dcrat | c77459cfe110805a50ccb73d7b39f8b37d53c0aa14aa26821866f33dc6c2b658

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 10:38

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c77459cfe110805a50ccb73d7b39f8b37d53c0aa14aa26821866f33dc6c2b658.exe
Size

1.3MB
MD5

2ef6f0134ea7c28f7083983c6a171c98
SHA1

a5363da235e8a6b6b32c85f1d2f0840bbb03eb74
SHA256

c77459cfe110805a50ccb73d7b39f8b37d53c0aa14aa26821866f33dc6c2b658
SHA512

93b057284e91b6d654ebbf82c1fe27ceef58e0a0d566440ed5e1d00638dc90553bd81e4af3fee079ba0ec9a23f93590a60404c25b9cdb07f5e46d5836b70a677
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	624	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2228	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1696	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2872	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2448	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2956	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1916	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2144	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2988	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	296	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	832	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1620	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2240	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	928	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2564	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1780	2564	schtasks.exe	34

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001748f-10.dat	dcrat
behavioral1/memory/2756-13-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat
behavioral1/memory/1136-115-0x0000000000C30000-0x0000000000D40000-memory.dmp	dcrat
behavioral1/memory/2056-235-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/812-295-0x00000000010E0000-0x00000000011F0000-memory.dmp	dcrat
behavioral1/memory/2364-355-0x0000000000350000-0x0000000000460000-memory.dmp	dcrat
behavioral1/memory/1708-415-0x0000000000F00000-0x0000000001010000-memory.dmp	dcrat
behavioral1/memory/604-534-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat
behavioral1/memory/2040-594-0x0000000000B60000-0x0000000000C70000-memory.dmp	dcrat
behavioral1/memory/1588-654-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2056	powershell.exe
1740	powershell.exe
1640	powershell.exe
1728	powershell.exe
1732	powershell.exe
2444	powershell.exe
2468	powershell.exe
1776	powershell.exe
1556	powershell.exe
812	powershell.exe
1544	powershell.exe
2060	powershell.exe
632	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2756	DllCommonsvc.exe
1136	WmiPrvSE.exe
2592	WmiPrvSE.exe
2056	WmiPrvSE.exe
812	WmiPrvSE.exe
2364	WmiPrvSE.exe
1708	WmiPrvSE.exe
1484	WmiPrvSE.exe
604	WmiPrvSE.exe
2040	WmiPrvSE.exe
1588	WmiPrvSE.exe

Loads dropped DLL 2 IoCs

pid	Process
2772	cmd.exe
2772	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
13	raw.githubusercontent.com
16	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
37	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
30	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Media Player\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Photo Viewer\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Media Player\24dbde2999530e	DllCommonsvc.exe

Drops file in Windows directory 10 IoCs

description	ioc	Process
File created	C:\Windows\Web\Wallpaper\Architecture\lsm.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\Web\Wallpaper\Architecture\lsm.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\csrss.exe	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\5940a34987c991	DllCommonsvc.exe
File created	C:\Windows\Web\Wallpaper\Architecture\101b941d020240	DllCommonsvc.exe
File created	C:\Windows\servicing\it-IT\Idle.exe	DllCommonsvc.exe
File created	C:\Windows\Downloaded Program Files\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Windows\Vss\taskhost.exe	DllCommonsvc.exe
File created	C:\Windows\Vss\b75386f1303e64	DllCommonsvc.exe
File created	C:\Windows\LiveKernelReports\dllhost.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c77459cfe110805a50ccb73d7b39f8b37d53c0aa14aa26821866f33dc6c2b658.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3068	schtasks.exe
2872	schtasks.exe
624	schtasks.exe
2656	schtasks.exe
2956	schtasks.exe
668	schtasks.exe
2404	schtasks.exe
2144	schtasks.exe
2424	schtasks.exe
1592	schtasks.exe
1976	schtasks.exe
1924	schtasks.exe
2976	schtasks.exe
2252	schtasks.exe
2148	schtasks.exe
2448	schtasks.exe
3008	schtasks.exe
296	schtasks.exe
832	schtasks.exe
1780	schtasks.exe
2228	schtasks.exe
1696	schtasks.exe
764	schtasks.exe
2888	schtasks.exe
532	schtasks.exe
2248	schtasks.exe
2988	schtasks.exe
1620	schtasks.exe
1636	schtasks.exe
2904	schtasks.exe
1104	schtasks.exe
1804	schtasks.exe
928	schtasks.exe
1028	schtasks.exe
1916	schtasks.exe
2240	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
2756	DllCommonsvc.exe
1544	powershell.exe
1556	powershell.exe
2056	powershell.exe
1740	powershell.exe
1728	powershell.exe
632	powershell.exe
1640	powershell.exe
1776	powershell.exe
2444	powershell.exe
2468	powershell.exe
2060	powershell.exe
812	powershell.exe
1732	powershell.exe
1136	WmiPrvSE.exe
2592	WmiPrvSE.exe
2056	WmiPrvSE.exe
812	WmiPrvSE.exe
2364	WmiPrvSE.exe
1708	WmiPrvSE.exe
1484	WmiPrvSE.exe
604	WmiPrvSE.exe
2040	WmiPrvSE.exe
1588	WmiPrvSE.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2756	DllCommonsvc.exe
Token: SeDebugPrivilege	1544	powershell.exe
Token: SeDebugPrivilege	1556	powershell.exe
Token: SeDebugPrivilege	2056	powershell.exe
Token: SeDebugPrivilege	1740	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	632	powershell.exe
Token: SeDebugPrivilege	1640	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	2444	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2060	powershell.exe
Token: SeDebugPrivilege	812	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	1136	WmiPrvSE.exe
Token: SeDebugPrivilege	2592	WmiPrvSE.exe
Token: SeDebugPrivilege	2056	WmiPrvSE.exe
Token: SeDebugPrivilege	812	WmiPrvSE.exe
Token: SeDebugPrivilege	2364	WmiPrvSE.exe
Token: SeDebugPrivilege	1708	WmiPrvSE.exe
Token: SeDebugPrivilege	1484	WmiPrvSE.exe
Token: SeDebugPrivilege	604	WmiPrvSE.exe
Token: SeDebugPrivilege	2040	WmiPrvSE.exe
Token: SeDebugPrivilege	1588	WmiPrvSE.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2224 wrote to memory of 2808	2224	JaffaCakes118_c77459cfe110805a50ccb73d7b39f8b37d53c0aa14aa26821866f33dc6c2b658.exe	30
PID 2224 wrote to memory of 2808	2224	JaffaCakes118_c77459cfe110805a50ccb73d7b39f8b37d53c0aa14aa26821866f33dc6c2b658.exe	30
PID 2224 wrote to memory of 2808	2224	JaffaCakes118_c77459cfe110805a50ccb73d7b39f8b37d53c0aa14aa26821866f33dc6c2b658.exe	30
PID 2224 wrote to memory of 2808	2224	JaffaCakes118_c77459cfe110805a50ccb73d7b39f8b37d53c0aa14aa26821866f33dc6c2b658.exe	30
PID 2808 wrote to memory of 2772	2808	WScript.exe	31
PID 2808 wrote to memory of 2772	2808	WScript.exe	31
PID 2808 wrote to memory of 2772	2808	WScript.exe	31
PID 2808 wrote to memory of 2772	2808	WScript.exe	31
PID 2772 wrote to memory of 2756	2772	cmd.exe	33
PID 2772 wrote to memory of 2756	2772	cmd.exe	33
PID 2772 wrote to memory of 2756	2772	cmd.exe	33
PID 2772 wrote to memory of 2756	2772	cmd.exe	33
PID 2756 wrote to memory of 1776	2756	DllCommonsvc.exe	71
PID 2756 wrote to memory of 1776	2756	DllCommonsvc.exe	71
PID 2756 wrote to memory of 1776	2756	DllCommonsvc.exe	71
PID 2756 wrote to memory of 1556	2756	DllCommonsvc.exe	72
PID 2756 wrote to memory of 1556	2756	DllCommonsvc.exe	72
PID 2756 wrote to memory of 1556	2756	DllCommonsvc.exe	72
PID 2756 wrote to memory of 1544	2756	DllCommonsvc.exe	73
PID 2756 wrote to memory of 1544	2756	DllCommonsvc.exe	73
PID 2756 wrote to memory of 1544	2756	DllCommonsvc.exe	73
PID 2756 wrote to memory of 812	2756	DllCommonsvc.exe	74
PID 2756 wrote to memory of 812	2756	DllCommonsvc.exe	74
PID 2756 wrote to memory of 812	2756	DllCommonsvc.exe	74
PID 2756 wrote to memory of 2056	2756	DllCommonsvc.exe	75
PID 2756 wrote to memory of 2056	2756	DllCommonsvc.exe	75
PID 2756 wrote to memory of 2056	2756	DllCommonsvc.exe	75
PID 2756 wrote to memory of 1740	2756	DllCommonsvc.exe	76
PID 2756 wrote to memory of 1740	2756	DllCommonsvc.exe	76
PID 2756 wrote to memory of 1740	2756	DllCommonsvc.exe	76
PID 2756 wrote to memory of 2060	2756	DllCommonsvc.exe	77
PID 2756 wrote to memory of 2060	2756	DllCommonsvc.exe	77
PID 2756 wrote to memory of 2060	2756	DllCommonsvc.exe	77
PID 2756 wrote to memory of 1640	2756	DllCommonsvc.exe	78
PID 2756 wrote to memory of 1640	2756	DllCommonsvc.exe	78
PID 2756 wrote to memory of 1640	2756	DllCommonsvc.exe	78
PID 2756 wrote to memory of 1728	2756	DllCommonsvc.exe	79
PID 2756 wrote to memory of 1728	2756	DllCommonsvc.exe	79
PID 2756 wrote to memory of 1728	2756	DllCommonsvc.exe	79
PID 2756 wrote to memory of 1732	2756	DllCommonsvc.exe	80
PID 2756 wrote to memory of 1732	2756	DllCommonsvc.exe	80
PID 2756 wrote to memory of 1732	2756	DllCommonsvc.exe	80
PID 2756 wrote to memory of 632	2756	DllCommonsvc.exe	81
PID 2756 wrote to memory of 632	2756	DllCommonsvc.exe	81
PID 2756 wrote to memory of 632	2756	DllCommonsvc.exe	81
PID 2756 wrote to memory of 2468	2756	DllCommonsvc.exe	82
PID 2756 wrote to memory of 2468	2756	DllCommonsvc.exe	82
PID 2756 wrote to memory of 2468	2756	DllCommonsvc.exe	82
PID 2756 wrote to memory of 2444	2756	DllCommonsvc.exe	83
PID 2756 wrote to memory of 2444	2756	DllCommonsvc.exe	83
PID 2756 wrote to memory of 2444	2756	DllCommonsvc.exe	83
PID 2756 wrote to memory of 2020	2756	DllCommonsvc.exe	97
PID 2756 wrote to memory of 2020	2756	DllCommonsvc.exe	97
PID 2756 wrote to memory of 2020	2756	DllCommonsvc.exe	97
PID 2020 wrote to memory of 2188	2020	cmd.exe	99
PID 2020 wrote to memory of 2188	2020	cmd.exe	99
PID 2020 wrote to memory of 2188	2020	cmd.exe	99
PID 2020 wrote to memory of 1136	2020	cmd.exe	100
PID 2020 wrote to memory of 1136	2020	cmd.exe	100
PID 2020 wrote to memory of 1136	2020	cmd.exe	100
PID 1136 wrote to memory of 2836	1136	WmiPrvSE.exe	101
PID 1136 wrote to memory of 2836	1136	WmiPrvSE.exe	101
PID 1136 wrote to memory of 2836	1136	WmiPrvSE.exe	101
PID 2836 wrote to memory of 2556	2836	cmd.exe	103

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c77459cfe110805a50ccb73d7b39f8b37d53c0aa14aa26821866f33dc6c2b658.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c77459cfe110805a50ccb73d7b39f8b37d53c0aa14aa26821866f33dc6c2b658.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2224
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2772
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Web\Wallpaper\Architecture\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1556
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Downloaded Program Files\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Vss\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1740
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2060
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1732
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\LiveKernelReports\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:632
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Media Player\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mj9p1oFRoa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2020
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2188
      - C:\Program Files\Windows Media Player\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\WmiPrvSE.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2836
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2556
        
        C:\Program Files\Windows Media Player\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\WmiPrvSE.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat"
        9⤵
        
        PID:1628
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:1056
        
        C:\Program Files\Windows Media Player\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\WmiPrvSE.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2056
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat"
        11⤵
        
        PID:1768
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:1484
        
        C:\Program Files\Windows Media Player\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\WmiPrvSE.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat"
        13⤵
        
        PID:1608
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2620
        
        C:\Program Files\Windows Media Player\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\WmiPrvSE.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2364
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat"
        15⤵
        
        PID:2092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2320
        
        C:\Program Files\Windows Media Player\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\WmiPrvSE.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1708
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat"
        17⤵
        
        PID:1000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2056
        
        C:\Program Files\Windows Media Player\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\WmiPrvSE.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat"
        19⤵
        
        PID:928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2764
        
        C:\Program Files\Windows Media Player\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\WmiPrvSE.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat"
        21⤵
        
        PID:2428
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:852
        
        C:\Program Files\Windows Media Player\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\WmiPrvSE.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2040
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat"
        23⤵
        
        PID:2948
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:1704
        
        C:\Program Files\Windows Media Player\WmiPrvSE.exe
        
        "C:\Program Files\Windows Media Player\WmiPrvSE.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat"
        25⤵
        
        PID:572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        26⤵
        
        PID:2516

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Windows\Web\Wallpaper\Architecture\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Windows\Web\Wallpaper\Architecture\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Windows\Web\Wallpaper\Architecture\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Windows\Downloaded Program Files\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2228

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1696

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 7 /tr "'C:\Program Files\Windows Media Player\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2872

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2448

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Windows\Vss\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Windows\Vss\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Users\Admin\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Users\Admin\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Windows Photo Viewer\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\providercommon\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\providercommon\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2144

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 5 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:296

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 11 /tr "'C:\Windows\LiveKernelReports\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1620

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 7 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 6 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:928

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Media Player\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1780

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35b30c1e6efd65522c4c84aedc8fc385

SHA1
79ab520754913ce54ce05449c88b5c18ff02e38b

SHA256
0938b0cf52fd88e7090a3b707fa19df496e47383ea089478b94f3762e9e2f745

SHA512
f3cb2c98b46b4d1f6db944396a9bea60be20118baccfc0eb046d120e30b9bee222adc7ffc14497d2519f45c2871bee84cea168af4feb02727b4dab86797053f2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e9e36ff339d68b5828f38e5d49128a7

SHA1
65aa12f0f246c4c86ef26d48739aa1924ff03f6a

SHA256
0cec2e277c758b7c42907afa0ccb169b7600019b7a0c3cca5db91871ee810c62

SHA512
3e9c4a9a9a51ecf0daa253603f53d8ba336a4647c27cfdaabd77724e5864c871738bded5165bc6c8499346810673784022c3a29f2662fb5f0ea414b1cb354bea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9782018dbe925258406cacc0cf10204e

SHA1
aed120c195b59db08f195b6f652e74c9ff60cd6e

SHA256
ff967d526b5712e0e50726c37e5b8ac8d33c7f433542026fdc4b9695a264b872

SHA512
500c58e8da3c177ef090df56fc676ebb7c18bcca4ce6845afc940d40334f36d9eb78381fbf32e11138d2f938c8f52d14ef0c19a156c84009f32f57916f117cb8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
87a37c1ab09d7212f5ee6a127f1f7184

SHA1
0c124e1cdbf7732018fffb55e37f942f6661798c

SHA256
27aa6da631ce888e9cff741d3b0cb634f080927ec76304043d5063228fda17a8

SHA512
560c81547229927c26358e2303ee536275a5bf01b9c02d93a7e26317d13cdb583cd7cd3237674f4cf2ce0253593ce5c8b6ac68ba47509dcbd00d294409c1bb9e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f44f3a736a179389efebaac6fefe156

SHA1
d044bf8e4fcadc3d7df2cfea302a33afd4976094

SHA256
78ff4062f808c159bc0d422d71149241fcead1921f874f7a4301d8ad2b519ff9

SHA512
532d15c297ca8813ce64c7adef386a5c3996bc304abf2c125a759a2f785ba8bdee336aa1852d8f44ae9537510abe2bf6378c45f4bc1c817c9c4d4e8770667312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d32e2dba6a9ac025ec443fb41a640e1f

SHA1
14c9773826783aed520deec09cf524a036d5664c

SHA256
28324b10642b3a345ff3bd174bcbe8b0f94542c13f234ab4e430042ef8da25e5

SHA512
60bccbdb55f9777ce859a4f4705f4a1b5e50c21508c41930890a295943de3795fc1ef741db9861ef1c0d56fb2beae2c06937af362d36e7d59cb37a602dbd8cad

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c5a215ec9fde974a87f9913465580877

SHA1
42fec4426f9f0bca760e8df615bb71ef3dfed192

SHA256
db0246d8e0b923bae6d72979e95b82c2d32776c5fce154e79ca77a0dae1efdd3

SHA512
af47aa05bbf39da031157b6d9dec3c9c4f4ee654fecbda44fd9b43c88d37628e006671aea0d82d7377d39a45d104ba7828ef07d18d01f9133b661ae58c600f38

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
56ac1a908450ec383b77acb36cdc870c

SHA1
57c6cd3043f5e4aeaa6a7015e9f83cd32bfbab3c

SHA256
9ee9ed0359081d7c83a2a5790208555669ccd91690be1162706f27f0d41aec87

SHA512
306d1bbb568258119769af3df721d72d699b8e510d32f6b7968db2d7dbb25cf48b07767a4735ec6a5e51a5de545f83596ceab74897cfa4517f43cff1755e4a8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f2b392c44dee67e08d5c10a0a9b26f6

SHA1
e65e0a2b55f48ee76f30de21d8ac5e65df8939f6

SHA256
063c955fd4cdea08e9f7aa0cbb98ede0022e6e06a668eb3c43c66bc4bc8410f2

SHA512
1fb6ba65cff8ab41e1727740ffa3ac8bb891fba6d32f2158c01c81b70b97a83186f290ccfbb2508b46f2922d71fd5768f48d303f5e7ec57d24de90682dcd5928

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3600.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\EYKlAcFNfO.bat

Filesize
215B

MD5
1aca99f4937ed0e20367567652a1ce20

SHA1
536282708c043566d182ca74f36a4c21687aa8bb

SHA256
77fdc56b52df82840442f8151b88654e134d2ed2c8213c244ef5ef93bca1ecd7

SHA512
d0f718d6beb975cdbb535b29fc03185d4d23a51804fc1e3a9a4930d22dea633066678e4e4a945c61b49b135a6b06931fb996597645cc86d5a8a1bd6b0117d713

Download Submit
C:\Users\Admin\AppData\Local\Temp\F82V1kRox2.bat

Filesize
215B

MD5
b1b01f51fb8dd9a966a4ce854323540a

SHA1
d768729e8f4bfa4e96fcf61040bd9cb2dda9a0bc

SHA256
efdb30a7f5fa8bf1c6ac0dff572b0b62a5bc7dd5d137d20709ceaafa735ab9df

SHA512
9a41ad4414aaa1338b4676632c0ad6d8b9951bfa60463d4126bd62c930aeca1c3d1d1be4e41f71c21777359e6575ab7a5f9d32c52521e21eabae211c0c75a679

Download Submit
C:\Users\Admin\AppData\Local\Temp\MNu5MeZyGQ.bat

Filesize
215B

MD5
6af262ebd404faaf45ff65bb64c23a02

SHA1
4a4a6b9e5bd3fc80b04461dd6f33b7007b4c918e

SHA256
f8fbe3665b72a3c02b0639ede5eb8374bbcc754b211ec8ac287dba9f02d75d96

SHA512
2c8b311ef473e129dde2351d88745b00ee8f5f42da161add315da86d4cf9bc964d740a722742dfc847db179421ecac6af44ab5c38dfa291f8dea85bab42ff9fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mj9p1oFRoa.bat

Filesize
215B

MD5
c681ae8ed396acea254f0866e2448d80

SHA1
e38155a780e1f40805c4d2f844baa07c59c1d376

SHA256
ac6c73875f4e43adc4f377dde9cc19d9e2e447840e839cb5c3b39bb3c3adc690

SHA512
39a1513c06fd1853a5bd6812f455d83029569ce8caee998c07db68f4e35d67a9199698203350d11045ddf663dfd9f1d8301e3a0c0ae13a75131cb645ff49db48

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3613.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZH81p4FGmr.bat

Filesize
215B

MD5
c35dcef7403a15c0a75fdf7dd6adb3c3

SHA1
2e317407bb2d955c1e73ca235ab4fd05f6f4408c

SHA256
8e914b7770585a2e0a2239041f92aad7bcccee7dc1b34e887333cb8495852511

SHA512
7d92ecc865b08bee40b1a6f34e2612443726996def38130764886ec0b7a20f50a4a429fed75f1c9112185befcb5f0e091a729111a6bd58061540303eabe6451b

Download Submit
C:\Users\Admin\AppData\Local\Temp\hYa1c8p3ob.bat

Filesize
215B

MD5
30211c1d22e68e3185251ad6d5b583cb

SHA1
f8a70bf8f34f6d1d283ff765462e6442fb594f12

SHA256
7fd8f922a358435007db237d2863f1b713b1a937449231b47f23e1120bde7ef7

SHA512
84fbb82f9339581a5d97235ad9b8ff3e9c78300825812f1ebfa54ab0ba27641a2acaa57fa1e5d0e9fe7a8fc3dd161d1ffe5862fc9e0a79c39f974d868d19baea

Download Submit
C:\Users\Admin\AppData\Local\Temp\jI650TZYhJ.bat

Filesize
215B

MD5
8a6d0008ff31aad8216efa049e0d5da0

SHA1
08faacecf3ba21570cd3b2fb7ee4aeacfd0a068e

SHA256
1f39b6f2628d1d91a3cee75d2b0834d9121ef8eb06feb191d60b9e884b121bfc

SHA512
b43463e5f3fb52658604e98916806277ae4b099f7d63ebe9aa885335ed315f01050b519d4a2afdb1a85f3743053bea1ad3dca213c529d399c96348d77174e02d

Download Submit
C:\Users\Admin\AppData\Local\Temp\lmMgPtgxf2.bat

Filesize
215B

MD5
122df1eddc862c30e78b6fa2716eaada

SHA1
34ef93e629728c822ebefa5c95d9f2349eaaaead

SHA256
7919ad2cc769dafb8f2e93b262bb0e8164a5ad7dc7e2cf0a09fd39f7534b7ee3

SHA512
7424f5ef40bf548d228e6655f3163f9af98a4daa412c4a456b80306df56e3b6f6bdc84cc7f0b39ec06038fb6097d59b72044d85f080f2d4b9f451874c9067637

Download Submit
C:\Users\Admin\AppData\Local\Temp\rjauxUKpXQ.bat

Filesize
215B

MD5
ea40e07eb857bc2571c476e2402ebd63

SHA1
f0627814d05b0e28ee16ec2ccfcb0e50bf0daf9a

SHA256
703f79413e9a00abc789043165befbdb7f96d7645e515d8379c63f84dd0a1cc0

SHA512
fb796bdbfbe7433882c3e4aef1177d487e151fab14593fcf0bc996bdf9a1e45b786c0e68d2a770c98828afffaf72ed2d42f63710bb7e53c766da622f50b603a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\s2EHkno7yQ.bat

Filesize
215B

MD5
61a0940604cfa4c6332d64cf9479757c

SHA1
db2b4537ce7ef2a658655076710d962e9e49776d

SHA256
87e017de4c4de0b120468d0898340c58809767a7af5a6b2c4a483b9f40a7c657

SHA512
d21124b4cfc20fe9981d1352d29170c0413f1eab16ab0e08820a503798e9e965ed75cf9f744cc68aa10d30adb0ac72e15ca01200129988ee624528e2eb2e9eb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\vIn8vbLsXf.bat

Filesize
215B

MD5
5369882b6e3aa49a71fec9ea6e9a1b4a

SHA1
c5cd9d20aa7efc48e8a96dc476fdd43365195427

SHA256
9a5b97dd8aab56ebc4744114e8b87b23df463104943dcbded84a271576909500

SHA512
dab7a32a66f9beea9e56b0fa9aaf5526b536910ca021c93505439566076805c558bcae52ab777120a29301aed273f9a90e7f55e4ca71769075de137f59d72314

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
94faddb51882c4060513aee5ab149c71

SHA1
1e8c54360dc308850e8fcae396580e28c235725d

SHA256
a5ab3c0f7efda751f41ff02bed8189a945ff89fc1f486c165e0c9ff6a141fe37

SHA512
0a7c53b353fe785fed025487febb4317944cd0609910e257a2c6ad5ab7ecf7f8ce09c36d480af162afe061d9ac330718ae54636a787b359cfadfd87df88ab8bc

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/604-534-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/812-295-0x00000000010E0000-0x00000000011F0000-memory.dmp

Filesize
1.1MB

Download
memory/1136-116-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1136-115-0x0000000000C30000-0x0000000000D40000-memory.dmp

Filesize
1.1MB

Download
memory/1544-55-0x000000001B600000-0x000000001B8E2000-memory.dmp

Filesize
2.9MB

Download
memory/1544-57-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1588-654-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1588-655-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/1708-415-0x0000000000F00000-0x0000000001010000-memory.dmp

Filesize
1.1MB

Download
memory/2040-594-0x0000000000B60000-0x0000000000C70000-memory.dmp

Filesize
1.1MB

Download
memory/2056-235-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2364-355-0x0000000000350000-0x0000000000460000-memory.dmp

Filesize
1.1MB

Download
memory/2592-175-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2756-16-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2756-15-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2756-17-0x0000000000610000-0x000000000061C000-memory.dmp

Filesize
48KB

Download
memory/2756-13-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/2756-14-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download