b605aa958381700995290e47eb0ef3a3ef492b

SHA512
52a53c1c2bd82b606de3c11420f5d764f9b88c027288efd144fcf6d7c450116b5206e1b1b89329bf9f554f084ae88fca1772e4f83861bcf814d2bef9565bf948

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat

Filesize
192B

MD5
547a42d611bcbe12bc24c8b38de6eff7

SHA1
297012fe818659cc7fcc7f8f9bae755766003ca9

SHA256
4bd975b795382f5b53374b1bed715135cd485a7546f09520a420904418011cdd

SHA512
543ff120d9ed3693483e7a003682a5a4665d79821f1bd95a616a2c2b849b4e13d3f72aa5719a7a1633d4553bbebb7e2e41eb8a44c509a99f7d6be436414fc881

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab21A6.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar21D8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\X5jGqiFaSS.bat

Filesize
192B

MD5
aa5719d0ad2ee905072c9548310fd4f2

SHA1
172bb35f5edd6e047ee63be6f1edda27087a8400

SHA256
ec7094d26cadafa1c313da0be60b458e37650e5f80ef11f1585b4a5075a2fad9

SHA512
78c6ff56dbd98f3fd66862be8d1f729efa2179e3c9daebac9fa444444d916b660222fbf771a282e0bc484b237a6aa3b3625f56d604308f581387066905b1e702

Download Submit
C:\Users\Admin\AppData\Local\Temp\Y23Kn3rQqK.bat

Filesize
192B

MD5
eee0d3a983db0aec9299fd36a80c3815

SHA1
5cbd8fd2b181e91d57d9c50f6ec20a3936f926dc

SHA256
cb72f7fd963c69ac732f3c56efa8bd0734e7713451321657e3fbf252f99b8e54

SHA512
63b31caad0409c15106e121f1e8ea30c32c6ccd30813753ed2380f8a9be09e53be8244431efeb544ec99e3d0d1e07814466416e31b338238c4c43b33dfc754fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\bGwFtC02oQ.bat

Filesize
192B

MD5
4770af5fb7fa62d819d3f5dc239c65bf

SHA1
1df90538369ce6265d7d01178e42186b915ae6df

SHA256
f8831efd2bead2a1fbd29f0d763c9c2f20612c0f6379422c77530dacf58b4ff1

SHA512
fce9b7367494af6a5f4926ec0bd23259557528e8a1a8f40cf57e65b8bc433305a410407d90d006f89bfca3de13f8b9d0244b43d6b6b058301128707bc7f9aabe

Download Submit
C:\Users\Admin\AppData\Local\Temp\cLz7lFEPwa.bat

Filesize
192B

MD5
ffdaaa4bb120857eaebcab524589adcc

SHA1
02ef8bf83fc7344f96a6ce11e708a75dbd2b0f29

SHA256
e7c3b6a76db7932ea4059d074cd09a0e16a3d220146676273bcf2f9c5490eca2

SHA512
1162605054e382044b7680e992e25d6cf6e8e846b9a8f013dd80b527e1b67951a0a9b3bb9e1107fe1641c0480a7f7d3e8a9f472ff581f46f924851b08eac0e16

Download Submit
C:\Users\Admin\AppData\Local\Temp\fjnbjzFmbP.bat

Filesize
192B

MD5
bf161b4634d800feaa2366688f64896b

SHA1
b93b5b89524fe518589caaa45f020322fda3688d

SHA256
2db03f6423b7f126c4c098bc4a96807ed1cd75d3dc6393f12a91844b8ab84cc2

SHA512
20c300fe47f4a9f9e59eecc5299d483402279aa92e24d2f41167103f1d3051faf19dcbcd8f3ba8e277c4cab04c608ac622419f868a8489d127c59de7d5677508

Download Submit
C:\Users\Admin\AppData\Local\Temp\gyyX5OxKdc.bat

Filesize
192B

MD5
cb2f00b9c60f0e3f29d7f0cc60ffdcdb

SHA1
66b47b7e9514f65501e64c247c25308b36a827cb

SHA256
1fa11f89b7df89974151706021f43057580cfa3287b4ea2062149a4d00d82c20

SHA512
99a156093422cfd77af66d11106e275627e292e8115ad8b9030bc1e9d5edbf648f84297cd77249b069c7dc81fd5f6cc5d5781df9b98301cb2803cf89265e9154

Download Submit
C:\Users\Admin\AppData\Local\Temp\q3WH03M43W.bat

Filesize
192B

MD5
0852bb07cc387f33abacb0c872bf45e1

SHA1
9b89fd07863843609be431e5cb552292045b3e09

SHA256
bc5a25eae252919e0d4bb4b80c853658ebb9008ac6ec3e12231035bc0d40e33a

SHA512
96795c571a53d7a61792d43bb983dab49175a65db009d076768ecc3c352a5b6e2d9805eafaa12292998127b5617bf189b015d1f1d865034368a9d02cc88d2314

Download Submit
C:\Users\Admin\AppData\Local\Temp\sPXGbYzrvf.bat

Filesize
192B

MD5
712b14921e8c53c1ec2f3bc9267cce1c

SHA1
00e0f6f072fb5b108d7aeb1b9ff761fa6a42d514

SHA256
2d37ed88a0f816a9a71e2f1fa5f3563e526a6fa5a156ca43b17b2f7bd5b9c531

SHA512
e4e38e7742344722218896e32970b125c1f22a9be6cb2b21706501c516bed1e120f883363ad3131424f9d4dfecbafd4109a6b228ff2734e6927fc65fc9f1e998

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
192B

MD5
e654dfabb5f9cbba7644897b43769441

SHA1
eef0710ba9f801cb0d3b5a830d26eef980e04b21

SHA256
10b5f94906ab3e2af69d8f85e6d8574a5afaad9056a97655819ed9e5260dba97

SHA512
dda395a21cfd9a07303d669ab10eb6ed929edcc74bcabffab5fd3e22bdeded416a7fec7089941a5ffd1a10b833b0386b4abd293f6c719761cb4bd13d3415d933

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
2dc20fe6d249490a73cb355a7181f422

SHA1
0bd6e300f4b5fafb4e720e647ebb7f5a1540244d

SHA256
9ed2fa29b324f1a3dde0be581ebf4fd804d277c1f3cba985ec23039e9f390145

SHA512
6a5a857f85aeb6217d5397f0e19f2544e9b40f0feaa4f03441f4c8ef960f699c364b11d3bb87f22aa89485a8ffc7a27276f7fd6d3c098d70945ec50f8c612f5c

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/380-237-0x00000000002A0000-0x00000000003B0000-memory.dmp

Filesize
1.1MB

Download
memory/872-717-0x0000000001170000-0x0000000001280000-memory.dmp

Filesize
1.1MB

Download
memory/872-718-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/904-657-0x0000000000340000-0x0000000000450000-memory.dmp

Filesize
1.1MB

Download
memory/1608-537-0x00000000002E0000-0x00000000002F2000-memory.dmp

Filesize
72KB

Download
memory/1608-536-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download
memory/2208-15-0x0000000000160000-0x000000000016C000-memory.dmp

Filesize
48KB

Download
memory/2208-13-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/2208-14-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2208-17-0x0000000000170000-0x000000000017C000-memory.dmp

Filesize
48KB

Download
memory/2208-16-0x0000000000150000-0x000000000015C000-memory.dmp

Filesize
48KB

Download
memory/2324-66-0x0000000000910000-0x0000000000A20000-memory.dmp

Filesize
1.1MB

Download
memory/2396-357-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2632-63-0x000000001B6A0000-0x000000001B982000-memory.dmp

Filesize
2.9MB

Download
memory/2732-417-0x0000000001000000-0x0000000001110000-memory.dmp

Filesize
1.1MB

Download
memory/2748-177-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2764-297-0x0000000000B20000-0x0000000000C30000-memory.dmp

Filesize
1.1MB

Download
memory/2776-64-0x0000000002790000-0x0000000002798000-memory.dmp

Filesize
32KB

Download
memory/2956-597-0x00000000010B0000-0x00000000011C0000-memory.dmp

Filesize
1.1MB

Download