dcrat | 9d5e25f45d5d577322a1e6fb6b8eedf781d86aedb94dbf1c1bfaa9e71af5bc45

Analysis

max time kernel
150s
max time network
154s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 19:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_9d5e25f45d5d577322a1e6fb6b8eedf781d86aedb94dbf1c1bfaa9e71af5bc45.exe
Size

1.3MB
MD5

96802a1b7e54620e69c7726c02c749fe
SHA1

c197fbdb26ed2d95bf9b3ec9685eecba731e0ca4
SHA256

9d5e25f45d5d577322a1e6fb6b8eedf781d86aedb94dbf1c1bfaa9e71af5bc45
SHA512

fc158732db7a83150e3d7c2934cd21394f8a247f106f32fc11232c9356faca0c14e765fc6b42cf215be7f638bbdc9dd29b07a27f2d53d7aa32b25297d093586f
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2912	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3000	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1528	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2728	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2740	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2316	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1832	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2656	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2340	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1504	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1636	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2008	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2004	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1764	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2428	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2416	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2248	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2484	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2424	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	108	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2588	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2992	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1552	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	988	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	236	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1736	2512	schtasks.exe	35
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1028	2512	schtasks.exe	35

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016d69-9.dat	dcrat
behavioral1/memory/2152-13-0x0000000001220000-0x0000000001330000-memory.dmp	dcrat
behavioral1/memory/1384-112-0x00000000008E0000-0x00000000009F0000-memory.dmp	dcrat
behavioral1/memory/3024-171-0x0000000000E10000-0x0000000000F20000-memory.dmp	dcrat
behavioral1/memory/2576-231-0x00000000013A0000-0x00000000014B0000-memory.dmp	dcrat
behavioral1/memory/1584-409-0x0000000000200000-0x0000000000310000-memory.dmp	dcrat
behavioral1/memory/1552-469-0x00000000002F0000-0x0000000000400000-memory.dmp	dcrat
behavioral1/memory/1560-529-0x0000000000DD0000-0x0000000000EE0000-memory.dmp	dcrat
behavioral1/memory/1240-589-0x0000000000EE0000-0x0000000000FF0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1912	powershell.exe
2072	powershell.exe
2260	powershell.exe
2436	powershell.exe
2640	powershell.exe
272	powershell.exe
908	powershell.exe
2312	powershell.exe
2400	powershell.exe
2272	powershell.exe
2540	powershell.exe
1424	powershell.exe
1540	powershell.exe

Executes dropped EXE 10 IoCs

pid	Process
2152	DllCommonsvc.exe
1384	winlogon.exe
3024	winlogon.exe
2576	winlogon.exe
2408	winlogon.exe
1384	winlogon.exe
1584	winlogon.exe
1552	winlogon.exe
1560	winlogon.exe
1240	winlogon.exe

Loads dropped DLL 2 IoCs

pid	Process
2196	cmd.exe
2196	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 10 IoCs

Web Service

T1102

flow	ioc
29	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
16	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
33	raw.githubusercontent.com

Drops file in Program Files directory 9 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\56085415360792	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\OSPPSVC.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Journal\Templates\1610b97d3ab4a7	DllCommonsvc.exe
File created	C:\Program Files\DVD Maker\en-US\wininit.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\assembly\GAC_64\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\assembly\GAC_64\6cb0b6c459d5d3	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_9d5e25f45d5d577322a1e6fb6b8eedf781d86aedb94dbf1c1bfaa9e71af5bc45.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1764	schtasks.exe
2428	schtasks.exe
2424	schtasks.exe
2912	schtasks.exe
1552	schtasks.exe
236	schtasks.exe
1528	schtasks.exe
2680	schtasks.exe
2968	schtasks.exe
1808	schtasks.exe
2484	schtasks.exe
1788	schtasks.exe
2728	schtasks.exe
1656	schtasks.exe
108	schtasks.exe
988	schtasks.exe
2588	schtasks.exe
2992	schtasks.exe
1028	schtasks.exe
2740	schtasks.exe
2316	schtasks.exe
2340	schtasks.exe
2008	schtasks.exe
3000	schtasks.exe
1832	schtasks.exe
2644	schtasks.exe
1504	schtasks.exe
2368	schtasks.exe
2004	schtasks.exe
2416	schtasks.exe
2248	schtasks.exe
1736	schtasks.exe
2656	schtasks.exe
3016	schtasks.exe
1128	schtasks.exe
1636	schtasks.exe

Suspicious behavior: EnumeratesProcesses 23 IoCs

pid	Process
2152	DllCommonsvc.exe
2640	powershell.exe
272	powershell.exe
1424	powershell.exe
1912	powershell.exe
1540	powershell.exe
908	powershell.exe
2072	powershell.exe
2540	powershell.exe
2400	powershell.exe
2312	powershell.exe
2260	powershell.exe
2436	powershell.exe
2272	powershell.exe
1384	winlogon.exe
3024	winlogon.exe
2576	winlogon.exe
2408	winlogon.exe
1384	winlogon.exe
1584	winlogon.exe
1552	winlogon.exe
1560	winlogon.exe
1240	winlogon.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeDebugPrivilege	2152	DllCommonsvc.exe
Token: SeDebugPrivilege	2640	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	1424	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1540	powershell.exe
Token: SeDebugPrivilege	908	powershell.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2540	powershell.exe
Token: SeDebugPrivilege	2400	powershell.exe
Token: SeDebugPrivilege	2312	powershell.exe
Token: SeDebugPrivilege	2260	powershell.exe
Token: SeDebugPrivilege	2436	powershell.exe
Token: SeDebugPrivilege	2272	powershell.exe
Token: SeDebugPrivilege	1384	winlogon.exe
Token: SeDebugPrivilege	3024	winlogon.exe
Token: SeDebugPrivilege	2576	winlogon.exe
Token: SeDebugPrivilege	2408	winlogon.exe
Token: SeDebugPrivilege	1384	winlogon.exe
Token: SeDebugPrivilege	1584	winlogon.exe
Token: SeDebugPrivilege	1552	winlogon.exe
Token: SeDebugPrivilege	1560	winlogon.exe
Token: SeDebugPrivilege	1240	winlogon.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2240 wrote to memory of 2084	2240	JaffaCakes118_9d5e25f45d5d577322a1e6fb6b8eedf781d86aedb94dbf1c1bfaa9e71af5bc45.exe	30
PID 2240 wrote to memory of 2084	2240	JaffaCakes118_9d5e25f45d5d577322a1e6fb6b8eedf781d86aedb94dbf1c1bfaa9e71af5bc45.exe	30
PID 2240 wrote to memory of 2084	2240	JaffaCakes118_9d5e25f45d5d577322a1e6fb6b8eedf781d86aedb94dbf1c1bfaa9e71af5bc45.exe	30
PID 2240 wrote to memory of 2084	2240	JaffaCakes118_9d5e25f45d5d577322a1e6fb6b8eedf781d86aedb94dbf1c1bfaa9e71af5bc45.exe	30
PID 2084 wrote to memory of 2196	2084	WScript.exe	32
PID 2084 wrote to memory of 2196	2084	WScript.exe	32
PID 2084 wrote to memory of 2196	2084	WScript.exe	32
PID 2084 wrote to memory of 2196	2084	WScript.exe	32
PID 2196 wrote to memory of 2152	2196	cmd.exe	34
PID 2196 wrote to memory of 2152	2196	cmd.exe	34
PID 2196 wrote to memory of 2152	2196	cmd.exe	34
PID 2196 wrote to memory of 2152	2196	cmd.exe	34
PID 2152 wrote to memory of 908	2152	DllCommonsvc.exe	72
PID 2152 wrote to memory of 908	2152	DllCommonsvc.exe	72
PID 2152 wrote to memory of 908	2152	DllCommonsvc.exe	72
PID 2152 wrote to memory of 272	2152	DllCommonsvc.exe	73
PID 2152 wrote to memory of 272	2152	DllCommonsvc.exe	73
PID 2152 wrote to memory of 272	2152	DllCommonsvc.exe	73
PID 2152 wrote to memory of 1540	2152	DllCommonsvc.exe	74
PID 2152 wrote to memory of 1540	2152	DllCommonsvc.exe	74
PID 2152 wrote to memory of 1540	2152	DllCommonsvc.exe	74
PID 2152 wrote to memory of 1424	2152	DllCommonsvc.exe	75
PID 2152 wrote to memory of 1424	2152	DllCommonsvc.exe	75
PID 2152 wrote to memory of 1424	2152	DllCommonsvc.exe	75
PID 2152 wrote to memory of 2640	2152	DllCommonsvc.exe	77
PID 2152 wrote to memory of 2640	2152	DllCommonsvc.exe	77
PID 2152 wrote to memory of 2640	2152	DllCommonsvc.exe	77
PID 2152 wrote to memory of 2436	2152	DllCommonsvc.exe	78
PID 2152 wrote to memory of 2436	2152	DllCommonsvc.exe	78
PID 2152 wrote to memory of 2436	2152	DllCommonsvc.exe	78
PID 2152 wrote to memory of 2260	2152	DllCommonsvc.exe	81
PID 2152 wrote to memory of 2260	2152	DllCommonsvc.exe	81
PID 2152 wrote to memory of 2260	2152	DllCommonsvc.exe	81
PID 2152 wrote to memory of 2540	2152	DllCommonsvc.exe	82
PID 2152 wrote to memory of 2540	2152	DllCommonsvc.exe	82
PID 2152 wrote to memory of 2540	2152	DllCommonsvc.exe	82
PID 2152 wrote to memory of 2072	2152	DllCommonsvc.exe	83
PID 2152 wrote to memory of 2072	2152	DllCommonsvc.exe	83
PID 2152 wrote to memory of 2072	2152	DllCommonsvc.exe	83
PID 2152 wrote to memory of 2272	2152	DllCommonsvc.exe	84
PID 2152 wrote to memory of 2272	2152	DllCommonsvc.exe	84
PID 2152 wrote to memory of 2272	2152	DllCommonsvc.exe	84
PID 2152 wrote to memory of 2400	2152	DllCommonsvc.exe	85
PID 2152 wrote to memory of 2400	2152	DllCommonsvc.exe	85
PID 2152 wrote to memory of 2400	2152	DllCommonsvc.exe	85
PID 2152 wrote to memory of 1912	2152	DllCommonsvc.exe	86
PID 2152 wrote to memory of 1912	2152	DllCommonsvc.exe	86
PID 2152 wrote to memory of 1912	2152	DllCommonsvc.exe	86
PID 2152 wrote to memory of 2312	2152	DllCommonsvc.exe	87
PID 2152 wrote to memory of 2312	2152	DllCommonsvc.exe	87
PID 2152 wrote to memory of 2312	2152	DllCommonsvc.exe	87
PID 2152 wrote to memory of 1560	2152	DllCommonsvc.exe	98
PID 2152 wrote to memory of 1560	2152	DllCommonsvc.exe	98
PID 2152 wrote to memory of 1560	2152	DllCommonsvc.exe	98
PID 1560 wrote to memory of 2636	1560	cmd.exe	100
PID 1560 wrote to memory of 2636	1560	cmd.exe	100
PID 1560 wrote to memory of 2636	1560	cmd.exe	100
PID 1560 wrote to memory of 1384	1560	cmd.exe	101
PID 1560 wrote to memory of 1384	1560	cmd.exe	101
PID 1560 wrote to memory of 1384	1560	cmd.exe	101
PID 1384 wrote to memory of 2044	1384	winlogon.exe	102
PID 1384 wrote to memory of 2044	1384	winlogon.exe	102
PID 1384 wrote to memory of 2044	1384	winlogon.exe	102
PID 2044 wrote to memory of 1688	2044	cmd.exe	104

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d5e25f45d5d577322a1e6fb6b8eedf781d86aedb94dbf1c1bfaa9e71af5bc45.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_9d5e25f45d5d577322a1e6fb6b8eedf781d86aedb94dbf1c1bfaa9e71af5bc45.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2240
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2152
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:908
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\All Users\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1424
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2640
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2436
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2260
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2540
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\assembly\GAC_64\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2400
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\DVD Maker\en-US\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2312
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wRhF7PcXPa.bat"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:1560
      - C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        6⤵
        
        PID:2636
      - C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        6⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat"
        7⤵
        Suspicious use of WriteProcessMemory
        
        PID:2044
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        8⤵
        
        PID:1688
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        8⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3024
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat"
        9⤵
        
        PID:2024
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        10⤵
        
        PID:2116
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        10⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat"
        11⤵
        
        PID:2152
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        12⤵
        
        PID:2436
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        12⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2408
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat"
        13⤵
        
        PID:2056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        14⤵
        
        PID:2680
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        14⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1384
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat"
        15⤵
        
        PID:1592
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        16⤵
        
        PID:2188
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        16⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat"
        17⤵
        
        PID:2508
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        18⤵
        
        PID:1724
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        18⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1552
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat"
        19⤵
        
        PID:3016
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        20⤵
        
        PID:1920
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        20⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat"
        21⤵
        
        PID:1604
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        22⤵
        
        PID:2384
        
        C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe
        
        "C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe"
        22⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1240

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2912

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3000

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft Office\CLIPART\PUB60COR\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1528

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2728

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2740

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\Users\All Users\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1832

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 14 /tr "'C:\Users\All Users\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2340

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1504

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1656

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 12 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAP" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1636

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WMIADAPW" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WMIADAP.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-00BA-0409-0000-0000000FF1CE}-C\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 11 /tr "'C:\Windows\assembly\GAC_64\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2428

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Windows\assembly\GAC_64\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2416

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Windows\assembly\GAC_64\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 5 /tr "'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1808

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 11 /tr "'C:\Program Files\Windows Journal\Templates\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2424

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:108

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2588

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Users\Default User\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2992

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 7 /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1552

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Program Files\DVD Maker\en-US\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:236

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1736

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0044-0409-0000-0000000FF1CE}-C\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5c5e2151da53b583447674311310cb01

SHA1
aa2ccef21a35d0af5515422210427fbef5ffdcad

SHA256
65838ada0ccd1e2514f99ab361173262f86fd0ce62074a3f17a7dd1627bfefe3

SHA512
02e210550ee35ce31a09d09a232585aa97f11c5cfe594702e7518bd994ba71f202fba97b056104fd016401f95fdf0331c67da53a7a029679293980e1248d40a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
df9cea67028bf21df80383924026d36f

SHA1
b0fd9e7a8556053584a9e97aebbcc90456b090ca

SHA256
3c569d59ef675d8d5d4c9eb53847cdd0774267977caa3deb1bb6dc47a413fe2b

SHA512
0ab7fd2e9c87c46c3557867262a997d4758bb874a30b8054da3745ef25fbf7e5487b00d5c5e3abd1b5852770d56703c88e2172fa731f9fcb20d7835407c3f391

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5e41fc05c507aae5292e1fc620915f22

SHA1
55295b43d526ab6d24328f5555cd1f79b8de761b

SHA256
07fb9cf359a8d2609083a6c254c46368144bf6babc5748f0d49865de554fb732

SHA512
c99a267a3c7db62b6e528589d584b71a9ca598750f7bdd8a4f52a0b08f262585d7013168edc5537661ee2df9dcd85b9a9331c477ddae65a080ed64c02bd75a6a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b480a50c1add349a7505a8af6e99d918

SHA1
1066648a029da7be305971d8179ea13e599dfde9

SHA256
fadb5ca1aeae61ea98fe09d32f0194863dda12c67e11823ebfcb158083c4605e

SHA512
1ffd41c8284450873b8fb6b89673554a246e816cda72d5e27f1562bbaa2db76259728e4b7c7cc41bfc3de23f3987988e7e90998c7f1f4fd5c362db899a4633cd

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b14392c27dc99a74311f63361a431ce

SHA1
3ea551db65a0dcb51bb73582580b4a58f5c9f8b9

SHA256
6bb5824d0afd8d0a31fadda610cd18d41245a25c5b4909c7c3de9521611c4483

SHA512
06a446fb79ec603ee50cd38772ee12b308082dc1f4152070e02b65f9d7af1a8f49d8d802aa99ac5bacc4981d8df51666f32813832e4853717dd1bdb8c46d267e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f8fc1c069c70115b44d2c9c277c598ae

SHA1
1026dd11e19e04c89952a8b5135a875689cae26f

SHA256
bb67b002b20c1d3ab7463b8a34361b8df417cce5514a627fcd8cb5c650706467

SHA512
91a1b22f8ed733e1ce542e16cd66e69a0715aa1a4ffde5ce20fbde1c5d7ecf56c8f20c4fa8c19a555d3f3653851ba738c79e022f0bfa3d08fba9e1975ff78bea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
446209c193aad30996a5b1f898f97d1d

SHA1
433c74d548dfbf71828a3c3a7522d341d0452ae8

SHA256
c3d289a367b14006b83b428ad97af7e920bef9a49fe0cac2bee2d10e5a36260a

SHA512
02d3a347a58ce171b3cdf89e9746a7a6f005da535c442d963d69ded93e5b9b6db12693db899cf3179fc273d7e80841b8275b99cdfd8529cb52a059d236353528

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8a9676c69e062d5e583524cd600bfa68

SHA1
c638deaa910a2b1745efab33bdef958cf337535a

SHA256
f772c56edbaed23777385e3d466005cfd8ca723e2178e463e86dae0448fd93c6

SHA512
5e2b91cc191c7fe7f413d092942cfcc4c85bb543ecc399a58fe12da16e8013c01dbc8ff1249ed05e89c1ac8290fdba53c3f3f72d5eda5cb0c9133f87c6c9ad6f

Download Submit
C:\Users\Admin\AppData\Local\Temp\0xFiNVDkrN.bat

Filesize
240B

MD5
771cbf2c5839d99ab88d8987bec0662e

SHA1
66c1ca65e502e053840d667adf1fe6e5ef1fafbe

SHA256
1e8e8603f29252f842a419eddf053830537cb7ae44c4f827d4119c0e433d4704

SHA512
3d2bd15a21bf562dcdd2fcdc3bcd4e55963cc937579bff401dc65bd6b40aa613002d072833232813f5c29e7ae7d2b974a9a8f299f001c126c1828e9efcf43054

Download Submit
C:\Users\Admin\AppData\Local\Temp\8YXrskW4JY.bat

Filesize
240B

MD5
fa99fa118bba37253881a762698d9966

SHA1
bddadbaef1e5e231f807def6497a222021a68500

SHA256
bec4ef6ad19dedcc6e122b8af366d5f50b593997833fbdcdd69c0ffcffe87389

SHA512
67c3ac41f5acd5c646db0c21718ed4b96503ddde3596c0ea8cae22c231705b6d552699ecbe856427790656c19cf6fd4f0ad085bc35e08345100566a7226ac31d

Download Submit
C:\Users\Admin\AppData\Local\Temp\AXFqcUy7ES.bat

Filesize
240B

MD5
786be2f5e1e4c76a948c96bd0ffff1f4

SHA1
32432a5ea899cb7e6159db3b70300340e18351cd

SHA256
7a593f4a318f7df2810a9d31fac660c88e07a583bafc2ebec046d95af897ee87

SHA512
d7f780e2698cfe2ffda2aa0c759981081e1fb59012b56a563edce5c0e9f81b52edc21dab3f6dc9c7ab16f1d8113300b268a83a01fa855c0cf723c3dde41f403f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4250.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar432D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WPmuDeaX4D.bat

Filesize
240B

MD5
c7d83c622c079497521336d1579d94ef

SHA1
5b09760213cb1a8d156072bb429ae1a84b34c5f4

SHA256
84d0aa2c117fa44a502eede910c63f18bb3c75778572b2e55bbc4262ce0e9e54

SHA512
f3520b352a0f37c916b62b500cc04c8a8ab35438716f79894eef7f1b47eef4a8e7bf80e3db5b068fc87e0cfac1a59f4a07a290f4201c59cb616da285612599a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\XFk51gP3Gp.bat

Filesize
240B

MD5
dda68293ec570dd85deca8cc3260dec5

SHA1
2fdb93108cb02e8c298205c22e0f12648d5bea74

SHA256
a7c3b41e88b6eb6709fe6e12e35e4b046d5202d770df465d0d2f227e87651ea9

SHA512
0e461e88ee162683d8b2ca1d6be8d4933000f2cb8f0c1dddbe9940e64e044d35a4153d484d705c8d177e7fa57cb5817e35b0f1cad26664eca7acca951c4f1ba9

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZBm8ilTxac.bat

Filesize
240B

MD5
35cff79946547cebd82a64dfb331ea23

SHA1
8f6db20fd9014738625d829cdb9f331826fbf617

SHA256
15ddda80978849e251e43a911f6383e5dcb1f54a08f9b94ca3d96631f7166f15

SHA512
19a41fc003f73bdd6de85177ec5dc0a097aac7c864b15a04d4cc0c3e3c940cbb5a3f11c078d34ddf3cc8e551be1fe3e190123948ff8dced73efd8a93a20ee23d

Download Submit
C:\Users\Admin\AppData\Local\Temp\fdSjcfTSOA.bat

Filesize
240B

MD5
30efa063b045b003dff897705e1cb4ad

SHA1
27569ff2b9b7ff4c33b144756c92643343daa9bd

SHA256
532a6e88e38abc6879f29e3331dcdb1c1b943d3c6a245ad672f2a3843de397a9

SHA512
d337ff53441ef94c7e763366b3fe243d0935f44ec89a787c3e289d9adc1c2b46203bded88f3e16a21af6b73842ea9993348a547f6880aa32b6c0744d307b78af

Download Submit
C:\Users\Admin\AppData\Local\Temp\uVa8TbDE3p.bat

Filesize
240B

MD5
922a129c30d9be0c22c547561e43aad0

SHA1
65a9534aa3db001ee95736cdebca4b0e2d0e41d6

SHA256
c960d6df9acf18407225c0ff50d27b3004d3b419f3130aff026e784049f0f3a0

SHA512
5e1c7e6482368f43595eef8cbe8ec5d5af11904046f4d3ba9db1be618295d1c1bef57238ee13f405450e9f092720a7e559b6e79bcc9e4d9fd06f05dd884d43b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wRhF7PcXPa.bat

Filesize
240B

MD5
107451eb5b42cabc9d8734683836ce96

SHA1
f9c150c84121520779fc749fa911fe1af4e664a1

SHA256
e49caed264a3b8afd0cf229860f06c8f03a2cb674ad1c264d882329fdeb41b1a

SHA512
6476c63c98033c7a5212946fe1a5bceca1917cba61b506526207354256c17cdc3cb5b5d31873caa84cd5898bea8edd01b6d37e4ef95963ed4de99b9ea2f2e0f7

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
bf076d4af3eca3659df5c5fecb0dba4b

SHA1
a22b5a41346659baed1aff3d7e9178be5836b273

SHA256
785d886807a59c205b9a5e5b9017e37c365ddceb36f69ac2d1dd05cc6f1b6f10

SHA512
56f16a1e672a1c92caedbfd37a327393a719dbe564d124f07bf8e715f903a087622357b310b4259bba7bba9bc2074fc31715b8049833701b813e9a647798f179

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/1240-589-0x0000000000EE0000-0x0000000000FF0000-memory.dmp

Filesize
1.1MB

Download
memory/1384-112-0x00000000008E0000-0x00000000009F0000-memory.dmp

Filesize
1.1MB

Download
memory/1552-469-0x00000000002F0000-0x0000000000400000-memory.dmp

Filesize
1.1MB

Download
memory/1560-529-0x0000000000DD0000-0x0000000000EE0000-memory.dmp

Filesize
1.1MB

Download
memory/1584-409-0x0000000000200000-0x0000000000310000-memory.dmp

Filesize
1.1MB

Download
memory/2152-16-0x0000000000460000-0x000000000046C000-memory.dmp

Filesize
48KB

Download
memory/2152-14-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2152-13-0x0000000001220000-0x0000000001330000-memory.dmp

Filesize
1.1MB

Download
memory/2152-15-0x0000000000450000-0x000000000045C000-memory.dmp

Filesize
48KB

Download
memory/2152-17-0x0000000000470000-0x000000000047C000-memory.dmp

Filesize
48KB

Download
memory/2576-231-0x00000000013A0000-0x00000000014B0000-memory.dmp

Filesize
1.1MB

Download
memory/2640-57-0x000000001B190000-0x000000001B472000-memory.dmp

Filesize
2.9MB

Download
memory/2640-59-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/3024-171-0x0000000000E10000-0x0000000000F20000-memory.dmp

Filesize
1.1MB

Download