dcrat | 7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742

Analysis

max time kernel
149s
max time network
144s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 16:45

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
Size

1.3MB
MD5

3108a2dabc945949edc1019eb794b752
SHA1

16c16b63f45d8cb9303102bff7981003719ec705
SHA256

7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742
SHA512

8fee7b5345a6e7e7f6195b4de30b57ce53196dbc509a080367f261e2f9c688ae8fa50c9fd1aa471b95bc00eccb0acbb9afe33f96ff2cfddd5f61bb4abee256c8
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 36 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2568	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	856	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1904	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2040	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2168	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2364	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	352	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1096	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1456	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2116	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2064	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1276	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2556	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1760	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2252	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1004	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	264	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2212	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2220	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2132	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2188	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1540	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	980	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1576	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1176	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1288	3008	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1680	3008	schtasks.exe	34

DCRat payload 6 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0006000000019570-10.dat	dcrat
behavioral1/memory/2596-13-0x0000000000120000-0x0000000000230000-memory.dmp	dcrat
behavioral1/memory/912-60-0x0000000000CA0000-0x0000000000DB0000-memory.dmp	dcrat
behavioral1/memory/2780-346-0x0000000001010000-0x0000000001120000-memory.dmp	dcrat
behavioral1/memory/308-702-0x0000000000150000-0x0000000000260000-memory.dmp	dcrat
behavioral1/memory/1852-762-0x0000000000090000-0x00000000001A0000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 13 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2140	powershell.exe
1996	powershell.exe
824	powershell.exe
272	powershell.exe
1912	powershell.exe
2496	powershell.exe
1728	powershell.exe
3048	powershell.exe
3056	powershell.exe
1672	powershell.exe
684	powershell.exe
2440	powershell.exe
1668	powershell.exe

Executes dropped EXE 13 IoCs

pid	Process
2596	DllCommonsvc.exe
912	sppsvc.exe
2212	sppsvc.exe
2812	sppsvc.exe
1576	sppsvc.exe
2780	sppsvc.exe
1432	sppsvc.exe
1672	sppsvc.exe
1576	sppsvc.exe
2548	sppsvc.exe
2392	sppsvc.exe
308	sppsvc.exe
1852	sppsvc.exe

Loads dropped DLL 2 IoCs

pid	Process
2892	cmd.exe
2892	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
9	raw.githubusercontent.com
13	raw.githubusercontent.com
20	raw.githubusercontent.com
23	raw.githubusercontent.com
26	raw.githubusercontent.com
32	raw.githubusercontent.com
4	raw.githubusercontent.com
5	raw.githubusercontent.com
16	raw.githubusercontent.com
29	raw.githubusercontent.com
35	raw.githubusercontent.com
39	raw.githubusercontent.com

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Windows Portable Devices\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Portable Devices\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\audiodg.exe	DllCommonsvc.exe
File created	C:\Program Files\7-Zip\Lang\42af1c969fbb7b	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Mail\ja-JP\6cb0b6c459d5d3	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\smss.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows NT\TableTextService\69ddcba757bf72	DllCommonsvc.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File created	C:\Windows\Microsoft.NET\Framework\1036\explorer.exe	DllCommonsvc.exe
File created	C:\Windows\Microsoft.NET\Framework\1036\7a0fd90576e088	DllCommonsvc.exe
File created	C:\Windows\IME\imekr8\help\System.exe	DllCommonsvc.exe
File created	C:\Windows\IME\imekr8\help\27d1bcfc3c54e0	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 36 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1288	schtasks.exe
2168	schtasks.exe
1096	schtasks.exe
2380	schtasks.exe
2132	schtasks.exe
2336	schtasks.exe
3068	schtasks.exe
1680	schtasks.exe
2116	schtasks.exe
2212	schtasks.exe
2220	schtasks.exe
1540	schtasks.exe
980	schtasks.exe
1988	schtasks.exe
2568	schtasks.exe
2556	schtasks.exe
2436	schtasks.exe
1576	schtasks.exe
1176	schtasks.exe
1276	schtasks.exe
264	schtasks.exe
2472	schtasks.exe
856	schtasks.exe
2040	schtasks.exe
1760	schtasks.exe
2188	schtasks.exe
2208	schtasks.exe
2252	schtasks.exe
2364	schtasks.exe
352	schtasks.exe
1456	schtasks.exe
2064	schtasks.exe
1004	schtasks.exe
2200	schtasks.exe
1904	schtasks.exe
2096	schtasks.exe

Suspicious behavior: CmdExeWriteProcessMemorySpam 11 IoCs

pid	Process
2212	sppsvc.exe
2812	sppsvc.exe
1576	sppsvc.exe
2780	sppsvc.exe
1432	sppsvc.exe
1672	sppsvc.exe
1576	sppsvc.exe
2548	sppsvc.exe
2392	sppsvc.exe
308	sppsvc.exe
1852	sppsvc.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
2596	DllCommonsvc.exe
1668	powershell.exe
2440	powershell.exe
1728	powershell.exe
272	powershell.exe
1912	powershell.exe
3056	powershell.exe
684	powershell.exe
1996	powershell.exe
3048	powershell.exe
2496	powershell.exe
912	sppsvc.exe
824	powershell.exe
1672	powershell.exe
2140	powershell.exe
2212	sppsvc.exe
2812	sppsvc.exe
1576	sppsvc.exe
2780	sppsvc.exe
1432	sppsvc.exe
1672	sppsvc.exe
1576	sppsvc.exe
2548	sppsvc.exe
2392	sppsvc.exe
308	sppsvc.exe
1852	sppsvc.exe

Suspicious use of AdjustPrivilegeToken 26 IoCs

description	pid	Process
Token: SeDebugPrivilege	2596	DllCommonsvc.exe
Token: SeDebugPrivilege	1668	powershell.exe
Token: SeDebugPrivilege	2440	powershell.exe
Token: SeDebugPrivilege	1728	powershell.exe
Token: SeDebugPrivilege	272	powershell.exe
Token: SeDebugPrivilege	1912	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	912	sppsvc.exe
Token: SeDebugPrivilege	684	powershell.exe
Token: SeDebugPrivilege	1996	powershell.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeDebugPrivilege	2496	powershell.exe
Token: SeDebugPrivilege	824	powershell.exe
Token: SeDebugPrivilege	1672	powershell.exe
Token: SeDebugPrivilege	2140	powershell.exe
Token: SeDebugPrivilege	2212	sppsvc.exe
Token: SeDebugPrivilege	2812	sppsvc.exe
Token: SeDebugPrivilege	1576	sppsvc.exe
Token: SeDebugPrivilege	2780	sppsvc.exe
Token: SeDebugPrivilege	1432	sppsvc.exe
Token: SeDebugPrivilege	1672	sppsvc.exe
Token: SeDebugPrivilege	1576	sppsvc.exe
Token: SeDebugPrivilege	2548	sppsvc.exe
Token: SeDebugPrivilege	2392	sppsvc.exe
Token: SeDebugPrivilege	308	sppsvc.exe
Token: SeDebugPrivilege	1852	sppsvc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2704 wrote to memory of 2932	2704	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	30
PID 2704 wrote to memory of 2932	2704	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	30
PID 2704 wrote to memory of 2932	2704	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	30
PID 2704 wrote to memory of 2932	2704	7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe	30
PID 2932 wrote to memory of 2892	2932	WScript.exe	31
PID 2932 wrote to memory of 2892	2932	WScript.exe	31
PID 2932 wrote to memory of 2892	2932	WScript.exe	31
PID 2932 wrote to memory of 2892	2932	WScript.exe	31
PID 2892 wrote to memory of 2596	2892	cmd.exe	33
PID 2892 wrote to memory of 2596	2892	cmd.exe	33
PID 2892 wrote to memory of 2596	2892	cmd.exe	33
PID 2892 wrote to memory of 2596	2892	cmd.exe	33
PID 2596 wrote to memory of 1668	2596	DllCommonsvc.exe	71
PID 2596 wrote to memory of 1668	2596	DllCommonsvc.exe	71
PID 2596 wrote to memory of 1668	2596	DllCommonsvc.exe	71
PID 2596 wrote to memory of 2440	2596	DllCommonsvc.exe	72
PID 2596 wrote to memory of 2440	2596	DllCommonsvc.exe	72
PID 2596 wrote to memory of 2440	2596	DllCommonsvc.exe	72
PID 2596 wrote to memory of 1672	2596	DllCommonsvc.exe	73
PID 2596 wrote to memory of 1672	2596	DllCommonsvc.exe	73
PID 2596 wrote to memory of 1672	2596	DllCommonsvc.exe	73
PID 2596 wrote to memory of 272	2596	DllCommonsvc.exe	74
PID 2596 wrote to memory of 272	2596	DllCommonsvc.exe	74
PID 2596 wrote to memory of 272	2596	DllCommonsvc.exe	74
PID 2596 wrote to memory of 1912	2596	DllCommonsvc.exe	76
PID 2596 wrote to memory of 1912	2596	DllCommonsvc.exe	76
PID 2596 wrote to memory of 1912	2596	DllCommonsvc.exe	76
PID 2596 wrote to memory of 3056	2596	DllCommonsvc.exe	78
PID 2596 wrote to memory of 3056	2596	DllCommonsvc.exe	78
PID 2596 wrote to memory of 3056	2596	DllCommonsvc.exe	78
PID 2596 wrote to memory of 2496	2596	DllCommonsvc.exe	79
PID 2596 wrote to memory of 2496	2596	DllCommonsvc.exe	79
PID 2596 wrote to memory of 2496	2596	DllCommonsvc.exe	79
PID 2596 wrote to memory of 684	2596	DllCommonsvc.exe	81
PID 2596 wrote to memory of 684	2596	DllCommonsvc.exe	81
PID 2596 wrote to memory of 684	2596	DllCommonsvc.exe	81
PID 2596 wrote to memory of 824	2596	DllCommonsvc.exe	83
PID 2596 wrote to memory of 824	2596	DllCommonsvc.exe	83
PID 2596 wrote to memory of 824	2596	DllCommonsvc.exe	83
PID 2596 wrote to memory of 1996	2596	DllCommonsvc.exe	84
PID 2596 wrote to memory of 1996	2596	DllCommonsvc.exe	84
PID 2596 wrote to memory of 1996	2596	DllCommonsvc.exe	84
PID 2596 wrote to memory of 2140	2596	DllCommonsvc.exe	85
PID 2596 wrote to memory of 2140	2596	DllCommonsvc.exe	85
PID 2596 wrote to memory of 2140	2596	DllCommonsvc.exe	85
PID 2596 wrote to memory of 1728	2596	DllCommonsvc.exe	86
PID 2596 wrote to memory of 1728	2596	DllCommonsvc.exe	86
PID 2596 wrote to memory of 1728	2596	DllCommonsvc.exe	86
PID 2596 wrote to memory of 3048	2596	DllCommonsvc.exe	87
PID 2596 wrote to memory of 3048	2596	DllCommonsvc.exe	87
PID 2596 wrote to memory of 3048	2596	DllCommonsvc.exe	87
PID 2596 wrote to memory of 912	2596	DllCommonsvc.exe	96
PID 2596 wrote to memory of 912	2596	DllCommonsvc.exe	96
PID 2596 wrote to memory of 912	2596	DllCommonsvc.exe	96
PID 2596 wrote to memory of 912	2596	DllCommonsvc.exe	96
PID 2596 wrote to memory of 912	2596	DllCommonsvc.exe	96
PID 912 wrote to memory of 964	912	sppsvc.exe	98
PID 912 wrote to memory of 964	912	sppsvc.exe	98
PID 912 wrote to memory of 964	912	sppsvc.exe	98
PID 964 wrote to memory of 640	964	cmd.exe	100
PID 964 wrote to memory of 640	964	cmd.exe	100
PID 964 wrote to memory of 640	964	cmd.exe	100
PID 964 wrote to memory of 2212	964	cmd.exe	101
PID 964 wrote to memory of 2212	964	cmd.exe	101

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe
"C:\Users\Admin\AppData\Local\Temp\7564e427054537f671838b319b67a0e41d788ad9735ac2c2b04d58a56a3f4742.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2704
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2932
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2892
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2596
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1668
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\sppsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Microsoft.NET\Framework\1036\explorer.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:272
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1912
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\7-Zip\Lang\audiodg.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2496
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:684
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\IME\imekr8\help\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows NT\TableTextService\smss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2140
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\dllhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1728
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
    - - C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:912
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:640
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat"
        8⤵
        
        PID:652
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1936
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat"
        10⤵
        
        PID:1292
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:568
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat"
        12⤵
        
        PID:1644
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1652
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2780
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat"
        14⤵
        
        PID:1964
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:868
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1432
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat"
        16⤵
        
        PID:2268
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:1648
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1672
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat"
        18⤵
        
        PID:2992
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:852
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat"
        20⤵
        
        PID:272
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2084
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat"
        22⤵
        
        PID:1588
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2364
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2392
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat"
        24⤵
        
        PID:2912
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2764
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:308
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat"
        26⤵
        
        PID:1564
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:3068
        
        C:\providercommon\sppsvc.exe
        
        "C:\providercommon\sppsvc.exe"
        27⤵
        Executes dropped EXE
        Suspicious behavior: CmdExeWriteProcessMemorySpam
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1852

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2568

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:856

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2200

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\providercommon\sppsvc.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1904

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2040

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 8 /tr "'C:\providercommon\sppsvc.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2168

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 14 /tr "'C:\Windows\Microsoft.NET\Framework\1036\explorer.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2364

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorer" /sc ONLOGON /tr "'C:\Windows\Microsoft.NET\Framework\1036\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2208

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "explorere" /sc MINUTE /mo 11 /tr "'C:\Windows\Microsoft.NET\Framework\1036\explorer.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:352

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1456

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 13 /tr "'C:\Program Files (x86)\Windows Portable Devices\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2116

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2064

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2380

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 6 /tr "'C:\Program Files\7-Zip\Lang\audiodg.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1276

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2096

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2556

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0019-0409-0000-0000000FF1CE}-C\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1760

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2252

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1004

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 12 /tr "'C:\Program Files (x86)\Windows Mail\ja-JP\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:264

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 5 /tr "'C:\Windows\IME\imekr8\help\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2212

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Windows\IME\imekr8\help\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2220

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Windows\IME\imekr8\help\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2132

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 10 /tr "'C:\Program Files\Windows NT\TableTextService\smss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2188

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smss" /sc ONLOGON /tr "'C:\Program Files\Windows NT\TableTextService\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "smsss" /sc MINUTE /mo 9 /tr "'C:\Program Files\Windows NT\TableTextService\smss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3068

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1540

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininit" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:980

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "wininitw" /sc MINUTE /mo 12 /tr "'C:\MSOCache\All Users\{90140000-001A-0409-0000-0000000FF1CE}-C\wininit.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2436

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 14 /tr "'C:\Users\Default User\dllhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1576

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhost" /sc ONLOGON /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1176

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dllhostd" /sc MINUTE /mo 12 /tr "'C:\Users\Default User\dllhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2472

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1988

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwm" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "dwmd" /sc MINUTE /mo 9 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\dwm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c6d6319aa4ea5b71c6907b7edebd8dde

SHA1
cc21d4c46e3e7304c1efe2ef573914077f09f9e6

SHA256
6eabc2c009d2da240df87b3077306a7a1cd56d4af312efecb64331e1f07b8bc4

SHA512
d942560193ef2583905ac8dc3ad2b66939f24815e54287a68884e8d6688ee2d14e592fc5fb4cd5071d71bd55199bd8b608b23ccdc5123a83234954cf2e32d3b7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f3debc6a336ea217cead15850c96f082

SHA1
1127e32cc43db83105119ff0c09caeab3858bdba

SHA256
5b17005de9402f4f27abdf3951b8ce09c4fe138edc4578a2239ac3b28993bf8e

SHA512
9f9ad7e61c831ed5549957be8bd0be90382c5e38d54b6e11e502b4fb8fdd19b4aa64dffb2276b3c28ecb6d3a749dec38f384b4689c1dc8c02ebe69154a0828b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29c511f64f9ac868058b6d2981969cf7

SHA1
04fa3cd7aa48194f16a76fef95574de6ce408da6

SHA256
12fc7114424c91daa7fed3aba24b9acf232d1a461410fb538918b5a6c779d2dd

SHA512
d822f41ef8b44a40d9c0f51ecb8de9abd7b510d927eafae6d66bb287ea69289a3c4dd44e97c51b49651c8e97d54b0e7da0de701d2bac1eddc508b1149562b893

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e3d3e8a731dda1468a8b9489e96ea7b

SHA1
0181e4d40c3bfbf50051f65426af37f73c62ca3f

SHA256
2675e453d7e40533f07c559e17efcc90a6299f5d88d578884ee5d0b5a118fbd8

SHA512
92193a9dd698d57a61a6e18122629c73dbe42c0d5756ff8a114ce1250181d1773323b28b285c0ee346cf284e0d5fddbac305da91b267b3189edbb3bb10c245a1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c9c42ffbdc930c3921dab90dfa490b6a

SHA1
c98d4875aa64bc989a5a1720d5bcf8bb2f52c281

SHA256
528b36e2a98ac3d9a97299e15549750b9498607b857508296966b5674274710c

SHA512
fc8791d397950f90783a4e82992549b2da9edb7cdfc648a96d2dcb8e0972a8a4c708633a139ee439b5a4b98bcbe68ed8c8295132b20f361c9ef692754287ab8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ff8fd3c9800b502e386b2be02827080f

SHA1
2f73a59213eaa20854aa6a4fb50b2f42b3ddf912

SHA256
c7f95dd8860b6388030a11df9daf5054f7879b79406a63984f11d47b0dfdb065

SHA512
109ec41a9716309181604b3e8990054167048c44cfdfd79b08eae5ed2f332f327d0684e0aa591f451618c5424d91c7799934ad9661f0e08392018f1fb9e4b24d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e397aaf2f56b9eb5759be2d2b0697c5b

SHA1
6656b0edb8f5026be67f56ff5963e1cd784c5635

SHA256
9d2ce0044c5e48482004e01ff580f371fea8593b55cd483cfc460c42bc6d49b6

SHA512
9416d2097b395989474a624f031e8c60300090845a20b15efdb0dff947bc169fd933ba24a7e49ee0d3f0e360df1d9862c5b780acb9c4996f2732d35339536742

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e011845abcbc00ee00c4328ffd335cfa

SHA1
a2bc83bf2c43adffb9d7dfc979e16608275df313

SHA256
78b3bc933b135cdbaccedabd529dd0a570511277a5fb7dc8d788dabe3a8c57da

SHA512
685231b9b370eaa3b46c2148598d38792da99c1b25ab5ea33439d4a95e44c142ea3bd1640b6ebd06f54212504adcf4d5860835489737e504f2b09d4e6b303e48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
049f2c9ab56fb07ccc476ef791fd5cdc

SHA1
ba80190c0ffafdc96f6c2bc906815fda33dab535

SHA256
fcdbad0cd83d3d381973fb60a21f7d8cad25009f6b0f8ae09af458592b968b5e

SHA512
6d9ed14061b4922d0d61168fe8164c1659eb4892dfda00284e6e9b8c930178ef6ecddb0e8010e611b41c60cc7f35271bc92094931176d22d8204de3bb4a00525

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
687c4fe5612eae44dc833d3f4eea4ecd

SHA1
db8cdd1fa13bf1367da69a704ce1a5abbc5ad839

SHA256
571815e7b32d12ba516b24d05b8512ffae2f1b357027fd3c2fbfcc43aa7f1aa0

SHA512
644866d0a9b28c66c52a827a3dcd7ee68e00a0c807c2a49432c56cb96a712aa72b5f8a2355d7f990c543bfa8651475d2345252cf47bac37bd57ac4c6579dfb78

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab6E30.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\ESzt3JT3T8.bat

Filesize
193B

MD5
ed55ee8a71e567c6feb14db946bb67eb

SHA1
1c450fc6111e4630cfc9463e76a63c7a9132308e

SHA256
6f7decbcb3e6115378cba474d077c99ef836495c13815469d7a160ec72daabd7

SHA512
dfc6539bdf0ad882c25f521eeae501acd024f7570e4595625a6948a8bdd9031b2d4e2342ecaea0199b21de651dab13ccc97576c1b42234902319cc2a6cbf7a6d

Download Submit
C:\Users\Admin\AppData\Local\Temp\T7KIMELUbd.bat

Filesize
193B

MD5
378e60cb522cedaf0bce5fa17c90dcc0

SHA1
430363c21b7444d6aa1ff8c0606ecfd00c4339dd

SHA256
96a2e11df2b7492ae09b37029b2dfb46a8151046fd58adcbaadf282c09866277

SHA512
72fa14c0c045f45e55c52e0ec9645f6b8023989946a07449887296a2d07b86ac79c43e7f821f5126476a7059e508a5b16dc91c71e5167991384a3c3b26b664b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\TA6UjH3MJQ.bat

Filesize
193B

MD5
535c5f57d87123f2b153c139d5f065c3

SHA1
e5a04ec000b4bc6609b92f7337782692710eccb4

SHA256
b97261c7675cacee65ab8692b319f143a59a906f797876f01896fc090d1bc9bd

SHA512
f981d8c4221cbe90e9e436ceb5213fdd2f66abd6e3fbe347a0bc512f2e05529f9be306a6b153a9d8dca6e9d754641d8868f6ac4697ca0d33ed2b603020027352

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar6E52.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WRY5ahHPmz.bat

Filesize
193B

MD5
fff8e15ea01bf1e6ece5beaa31886360

SHA1
f54d2bfd02c24b653cb1f4afe2cb16f73b542e99

SHA256
fcb7239282bcda5bf2aea91a445ab8c3b2f83f07374e6f2cadfd8ed5899c1b47

SHA512
735d40e0de0d92e88f14195afcb3a58b5c55040c1873592ac85b9616dd4599345d9a027e2bbef664000d578a7f2bfaf8c9267b0007a4a7a17e56f9e85a1a1708

Download Submit
C:\Users\Admin\AppData\Local\Temp\YNa8GmLI5m.bat

Filesize
193B

MD5
8d097ee59a9a7a50859e655055218e6b

SHA1
561b06d7af900250e830c8136bccc150e601191d

SHA256
9021d3b03c84822d13adf935721c1f4316d9660b9a0396b4bba2cd23e2bad940

SHA512
efbf6d5ec55d7cbda1dd06f301018d398b2dcdeebb506af5d95c21ffd489d1e551273ac741330ab21a9134e524983fec96f9dd9a19ce4b5e73e1fed409bb1f10

Download Submit
C:\Users\Admin\AppData\Local\Temp\cRRFCwJQFV.bat

Filesize
193B

MD5
df377ffe35c879112a3a308ac1501a20

SHA1
fc41f1b16c448d18c2a3253874cd2845bddf0666

SHA256
efa13ce955653e138d0ee6251d566164f9d5baa4c7270651c3967e0d8fb4b0fa

SHA512
c17fbabe496158e146baf8be2d88c067f93c39d5b83c89301d6c746ab7fb86da275d274a524198413e08c17d02be56d28dad7e433ba8d4fb8fc1e48270311d5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\mNrvcGFykN.bat

Filesize
193B

MD5
ee78f0e486b6cf90ed59a769a87cab5a

SHA1
17d3c4bbfbbf0fdc194a8891792d5af24175a514

SHA256
f0d8651fa8f7f6ce9bb8949135f1dbeab41ef028167f97774112c6708198de75

SHA512
daf3322d87e9e3948b4311f3075e01e0f013631f85f523443dc796c82bab1bb386e03e5c1833ce6630ecc738857a0d5f51e12990449ee4b0c48044df0ae7fea7

Download Submit
C:\Users\Admin\AppData\Local\Temp\syea0WjfTx.bat

Filesize
193B

MD5
a479199f51514c43113bd5f9aad3d741

SHA1
164079d93e372c8f9705694b509a97f476bba09c

SHA256
2756a2fa7e25cedb75043a8008bcd17967bdc1d58984826a2c5c9dfa67b858b0

SHA512
9b3ef27b0d462996c2cb846f399fce79c0ce55b9d06c7c6633b58bae59cd893e9ed49e951f804bbb0290daf6e642bde6f87f3be62585fac05c82d359c4a771a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tlxpltA24S.bat

Filesize
193B

MD5
3c9dfd348fba285622e9b0ede04cb2c9

SHA1
d5fde95a218663681f35e4dbc15de85d95b0f1f7

SHA256
04a73f5d609bd3c2caa6bfaf5a153b19e9c11ad30ceb0bd3f7053a41ccb1d0b3

SHA512
b555adde55c3c0a1090c6d769abcd07e2014dd3df7907d8d2c6f845554e1f10f305832972de66082fd93732af54b509bb103fbf0d36f61563355ad56537bc76b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wKGJ2NUoAL.bat

Filesize
193B

MD5
740daec2c6ac4ac5d6b17ca62fd44a25

SHA1
7a457a30614249e2204bc26c84e5b054f495bf60

SHA256
b4961ef2b8e15988368646999877027bf2b14bae8f64f9318611da5e746ca44f

SHA512
0d9c7b32a804bca42c1600ea143b298b3acb8f63e4301dfd81ae919889abb49868bd7a4d9106a5ce8bd706bfdc26689aa511d1d8c2b36a81c1478538aabf266c

Download Submit
C:\Users\Admin\AppData\Local\Temp\xkGYwzkQoc.bat

Filesize
193B

MD5
34e46e264fa248a6015ab25081987610

SHA1
dcdb86de371ab1ae3bc6f4c70fc0bf0b81368643

SHA256
80411b4f38b1ab24932778f8b4ed3b3c40e391589e6b2fd1aab02b975ae8bee8

SHA512
e61940bb8552107b73968dabb9dd15e08ff93228a6bba0b7610da4a0ec433fc8ae3fcefb253b700b22dff91fcefe1463a0cca4dd8572ab0977067535188d72c6

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
651b60291d9af49218be00e7425bc0bf

SHA1
ec943264515cd6706977dfd590739a817b7a4355

SHA256
7ad02de92f4a151555f670d89abad9d49a0f7f4e02c4b806094aa14e6df0d60c

SHA512
5cef06b7425ed5511d218dfedf27fd04651dea8029f038e136bde108774b511cafc6eb80c54ca1222ca2649e8685bb0a39e7830f43b7033bf5685fe0112ab74d

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/308-702-0x0000000000150000-0x0000000000260000-memory.dmp

Filesize
1.1MB

Download
memory/912-60-0x0000000000CA0000-0x0000000000DB0000-memory.dmp

Filesize
1.1MB

Download
memory/912-94-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/1668-57-0x000000001B790000-0x000000001BA72000-memory.dmp

Filesize
2.9MB

Download
memory/1668-59-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1852-762-0x0000000000090000-0x00000000001A0000-memory.dmp

Filesize
1.1MB

Download
memory/2548-583-0x0000000000340000-0x0000000000352000-memory.dmp

Filesize
72KB

Download
memory/2596-16-0x00000000005F0000-0x00000000005FC000-memory.dmp

Filesize
48KB

Download
memory/2596-13-0x0000000000120000-0x0000000000230000-memory.dmp

Filesize
1.1MB

Download
memory/2596-14-0x00000000003E0000-0x00000000003F2000-memory.dmp

Filesize
72KB

Download
memory/2596-15-0x0000000000600000-0x000000000060C000-memory.dmp

Filesize
48KB

Download
memory/2596-17-0x0000000000620000-0x000000000062C000-memory.dmp

Filesize
48KB

Download
memory/2780-346-0x0000000001010000-0x0000000001120000-memory.dmp

Filesize
1.1MB

Download
memory/2812-227-0x0000000000360000-0x0000000000372000-memory.dmp

Filesize
72KB

Download