dcrat | 4aa78637af43bc4f623c73384794ead643f0f38e35faea97c3a94a16dfd0f8c0

Analysis

max time kernel
145s
max time network
140s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
22-12-2024 20:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_4aa78637af43bc4f623c73384794ead643f0f38e35faea97c3a94a16dfd0f8c0.exe
Size

1.3MB
MD5

a0532904fbed42470ace7fed9959994f
SHA1

7d8a51e77959ec322e62c5f798cbedb5794cf927
SHA256

4aa78637af43bc4f623c73384794ead643f0f38e35faea97c3a94a16dfd0f8c0
SHA512

065a44318e12552375ace49a47779982351835308fc9a62c6cd03fead7c046df3c5ae40675b0d3e8d5066ddd975adb68688888338988cab927d484b54f4d8994
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1652	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	572	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1336	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1492	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	764	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2172	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2184	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1644	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1976	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1128	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1964	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	540	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2908	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1980	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2756	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2224	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1092	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2164	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1692	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1212	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2284	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2232	2744	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1872	2744	schtasks.exe	34

DCRat payload 9 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x000800000001653a-12.dat	dcrat
behavioral1/memory/2600-13-0x0000000001340000-0x0000000001450000-memory.dmp	dcrat
behavioral1/memory/2256-57-0x0000000000E30000-0x0000000000F40000-memory.dmp	dcrat
behavioral1/memory/2660-276-0x0000000000160000-0x0000000000270000-memory.dmp	dcrat
behavioral1/memory/1148-337-0x0000000000850000-0x0000000000960000-memory.dmp	dcrat
behavioral1/memory/1164-397-0x00000000001D0000-0x00000000002E0000-memory.dmp	dcrat
behavioral1/memory/1324-457-0x00000000011D0000-0x00000000012E0000-memory.dmp	dcrat
behavioral1/memory/2752-576-0x0000000001280000-0x0000000001390000-memory.dmp	dcrat
behavioral1/memory/1140-755-0x0000000000180000-0x0000000000290000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1308	powershell.exe
872	powershell.exe
1956	powershell.exe
976	powershell.exe
1728	powershell.exe
1876	powershell.exe
944	powershell.exe
300	powershell.exe
780	powershell.exe
1444	powershell.exe
1736	powershell.exe
1668	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2600	DllCommonsvc.exe
2256	dllhost.exe
2520	dllhost.exe
2248	dllhost.exe
2660	dllhost.exe
1148	dllhost.exe
1164	dllhost.exe
1324	dllhost.exe
2660	dllhost.exe
2752	dllhost.exe
1964	dllhost.exe
2072	dllhost.exe
1140	dllhost.exe

Loads dropped DLL 2 IoCs

pid	Process
2780	cmd.exe
2780	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
5	raw.githubusercontent.com
37	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
30	raw.githubusercontent.com
33	raw.githubusercontent.com
9	raw.githubusercontent.com
12	raw.githubusercontent.com
16	raw.githubusercontent.com
19	raw.githubusercontent.com
40	raw.githubusercontent.com

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\WmiPrvSE.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\24dbde2999530e	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\diagnostics\scheduled\Maintenance\dwm.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\conhost.exe	DllCommonsvc.exe
File opened for modification	C:\Windows\ServiceProfiles\conhost.exe	DllCommonsvc.exe
File created	C:\Windows\ServiceProfiles\088424020bedd6	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_4aa78637af43bc4f623c73384794ead643f0f38e35faea97c3a94a16dfd0f8c0.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1644	schtasks.exe
540	schtasks.exe
2756	schtasks.exe
1092	schtasks.exe
1692	schtasks.exe
3020	schtasks.exe
1336	schtasks.exe
1492	schtasks.exe
2116	schtasks.exe
1976	schtasks.exe
2556	schtasks.exe
1484	schtasks.exe
2768	schtasks.exe
1940	schtasks.exe
2164	schtasks.exe
1604	schtasks.exe
2172	schtasks.exe
2184	schtasks.exe
2908	schtasks.exe
2224	schtasks.exe
820	schtasks.exe
1652	schtasks.exe
572	schtasks.exe
1760	schtasks.exe
1964	schtasks.exe
2284	schtasks.exe
2232	schtasks.exe
764	schtasks.exe
1128	schtasks.exe
1988	schtasks.exe
1872	schtasks.exe
1980	schtasks.exe
1212	schtasks.exe

Suspicious behavior: EnumeratesProcesses 25 IoCs

pid	Process
2600	DllCommonsvc.exe
1876	powershell.exe
1444	powershell.exe
1668	powershell.exe
872	powershell.exe
976	powershell.exe
1736	powershell.exe
300	powershell.exe
1956	powershell.exe
1728	powershell.exe
944	powershell.exe
1308	powershell.exe
780	powershell.exe
2256	dllhost.exe
2520	dllhost.exe
2248	dllhost.exe
2660	dllhost.exe
1148	dllhost.exe
1164	dllhost.exe
1324	dllhost.exe
2660	dllhost.exe
2752	dllhost.exe
1964	dllhost.exe
2072	dllhost.exe
1140	dllhost.exe

Suspicious use of AdjustPrivilegeToken 25 IoCs

description	pid	Process
Token: SeDebugPrivilege	2600	DllCommonsvc.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1444	powershell.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	872	powershell.exe
Token: SeDebugPrivilege	2256	dllhost.exe
Token: SeDebugPrivilege	976	powershell.exe
Token: SeDebugPrivilege	1736	powershell.exe
Token: SeDebugPrivilege	300	powershell.exe
Token: SeDebugPrivilege	1956	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	944	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	780	powershell.exe
Token: SeDebugPrivilege	2520	dllhost.exe
Token: SeDebugPrivilege	2248	dllhost.exe
Token: SeDebugPrivilege	2660	dllhost.exe
Token: SeDebugPrivilege	1148	dllhost.exe
Token: SeDebugPrivilege	1164	dllhost.exe
Token: SeDebugPrivilege	1324	dllhost.exe
Token: SeDebugPrivilege	2660	dllhost.exe
Token: SeDebugPrivilege	2752	dllhost.exe
Token: SeDebugPrivilege	1964	dllhost.exe
Token: SeDebugPrivilege	2072	dllhost.exe
Token: SeDebugPrivilege	1140	dllhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2312 wrote to memory of 2836	2312	JaffaCakes118_4aa78637af43bc4f623c73384794ead643f0f38e35faea97c3a94a16dfd0f8c0.exe	30
PID 2312 wrote to memory of 2836	2312	JaffaCakes118_4aa78637af43bc4f623c73384794ead643f0f38e35faea97c3a94a16dfd0f8c0.exe	30
PID 2312 wrote to memory of 2836	2312	JaffaCakes118_4aa78637af43bc4f623c73384794ead643f0f38e35faea97c3a94a16dfd0f8c0.exe	30
PID 2312 wrote to memory of 2836	2312	JaffaCakes118_4aa78637af43bc4f623c73384794ead643f0f38e35faea97c3a94a16dfd0f8c0.exe	30
PID 2836 wrote to memory of 2780	2836	WScript.exe	31
PID 2836 wrote to memory of 2780	2836	WScript.exe	31
PID 2836 wrote to memory of 2780	2836	WScript.exe	31
PID 2836 wrote to memory of 2780	2836	WScript.exe	31
PID 2780 wrote to memory of 2600	2780	cmd.exe	33
PID 2780 wrote to memory of 2600	2780	cmd.exe	33
PID 2780 wrote to memory of 2600	2780	cmd.exe	33
PID 2780 wrote to memory of 2600	2780	cmd.exe	33
PID 2600 wrote to memory of 872	2600	DllCommonsvc.exe	68
PID 2600 wrote to memory of 872	2600	DllCommonsvc.exe	68
PID 2600 wrote to memory of 872	2600	DllCommonsvc.exe	68
PID 2600 wrote to memory of 1956	2600	DllCommonsvc.exe	69
PID 2600 wrote to memory of 1956	2600	DllCommonsvc.exe	69
PID 2600 wrote to memory of 1956	2600	DllCommonsvc.exe	69
PID 2600 wrote to memory of 300	2600	DllCommonsvc.exe	70
PID 2600 wrote to memory of 300	2600	DllCommonsvc.exe	70
PID 2600 wrote to memory of 300	2600	DllCommonsvc.exe	70
PID 2600 wrote to memory of 976	2600	DllCommonsvc.exe	71
PID 2600 wrote to memory of 976	2600	DllCommonsvc.exe	71
PID 2600 wrote to memory of 976	2600	DllCommonsvc.exe	71
PID 2600 wrote to memory of 780	2600	DllCommonsvc.exe	72
PID 2600 wrote to memory of 780	2600	DllCommonsvc.exe	72
PID 2600 wrote to memory of 780	2600	DllCommonsvc.exe	72
PID 2600 wrote to memory of 1444	2600	DllCommonsvc.exe	73
PID 2600 wrote to memory of 1444	2600	DllCommonsvc.exe	73
PID 2600 wrote to memory of 1444	2600	DllCommonsvc.exe	73
PID 2600 wrote to memory of 944	2600	DllCommonsvc.exe	74
PID 2600 wrote to memory of 944	2600	DllCommonsvc.exe	74
PID 2600 wrote to memory of 944	2600	DllCommonsvc.exe	74
PID 2600 wrote to memory of 1308	2600	DllCommonsvc.exe	75
PID 2600 wrote to memory of 1308	2600	DllCommonsvc.exe	75
PID 2600 wrote to memory of 1308	2600	DllCommonsvc.exe	75
PID 2600 wrote to memory of 1876	2600	DllCommonsvc.exe	78
PID 2600 wrote to memory of 1876	2600	DllCommonsvc.exe	78
PID 2600 wrote to memory of 1876	2600	DllCommonsvc.exe	78
PID 2600 wrote to memory of 1668	2600	DllCommonsvc.exe	79
PID 2600 wrote to memory of 1668	2600	DllCommonsvc.exe	79
PID 2600 wrote to memory of 1668	2600	DllCommonsvc.exe	79
PID 2600 wrote to memory of 1736	2600	DllCommonsvc.exe	81
PID 2600 wrote to memory of 1736	2600	DllCommonsvc.exe	81
PID 2600 wrote to memory of 1736	2600	DllCommonsvc.exe	81
PID 2600 wrote to memory of 1728	2600	DllCommonsvc.exe	82
PID 2600 wrote to memory of 1728	2600	DllCommonsvc.exe	82
PID 2600 wrote to memory of 1728	2600	DllCommonsvc.exe	82
PID 2600 wrote to memory of 2256	2600	DllCommonsvc.exe	92
PID 2600 wrote to memory of 2256	2600	DllCommonsvc.exe	92
PID 2600 wrote to memory of 2256	2600	DllCommonsvc.exe	92
PID 2256 wrote to memory of 1928	2256	dllhost.exe	93
PID 2256 wrote to memory of 1928	2256	dllhost.exe	93
PID 2256 wrote to memory of 1928	2256	dllhost.exe	93
PID 1928 wrote to memory of 2044	1928	cmd.exe	95
PID 1928 wrote to memory of 2044	1928	cmd.exe	95
PID 1928 wrote to memory of 2044	1928	cmd.exe	95
PID 1928 wrote to memory of 2520	1928	cmd.exe	96
PID 1928 wrote to memory of 2520	1928	cmd.exe	96
PID 1928 wrote to memory of 2520	1928	cmd.exe	96
PID 2520 wrote to memory of 2840	2520	dllhost.exe	97
PID 2520 wrote to memory of 2840	2520	dllhost.exe	97
PID 2520 wrote to memory of 2840	2520	dllhost.exe	97
PID 2840 wrote to memory of 2420	2840	cmd.exe	99

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4aa78637af43bc4f623c73384794ead643f0f38e35faea97c3a94a16dfd0f8c0.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_4aa78637af43bc4f623c73384794ead643f0f38e35faea97c3a94a16dfd0f8c0.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2312
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2780
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2600
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\ServiceProfiles\conhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1956
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:300
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:976
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Admin\Start Menu\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:780
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1444
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:944
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\WmiPrvSE.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1736
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2256
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2044
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2520
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2840
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:2420
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2248
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat"
        10⤵
        
        PID:804
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:1324
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat"
        12⤵
        
        PID:304
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:264
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat"
        14⤵
        
        PID:2020
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2948
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat"
        16⤵
        
        PID:2312
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:2820
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1324
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat"
        18⤵
        
        PID:2652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:2760
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat"
        20⤵
        
        PID:1060
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2044
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2752
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat"
        22⤵
        
        PID:3056
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2572
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1964
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat"
        24⤵
        
        PID:2796
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:1488
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat"
        26⤵
        
        PID:2864
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1352
        
        C:\Users\Admin\Start Menu\dllhost.exe
        
        "C:\Users\Admin\Start Menu\dllhost.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1140

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 14 /tr "'C:\Windows\ServiceProfiles\conhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3020

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhost" /sc ONLOGON /tr "'C:\Windows\ServiceProfiles\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1652

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "conhostc" /sc MINUTE /mo 13 /tr "'C:\Windows\ServiceProfiles\conhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:572

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1492

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:764

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2172

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 9 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2184

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 13 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2768

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1644

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\Start Menu\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1976

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1128

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1964

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 13 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2908

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 10 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1604

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1940

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\Idle.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 14 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2756

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogon" /sc ONLOGON /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "winlogonw" /sc MINUTE /mo 12 /tr "'C:\Recovery\8cdd6da2-3d81-11ef-9400-f2a3cf4ad94f\winlogon.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2224

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\WmiPrvSE.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1092

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2164

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Program Files (x86)\Google\Update\Install\{EBB1980D-D3FB-4EE3-8028-3788F037127D}\WmiPrvSE.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1692

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 8 /tr "'C:\providercommon\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 9 /tr "'C:\providercommon\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 8 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2284

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2232

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-001B-0409-0000-0000000FF1CE}-C\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bea54e64cf9856a2aad8e3e315f681bc

SHA1
79ae49f0b9442880922116b981dd7c05a9730930

SHA256
a2b1e62f42106a6639cdb79cac6f6d66e09334b71c6bdac5c27570319488a15e

SHA512
84f639953ebefa93e044d9146780cba64758fe326e76a6e39680e5311f152be0c620b9418e40640ef2300189c619fbaedd3f5aa274894906071621571f136a61

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f884a8faaa7e704473237ff1aca1428c

SHA1
7797f234f827fb03ab53602a6baeebecdd069cc6

SHA256
23e6d167cd1a0cda5cdf7b93a68698245a0c62f6e3faab9858f8c172c64ebe11

SHA512
558b45cdc541d55a9eac195f68809db280c707b805ad4f6d1e8766e811fd8657bb8162f5cf6c7580726bbb30b066ce4ed76236c6e89889c8cfbfbc3886dcce39

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d28c67e27ecf105044201ca2241cf582

SHA1
4b2aa65dd2d9bfd019ce21e1d22319f02d13a941

SHA256
45671c303359c95065dfa8d551079745af7a69067e0b0610f4dfca6dbf3bdac5

SHA512
d266e0f37b621a09c5a91c97586579c11e103c2b9eaa3f396a2a7d6fb48c83f5ab3650ec761de6f05d0bfa3adebc42c998956a294115a9ef6b4bec5b5147306e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
bd1c93b833ac6b1352ca7d14eb88a012

SHA1
5842d6e32776b96dc5899806e23558ed1f285448

SHA256
eaf47c14c1a9362851cc1785528989148bb4b85a25bfa3de91a30bf35a51cd2c

SHA512
33fd6914bfa98dab8e2faefbd80642c8cbcbec8f46648771e4805d0fac8da1402fd623f4568f0c8f1533734cd0c42e968a539744426fd5e8f6c46e0be6917482

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
627912e1ea818c8e087cc14beeb8bc62

SHA1
971385a2053f6a185d18ad164554624da0717b8e

SHA256
edfe6d1a94a922f6c823f60d7d8e61a63edd7cf83086b8fccc9822fbd959ed6b

SHA512
55b5633039d2c007a5be92f1cdb96fe92020dcefb7bc1a0b1b8adcabdebeb9ec39a0a79303f6033e524b16085af16749437f1741f72c54c7f9ff08d6be17f36c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2b5fdcdb7a3ed27d4782dc5343d41562

SHA1
fd3da1b5024b4ca5b5510e205a4a3f022f05026a

SHA256
b0353af7f1552439e3dbe7b41ff963d8da70dde6663a244138412c6c8dc0a9dd

SHA512
1e13dbb53ceaf1483b661b0360540313502898dcdc02b20494400889eaded3306d3e520b22953e215f2ea013ffa7cc8267a3b9bd44d739b74dbdc2955ca9b59e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d3d22fcef199c7bf311ecdf80955ce17

SHA1
0b1fa64405b7d1ba44fce6f74aef06c02a3a43cf

SHA256
7659eaea95307b534ffef709d399bf2c70f38238010c028682188b590ef05edc

SHA512
8c3c376646a932e21434f00f11233db34a8b4fed4a21a6f77bfb631b2f7d6071dfe61bd0b1ceb05fc8934922502f01d1ac397b71c19b91e06903359031edab0a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0f87c16b9d4ba6e94b8e02f8ab881bf8

SHA1
281e51a34eef02806cd7419ff80294e0d6258c1f

SHA256
93e3264f79df47cc23452f3610c3ac6d1743f29b5f208c95bdc4d1135e4ae9a5

SHA512
1d93df8a64b5c1ef22f2e21dfe318ca793a8903eb9d1a5912bd0b3d46598c6bdc2fff70464d53d5fd11efd5900b8187b4e73c719c9941814d7c61afb6ea7dfa7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8497a78146964f2e1ef0f449e42e4bea

SHA1
aa4aeafc3ca77bedfaae9d44b7e03e31d95d7550

SHA256
3b59091f49026e5ebbc1c11cdef32b40d55b8ad37dc623fd4e204c8d5534ef7b

SHA512
335e9f1f4740c4f749213e858e5a84869e422a02d0922659aaadff1f56ac64f3b6faa281d0e5583eb8a97a0d25957d814dcf82240cd00ef8a533e6a29c1a5dfe

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a8b6645ba78b867edc4039f73a01e988

SHA1
baca088f9c9f0021f4f262d90d4defc8c5526b93

SHA256
8830d6c247fb7de5a3a5d2100142904b8ae6f3b794600f85cd9fb53ef7e9fbe8

SHA512
c919da00cea4bd02957f459e1f364a664c5cdaa711154ce480f5525d1bd7d46303f0dd4386efb6c9edbee7cfd92c53c8882562ea4224caf7a935069f3217c3f2

Download Submit
C:\Users\Admin\AppData\Local\Temp\8RCzlRjk6I.bat

Filesize
202B

MD5
bdfda6d36fff33e173a5b1fa72a6d326

SHA1
7ad24bb3e256a7b012593db9db8880241e032466

SHA256
553c7cc172b587799b13225a90eeaf0bea408de6b8f2fbc484cc1f28fdc75686

SHA512
217661d0279a46d12487cd86201c1455aaf0b6d420748731707fc43e909c6fd2776a0a83c1bb12cd9bc8c3a67eabfd148f9bb52fc57a92b30dc326d50db83e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\8zQYTmmGlF.bat

Filesize
202B

MD5
7c2101dd36e4a6890ababe13f0d6cf44

SHA1
8159761b8606e4a80b85cdc503cf4fc125f7d66b

SHA256
27d03da3d5dcaa11a68f11cd6f7c5c9858af842dd1a0eeb30793462db49b15d0

SHA512
41f31f43aa5556d33e9d302fcc17146c7716c2868b4cf032c9ad102e16904a2936a2195384771a32f6ae5793b23c81f652f66bb9f8a9408f517a1a4cc493ca8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\BcIiUXCUMc.bat

Filesize
202B

MD5
667bbe24fcdd1b9371b752cb1c0cf5eb

SHA1
4a9a78c6f1fab9a26fe4009f2ce5a1cae162cd74

SHA256
f438ac47207d16ad92280d117d3d4570cc35e2126115ce081ddd1f8781948a0f

SHA512
5a7a4794f4f615c0dc4c4cd0d20dfbe29f3a07cf277f8e16ee0a202553264705603ef5765604e7a0ea355a742965bd412c6901cfddf30d77c577e44bdbb9afee

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab8CA8.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MQa1PIx8rY.bat

Filesize
202B

MD5
4ad250901edc361281e1bafc64168390

SHA1
045671ae3972e27d8df6fcd4f40a3a57e82624bb

SHA256
113b5c25aba02d9dd4e5a5564feda450206946d2d0da94281479b7bdf2ff9141

SHA512
6259bbcb345f2043f07473f73cf3e7a3827c4731cad15dd7bd8bc10dc68407821c051800fe5d37a378a994559858c571556fee7fe5cb34a2d58608c234740268

Download Submit
C:\Users\Admin\AppData\Local\Temp\Mw1PlbJmoj.bat

Filesize
202B

MD5
00ec7e88cb460b9e3c27e98737b4e7d0

SHA1
000b4002e282b5e4e4e12b42f13ccf2869af44ad

SHA256
bad9b8bb3812822762211c415060d43cbee5329cbaad447b1c87474ee13b9f84

SHA512
cc8904d326ca1f6ae272e504348035e021d63f0b850966f145559ede344cca63ac4c69c404d3c51134aa58e24f3a0e5e03d3077c6c1cd2ac23ef405a8b73275d

Download Submit
C:\Users\Admin\AppData\Local\Temp\S2GQUB77UU.bat

Filesize
202B

MD5
4f3091659f19505120b071c9cf0dd8f1

SHA1
394351b319874b892d3df7914d562a80f115e7be

SHA256
d37069d0b21b5ac69fac1a5d84984cd1feb68b11d7f2bdf0cc3d46013c9ef3ac

SHA512
96e6c0f324fa70372899addf8c5e4efb6c432011f7aafe8160b30a12409c8ef7e3cdb5142ccce842f0e810cb6cf9341541d0db7e2703885efa6f95c478f5c117

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar8CBA.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\eXOrkcF5G0.bat

Filesize
202B

MD5
25eba1e8619afb401641bcfd544fe6ea

SHA1
5ef6e1d473a705b14af00c067cf88f08ae1999ac

SHA256
b4f497fe7579e34b2c73bd4346c71b3ade3d3d63f40fc4fd7e24c47b9ddcfc67

SHA512
2aff1a11bba405ea04f9557f8434b2d1fea4cf4f08d80cf364009dd1402eb45bda535eb7458f707a84c602ef8309a4c89b0609c2450a7fbbd81607cd02a98e28

Download Submit
C:\Users\Admin\AppData\Local\Temp\fZs2sOO0th.bat

Filesize
202B

MD5
d8dee1eb28a909e7ef25a4252c7e10ae

SHA1
067d7b5ec6fa5b78a21fbf83403a36beef8fc88a

SHA256
c00a9a7191d4ef47c21b7ae986a1750d517effa3ad204cfa39e0ec8afdc72ac4

SHA512
2371bd1dc42c36c70be929701503a66a8138812f79cd1f3fd50a871ffd2da70251229c41f5ddc843524c066c6742769dc9c2e3e1b236240bdb1be2ab94516650

Download Submit
C:\Users\Admin\AppData\Local\Temp\vdJwOJplm6.bat

Filesize
202B

MD5
14805689bd38419cdb7c50cfba2c2e3d

SHA1
7ddbb4fb718261cedb4da859f0931b0b9802400c

SHA256
b8baa0a531968d0dafb460e99b39a5646b6c8192839fc66daa883bd9bb0fa470

SHA512
195d9ffe859d42ebc59bfbc78dfb3cbc893ec44c6fd4bf79dcf2962f25ba367c663a9cd3de7c437b670062e71aa1b5a30b9a2a50bfcf26d990f1425ed1bb550f

Download Submit
C:\Users\Admin\AppData\Local\Temp\xgactKMGCU.bat

Filesize
202B

MD5
2d9bec63dd9a20e01f79a2d46fb5386b

SHA1
1af6ece1cd89a0b5e2c16043e76e64a04e0d1883

SHA256
695fcfab94bbead0a59433f807fd57ea44b2d233135a37fc821898066dba1599

SHA512
6f8aec8b2bf52d55a7ccad7ad8aad7cf9182bc2848b3fc5b4ea1189a66b4c2311b3c63ea0d855863f714e321250ebd2090955a158c831d2c692c9e4701f0693d

Download Submit
C:\Users\Admin\AppData\Local\Temp\yXZnhMCmO6.bat

Filesize
202B

MD5
d026f39aa9882039d11c93b1c42ab5f6

SHA1
61688f5ad0d2edf59303f5a928ad965f4220122f

SHA256
f502fe63af7678355fc79c6fa33cf279c978c8213f50c1a445dbe9e084c65ebe

SHA512
4a4e0688cf53e7a53df8c5b29c4f1a91369a3e9df079d97054421d0175fd1d7528a1528f3c0b2b571eeaf514715946ba9dc950832007a48645b7ef80621ee7fd

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\MZE43RMRE7PN2JITT5NE.temp

Filesize
7KB

MD5
b90cdf42cb538b953f8f5c58fa731177

SHA1
3b91c79a49f7a3ab0d732f707211ee40b9c0d573

SHA256
21dbf9c04154ade0b3f571151e794301f3c17aa99ceb771669bf8d9811ef3fa9

SHA512
7bbc44e1bd2a595da1a2fe4916a1d64a88c88f3957d87b6e8f6990f6b5789a8bc5198219cdedd724525f35441a74de93b6efa36bb1d16c6b5fad629d5d3bc668

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1140-755-0x0000000000180000-0x0000000000290000-memory.dmp

Filesize
1.1MB

Download
memory/1148-337-0x0000000000850000-0x0000000000960000-memory.dmp

Filesize
1.1MB

Download
memory/1164-397-0x00000000001D0000-0x00000000002E0000-memory.dmp

Filesize
1.1MB

Download
memory/1324-457-0x00000000011D0000-0x00000000012E0000-memory.dmp

Filesize
1.1MB

Download
memory/1444-59-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1876-58-0x000000001B780000-0x000000001BA62000-memory.dmp

Filesize
2.9MB

Download
memory/1964-636-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2256-57-0x0000000000E30000-0x0000000000F40000-memory.dmp

Filesize
1.1MB

Download
memory/2256-99-0x0000000000330000-0x0000000000342000-memory.dmp

Filesize
72KB

Download
memory/2600-16-0x0000000000360000-0x000000000036C000-memory.dmp

Filesize
48KB

Download
memory/2600-13-0x0000000001340000-0x0000000001450000-memory.dmp

Filesize
1.1MB

Download
memory/2600-14-0x00000000002D0000-0x00000000002E2000-memory.dmp

Filesize
72KB

Download
memory/2600-15-0x00000000009A0000-0x00000000009AC000-memory.dmp

Filesize
48KB

Download
memory/2600-17-0x00000000009B0000-0x00000000009BC000-memory.dmp

Filesize
48KB

Download
memory/2660-277-0x0000000000140000-0x0000000000152000-memory.dmp

Filesize
72KB

Download
memory/2660-276-0x0000000000160000-0x0000000000270000-memory.dmp

Filesize
1.1MB

Download
memory/2752-576-0x0000000001280000-0x0000000001390000-memory.dmp

Filesize
1.1MB

Download