dcrat | 3adec94168c851367ace81c565d4a5bdb4b0e5862dc5f993a88f8d7d0e1580d9

Analysis

max time kernel
148s
max time network
150s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
22/12/2024, 20:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_3adec94168c851367ace81c565d4a5bdb4b0e5862dc5f993a88f8d7d0e1580d9.exe
Size

1.3MB
MD5

8642fcbbf68b3a14c75875a9d3a5fce8
SHA1

6d4b209a47ec53ed41ee03740998b79f6da7e5a1
SHA256

3adec94168c851367ace81c565d4a5bdb4b0e5862dc5f993a88f8d7d0e1580d9
SHA512

d0ded6c187286a7a35a4651f1ab433a171ee16f382dc834d6e6f00ea335f2bb341e02dc83874cdf58e5c9fffce5e977cfc34f801a8c14b2232f4bebe68c3a167
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2924	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2904	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2660	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2644	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2396	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1972	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	780	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	316	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2672	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	480	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	532	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2940	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1956	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2976	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2368	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2028	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2400	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2708	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1360	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2076	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1076	2736	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	796	2736	schtasks.exe	34

DCRat payload 13 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016210-9.dat	dcrat
behavioral1/memory/2988-13-0x00000000000E0000-0x00000000001F0000-memory.dmp	dcrat
behavioral1/memory/2552-46-0x0000000000E60000-0x0000000000F70000-memory.dmp	dcrat
behavioral1/memory/1980-163-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/2420-223-0x0000000000110000-0x0000000000220000-memory.dmp	dcrat
behavioral1/memory/2732-283-0x0000000000D90000-0x0000000000EA0000-memory.dmp	dcrat
behavioral1/memory/1756-344-0x0000000000E20000-0x0000000000F30000-memory.dmp	dcrat
behavioral1/memory/544-405-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2704-465-0x0000000001370000-0x0000000001480000-memory.dmp	dcrat
behavioral1/memory/2144-525-0x00000000003F0000-0x0000000000500000-memory.dmp	dcrat
behavioral1/memory/896-585-0x00000000001E0000-0x00000000002F0000-memory.dmp	dcrat
behavioral1/memory/2444-646-0x00000000003B0000-0x00000000004C0000-memory.dmp	dcrat
behavioral1/memory/1844-707-0x00000000008C0000-0x00000000009D0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1440	powershell.exe
1624	powershell.exe
616	powershell.exe
1372	powershell.exe
280	powershell.exe
3016	powershell.exe
1312	powershell.exe
1912	powershell.exe
1068	powershell.exe
2796	powershell.exe
1092	powershell.exe
1584	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2988	DllCommonsvc.exe
2552	cmd.exe
1980	cmd.exe
2420	cmd.exe
2732	cmd.exe
1756	cmd.exe
544	cmd.exe
2704	cmd.exe
2144	cmd.exe
896	cmd.exe
2444	cmd.exe
1844	cmd.exe

Loads dropped DLL 2 IoCs

pid	Process
2540	cmd.exe
2540	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 11 IoCs

Web Service

T1102

flow	ioc
12	raw.githubusercontent.com
35	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
27	raw.githubusercontent.com
31	raw.githubusercontent.com
38	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\b75386f1303e64	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\69ddcba757bf72	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SchCache\DllCommonsvc.exe	DllCommonsvc.exe
File created	C:\Windows\SchCache\a76d7bf15d8370	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_3adec94168c851367ace81c565d4a5bdb4b0e5862dc5f993a88f8d7d0e1580d9.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2076	schtasks.exe
2184	schtasks.exe
1676	schtasks.exe
2968	schtasks.exe
2708	schtasks.exe
2700	schtasks.exe
2660	schtasks.exe
1956	schtasks.exe
2368	schtasks.exe
2904	schtasks.exe
2252	schtasks.exe
780	schtasks.exe
532	schtasks.exe
2940	schtasks.exe
2976	schtasks.exe
2924	schtasks.exe
2612	schtasks.exe
2672	schtasks.exe
480	schtasks.exe
1076	schtasks.exe
796	schtasks.exe
1972	schtasks.exe
2816	schtasks.exe
316	schtasks.exe
2400	schtasks.exe
2040	schtasks.exe
1960	schtasks.exe
2028	schtasks.exe
1360	schtasks.exe
2644	schtasks.exe
2396	schtasks.exe
1788	schtasks.exe
2936	schtasks.exe

Suspicious behavior: EnumeratesProcesses 28 IoCs

pid	Process
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
2988	DllCommonsvc.exe
616	powershell.exe
1624	powershell.exe
2552	cmd.exe
1584	powershell.exe
1068	powershell.exe
1912	powershell.exe
1312	powershell.exe
2796	powershell.exe
1440	powershell.exe
1092	powershell.exe
280	powershell.exe
1372	powershell.exe
3016	powershell.exe
1980	cmd.exe
2420	cmd.exe
2732	cmd.exe
1756	cmd.exe
544	cmd.exe
2704	cmd.exe
2144	cmd.exe
896	cmd.exe
2444	cmd.exe
1844	cmd.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2988	DllCommonsvc.exe
Token: SeDebugPrivilege	2552	cmd.exe
Token: SeDebugPrivilege	616	powershell.exe
Token: SeDebugPrivilege	1624	powershell.exe
Token: SeDebugPrivilege	1584	powershell.exe
Token: SeDebugPrivilege	1068	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	1312	powershell.exe
Token: SeDebugPrivilege	2796	powershell.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	1092	powershell.exe
Token: SeDebugPrivilege	280	powershell.exe
Token: SeDebugPrivilege	1372	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	1980	cmd.exe
Token: SeDebugPrivilege	2420	cmd.exe
Token: SeDebugPrivilege	2732	cmd.exe
Token: SeDebugPrivilege	1756	cmd.exe
Token: SeDebugPrivilege	544	cmd.exe
Token: SeDebugPrivilege	2704	cmd.exe
Token: SeDebugPrivilege	2144	cmd.exe
Token: SeDebugPrivilege	896	cmd.exe
Token: SeDebugPrivilege	2444	cmd.exe
Token: SeDebugPrivilege	1844	cmd.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1908 wrote to memory of 3044	1908	JaffaCakes118_3adec94168c851367ace81c565d4a5bdb4b0e5862dc5f993a88f8d7d0e1580d9.exe	30
PID 1908 wrote to memory of 3044	1908	JaffaCakes118_3adec94168c851367ace81c565d4a5bdb4b0e5862dc5f993a88f8d7d0e1580d9.exe	30
PID 1908 wrote to memory of 3044	1908	JaffaCakes118_3adec94168c851367ace81c565d4a5bdb4b0e5862dc5f993a88f8d7d0e1580d9.exe	30
PID 1908 wrote to memory of 3044	1908	JaffaCakes118_3adec94168c851367ace81c565d4a5bdb4b0e5862dc5f993a88f8d7d0e1580d9.exe	30
PID 3044 wrote to memory of 2540	3044	WScript.exe	31
PID 3044 wrote to memory of 2540	3044	WScript.exe	31
PID 3044 wrote to memory of 2540	3044	WScript.exe	31
PID 3044 wrote to memory of 2540	3044	WScript.exe	31
PID 2540 wrote to memory of 2988	2540	cmd.exe	33
PID 2540 wrote to memory of 2988	2540	cmd.exe	33
PID 2540 wrote to memory of 2988	2540	cmd.exe	33
PID 2540 wrote to memory of 2988	2540	cmd.exe	33
PID 2988 wrote to memory of 1440	2988	DllCommonsvc.exe	68
PID 2988 wrote to memory of 1440	2988	DllCommonsvc.exe	68
PID 2988 wrote to memory of 1440	2988	DllCommonsvc.exe	68
PID 2988 wrote to memory of 1312	2988	DllCommonsvc.exe	69
PID 2988 wrote to memory of 1312	2988	DllCommonsvc.exe	69
PID 2988 wrote to memory of 1312	2988	DllCommonsvc.exe	69
PID 2988 wrote to memory of 1624	2988	DllCommonsvc.exe	70
PID 2988 wrote to memory of 1624	2988	DllCommonsvc.exe	70
PID 2988 wrote to memory of 1624	2988	DllCommonsvc.exe	70
PID 2988 wrote to memory of 1912	2988	DllCommonsvc.exe	71
PID 2988 wrote to memory of 1912	2988	DllCommonsvc.exe	71
PID 2988 wrote to memory of 1912	2988	DllCommonsvc.exe	71
PID 2988 wrote to memory of 1068	2988	DllCommonsvc.exe	72
PID 2988 wrote to memory of 1068	2988	DllCommonsvc.exe	72
PID 2988 wrote to memory of 1068	2988	DllCommonsvc.exe	72
PID 2988 wrote to memory of 2796	2988	DllCommonsvc.exe	73
PID 2988 wrote to memory of 2796	2988	DllCommonsvc.exe	73
PID 2988 wrote to memory of 2796	2988	DllCommonsvc.exe	73
PID 2988 wrote to memory of 1092	2988	DllCommonsvc.exe	74
PID 2988 wrote to memory of 1092	2988	DllCommonsvc.exe	74
PID 2988 wrote to memory of 1092	2988	DllCommonsvc.exe	74
PID 2988 wrote to memory of 616	2988	DllCommonsvc.exe	75
PID 2988 wrote to memory of 616	2988	DllCommonsvc.exe	75
PID 2988 wrote to memory of 616	2988	DllCommonsvc.exe	75
PID 2988 wrote to memory of 1372	2988	DllCommonsvc.exe	76
PID 2988 wrote to memory of 1372	2988	DllCommonsvc.exe	76
PID 2988 wrote to memory of 1372	2988	DllCommonsvc.exe	76
PID 2988 wrote to memory of 280	2988	DllCommonsvc.exe	77
PID 2988 wrote to memory of 280	2988	DllCommonsvc.exe	77
PID 2988 wrote to memory of 280	2988	DllCommonsvc.exe	77
PID 2988 wrote to memory of 3016	2988	DllCommonsvc.exe	78
PID 2988 wrote to memory of 3016	2988	DllCommonsvc.exe	78
PID 2988 wrote to memory of 3016	2988	DllCommonsvc.exe	78
PID 2988 wrote to memory of 1584	2988	DllCommonsvc.exe	79
PID 2988 wrote to memory of 1584	2988	DllCommonsvc.exe	79
PID 2988 wrote to memory of 1584	2988	DllCommonsvc.exe	79
PID 2988 wrote to memory of 2552	2988	DllCommonsvc.exe	91
PID 2988 wrote to memory of 2552	2988	DllCommonsvc.exe	91
PID 2988 wrote to memory of 2552	2988	DllCommonsvc.exe	91
PID 2552 wrote to memory of 1080	2552	cmd.exe	94
PID 2552 wrote to memory of 1080	2552	cmd.exe	94
PID 2552 wrote to memory of 1080	2552	cmd.exe	94
PID 1080 wrote to memory of 1596	1080	cmd.exe	96
PID 1080 wrote to memory of 1596	1080	cmd.exe	96
PID 1080 wrote to memory of 1596	1080	cmd.exe	96
PID 1080 wrote to memory of 1980	1080	cmd.exe	97
PID 1080 wrote to memory of 1980	1080	cmd.exe	97
PID 1080 wrote to memory of 1980	1080	cmd.exe	97
PID 1980 wrote to memory of 1588	1980	cmd.exe	98
PID 1980 wrote to memory of 1588	1980	cmd.exe	98
PID 1980 wrote to memory of 1588	1980	cmd.exe	98
PID 1588 wrote to memory of 1048	1588	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3adec94168c851367ace81c565d4a5bdb4b0e5862dc5f993a88f8d7d0e1580d9.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_3adec94168c851367ace81c565d4a5bdb4b0e5862dc5f993a88f8d7d0e1580d9.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3044
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2540
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2988
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\cmd.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1312
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default\Templates\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1068
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2796
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1092
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:616
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SchCache\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1372
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:280
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1584
    - - C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2552
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:1596
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1980
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1048
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat"
        10⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:2956
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2732
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat"
        12⤵
        
        PID:1516
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:2352
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat"
        14⤵
        
        PID:2156
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:1956
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:544
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat"
        16⤵
        
        PID:2436
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2168
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat"
        18⤵
        
        PID:2700
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1640
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2144
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat"
        20⤵
        
        PID:1164
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:1908
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:896
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat"
        22⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2060
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2444
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat"
        24⤵
        
        PID:1432
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2292
        
        C:\providercommon\cmd.exe
        
        "C:\providercommon\cmd.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 7 /tr "'C:\providercommon\cmd.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2924

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmd" /sc ONLOGON /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "cmdc" /sc MINUTE /mo 10 /tr "'C:\providercommon\cmd.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2700

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 12 /tr "'C:\Users\Default\Templates\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2660

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Users\Default\Templates\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 6 /tr "'C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2816

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:316

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Adobe\Reader 9.0\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2672

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:480

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:532

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsass" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2968

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsassl" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\lsass.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1956

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 12 /tr "'C:\Windows\SchCache\DllCommonsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvc" /sc ONLOGON /tr "'C:\Windows\SchCache\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "DllCommonsvcD" /sc MINUTE /mo 5 /tr "'C:\Windows\SchCache\DllCommonsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2368

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2028

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2400

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 12 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2708

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\AppData\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Users\Admin\AppData\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1360

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Users\Admin\AppData\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 5 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2936

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1076

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 10 /tr "'C:\Recovery\1f5748e2-69f6-11ef-b486-62cb582c238c\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:796

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
fee9439eb0dd71bbd18c3acf32e01920

SHA1
a995d870bbfeaf0c3a97f5239a75c8b5d839b369

SHA256
79eb2804121b90897c175ba67023998de2b28d402cc2600d5cfd8bc690f28996

SHA512
637dcb73c106b4cec48fb13869fec1e97746987837af7a3ca37613eb1ad9287f6429254b44107dde331e4c382d6b94a47a64eb233fcc100bf5b10b3e8f7ece57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32d6b4ac0acb826baae22a119e908c30

SHA1
9a99c0e14783a8206911452c254db7668331b13b

SHA256
fc63d7ec5d86352ae383b949fbd292a324dba9043adcca8a292f5909354de67c

SHA512
33237e8b5713e1ab0c2cad41dcd67f3e70be29a5e3a559841de8d85bc15473a676716532abde7c64f5c8d1dc1b518aed9f11afcbe1150957f056e05ca5405d73

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d077c804fff6e2891e0ea7669bda34c9

SHA1
39cb27b80e1fd744f511eab5fabb737415165a34

SHA256
67c4bd26f58d2a2dbbf847e8c5a88bf176617b637b88f966dd770f56c3b38cbe

SHA512
8b0d62b5d8eecc46df93d031bec2d48ac5875fd536d35a491ad651981468bacdf2a8bdffb1751c5355658f23ed0ec32fbbba28a42321ee5e5b526826541631e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b912ba0a1e287102d5b4200c46c6a507

SHA1
23a1a7ab9deff6aa46edd54dee468ef072864ba2

SHA256
a7fab29a72b404c9912a3d0d8a987bf31e87702526fdcd86e54e103b29d63ecf

SHA512
6080337dc430762af4eb4d6b64e3b319a117b992a83c821e34895b5b40bb947ba1959dbc191588b5a238bc51bb61aeb3ae67bf59c16fff16497f9c23771e992a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ab3cbdb11db335766eb8ab47242ddb80

SHA1
c438c1580b4514132dbac3bebaba3f673454fe0e

SHA256
55897c78aed580c1c968251fddd0f9cf5de612d5188d04d4b2bb1e775b715041

SHA512
39a57bd28e0e1911957a2a22bd093a718f97b9b7743b8e276018eb54aad27a4d0392632a6150f5e78f9cb12194b1c1f8f3ecebf54348174c7b744271197b4cc7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e5f297b498a98577cac6145156538cac

SHA1
720709d4a35ca6c7fe4812a838d670b1f0cbc9b1

SHA256
8c3dc66e963351110405de70c2ee31054813bf0b23b088c80d8f15defcb7f2af

SHA512
69f54b3e2091aae16e49006326d59979220bd89f48c59f3cf337028892f2c9538ea030eb551580742ad7314190e2425c0c6669ee4cfaba691c88b01e45da18a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0ed7ecb698b59c91f600164ca1bd48f8

SHA1
3cf99700170b68d6dd361a50480c94c6884f2036

SHA256
84411328795f6de574254fffd7069c37d8dc40e1d1acf6190326cfde8978b8ac

SHA512
9c2e00fe5c8ab0cabed078f24151b74d5bd577b7a18b4d36b7dc266d9146f26ed61bc4a92f4cfbb6d2b46d05e4d38fafb8bf6b261cfeffbf546b2a85a1ea8e5d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8b06e238e8eccca0cc88b2c99402af04

SHA1
917522979be01732e471e0a6fb91dcb24ef0e74b

SHA256
4f195a352010c1d592d70f4da31d7b76e7b5b9777a758a4a11690b6b53eb4f8c

SHA512
6cf5e664ccf3e1ad29efad6367f37c78602fd2299eef5998c5a5574242a13a52eb8434ca3f9ac94c1d4dfce3943fcd8bedc218ed28134a9de2665d3916e872e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1f305e3cec9590a7be6f83da952265af

SHA1
511128803ea752fe846da04070927c033935dd66

SHA256
003be2df73c88f97791b4dbfc381322147e5d7f51fa43a7d63c155144ecc0eca

SHA512
c2b03833c8239e141fe3adb506bcf0e56730b7fa844f7850256f1bc4ce7874d1c1f2a33d2c801e15d985ed9411b5c144cb59fc564499d66d3d5e3946df96d190

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF8B3.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\D9EGxcg3vT.bat

Filesize
190B

MD5
6fffae58691291957a925f4a8c4df87f

SHA1
9ccb04f3487443f4f218a1bd1f7441c97f94f9fd

SHA256
70fe337019cda510c98213dcfa8a4dc3660106ddb19902910055b1042c0c6e81

SHA512
7344105e49b40e13ef513108373f1425829a2e8098f7ae38429b8dcdb7438ed7f5a80024e93ed522d682c0584b811ec0713f07adc55ef3e963fe9f9e620bb9ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\M1TWCJOn7d.bat

Filesize
190B

MD5
a2c7ca5e0a52526cdace61f5349d4132

SHA1
d1c36c6b99fe2412db17e2cdfb4b5f4e1890dd35

SHA256
8558e1825f9e5ce29b5efbcf35eddfbb0b89326d1e4991f877c24913be7facac

SHA512
475fbd16053d229a174510a247fbe336966db5e2941ce71510009a77c7daa712244fd5a14a167d3af500101d4a93be039609d8471f4ffb36dac67dbe34f58261

Download Submit
C:\Users\Admin\AppData\Local\Temp\OI2OM6vZgr.bat

Filesize
190B

MD5
82575b0ea58ab89b7455cc3d0ce5f45f

SHA1
50e78fd1e4084b93e4b1268dd5704a121009b64d

SHA256
4ea6cf3c30926cf8eb9d59597b3b6cca851601dfbf84b582b9a75f147816100f

SHA512
438d33504e303b2c8b20d63eb5c89ca837494c0d8b5d92617181268c457224191fb35323f2cf76e264cd86ae2d1e2a47e18860b8a37e907ac4b2270f4a3fd47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF8D5.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\VhvmsyECnd.bat

Filesize
190B

MD5
8baa62d39b679194cc3eed241d36afbb

SHA1
d12bca7dd4b7189a563b5e1cdbf08743f92767a0

SHA256
a78ff68ee4a0c55d98f4189eb6aafdb3404e131266f7a9e9d1ae33e4de7cb47e

SHA512
68be7119de3d63edbefd77bc50f5ba26158d8d980b46325cd609ac3fc05c69606eb4aff730047fae61e827fef344d3025fa04481eabfd64fea2d19e0e9688c6c

Download Submit
C:\Users\Admin\AppData\Local\Temp\eNTIt1NKYH.bat

Filesize
190B

MD5
d340ae2a5221ca8624e7207a9396cca7

SHA1
6dd0fae388021c73571979009671f1729e7a7eee

SHA256
1ae1b570bd369a41961833e56f622bfac72b912b967893a75759d55570fde1e1

SHA512
0606384b785be6bf1380e10ae91fb49edf14c2bf5d4862b48f6b1e9e9fd63337f9d5c2660747763117ed91d1e02bfda5041d5caf0998ea8aeaba84d8317af42e

Download Submit
C:\Users\Admin\AppData\Local\Temp\fmZn61weJC.bat

Filesize
190B

MD5
933eb84a9ec64530851fc85cb6a64109

SHA1
05ab25be727b6610f610a89b2a5dab87ce73df23

SHA256
dded8be6d9a3b2c68e879c15fa85cf4b4ef65e7c2c8f5253f4fc6c4d18985802

SHA512
b7242a27a9050bdc7395ba37d7eab59ef38cf2c81616ec7440bd1ba9b996c631dfd55fd40c816ea0b621e867fad62a43b66d29df15e3306ffb52ef66809e8165

Download Submit
C:\Users\Admin\AppData\Local\Temp\jaxwQXfGLd.bat

Filesize
190B

MD5
4b0414e0f95d8057154ff5512e77a00e

SHA1
a4cfa2ed8beaa2cebca33fae96b96f53e12ae296

SHA256
75b874ee3370c6238157e1451e5794f3030125cc1287d8cc9199525e85b046da

SHA512
975ee3217c74b44e1d6bf18161b68cb200134dbf699686cd6ba2d55568e77280a1f6abda816538d53aa6801e5b419088d496f59b1283c03f2276ee316c254fff

Download Submit
C:\Users\Admin\AppData\Local\Temp\lEFN0vw97k.bat

Filesize
190B

MD5
41766065c9306fea35bb51b5a82fdad8

SHA1
c59c620c4c22a5ff0332e547e2a62a4ec167692a

SHA256
67a182585580c0ecb2a9bf84494da16ce0d5cbc5866f8015b3b2ae2d4c131f99

SHA512
b11b6d0f2d47cfe4ee53e24dd30490f46ebe516a78382471f0de65ad3962788179a4434d3d82323ac803f1b108abfc5e40f2ca706befe071326b4d3dcbd42dfc

Download Submit
C:\Users\Admin\AppData\Local\Temp\mWzz7cjAeP.bat

Filesize
190B

MD5
ad1662ba5f03d622e7ef7e676e0320e9

SHA1
a390b41b5dcfee8907d975c82701822d53cc1248

SHA256
eb0acbbc9ec2a69230051f936e6b8f2cb90dc9d79d089cccafc10bc51c716d68

SHA512
5b55faa6f0ff3ae01a375158f50ab2e06efc77d8525afd142dc9c3ec62d722a4b3c79242e16d8affea14ee31e9588650102f5b80ff4639927a6c00e79f1c2117

Download Submit
C:\Users\Admin\AppData\Local\Temp\wHaMzi6eYE.bat

Filesize
190B

MD5
9a2248f31c384adbebf57bf9bbc49f75

SHA1
420d30124b7c40c6483fae75395125e5cd8438ba

SHA256
c2e0e6fb5a1119fa3babe1e1d027c809cdf30a83925e384146c43aa496fb2e62

SHA512
168aad03d66592d8da40aad884bba790902edcc857419c1149e76a4c71fa5950ec649efe5e62f5ec04cf016fb252d648c7b832dd73a199f9bc2527fa29d4aad2

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\F2A0O11RK2ON3OEJF74P.temp

Filesize
7KB

MD5
065a10e5471ed09a4c1d7419d95dd0b9

SHA1
a01ed6b3261a6fe8149189637083683ca4a40239

SHA256
c748e850cf42fdd4534fe2d232a5076d2e1bb830e00e108552c6b883174251b9

SHA512
7e6aa0d8efb4c11a8ca130d6a80420ad53f28599f100e969e542d2f566da07f9f0b7f76d6f9ff99c66bd03132eea2918340033cfcb905576583bde8b4eac0699

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
memory/544-405-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/616-67-0x00000000027A0000-0x00000000027A8000-memory.dmp

Filesize
32KB

Download
memory/616-66-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/896-586-0x0000000000660000-0x0000000000672000-memory.dmp

Filesize
72KB

Download
memory/896-585-0x00000000001E0000-0x00000000002F0000-memory.dmp

Filesize
1.1MB

Download
memory/1756-344-0x0000000000E20000-0x0000000000F30000-memory.dmp

Filesize
1.1MB

Download
memory/1756-345-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/1844-707-0x00000000008C0000-0x00000000009D0000-memory.dmp

Filesize
1.1MB

Download
memory/1980-163-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2144-525-0x00000000003F0000-0x0000000000500000-memory.dmp

Filesize
1.1MB

Download
memory/2420-223-0x0000000000110000-0x0000000000220000-memory.dmp

Filesize
1.1MB

Download
memory/2444-647-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/2444-646-0x00000000003B0000-0x00000000004C0000-memory.dmp

Filesize
1.1MB

Download
memory/2552-46-0x0000000000E60000-0x0000000000F70000-memory.dmp

Filesize
1.1MB

Download
memory/2704-465-0x0000000001370000-0x0000000001480000-memory.dmp

Filesize
1.1MB

Download
memory/2732-283-0x0000000000D90000-0x0000000000EA0000-memory.dmp

Filesize
1.1MB

Download
memory/2732-284-0x0000000000440000-0x0000000000452000-memory.dmp

Filesize
72KB

Download
memory/2988-16-0x0000000000570000-0x000000000057C000-memory.dmp

Filesize
48KB

Download
memory/2988-15-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2988-17-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2988-14-0x00000000004D0000-0x00000000004E2000-memory.dmp

Filesize
72KB

Download
memory/2988-13-0x00000000000E0000-0x00000000001F0000-memory.dmp

Filesize
1.1MB

Download