dcrat | 8ee771178a05d3d153bfeff18df37204b65af91ba5590112ae4129e16af8c202

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 12:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8ee771178a05d3d153bfeff18df37204b65af91ba5590112ae4129e16af8c202.exe
Size

1.3MB
MD5

c63dac4117e878ae8cffdd6abbadd687
SHA1

34e44d76994bd181ba88eb5b59244e36d5e4f4bf
SHA256

8ee771178a05d3d153bfeff18df37204b65af91ba5590112ae4129e16af8c202
SHA512

6fb8acebd1a056dfac80d6467fce3deefa4d0e6fbb90b9dcdf186fcdcbc0042baf44bc3eacc73dcce1568158a122662285789d840a8d3e90a19173ec66d6065b
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2068	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2840	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2668	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2788	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1156	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1992	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2736	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1996	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1416	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1800	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1100	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2464	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	584	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3052	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2404	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2192	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	712	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1068	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	280	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1828	2860	schtasks.exe	33
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1772	2860	schtasks.exe	33

DCRat payload 10 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016c10-9.dat	dcrat
behavioral1/memory/2540-13-0x0000000000B60000-0x0000000000C70000-memory.dmp	dcrat
behavioral1/memory/2176-94-0x0000000000AA0000-0x0000000000BB0000-memory.dmp	dcrat
behavioral1/memory/2976-154-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/2184-273-0x00000000000F0000-0x0000000000200000-memory.dmp	dcrat
behavioral1/memory/2604-333-0x0000000001060000-0x0000000001170000-memory.dmp	dcrat
behavioral1/memory/1616-394-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2904-454-0x0000000000B40000-0x0000000000C50000-memory.dmp	dcrat
behavioral1/memory/2616-515-0x0000000000CF0000-0x0000000000E00000-memory.dmp	dcrat
behavioral1/memory/960-636-0x0000000001130000-0x0000000001240000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1212	powershell.exe
936	powershell.exe
2104	powershell.exe
2024	powershell.exe
2196	powershell.exe
3040	powershell.exe
972	powershell.exe
2000	powershell.exe
2124	powershell.exe
2468	powershell.exe
1520	powershell.exe
1292	powershell.exe
2260	powershell.exe

Executes dropped EXE 11 IoCs

pid	Process
2540	DllCommonsvc.exe
2176	lsm.exe
2976	lsm.exe
2236	lsm.exe
2184	lsm.exe
2604	lsm.exe
1616	lsm.exe
2904	lsm.exe
2616	lsm.exe
788	lsm.exe
960	lsm.exe

Loads dropped DLL 2 IoCs

pid	Process
2504	cmd.exe
2504	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
23	raw.githubusercontent.com
29	raw.githubusercontent.com
33	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
26	raw.githubusercontent.com

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Fonts\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Windows\Fonts\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\dllhost.exe	DllCommonsvc.exe
File created	C:\Windows\Prefetch\ReadyBoot\5940a34987c991	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8ee771178a05d3d153bfeff18df37204b65af91ba5590112ae4129e16af8c202.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2840	schtasks.exe
2968	schtasks.exe
772	schtasks.exe
2736	schtasks.exe
1672	schtasks.exe
2668	schtasks.exe
2788	schtasks.exe
712	schtasks.exe
1828	schtasks.exe
2992	schtasks.exe
236	schtasks.exe
2464	schtasks.exe
2416	schtasks.exe
280	schtasks.exe
2652	schtasks.exe
1996	schtasks.exe
1416	schtasks.exe
1772	schtasks.exe
1156	schtasks.exe
1900	schtasks.exe
3052	schtasks.exe
2404	schtasks.exe
2192	schtasks.exe
1068	schtasks.exe
2068	schtasks.exe
2688	schtasks.exe
2484	schtasks.exe
1992	schtasks.exe
1800	schtasks.exe
1100	schtasks.exe
1832	schtasks.exe
2080	schtasks.exe
584	schtasks.exe
2756	schtasks.exe
1552	schtasks.exe
2156	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2540	DllCommonsvc.exe
936	powershell.exe
1212	powershell.exe
2104	powershell.exe
2468	powershell.exe
2024	powershell.exe
2260	powershell.exe
1520	powershell.exe
1292	powershell.exe
972	powershell.exe
2124	powershell.exe
2000	powershell.exe
3040	powershell.exe
2196	powershell.exe
2176	lsm.exe
2976	lsm.exe
2236	lsm.exe
2184	lsm.exe
2604	lsm.exe
1616	lsm.exe
2904	lsm.exe
2616	lsm.exe
788	lsm.exe
960	lsm.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2540	DllCommonsvc.exe
Token: SeDebugPrivilege	936	powershell.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeDebugPrivilege	2104	powershell.exe
Token: SeDebugPrivilege	2468	powershell.exe
Token: SeDebugPrivilege	2024	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	1520	powershell.exe
Token: SeDebugPrivilege	1292	powershell.exe
Token: SeDebugPrivilege	972	powershell.exe
Token: SeDebugPrivilege	2124	powershell.exe
Token: SeDebugPrivilege	2000	powershell.exe
Token: SeDebugPrivilege	3040	powershell.exe
Token: SeDebugPrivilege	2196	powershell.exe
Token: SeDebugPrivilege	2176	lsm.exe
Token: SeDebugPrivilege	2976	lsm.exe
Token: SeDebugPrivilege	2236	lsm.exe
Token: SeDebugPrivilege	2184	lsm.exe
Token: SeDebugPrivilege	2604	lsm.exe
Token: SeDebugPrivilege	1616	lsm.exe
Token: SeDebugPrivilege	2904	lsm.exe
Token: SeDebugPrivilege	2616	lsm.exe
Token: SeDebugPrivilege	788	lsm.exe
Token: SeDebugPrivilege	960	lsm.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2176	2376	JaffaCakes118_8ee771178a05d3d153bfeff18df37204b65af91ba5590112ae4129e16af8c202.exe	29
PID 2376 wrote to memory of 2176	2376	JaffaCakes118_8ee771178a05d3d153bfeff18df37204b65af91ba5590112ae4129e16af8c202.exe	29
PID 2376 wrote to memory of 2176	2376	JaffaCakes118_8ee771178a05d3d153bfeff18df37204b65af91ba5590112ae4129e16af8c202.exe	29
PID 2376 wrote to memory of 2176	2376	JaffaCakes118_8ee771178a05d3d153bfeff18df37204b65af91ba5590112ae4129e16af8c202.exe	29
PID 2176 wrote to memory of 2504	2176	WScript.exe	30
PID 2176 wrote to memory of 2504	2176	WScript.exe	30
PID 2176 wrote to memory of 2504	2176	WScript.exe	30
PID 2176 wrote to memory of 2504	2176	WScript.exe	30
PID 2504 wrote to memory of 2540	2504	cmd.exe	32
PID 2504 wrote to memory of 2540	2504	cmd.exe	32
PID 2504 wrote to memory of 2540	2504	cmd.exe	32
PID 2504 wrote to memory of 2540	2504	cmd.exe	32
PID 2540 wrote to memory of 2196	2540	DllCommonsvc.exe	70
PID 2540 wrote to memory of 2196	2540	DllCommonsvc.exe	70
PID 2540 wrote to memory of 2196	2540	DllCommonsvc.exe	70
PID 2540 wrote to memory of 1212	2540	DllCommonsvc.exe	71
PID 2540 wrote to memory of 1212	2540	DllCommonsvc.exe	71
PID 2540 wrote to memory of 1212	2540	DllCommonsvc.exe	71
PID 2540 wrote to memory of 3040	2540	DllCommonsvc.exe	72
PID 2540 wrote to memory of 3040	2540	DllCommonsvc.exe	72
PID 2540 wrote to memory of 3040	2540	DllCommonsvc.exe	72
PID 2540 wrote to memory of 972	2540	DllCommonsvc.exe	73
PID 2540 wrote to memory of 972	2540	DllCommonsvc.exe	73
PID 2540 wrote to memory of 972	2540	DllCommonsvc.exe	73
PID 2540 wrote to memory of 936	2540	DllCommonsvc.exe	74
PID 2540 wrote to memory of 936	2540	DllCommonsvc.exe	74
PID 2540 wrote to memory of 936	2540	DllCommonsvc.exe	74
PID 2540 wrote to memory of 2000	2540	DllCommonsvc.exe	75
PID 2540 wrote to memory of 2000	2540	DllCommonsvc.exe	75
PID 2540 wrote to memory of 2000	2540	DllCommonsvc.exe	75
PID 2540 wrote to memory of 2124	2540	DllCommonsvc.exe	76
PID 2540 wrote to memory of 2124	2540	DllCommonsvc.exe	76
PID 2540 wrote to memory of 2124	2540	DllCommonsvc.exe	76
PID 2540 wrote to memory of 2468	2540	DllCommonsvc.exe	77
PID 2540 wrote to memory of 2468	2540	DllCommonsvc.exe	77
PID 2540 wrote to memory of 2468	2540	DllCommonsvc.exe	77
PID 2540 wrote to memory of 2024	2540	DllCommonsvc.exe	78
PID 2540 wrote to memory of 2024	2540	DllCommonsvc.exe	78
PID 2540 wrote to memory of 2024	2540	DllCommonsvc.exe	78
PID 2540 wrote to memory of 1520	2540	DllCommonsvc.exe	79
PID 2540 wrote to memory of 1520	2540	DllCommonsvc.exe	79
PID 2540 wrote to memory of 1520	2540	DllCommonsvc.exe	79
PID 2540 wrote to memory of 2104	2540	DllCommonsvc.exe	80
PID 2540 wrote to memory of 2104	2540	DllCommonsvc.exe	80
PID 2540 wrote to memory of 2104	2540	DllCommonsvc.exe	80
PID 2540 wrote to memory of 1292	2540	DllCommonsvc.exe	82
PID 2540 wrote to memory of 1292	2540	DllCommonsvc.exe	82
PID 2540 wrote to memory of 1292	2540	DllCommonsvc.exe	82
PID 2540 wrote to memory of 2260	2540	DllCommonsvc.exe	83
PID 2540 wrote to memory of 2260	2540	DllCommonsvc.exe	83
PID 2540 wrote to memory of 2260	2540	DllCommonsvc.exe	83
PID 2540 wrote to memory of 2172	2540	DllCommonsvc.exe	96
PID 2540 wrote to memory of 2172	2540	DllCommonsvc.exe	96
PID 2540 wrote to memory of 2172	2540	DllCommonsvc.exe	96
PID 2172 wrote to memory of 1680	2172	cmd.exe	98
PID 2172 wrote to memory of 1680	2172	cmd.exe	98
PID 2172 wrote to memory of 1680	2172	cmd.exe	98
PID 2172 wrote to memory of 2176	2172	cmd.exe	99
PID 2172 wrote to memory of 2176	2172	cmd.exe	99
PID 2172 wrote to memory of 2176	2172	cmd.exe	99
PID 2176 wrote to memory of 1300	2176	lsm.exe	100
PID 2176 wrote to memory of 1300	2176	lsm.exe	100
PID 2176 wrote to memory of 1300	2176	lsm.exe	100
PID 1300 wrote to memory of 2584	1300	cmd.exe	102

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ee771178a05d3d153bfeff18df37204b65af91ba5590112ae4129e16af8c202.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8ee771178a05d3d153bfeff18df37204b65af91ba5590112ae4129e16af8c202.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2176
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2504
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2196
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3040
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:972
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:936
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2124
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Videos\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2024
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Fonts\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1520
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2104
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1292
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\UsR4YEIOaH.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:2172
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:1680
      - C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:1300
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:2584
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat"
        9⤵
        
        PID:1516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:964
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2236
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat"
        11⤵
        
        PID:1672
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2172
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat"
        13⤵
        
        PID:1560
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:1092
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat"
        15⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:892
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat"
        17⤵
        
        PID:1476
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:2960
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat"
        19⤵
        
        PID:2084
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:2648
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2616
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat"
        21⤵
        
        PID:2556
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2652
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat"
        23⤵
        
        PID:1680
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        24⤵
        
        PID:2412
        
        C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe
        
        "C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe"
        24⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 6 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2840

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2688

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:772

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 9 /tr "'C:\Windows\Prefetch\ReadyBoot\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1996

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1800

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00A1-0409-0000-0000000FF1CE}-C\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 8 /tr "'C:\Users\Public\Videos\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1100

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Public\Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Videos\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 7 /tr "'C:\providercommon\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2080

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2464

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\providercommon\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:584

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Windows\Fonts\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2404

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2192

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:712

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:280

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fe88b139dbc3e48d6a3ea4e7c402556

SHA1
852ec7e98b6b11193a4b91c0b377c09b1cf54de5

SHA256
59e07280c77998a4c979ecd105fe8d03ad7fe6a56683df8a54cad34a72e4acf1

SHA512
b2f47b3f2b41a3dc35a5cf34101374fbed2f015f6a7d441ac8f6ca7bca3a595da695393524a189b6d444a529e7912bad7f87b7c88e2ce63c29a9c970e84b8207

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7c13cc590b569da23cb3a23f7ef58af2

SHA1
20499b398ff2b06c45242e6feb1bca8d2f5562fb

SHA256
5ef980cb758dd7d5d4e4cb04abefc66294d0f5078b06bf39f4c785059f3652ae

SHA512
4661947476d3657f77f1558817ff37485fb05b9a38f0246abaa2c7b352d7f73e8a8cb2f27774ec7a0d2e692ec87cff4a784376d48ec7a8fcc50f748dc9ea9e4f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a732c3b36865ccb347f700c72c825b5e

SHA1
d6daa0732c1db10a2cc55b1e2626f2712c5a290f

SHA256
cd49153bf8addf524c61e70842b65cc9046db2cd2078c758023e6868dd2543b5

SHA512
d326b8402ae4f5a9bf277c93b3c0dadb7587a0b38b5eb339f1734c57cf68259bc8fa9c34ef07483edb6e0e8310e8debf8689ecfe6415574580e1dad52d6a9907

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
532a7ed872c609f8c4bfbf131637ffc3

SHA1
79f36f929ecb80d8d1f743a38773b79075e9494f

SHA256
0c378622bcef78e4c06e00c8f492768b3f78679f98871ccc797fbacd68576a66

SHA512
2585b710a833b5a9f8f48db5d776bbc099c9de1d27760d5d6454ea32975cca6a386b75648a8e5fd03322d05825e4f2aafa6949a577fa53395cb5c5cafca36d47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bb589de94460070a3ed23bf30eda7aab

SHA1
350c2dde7835bf484099bc459e6af862229f627c

SHA256
b9ce21dbb2c35a27373bfafbf51bb0fc7bc5ff2d7753424e6852475426cf5050

SHA512
dd016a6ff62db853c2f6c639cdc8aba371d7815ab87830ec91d803da58b0803bebefe398a2cb01f5eb0717fb7b8c61f8274ca9d4ef1f03bbf0bc1d33edade9a9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
19b01708a6379f7a8dfb117ebf43210f

SHA1
7a10befd939e1828c75cdf0ae97fcf4cbe30a302

SHA256
13e3e9de25216de21d8e37d87c63155d07c0e2bbaad2bf92de8b1f708d217911

SHA512
e95728812d88a05deb8e1dc04e5aff60772c1b84f64b85b0cf9b0c48fe714b3fec1d2f5e7d9aff15ceb19a9f134b635f4fc6f98c7e4ea025b64edbcf734aa1ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4659e6ea91c8cd046e0fb06434ac3764

SHA1
7dd0dc474d9394a054e703ea4d02f7974e903809

SHA256
42f0b0995b663160e6e58b1310197910572e4524ef4da953ce624efef4ee50fe

SHA512
94c4245e83987bb8a21e4d6aa1817d3a05373a4a1ef42f716e08e83088089a44adebd904e9355cc65b28dc45e5a8483d7edba39b372bfcfe2377242c72435183

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d7a3df9f0a00d53ac75c2d1a1637cba

SHA1
2ca5846b5fb91601b1b2de065612c206999cd1f6

SHA256
005fe7b8d3945f46b3145c393445d8f314af9fec5c9175073038df56de25dd31

SHA512
3bce55c93429bba38f9c5b832d4df6f3e779ed667930ca318e46657c0d81cf2dfd05b8a57acfd1e660b0514181a0fa6d8923470220ca0e1a8c021a903d766f8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\0Sh6ipYOoX.bat

Filesize
235B

MD5
e3a2e4822c38ed4a7bd0aa709726005a

SHA1
610889802a3a4c1f75f500c214736e8c96db108f

SHA256
17ca7737b9ffc832d64beba9963f60f24d972155bef673f8c8c25362c5280169

SHA512
df7e719bd544d2b9e8e991c1cbfc746231b76fd112a11678dd33a32da11a316c85be79d1a86cadb645643c79fa47c12588e1186b3151cc932e3755fdb97f247d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2mwtwHUJyt.bat

Filesize
235B

MD5
538d7c30efd5d4ad6a0be0de1df74d9c

SHA1
39460b9871075a5811c183c9a6fdee9144ffc739

SHA256
68552d690382c2457efaf99228ea12da79a11b8d863d29e50beafe8ad72da712

SHA512
82033f747c2e2ecb01975aefc4001c1cfbfed00704dea63b5082e43b679605f03df304212e706c96efee08ea763c0d1d78227095a17742b4bb5c10185902ae03

Download Submit
C:\Users\Admin\AppData\Local\Temp\CPbxFudqw6.bat

Filesize
235B

MD5
c2c17a580fb4aaeea227bac68e6de709

SHA1
b08314e29ee26f931da1fb900dd81918aecf211a

SHA256
d00b60589a70baf37a67bb291b32f833322ce00286a6ce2da57d3d1c51285b4d

SHA512
deaba17b50b9c1ed18b9354ac75e452a9f1bcdb9c661072a0527d982166cd634de4e5b9e70b7711ea507d0b9dbc2c01d46820cb53063cefb264c3fc05ccb01ef

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC0D1.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\NHYDEKme3A.bat

Filesize
235B

MD5
35d337f92982ce5a0c322ebb99b3c77d

SHA1
da87a1d5968a833c4ed99432883ddd5e94cb4222

SHA256
7bf223e16c1ddea1e472fa593dd94c2704c067a68970789ebf6b697f7645404e

SHA512
0051f12a0ccf1c7ef89f5a9957d06d8e4865063d897087a13331423e23c17747a6012441b48c09d1a99cb4a3b288958e296dd76e2065a1100ad2fcd737435328

Download Submit
C:\Users\Admin\AppData\Local\Temp\OvjOVLkpjd.bat

Filesize
235B

MD5
cff1ce993815caf2947583e479e726de

SHA1
0e9ff01e971642b28090ffec4d00342ba60c7b51

SHA256
14a193b5fe0506f0218e9a6b0531371003e8de3c136c32599c684100c7e41938

SHA512
90187806cd30a8f42d537a0bbcf1812a7e38610388eef73ac6b83b3b2396116e0488e1831149f90d37d5a1cfe1afdb67d3547288e8d2bd90e4a795b93a9c64f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QqrgVo7Q94.bat

Filesize
235B

MD5
2ca82c6276487184479ecaa0acb5a999

SHA1
a1e2a083c1f69c1e9755c3c801fe81285f40177a

SHA256
b8442b9d551a932ff0b4adbbc68538087a6b140aef709a3dc911881a266d1d5a

SHA512
4784d9eb7db4613dec5a87a688222fb45114f43659baa37c633a135156657555bd5ebeb53966335d2cff926407e99ffea8d7403c821fb0c1e41a7285cd4bd10d

Download Submit
C:\Users\Admin\AppData\Local\Temp\RgqsKqwwLg.bat

Filesize
235B

MD5
fcbf9a3946766f6efb06c07d129cfcf3

SHA1
926125ec1db6fc1795c68ea0e0535f1fa858c9cd

SHA256
3b2657a3658b05d501ccc5d45ed06fe2334981dd662e40f5fdff4a70f2b7ab1c

SHA512
eea9c4bc55104169ca8c97624e035ab8127e77fb0f5f0d3550642a78fbb89f440f5357c2266ffc37b3f51695e81f1e88c32b3bc9a2417978673ba9ac1387a88c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC0F4.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\UsR4YEIOaH.bat

Filesize
235B

MD5
543a06f10cc31363051573f48f729a10

SHA1
6f749de7ce6e4e87fd15eaed133840239954a3c6

SHA256
eddf40114cf9dc96cd53b6a5dd309ea76f24958f1c25330457df1bccaf77b380

SHA512
33d046456c50ca89559bef7d3a9219da6979c659d1e6199bb2906610ff7a8f4a1676f4d8c823af23b1b00a50753a7ef884479f465883785dee979edec15ff9ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\XkJigN4PJf.bat

Filesize
235B

MD5
f56eb0ffabf18bd68b929cb39ee3f4ba

SHA1
1d51b45ec06e84d79962873b6611deef307cc0c8

SHA256
5423f91e01b0252e7452390f5232ea697f0525d02d19f646e8fc07f47c1e9bb1

SHA512
9d4d8cfe6c2c535a58f019131c7b88a388eed4588abbfbbfcd0b152e8a81065578ff821188001c92cca73eeff2baceb5a87d66d001605c044e9e46a13ffd7e9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\yQDva2PSBr.bat

Filesize
235B

MD5
ef50ba6e69b034147bca8538a2cf8bfb

SHA1
d437f4a27ee020206c58ad5b7e9faf539b41a866

SHA256
7eae839cbfcc17ffda0159b48394e79dde7325957496a781e698169451e55d3a

SHA512
008d833c7f90c77c6e43b98cfbf4b03c81acdf50e6274a60dffc03ac35890ac7b270a606bb42f590af507d68ed9614356456709a30df9a78c92fe6f22430885d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\W1AAQZLCOYVMB0ZKDF29.temp

Filesize
7KB

MD5
6ad94c3a6317b2aa0d12b0f66339b4b0

SHA1
d506ecb88195cf16571b65cd103797e9b3d7b06d

SHA256
253dddd7d2f8efb98eb6ad81b43e9fc88d80a3bed59fb292e8b40223b1816998

SHA512
dead9d79157e1414596edb1127b1d82b150deba3fb60c84b3ad2489df749cb185cb114f9642e158fb3a88bad7182da4f4bb21144e331e2fbde9f866ffb75fe02

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/788-576-0x0000000000980000-0x0000000000992000-memory.dmp

Filesize
72KB

Download
memory/936-90-0x000000001B230000-0x000000001B512000-memory.dmp

Filesize
2.9MB

Download
memory/960-636-0x0000000001130000-0x0000000001240000-memory.dmp

Filesize
1.1MB

Download
memory/1212-91-0x0000000002410000-0x0000000002418000-memory.dmp

Filesize
32KB

Download
memory/1616-394-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/2176-95-0x0000000000390000-0x00000000003A2000-memory.dmp

Filesize
72KB

Download
memory/2176-94-0x0000000000AA0000-0x0000000000BB0000-memory.dmp

Filesize
1.1MB

Download
memory/2184-273-0x00000000000F0000-0x0000000000200000-memory.dmp

Filesize
1.1MB

Download
memory/2540-17-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/2540-16-0x000000001AF20000-0x000000001AF2C000-memory.dmp

Filesize
48KB

Download
memory/2540-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2540-14-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2540-13-0x0000000000B60000-0x0000000000C70000-memory.dmp

Filesize
1.1MB

Download
memory/2604-334-0x00000000001D0000-0x00000000001E2000-memory.dmp

Filesize
72KB

Download
memory/2604-333-0x0000000001060000-0x0000000001170000-memory.dmp

Filesize
1.1MB

Download
memory/2616-515-0x0000000000CF0000-0x0000000000E00000-memory.dmp

Filesize
1.1MB

Download
memory/2616-516-0x00000000002B0000-0x00000000002C2000-memory.dmp

Filesize
72KB

Download
memory/2904-454-0x0000000000B40000-0x0000000000C50000-memory.dmp

Filesize
1.1MB

Download
memory/2904-455-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2976-154-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download