dcrat | c7c5a2da950f434fc4414735fd18b566376028aff21839d51d2984c8d6d719e8

Analysis

max time kernel
147s
max time network
143s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 19:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_c7c5a2da950f434fc4414735fd18b566376028aff21839d51d2984c8d6d719e8.exe
Size

1.3MB
MD5

6c92cd558de463df500c3055941fc09e
SHA1

644f7d966568dabad53962a4c255000b726421a2
SHA256

c7c5a2da950f434fc4414735fd18b566376028aff21839d51d2984c8d6d719e8
SHA512

a5d17ad401607cf25b5020e67f07ece9696a9c4af045544e500e8045a654d65edf7072380ac77c860f314317188389b0e27e7cccba980bbeeda5076fc24de765
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2604	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2832	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2652	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2628	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1568	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	668	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1836	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2024	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1924	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2480	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1040	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1580	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1036	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1220	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2440	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	916	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1172	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2804	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2548	2808	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1672	2808	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0007000000016d0b-9.dat	dcrat
behavioral1/memory/1488-13-0x0000000000980000-0x0000000000A90000-memory.dmp	dcrat
behavioral1/memory/732-46-0x0000000000270000-0x0000000000380000-memory.dmp	dcrat
behavioral1/memory/2848-166-0x0000000000D50000-0x0000000000E60000-memory.dmp	dcrat
behavioral1/memory/1952-404-0x0000000000DE0000-0x0000000000EF0000-memory.dmp	dcrat
behavioral1/memory/2812-464-0x0000000001210000-0x0000000001320000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1664	powershell.exe
1896	powershell.exe
1776	powershell.exe
1108	powershell.exe
1224	powershell.exe
836	powershell.exe
1932	powershell.exe
872	powershell.exe
2636	powershell.exe
1208	powershell.exe
1468	powershell.exe
1552	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
1488	DllCommonsvc.exe
732	csrss.exe
2848	csrss.exe
484	csrss.exe
2468	csrss.exe
1996	csrss.exe
1952	csrss.exe
2812	csrss.exe
2520	csrss.exe
1412	csrss.exe
1304	csrss.exe
2772	csrss.exe
560	csrss.exe

Loads dropped DLL 2 IoCs

pid	Process
2668	cmd.exe
2668	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
37	raw.githubusercontent.com
4	raw.githubusercontent.com
19	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
40	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com

Drops file in Program Files directory 6 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Internet Explorer\ja-JP\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Reference Assemblies\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Portable Devices\7a0fd90576e088	DllCommonsvc.exe

Drops file in Windows directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Cursors\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Windows\Cursors\24dbde2999530e	DllCommonsvc.exe
File created	C:\Windows\Help\mui\040C\winlogon.exe	DllCommonsvc.exe
File created	C:\Windows\Help\mui\040C\cc11b995f2a76d	DllCommonsvc.exe
File created	C:\Windows\Cursors\WmiPrvSE.exe	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_c7c5a2da950f434fc4414735fd18b566376028aff21839d51d2984c8d6d719e8.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1836	schtasks.exe
2128	schtasks.exe
1580	schtasks.exe
2224	schtasks.exe
2456	schtasks.exe
2604	schtasks.exe
1764	schtasks.exe
2548	schtasks.exe
2596	schtasks.exe
1036	schtasks.exe
2388	schtasks.exe
2440	schtasks.exe
2624	schtasks.exe
668	schtasks.exe
856	schtasks.exe
1040	schtasks.exe
916	schtasks.exe
2628	schtasks.exe
2024	schtasks.exe
1568	schtasks.exe
2480	schtasks.exe
1220	schtasks.exe
1172	schtasks.exe
2832	schtasks.exe
2652	schtasks.exe
2328	schtasks.exe
2616	schtasks.exe
2220	schtasks.exe
1672	schtasks.exe
1924	schtasks.exe
2416	schtasks.exe
1900	schtasks.exe
2804	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
1488	DllCommonsvc.exe
1224	powershell.exe
1552	powershell.exe
872	powershell.exe
1468	powershell.exe
1896	powershell.exe
1932	powershell.exe
2636	powershell.exe
836	powershell.exe
1664	powershell.exe
1208	powershell.exe
1108	powershell.exe
1776	powershell.exe
732	csrss.exe
2848	csrss.exe
484	csrss.exe
2468	csrss.exe
1996	csrss.exe
1952	csrss.exe
2812	csrss.exe
2520	csrss.exe
1412	csrss.exe
1304	csrss.exe
2772	csrss.exe
560	csrss.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	1488	DllCommonsvc.exe
Token: SeDebugPrivilege	1224	powershell.exe
Token: SeDebugPrivilege	1552	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	1468	powershell.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeDebugPrivilege	1932	powershell.exe
Token: SeDebugPrivilege	2636	powershell.exe
Token: SeDebugPrivilege	836	powershell.exe
Token: SeDebugPrivilege	1664	powershell.exe
Token: SeDebugPrivilege	1208	powershell.exe
Token: SeDebugPrivilege	1108	powershell.exe
Token: SeDebugPrivilege	1776	powershell.exe
Token: SeDebugPrivilege	732	csrss.exe
Token: SeDebugPrivilege	2848	csrss.exe
Token: SeDebugPrivilege	484	csrss.exe
Token: SeDebugPrivilege	2468	csrss.exe
Token: SeDebugPrivilege	1996	csrss.exe
Token: SeDebugPrivilege	1952	csrss.exe
Token: SeDebugPrivilege	2812	csrss.exe
Token: SeDebugPrivilege	2520	csrss.exe
Token: SeDebugPrivilege	1412	csrss.exe
Token: SeDebugPrivilege	1304	csrss.exe
Token: SeDebugPrivilege	2772	csrss.exe
Token: SeDebugPrivilege	560	csrss.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_c7c5a2da950f434fc4414735fd18b566376028aff21839d51d2984c8d6d719e8.exe	30
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_c7c5a2da950f434fc4414735fd18b566376028aff21839d51d2984c8d6d719e8.exe	30
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_c7c5a2da950f434fc4414735fd18b566376028aff21839d51d2984c8d6d719e8.exe	30
PID 2496 wrote to memory of 2960	2496	JaffaCakes118_c7c5a2da950f434fc4414735fd18b566376028aff21839d51d2984c8d6d719e8.exe	30
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2960 wrote to memory of 2668	2960	WScript.exe	31
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 2668 wrote to memory of 1488	2668	cmd.exe	33
PID 1488 wrote to memory of 2636	1488	DllCommonsvc.exe	68
PID 1488 wrote to memory of 2636	1488	DllCommonsvc.exe	68
PID 1488 wrote to memory of 2636	1488	DllCommonsvc.exe	68
PID 1488 wrote to memory of 1776	1488	DllCommonsvc.exe	69
PID 1488 wrote to memory of 1776	1488	DllCommonsvc.exe	69
PID 1488 wrote to memory of 1776	1488	DllCommonsvc.exe	69
PID 1488 wrote to memory of 1552	1488	DllCommonsvc.exe	70
PID 1488 wrote to memory of 1552	1488	DllCommonsvc.exe	70
PID 1488 wrote to memory of 1552	1488	DllCommonsvc.exe	70
PID 1488 wrote to memory of 1108	1488	DllCommonsvc.exe	71
PID 1488 wrote to memory of 1108	1488	DllCommonsvc.exe	71
PID 1488 wrote to memory of 1108	1488	DllCommonsvc.exe	71
PID 1488 wrote to memory of 836	1488	DllCommonsvc.exe	74
PID 1488 wrote to memory of 836	1488	DllCommonsvc.exe	74
PID 1488 wrote to memory of 836	1488	DllCommonsvc.exe	74
PID 1488 wrote to memory of 1208	1488	DllCommonsvc.exe	75
PID 1488 wrote to memory of 1208	1488	DllCommonsvc.exe	75
PID 1488 wrote to memory of 1208	1488	DllCommonsvc.exe	75
PID 1488 wrote to memory of 1224	1488	DllCommonsvc.exe	76
PID 1488 wrote to memory of 1224	1488	DllCommonsvc.exe	76
PID 1488 wrote to memory of 1224	1488	DllCommonsvc.exe	76
PID 1488 wrote to memory of 1468	1488	DllCommonsvc.exe	77
PID 1488 wrote to memory of 1468	1488	DllCommonsvc.exe	77
PID 1488 wrote to memory of 1468	1488	DllCommonsvc.exe	77
PID 1488 wrote to memory of 1664	1488	DllCommonsvc.exe	79
PID 1488 wrote to memory of 1664	1488	DllCommonsvc.exe	79
PID 1488 wrote to memory of 1664	1488	DllCommonsvc.exe	79
PID 1488 wrote to memory of 1932	1488	DllCommonsvc.exe	80
PID 1488 wrote to memory of 1932	1488	DllCommonsvc.exe	80
PID 1488 wrote to memory of 1932	1488	DllCommonsvc.exe	80
PID 1488 wrote to memory of 1896	1488	DllCommonsvc.exe	81
PID 1488 wrote to memory of 1896	1488	DllCommonsvc.exe	81
PID 1488 wrote to memory of 1896	1488	DllCommonsvc.exe	81
PID 1488 wrote to memory of 872	1488	DllCommonsvc.exe	83
PID 1488 wrote to memory of 872	1488	DllCommonsvc.exe	83
PID 1488 wrote to memory of 872	1488	DllCommonsvc.exe	83
PID 1488 wrote to memory of 732	1488	DllCommonsvc.exe	92
PID 1488 wrote to memory of 732	1488	DllCommonsvc.exe	92
PID 1488 wrote to memory of 732	1488	DllCommonsvc.exe	92
PID 732 wrote to memory of 3048	732	csrss.exe	93
PID 732 wrote to memory of 3048	732	csrss.exe	93
PID 732 wrote to memory of 3048	732	csrss.exe	93
PID 3048 wrote to memory of 3008	3048	cmd.exe	95
PID 3048 wrote to memory of 3008	3048	cmd.exe	95
PID 3048 wrote to memory of 3008	3048	cmd.exe	95
PID 3048 wrote to memory of 2848	3048	cmd.exe	97
PID 3048 wrote to memory of 2848	3048	cmd.exe	97
PID 3048 wrote to memory of 2848	3048	cmd.exe	97
PID 2848 wrote to memory of 1020	2848	csrss.exe	98
PID 2848 wrote to memory of 1020	2848	csrss.exe	98
PID 2848 wrote to memory of 1020	2848	csrss.exe	98
PID 1020 wrote to memory of 2632	1020	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7c5a2da950f434fc4414735fd18b566376028aff21839d51d2984c8d6d719e8.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c7c5a2da950f434fc4414735fd18b566376028aff21839d51d2984c8d6d719e8.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2496
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2668
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1488
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2636
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Cursors\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1776
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:836
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Help\mui\040C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1208
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\ja-JP\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1224
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Pictures\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1468
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Reference Assemblies\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1664
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1932
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\Favorites\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Portable Devices\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:732
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3048
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:3008
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2848
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2632
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat"
        10⤵
        
        PID:1712
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1392
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2468
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat"
        12⤵
        
        PID:2072
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2520
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat"
        14⤵
        
        PID:2572
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2440
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat"
        16⤵
        
        PID:1648
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2920
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat"
        18⤵
        
        PID:2348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1564
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat"
        20⤵
        
        PID:1932
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2508
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1412
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat"
        22⤵
        
        PID:2988
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:1900
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1304
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat"
        24⤵
        
        PID:1000
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2728
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat"
        26⤵
        
        PID:2564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1616
        
        C:\Program Files (x86)\Reference Assemblies\csrss.exe
        
        "C:\Program Files (x86)\Reference Assemblies\csrss.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:560

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 7 /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 14 /tr "'C:\Windows\Cursors\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2624

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 8 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2596

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2628

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-002C-0409-0000-0000000FF1CE}-C\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:668

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 8 /tr "'C:\providercommon\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1836

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2024

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 11 /tr "'C:\providercommon\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\040C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Windows\Help\mui\040C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Windows\Help\mui\040C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1900

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\ja-JP\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Pictures\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Users\Default\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Users\Default\Pictures\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2616

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Reference Assemblies\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1036

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 11 /tr "'C:\Recovery\1f276ee2-69f6-11ef-8b31-62cb582c238c\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 14 /tr "'C:\Users\Public\Favorites\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2440

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Users\Public\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:916

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 7 /tr "'C:\Users\Public\Favorites\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 8 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2804

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2548

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Program Files\Windows Portable Devices\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1672

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bdc1dc40bdf6ec1dd96447aa976bd03c

SHA1
fd47acc77b8cbb8b2833e808412f8c2f3f4f350b

SHA256
3462cb1aaff6039c1724c2921e2e56945b66f9111cb0179fa6912b1d32ca3115

SHA512
ed3198e54e5b056f45f7ee38357e49679db9c66b978da4954afbc4bf397a974de270c6d2b9a11f6179462f750eab25bdd61ef63bec8661be18b5cfb19f4a6cfa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c1648f6b020c97e305419ad2cbeab8e8

SHA1
b686aabb0443d5f7adcbb7e48adce7fc7bd1c803

SHA256
59d6816c35cb24a0d5961359219746a7cc2a31cbe5c14f73ed7bbe32153f2d4b

SHA512
eb61caf893198ffa8bafeffd3fa64307f0a49bd6afcaf859234573346061f5ead9b68c67e3bc3c3e3c651594d55347f82d435e72ff54c95f9628677800431c71

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6b18d8228c8b7349c1663e62899b8bb7

SHA1
10e0f98f4261b734b9ac91f4456e5eba2ed79dbe

SHA256
7c53cea164fb2dbd69f6cef4eda5bf591bbe06828ef35fb2bd20c23fb6b64681

SHA512
022bd328f5feae509e60f4f40ba33c4f52ee76bc5591289993f0b6cd6e6bd072b4471f0b6d3162985750a9f99e8609df61f5110d06017ec66a655eb269906ad4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
06d0a2a4ee694a68cc6b36e7ba5db2c8

SHA1
bfa7b8c9439caa6f7baf98cbdbedc55e6a465c8a

SHA256
5c32064c1cde19bbfe10b6efb49e370c8863253bd6be10d7197da312bcde46d2

SHA512
b0fd83cff4e9e4e7a2af820e0f7485ee05ea63b92154079ca3b794709d7edb4eaca7a28be5e2426ed3c746af2b12543fb024d6e416a4343c70ee7208d42d4cfd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fdb56f11fa353ff9e68c51177ec7e283

SHA1
0fb2527eb54515d053dc462362d2cce95ef0642c

SHA256
99f0938b08f66795c5c51cf123462c9678a95a15683e574d495d60f36443d098

SHA512
a0c18c65bbe02abe074805e630658ace950492e48de680a6f9d1fe0a8fc8fd3d9354dd51c137475bb3423865650f0e0b99f2220de41358833fe440303f8ec2c6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
edc57b44346b86299d23a77f374fd4fb

SHA1
19550be196008665313d887cf6f61fdc2d8cd7e8

SHA256
0b34a442a3dbea557830db981893cb01f461174d502aa97abbcb00c193f8eef3

SHA512
3c707f8e41b307d1e08d5ed16d415ec0ee528844df24aa934750e810e96fe6052b47890ee869ad13541647e031ba95050dc83e345eb63e865673e776af50cf47

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0046d7030bab8512d9c5d217b8154102

SHA1
ac2266467848c3dfaa09f776cfcba6fae6561e1d

SHA256
410c635bea5b9e97e0a2c97bed885bade9f50ff0af20221ef8c3378d37b89a02

SHA512
bb07054e7d177a6f6c880b2a1c7d3a0d47f530731b87438f0c08b872c472173e210cf7b28371bae685b4b3fc02bef8485b9cee0319cb2edc8edd467b504bdabc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f9409757f8bef0a0124dfcb321a9ac15

SHA1
d1dcb01b71471a9145ebbd9e035aa0d629cd2450

SHA256
f1dfe3b37341b091e97e7c7ee14e80677b9174ad88dac5ac7868426427877eb4

SHA512
65210ad9aa8cc11476a13ce67ff4bae42aeffbf5c98d78690a978572f78942836237bd0dd5223d4ae4925164ca6ddc0939b75cbf61d013b3595e016073281545

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a6ff027b299bab31f275ab146b6a7991

SHA1
359298f22e66bc9774fc1748c5383120c9be1fed

SHA256
e5db0ae0223c9394cb965cd1be0e4db7bbf419c08b6b9246fbb4c5c82d306463

SHA512
5adb3c1c50a38b79029319650f148b88bf5ba7e3ac82cdb58a45763b0e1ad683611b9368afbafac8a7ae865b3a25f76c222ad375a137e78827ac90d2ec6b8ec7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd2868efae43349a31c4e5dd97ecd4d5

SHA1
5c1b4f5ba6a3cf8f479a5a8715bc7b31754be70a

SHA256
820e51d1e91feccd0ba1ac9b116cf9b9386b89dabd34b2158ba166470121e64b

SHA512
04860a59f0c9fc9c90b11e067025b167535d7e09debfb1a0ccda0ea42fac79a83be6ae0c580ea3250fa0760650a52e16adda8de23f0df56e413caef62e7a5ca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\3gUlVaPHfz.bat

Filesize
218B

MD5
d09540e6106e7e6b3bb0beb4d40518da

SHA1
d26f3f2239936bd441c55c484bdf03ca8daa03dc

SHA256
2358b1fed9fde57ed3ba07014f2442b92971095feb68698cb2dbdfdcc7c448c5

SHA512
a18c71a0c558c04a40e0f3bb10ac4bfc071478676d132190fab8b3667189734ba60e9ab3d4726d09dcfdbe30f90ea7b990d26a48d06414e212272e3290126410

Download Submit
C:\Users\Admin\AppData\Local\Temp\5EJ4eIa89C.bat

Filesize
218B

MD5
ef8dc3a848e763d60c7b805a3ca748ac

SHA1
99848305a2b33ccb1fcd37ef071b4d6a8cb01f3d

SHA256
2b7831ddffafa34586111a6ea03e9a20fe14a4ada6a35de173643c0543a25c55

SHA512
ecfc3e142d5e10f76b1d02b60cf53a06e199428c2adc1a0e10ab3c05951457e257cea5754c579c75c8f3bab11f3f10c17f9da029f9f98af27ea7fd1f995fb8dd

Download Submit
C:\Users\Admin\AppData\Local\Temp\Ap6i2Y3psm.bat

Filesize
218B

MD5
8750af29a6f6199f36906ac77015f48d

SHA1
8825925c21adc3015c1203042f9b975437e03bf9

SHA256
8179d284ce71bd551645603dc84ec688e2a3d9ea272eabb2eafeecd9e1961e32

SHA512
5c22dc23cdecd1d107db50a2d03d9981a58531fc9bd933dd23507445883d1fd8317cff77eddc24eacc722e5c27cadd2efb66718c78d2cf32fd8b1c5a81e21df4

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC18D.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\G2aNa3Lme8.bat

Filesize
218B

MD5
0d7d914cd2d470c1b526129041ba7239

SHA1
5a55872770f6eade65f9e58ff59a06ec20153bbf

SHA256
30f11aa3e9e5310c442aa268ede5de6a6e4c00f0671ac161941df148dfe52295

SHA512
8bbdaeb11c2f8a1b0151e3f5e32cd4c8b125cb2eab8a4948241c11451b4a07db2b4724018eaf2891b87573285ce89577e8ed5824c405196399614b05b52dad0f

Download Submit
C:\Users\Admin\AppData\Local\Temp\HZWv28qLDz.bat

Filesize
218B

MD5
49e554ff0530438813e1d397633ac654

SHA1
0e2d8e685af1840abcf49f2a66d343aacd4ae9e8

SHA256
feda976185024f1510c6ab9ac4431418d4f0ff78c5b014d0cec5abb4ca5dd985

SHA512
9c7a9ab1a3111a2edb89420a296734de65f4a30be13bd3862cbcdf95cfea04ce42b5b4d441b27415804cef46cb564bca13e582ac4e7e716b05a1c5f53fb085d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\MUFyTxLHSg.bat

Filesize
218B

MD5
3817f48c34f562aa6b1b8f1515ec3b0e

SHA1
4214525f63e412fc7494b51a795e4b2140d3f839

SHA256
56b6522f70c0003f3b3689f12831708fa2c18c71a95ca83b84b82c9f5b77a046

SHA512
1cf79dedc5d07c2e24ffbecd6550e9b53b7cbac70c1a4ceca7d430844a72b5d1daa05c6a16f84ecfc01ebb0ee563313d05a5d33d0133657463ae80d0cd0b648b

Download Submit
C:\Users\Admin\AppData\Local\Temp\SNhzeWIHcH.bat

Filesize
218B

MD5
d1302ad67ef99fcc55ed10e86531b833

SHA1
2a1f523ee95b81f75e0fc78bcf55f510645c5e5c

SHA256
a6646967309f75fc38f1a9536e6a1b6e54024a85491880df902021ab5be04878

SHA512
76b00097e25b734fbba6e5974f965e0991502b88f4febf19ddf15b90293d43b8ac250bb15b0587e04bd42a08f86ee1e003a1d0121bd65d9229bed80c27e5f6f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\SzaURWjxsM.bat

Filesize
218B

MD5
061ee0dd3d610ecbef9219b5524ffb45

SHA1
f780e8f87d23709ca538d6b1f148b1469851faa7

SHA256
543d3209016530d34698366738f49e856643d63b13beb3d1da03014e14271cf6

SHA512
02107ea112635494d03e8eb2388123b195976b843e4690241c85ea79e1158b07f831831c710ba8c1e7fef771d0a054ae1739610126289be09760199f79fee173

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC19F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat

Filesize
218B

MD5
d0ab8fa1fc38fbda1779608d0d5f9a9c

SHA1
cc33e7ac1d5f05b14f8c16395968e79dbfca496d

SHA256
697be6bfecb48df367bfcd1f20b07f1044020621f296f70ec79f822bdee41b37

SHA512
8e6d3807efd9a7e9733b503532a574032d518d2b346136445f68aaadfd0ee7e42273a85caeb2750e4c0cb512b9eb6b6084dc0c16808fc471f63a310beff9f627

Download Submit
C:\Users\Admin\AppData\Local\Temp\a1rZrAbBst.bat

Filesize
218B

MD5
08f4030e7f73e3dbb95031f5c31d32e2

SHA1
8df79e287b4674cac0b59e6b0d20d40e53563500

SHA256
689ef27b59f4d5184e35137e67342534ccd743898b3aac5b5402c0cdbbb628af

SHA512
f9ac657c173c7c70d7327ac2c941b26d3bc4a8d28284208c001623893b60e510b9c3f3e252a8bff25d886c5ddbd913cac991b4a22d9d40ff655d7c776d3045ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\uSow6ZWML2.bat

Filesize
218B

MD5
7ee5702211d1652aabebfb126bfa64ba

SHA1
c92687f78ff21979068877aaf8b897cc6a375395

SHA256
62d8b07b833ad5aeb2069eaa3e05d9b6d3b6368d6ff4ef903190385af8309fdb

SHA512
b7a2cd729bf5dd67a376d9bb303abd4cf00b1d35dffc994f96d94ff522f16404fe90a63cfb5bb27d97572048cc4aef74e734b019c02d645ab360b8bf621496c1

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
b400b74077f4b813403c5701e964c52e

SHA1
88a7cf5db262881629fa467a2d9fc1421c287ff8

SHA256
02c575595dd49cbd6febd36076510dd8a137f730f8e9e459ed7ec88c1fd09868

SHA512
5df0cab1cca29020d503b175ab6fc2afac85b9004217d5ad7fdd29745280fa4e520880efa880c5be2125a6f753ffc68e0053dc16e4709299813800f6f835e2ce

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/732-46-0x0000000000270000-0x0000000000380000-memory.dmp

Filesize
1.1MB

Download
memory/1224-58-0x0000000002320000-0x0000000002328000-memory.dmp

Filesize
32KB

Download
memory/1224-57-0x000000001B590000-0x000000001B872000-memory.dmp

Filesize
2.9MB

Download
memory/1488-17-0x00000000003E0000-0x00000000003EC000-memory.dmp

Filesize
48KB

Download
memory/1488-16-0x00000000003D0000-0x00000000003DC000-memory.dmp

Filesize
48KB

Download
memory/1488-15-0x00000000003C0000-0x00000000003CC000-memory.dmp

Filesize
48KB

Download
memory/1488-14-0x00000000003B0000-0x00000000003C2000-memory.dmp

Filesize
72KB

Download
memory/1488-13-0x0000000000980000-0x0000000000A90000-memory.dmp

Filesize
1.1MB

Download
memory/1952-404-0x0000000000DE0000-0x0000000000EF0000-memory.dmp

Filesize
1.1MB

Download
memory/1996-344-0x0000000000450000-0x0000000000462000-memory.dmp

Filesize
72KB

Download
memory/2772-701-0x0000000000240000-0x0000000000252000-memory.dmp

Filesize
72KB

Download
memory/2812-464-0x0000000001210000-0x0000000001320000-memory.dmp

Filesize
1.1MB

Download
memory/2848-166-0x0000000000D50000-0x0000000000E60000-memory.dmp

Filesize
1.1MB

Download