dcrat | 803d7eab27c8e9af01c2a6afb9b62cf4ae6b2efff25b0518daad5382b822f639

Analysis

max time kernel
148s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 19:21

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_803d7eab27c8e9af01c2a6afb9b62cf4ae6b2efff25b0518daad5382b822f639.exe
Size

1.3MB
MD5

3a433a189e495f52095a1a38b5c0534c
SHA1

624918a68a1dd47cd79ea3963c48bca2ce8670a0
SHA256

803d7eab27c8e9af01c2a6afb9b62cf4ae6b2efff25b0518daad5382b822f639
SHA512

75bcc7cd769ba9546116b27ddd11a0058bab9eedf49f7be2bbcc965cfc2ef378863ea5a02d28f2cb2123d34bd3df03ca233f0fd0b6384eade61f0869d0663c14
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 30 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2744	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3048	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1252	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1468	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2636	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2900	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1720	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1364	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1624	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1104	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2544	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	536	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2156	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2176	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3024	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	660	2588	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1744	2588	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x00070000000173f3-12.dat	dcrat
behavioral1/memory/2736-13-0x0000000001390000-0x00000000014A0000-memory.dmp	dcrat
behavioral1/memory/2344-48-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/2720-156-0x00000000001F0000-0x0000000000300000-memory.dmp	dcrat
behavioral1/memory/580-216-0x00000000011E0000-0x00000000012F0000-memory.dmp	dcrat
behavioral1/memory/2084-454-0x0000000000070000-0x0000000000180000-memory.dmp	dcrat
behavioral1/memory/896-514-0x00000000000D0000-0x00000000001E0000-memory.dmp	dcrat
behavioral1/memory/1552-574-0x0000000000A40000-0x0000000000B50000-memory.dmp	dcrat
behavioral1/memory/484-634-0x0000000000E70000-0x0000000000F80000-memory.dmp	dcrat
behavioral1/memory/1964-695-0x0000000000040000-0x0000000000150000-memory.dmp	dcrat
behavioral1/memory/1052-755-0x0000000000060000-0x0000000000170000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 11 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2276	powershell.exe
2208	powershell.exe
1812	powershell.exe
300	powershell.exe
2488	powershell.exe
2548	powershell.exe
1756	powershell.exe
868	powershell.exe
2280	powershell.exe
1032	powershell.exe
1612	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2736	DllCommonsvc.exe
2344	spoolsv.exe
2720	spoolsv.exe
580	spoolsv.exe
1032	spoolsv.exe
1792	spoolsv.exe
2136	spoolsv.exe
2084	spoolsv.exe
896	spoolsv.exe
1552	spoolsv.exe
484	spoolsv.exe
1964	spoolsv.exe
1052	spoolsv.exe

Loads dropped DLL 2 IoCs

pid	Process
2400	cmd.exe
2400	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 13 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
15	raw.githubusercontent.com
29	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
21	raw.githubusercontent.com
22	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com
36	raw.githubusercontent.com
40	raw.githubusercontent.com
4	raw.githubusercontent.com
18	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\ja-JP\886983d96e3d3e	DllCommonsvc.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\servicing\smss.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_803d7eab27c8e9af01c2a6afb9b62cf4ae6b2efff25b0518daad5382b822f639.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 30 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3008	schtasks.exe
2900	schtasks.exe
1616	schtasks.exe
1364	schtasks.exe
536	schtasks.exe
1468	schtasks.exe
2636	schtasks.exe
2888	schtasks.exe
1720	schtasks.exe
1288	schtasks.exe
2744	schtasks.exe
2544	schtasks.exe
2556	schtasks.exe
2156	schtasks.exe
2176	schtasks.exe
1988	schtasks.exe
1624	schtasks.exe
1104	schtasks.exe
1592	schtasks.exe
1252	schtasks.exe
856	schtasks.exe
1964	schtasks.exe
2116	schtasks.exe
1744	schtasks.exe
3048	schtasks.exe
3024	schtasks.exe
2992	schtasks.exe
660	schtasks.exe
2444	schtasks.exe
2016	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2736	DllCommonsvc.exe
2276	powershell.exe
300	powershell.exe
2488	powershell.exe
1812	powershell.exe
1756	powershell.exe
868	powershell.exe
2208	powershell.exe
2548	powershell.exe
1032	powershell.exe
2280	powershell.exe
1612	powershell.exe
2344	spoolsv.exe
2720	spoolsv.exe
580	spoolsv.exe
1032	spoolsv.exe
1792	spoolsv.exe
2136	spoolsv.exe
2084	spoolsv.exe
896	spoolsv.exe
1552	spoolsv.exe
484	spoolsv.exe
1964	spoolsv.exe
1052	spoolsv.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2736	DllCommonsvc.exe
Token: SeDebugPrivilege	2276	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	2488	powershell.exe
Token: SeDebugPrivilege	1812	powershell.exe
Token: SeDebugPrivilege	1756	powershell.exe
Token: SeDebugPrivilege	868	powershell.exe
Token: SeDebugPrivilege	2208	powershell.exe
Token: SeDebugPrivilege	2548	powershell.exe
Token: SeDebugPrivilege	1032	powershell.exe
Token: SeDebugPrivilege	2280	powershell.exe
Token: SeDebugPrivilege	1612	powershell.exe
Token: SeDebugPrivilege	2344	spoolsv.exe
Token: SeDebugPrivilege	2720	spoolsv.exe
Token: SeDebugPrivilege	580	spoolsv.exe
Token: SeDebugPrivilege	1032	spoolsv.exe
Token: SeDebugPrivilege	1792	spoolsv.exe
Token: SeDebugPrivilege	2136	spoolsv.exe
Token: SeDebugPrivilege	2084	spoolsv.exe
Token: SeDebugPrivilege	896	spoolsv.exe
Token: SeDebugPrivilege	1552	spoolsv.exe
Token: SeDebugPrivilege	484	spoolsv.exe
Token: SeDebugPrivilege	1964	spoolsv.exe
Token: SeDebugPrivilege	1052	spoolsv.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2152 wrote to memory of 2796	2152	JaffaCakes118_803d7eab27c8e9af01c2a6afb9b62cf4ae6b2efff25b0518daad5382b822f639.exe	30
PID 2152 wrote to memory of 2796	2152	JaffaCakes118_803d7eab27c8e9af01c2a6afb9b62cf4ae6b2efff25b0518daad5382b822f639.exe	30
PID 2152 wrote to memory of 2796	2152	JaffaCakes118_803d7eab27c8e9af01c2a6afb9b62cf4ae6b2efff25b0518daad5382b822f639.exe	30
PID 2152 wrote to memory of 2796	2152	JaffaCakes118_803d7eab27c8e9af01c2a6afb9b62cf4ae6b2efff25b0518daad5382b822f639.exe	30
PID 2796 wrote to memory of 2400	2796	WScript.exe	31
PID 2796 wrote to memory of 2400	2796	WScript.exe	31
PID 2796 wrote to memory of 2400	2796	WScript.exe	31
PID 2796 wrote to memory of 2400	2796	WScript.exe	31
PID 2400 wrote to memory of 2736	2400	cmd.exe	33
PID 2400 wrote to memory of 2736	2400	cmd.exe	33
PID 2400 wrote to memory of 2736	2400	cmd.exe	33
PID 2400 wrote to memory of 2736	2400	cmd.exe	33
PID 2736 wrote to memory of 2548	2736	DllCommonsvc.exe	65
PID 2736 wrote to memory of 2548	2736	DllCommonsvc.exe	65
PID 2736 wrote to memory of 2548	2736	DllCommonsvc.exe	65
PID 2736 wrote to memory of 2488	2736	DllCommonsvc.exe	66
PID 2736 wrote to memory of 2488	2736	DllCommonsvc.exe	66
PID 2736 wrote to memory of 2488	2736	DllCommonsvc.exe	66
PID 2736 wrote to memory of 300	2736	DllCommonsvc.exe	67
PID 2736 wrote to memory of 300	2736	DllCommonsvc.exe	67
PID 2736 wrote to memory of 300	2736	DllCommonsvc.exe	67
PID 2736 wrote to memory of 1032	2736	DllCommonsvc.exe	68
PID 2736 wrote to memory of 1032	2736	DllCommonsvc.exe	68
PID 2736 wrote to memory of 1032	2736	DllCommonsvc.exe	68
PID 2736 wrote to memory of 868	2736	DllCommonsvc.exe	69
PID 2736 wrote to memory of 868	2736	DllCommonsvc.exe	69
PID 2736 wrote to memory of 868	2736	DllCommonsvc.exe	69
PID 2736 wrote to memory of 1756	2736	DllCommonsvc.exe	70
PID 2736 wrote to memory of 1756	2736	DllCommonsvc.exe	70
PID 2736 wrote to memory of 1756	2736	DllCommonsvc.exe	70
PID 2736 wrote to memory of 2276	2736	DllCommonsvc.exe	71
PID 2736 wrote to memory of 2276	2736	DllCommonsvc.exe	71
PID 2736 wrote to memory of 2276	2736	DllCommonsvc.exe	71
PID 2736 wrote to memory of 1612	2736	DllCommonsvc.exe	72
PID 2736 wrote to memory of 1612	2736	DllCommonsvc.exe	72
PID 2736 wrote to memory of 1612	2736	DllCommonsvc.exe	72
PID 2736 wrote to memory of 1812	2736	DllCommonsvc.exe	73
PID 2736 wrote to memory of 1812	2736	DllCommonsvc.exe	73
PID 2736 wrote to memory of 1812	2736	DllCommonsvc.exe	73
PID 2736 wrote to memory of 2208	2736	DllCommonsvc.exe	74
PID 2736 wrote to memory of 2208	2736	DllCommonsvc.exe	74
PID 2736 wrote to memory of 2208	2736	DllCommonsvc.exe	74
PID 2736 wrote to memory of 2280	2736	DllCommonsvc.exe	75
PID 2736 wrote to memory of 2280	2736	DllCommonsvc.exe	75
PID 2736 wrote to memory of 2280	2736	DllCommonsvc.exe	75
PID 2736 wrote to memory of 2344	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 2344	2736	DllCommonsvc.exe	87
PID 2736 wrote to memory of 2344	2736	DllCommonsvc.exe	87
PID 2344 wrote to memory of 2336	2344	spoolsv.exe	88
PID 2344 wrote to memory of 2336	2344	spoolsv.exe	88
PID 2344 wrote to memory of 2336	2344	spoolsv.exe	88
PID 2336 wrote to memory of 2992	2336	cmd.exe	90
PID 2336 wrote to memory of 2992	2336	cmd.exe	90
PID 2336 wrote to memory of 2992	2336	cmd.exe	90
PID 2336 wrote to memory of 2720	2336	cmd.exe	91
PID 2336 wrote to memory of 2720	2336	cmd.exe	91
PID 2336 wrote to memory of 2720	2336	cmd.exe	91
PID 2720 wrote to memory of 1092	2720	spoolsv.exe	92
PID 2720 wrote to memory of 1092	2720	spoolsv.exe	92
PID 2720 wrote to memory of 1092	2720	spoolsv.exe	92
PID 1092 wrote to memory of 1604	1092	cmd.exe	94
PID 1092 wrote to memory of 1604	1092	cmd.exe	94
PID 1092 wrote to memory of 1604	1092	cmd.exe	94
PID 1092 wrote to memory of 580	1092	cmd.exe	95

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_803d7eab27c8e9af01c2a6afb9b62cf4ae6b2efff25b0518daad5382b822f639.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_803d7eab27c8e9af01c2a6afb9b62cf4ae6b2efff25b0518daad5382b822f639.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2152
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Libraries\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:868
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2276
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1612
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Media Player\ja-JP\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
    - - C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2344
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2336
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2992
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1092
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1604
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat"
        10⤵
        
        PID:2772
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1696
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat"
        12⤵
        
        PID:268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1788
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1792
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat"
        14⤵
        
        PID:2460
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1552
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat"
        16⤵
        
        PID:3032
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:680
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2084
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat"
        18⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:668
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat"
        20⤵
        
        PID:2216
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:988
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat"
        22⤵
        
        PID:2832
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:296
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat"
        24⤵
        
        PID:1656
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1664
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat"
        26⤵
        
        PID:2408
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:2452
        
        C:\Users\Default User\spoolsv.exe
        
        "C:\Users\Default User\spoolsv.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1052

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2744

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3048

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1468

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 6 /tr "'C:\Users\Public\Libraries\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2888

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Public\Libraries\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1720

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1104

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2544

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:536

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 8 /tr "'C:\Users\Default User\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2444

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1592

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 9 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2156

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Windows Media Player\ja-JP\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 14 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1744

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
59783bf9e0d8f0244d6ee2cfc90bf255

SHA1
5d283c97e4c1b748bc2b7f532fc66297d1ca4d47

SHA256
3c3d81dbe255cc0c58e5697c38376f60b1a5f09ffe9ae39ee130230fdfbb5390

SHA512
fbe7ead08de1a6055cdaad262178d03ff033b8b2c9bc890f41ee631d6a2c1584a01228b3722018f40dacfe6b842e2ae52b1d1d3eda4a5ee1b04aebd2dd5a8e8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e55a0482c4a04fb3cb27c8cb6a106f8b

SHA1
2f1b453b510e4b32daece81a490b395aba926301

SHA256
5aad4a2ed2f02f6df29f1ec68edbfa87b98a8f8b31480e58b65a97be2f7fa585

SHA512
83e8e3e2562b7dfb7bb2b518c9237bf2bf839674d76903d29ffba628fcf19f704b9694143ab7fb0efcfb32c707aa6589f8081c35e00ee4045cd84425be650a42

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f9174bb9d773c5770e630833c746c8f

SHA1
061b9372bf6eca566de39dcec5b9e1e359f8846f

SHA256
ae377e9a01c09ac4e1a9145ddf4c8127a1ca7f7596e9bbf2a4420ef81fc3787e

SHA512
49f034469b425b542cfabf1ff4f33aab490c465064e7eb5939e2575f5144bc2a3e424f3c07f5d8c6f0cfe95a863f8dd3bb4d8318668119e34919235a4579026a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
150a97bd5670561a0f051a1f6e5d58e5

SHA1
ae24fb313a351a0419a8a482a5dccec32f854647

SHA256
cb54cd1b860b54be8f481f7e29f786a3387ed7ca27ae188e6bb756e92ad5bd62

SHA512
1fe781806f488c6207f9b769811ddc54860e1f2641ffec26393a77007b0e36c874c05077ab642c7240a1436fef0d2d1a65847d25917bf466439bcd34511d4ab1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e401014c2818b5ab31aee59862c11dd8

SHA1
22aacc94461d8a38bbdb0d80cfe287f3551191fb

SHA256
713519104b9892c21029c4368d20e61ef90d9ca677b63b52510500bdaeb43f6e

SHA512
b147492219c5a4795a4114d6b9059ee39db904df16b3019a8798d404f8c3665702e293fe0bc503b367d15cb76999e4bcbf0fc4806bd9ec45daab5ec66c4c8a78

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0587022f83ae82a32e4700515f7f7f72

SHA1
2877b1ec28d896a5769d6955a7151216f8f1cfdb

SHA256
b2f55f1a2a10b7c47335305d4d281058b22b759cde1829cd774ac6336c0a1919

SHA512
3865ffbc19b85b1adfb7417fc8ce7871347a223d9587dad11ce21b7d2366ee3096804107a8c8e961b7ff07ff5c5dcd6920a7bed319a9c0fac7478aca78377460

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6fbea0b08dac1341cea1adb154659c05

SHA1
1a0296a85d49a47a76cd68617077f17f9cd62af3

SHA256
7642d802b5e6b8169500508b9825f09633dbb25ac6b48eb8daa639e83cdca926

SHA512
f543726fe3e899ff67212d02c894a36f289aa287684b6aa1230278d7b66ced4094d09133a9f21b1b303aa2fa4325fc8c84807c7aea6411058d56a7fe15d44f6d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3c158b7611a266abf5290490b4d2fe79

SHA1
ee9d373d497e90a8600b38e823eea4edf53113ac

SHA256
cd5fc991f4761ea1aad7aedc67bc909f4d5423a2c4a48f5a28e4115627ccf3c3

SHA512
95b6c8d1553d33cecea57b6547c3139a149d23361d891f74e5da078e2e3d170703fa52ef8a61f6a45aeef3ce23b73062ca63535a1889611d2205ac8603a516d2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4a9c8763464cec386d610f5edae0c1f

SHA1
b4e9ea091a3d6a243bdf7cb9a5ce580b0956c99b

SHA256
916058065591ff40f12e29e5b2956c7384a0a990e7d3c54ca9f208df7f46d8a5

SHA512
a050c1992fd2714d4d87115f6e0a641ef28c02186a01067fabbb9d38b11078f1aee62cd2e21abd78c2519edf4b52d1618f16432e4e5f3ecd000b9daae8002037

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
75ba68b2f1eebc82123150c10daf12fb

SHA1
4608ee8e1e6b3b1b95182683a26ececf3ee6d3d5

SHA256
da1abeccc5227183e461c84f5d20869ab5972d923b447dbed672b685985d326a

SHA512
31c6d606830b6cb4ddc09ff1818bc3d4d14667a1c9bac02814e2ed0c817101109d0657d82f4005f53da6478d9d2ac39797b08be904ec612cfd38c4fd5c40e7d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\3npectBbsF.bat

Filesize
198B

MD5
2a07dc33f37a34087469de0d3ecbe9ad

SHA1
0672bcc8ab7f68039de3b9525c73196687be5621

SHA256
adad00cf73b09be4f66f5f8f0e1e0f4d41bf5e6d0e540d0dfd3e4afe41110608

SHA512
c11dedc5f66662b9b484d8bccab8a736fe8ebec5a04917f8474fead4c9387632efa44706800148a0e394041e914584765f049130ac18bb816ad34c24d6e2cd7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\7C7JiPLtAl.bat

Filesize
198B

MD5
aaba863816146bc90541141e38edbbfb

SHA1
5e9c4b7d1f283019afb6b42a557a29cf5159cfa3

SHA256
61931eb063cb728f5c272aa8ed9f4c394c965a2b7de6b4bc17f8c18a69180583

SHA512
8ae40ede385132b02c7d8701cdb878a0ee461a5c265206aa51f6f3240d31efd328e74abc490f1d59139b8c0f692a5da7b2185556850598625237d9ceeab18e36

Download Submit
C:\Users\Admin\AppData\Local\Temp\ATgAsDsfjz.bat

Filesize
198B

MD5
0e208f26e86a17b0fc07a420859b797a

SHA1
6d18ab55ef8c8c857aa3e13dfa4e047122689304

SHA256
eda7e71cb6bb264de52dbb7037e30fcebb4d2405ab89df8c927a017cb770f1f8

SHA512
ae96d1b751da39b5d347eb81ffe3930019f8523c2f36fef8c55c405813d0c8badcbc895b0878be5fbd8a3be3158936ba0ac3725058b3a348c12645b2f21893d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1AF2.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\FjqlTNZm6T.bat

Filesize
198B

MD5
7ecac00bf258d59e77a6845d6073936e

SHA1
5ea65217ba749c4852b9bdf0c6120649d0ccdf19

SHA256
31c7902f7d012d0fbf0c24a3e469804b4d9006e0bf8278dd9d64e09a74b6ddf6

SHA512
a2ad4d7d435c07c031f72fb71dae1e975636d06446bb51ee13f439b51f28c8e6bac6e4da91fd7b440ebade0f6a81cac197a36b8f573e3bfd06c979ee7ec26a67

Download Submit
C:\Users\Admin\AppData\Local\Temp\HiXkD60p2N.bat

Filesize
198B

MD5
c7c015100b937aa8901e814934bb5bb2

SHA1
4a8f37fb91ccb454ecba3d085973644264fd960e

SHA256
8a2fc1530328d9e0ad1c1005f6c7138b0587b24cbc0a9909eb7c20dcac2633ea

SHA512
a9395996080e6fcc5018c3a17def917857d24e7eead6a5f02662f4244b6d703af81e40de0b6e32254480be1b46b974e3af66c99b27f6dd7ae0c400e62a0fff6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B05.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\W0gPze1DKI.bat

Filesize
198B

MD5
c6dc0e62a3fed8d12d4b26b138cad767

SHA1
88d7bd8b135c58ce626bf262bbf548a9fc522943

SHA256
3bfc1bfb13a5d821ec1a36934bd6a061d1bdef5b5079da45427eb4a88f8accf8

SHA512
9f0c4bd6968d87b950025a1546000fec4bd58f29269c4ca83ab3ccc8881e9059f13304e67d423bb2060bba35906fc64e3500d59aa066841f7dbf63ec9ba02816

Download Submit
C:\Users\Admin\AppData\Local\Temp\eR3ydISl4k.bat

Filesize
198B

MD5
e64db7d2225822079bdc602ad1d43811

SHA1
bfbe780deeabdb6a1357672960e76d5d8dfccbc0

SHA256
5203f7b5fe3ae59c5517eeb8025fb30f5feffe697f1cf76d3045c4277a93bbe9

SHA512
88548966cee15ea5ccbe8345cb39ed6d716916ecf56cbe34718a5258c9973202b21b5fa32d1f8ffaff53520fffe282b4c057dc8547614853144f4dc0c325e25f

Download Submit
C:\Users\Admin\AppData\Local\Temp\iVu5YTRuDT.bat

Filesize
198B

MD5
66701636e8980834d606103ee75a265e

SHA1
dd5a81346f9959a8064963bc98fa8c803487da59

SHA256
13881e5489c30c0bfbfc6c7f54d1661422015a822173b0d7d29c863049536944

SHA512
9718b4d5887fb458c12ecd927d436b2f0b0a96a1d30a2e1cc2a33788fdf8792f0d6e9f2eab8ccf436a62c707663319d63df3ff998aab96a248c4236848206c7a

Download Submit
C:\Users\Admin\AppData\Local\Temp\moqrXfpsIj.bat

Filesize
198B

MD5
b9010351299d7da16926979e56087226

SHA1
1fd79362d87269332f49d454a6257b42d571747b

SHA256
d6a69eb91a64d0a0fc6400d41e360335358060629997b08303f4a49b058fe26e

SHA512
72744b1d81b623429cedd2f4ff8eff8d3f03a340f20834faf35882a460fde05087e7a8cc7f847b287ef218bb57a1e2e70c26f0c22ff11b3340fb6ffd148762c5

Download Submit
C:\Users\Admin\AppData\Local\Temp\sWmtPUST1G.bat

Filesize
198B

MD5
0b88b1a4955a26a337997edb1397bdb3

SHA1
34998e0f18d99c6fd180dd4e82dbad17a4db38bf

SHA256
742b310e8c55ebc1585f7c93a0211af9a35098d1cc74363432ce8307a5b36f18

SHA512
1b34b261b89da6f749a8ebb2d8b8a2cfee59046f830b58805dfa9ce9f2ec981f481a91501226ca23398d4f5c3f643d5a9e3ed91d36ae338c9a17d2cb2e5a9943

Download Submit
C:\Users\Admin\AppData\Local\Temp\x8TIUMdSeB.bat

Filesize
198B

MD5
347240c871735c8b8d24e71ed7b3385e

SHA1
15b322c160378ca639b0f2c40fc300c5460de5b7

SHA256
17ced902c79a7013079393123152d534f427c771487329fab5b94668a5c4fb93

SHA512
94f01996cd417548b96dd5fe4437df41c632a33c763cc5b0c167a722cedc90a35d8fde3910f8b4ebf7588b91df60ce3058fac6533acc92e6b0e6f1f587ca58c8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\B4P0HLWMLE3I8W3EGY76.temp

Filesize
7KB

MD5
05936c530ec3096752d86de97522b1fb

SHA1
d16e6d05ee20460d5f65eae889f5839c28c81d32

SHA256
b8a9b17305d12d46c102c1949166bc3c66d9711abca3f3202317e1c014ca2076

SHA512
b52183f5a05e6b6bb1bd9145f93bd453099a65a623a514a80c19af91662e92eba6613769abc19655b6b8408e8d57c5a9c482db5824c82d70e8d77a9c3f88a287

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/484-635-0x0000000000150000-0x0000000000162000-memory.dmp

Filesize
72KB

Download
memory/484-634-0x0000000000E70000-0x0000000000F80000-memory.dmp

Filesize
1.1MB

Download
memory/580-216-0x00000000011E0000-0x00000000012F0000-memory.dmp

Filesize
1.1MB

Download
memory/896-514-0x00000000000D0000-0x00000000001E0000-memory.dmp

Filesize
1.1MB

Download
memory/1052-755-0x0000000000060000-0x0000000000170000-memory.dmp

Filesize
1.1MB

Download
memory/1552-574-0x0000000000A40000-0x0000000000B50000-memory.dmp

Filesize
1.1MB

Download
memory/1964-695-0x0000000000040000-0x0000000000150000-memory.dmp

Filesize
1.1MB

Download
memory/2084-454-0x0000000000070000-0x0000000000180000-memory.dmp

Filesize
1.1MB

Download
memory/2136-394-0x0000000000410000-0x0000000000422000-memory.dmp

Filesize
72KB

Download
memory/2276-77-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/2276-76-0x000000001B740000-0x000000001BA22000-memory.dmp

Filesize
2.9MB

Download
memory/2344-48-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/2720-156-0x00000000001F0000-0x0000000000300000-memory.dmp

Filesize
1.1MB

Download
memory/2736-16-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/2736-15-0x00000000003F0000-0x00000000003FC000-memory.dmp

Filesize
48KB

Download
memory/2736-17-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2736-14-0x00000000003D0000-0x00000000003E2000-memory.dmp

Filesize
72KB

Download
memory/2736-13-0x0000000001390000-0x00000000014A0000-memory.dmp

Filesize
1.1MB

Download