dcrat | a21ff2a105e6eea60b94479c044af6b7fcd94f47a12c1496359cfffbbb3b6ae5

Analysis

max time kernel
147s
max time network
148s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
21-12-2024 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_a21ff2a105e6eea60b94479c044af6b7fcd94f47a12c1496359cfffbbb3b6ae5.exe
Size

1.3MB
MD5

5090b2f1992be6819d679f3ad8a6de59
SHA1

7290032f89036d1ccc47b7ffa3b7bb334ce0cd5b
SHA256

a21ff2a105e6eea60b94479c044af6b7fcd94f47a12c1496359cfffbbb3b6ae5
SHA512

b7d052eb0ccb32632df27ee8133d3038876b9d1044be046fc0ac314d0b4cd9e0bef28f77d22b47cf61842efc495422a65bc9c5c76bdd24e65088f2f52c4deefe
SSDEEP

24576:U2G/nvxW3Ww0t6TnzGmVBDh4+aknuRRZJND0gFJ4rD/IjC:UbA30GnzV/q+DnsXg

Score

10^/10

dcrat discovery execution infostealer rat

Malware Config

Signatures

DcRat
DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.
rat infostealer dcrat
Dcrat family
dcrat

Process spawned unexpected child process 33 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1788	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2780	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2612	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2676	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1484	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2896	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	632	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3008	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1056	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1248	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2680	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2960	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2972	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	336	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2600	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2868	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2148	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2388	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1784	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	828	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2328	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	408	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1016	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	820	2844	schtasks.exe	34
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1792	2844	schtasks.exe	34

DCRat payload 11 IoCs

Detects payload of DCRat, commonly dropped by NSIS installers.

rat

resource	yara_rule
behavioral1/files/0x0008000000016c3a-12.dat	dcrat
behavioral1/memory/2804-13-0x0000000000DB0000-0x0000000000EC0000-memory.dmp	dcrat
behavioral1/memory/1988-46-0x0000000000A70000-0x0000000000B80000-memory.dmp	dcrat
behavioral1/memory/1956-166-0x0000000000FF0000-0x0000000001100000-memory.dmp	dcrat
behavioral1/memory/2484-226-0x00000000013B0000-0x00000000014C0000-memory.dmp	dcrat
behavioral1/memory/2428-286-0x0000000000010000-0x0000000000120000-memory.dmp	dcrat
behavioral1/memory/2148-346-0x0000000000800000-0x0000000000910000-memory.dmp	dcrat
behavioral1/memory/1712-407-0x00000000010C0000-0x00000000011D0000-memory.dmp	dcrat
behavioral1/memory/2420-585-0x0000000000100000-0x0000000000210000-memory.dmp	dcrat
behavioral1/memory/3004-645-0x00000000001C0000-0x00000000002D0000-memory.dmp	dcrat
behavioral1/memory/1344-706-0x0000000000310000-0x0000000000420000-memory.dmp	dcrat

Command and Scripting Interpreter: PowerShell 1 TTPs 12 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
108	powershell.exe
2428	powershell.exe
2132	powershell.exe
788	powershell.exe
2472	powershell.exe
352	powershell.exe
1440	powershell.exe
1652	powershell.exe
2184	powershell.exe
2592	powershell.exe
792	powershell.exe
1464	powershell.exe

Executes dropped EXE 12 IoCs

pid	Process
2804	DllCommonsvc.exe
1988	System.exe
1956	System.exe
2484	System.exe
2428	System.exe
2148	System.exe
1712	System.exe
2968	System.exe
2000	System.exe
2420	System.exe
3004	System.exe
1344	System.exe

Loads dropped DLL 2 IoCs

pid	Process
2280	cmd.exe
2280	cmd.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 12 IoCs

Web Service

T1102

flow	ioc
4	raw.githubusercontent.com
12	raw.githubusercontent.com
23	raw.githubusercontent.com
27	raw.githubusercontent.com
34	raw.githubusercontent.com
41	raw.githubusercontent.com
5	raw.githubusercontent.com
9	raw.githubusercontent.com
16	raw.githubusercontent.com
20	raw.githubusercontent.com
31	raw.githubusercontent.com
38	raw.githubusercontent.com

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\Windows Mail\en-US\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Windows Media Player\Icons\explorer.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\System.exe	DllCommonsvc.exe
File created	C:\Program Files (x86)\Microsoft.NET\27d1bcfc3c54e0	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\csrss.exe	DllCommonsvc.exe
File created	C:\Program Files\Java\jre7\bin\886983d96e3d3e	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\System.exe	DllCommonsvc.exe
File opened for modification	C:\Program Files\Windows Mail\en-US\lsm.exe	DllCommonsvc.exe
File created	C:\Program Files\Windows Mail\en-US\101b941d020240	DllCommonsvc.exe
File created	C:\Program Files\Windows Photo Viewer\ja-JP\27d1bcfc3c54e0	DllCommonsvc.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Tasks\services.exe	DllCommonsvc.exe
File created	C:\Windows\Tasks\c5b4cb5e9653cc	DllCommonsvc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WScript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_a21ff2a105e6eea60b94479c044af6b7fcd94f47a12c1496359cfffbbb3b6ae5.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2612	schtasks.exe
2680	schtasks.exe
2960	schtasks.exe
2564	schtasks.exe
828	schtasks.exe
1960	schtasks.exe
1056	schtasks.exe
2580	schtasks.exe
820	schtasks.exe
1396	schtasks.exe
1248	schtasks.exe
2972	schtasks.exe
336	schtasks.exe
1016	schtasks.exe
2896	schtasks.exe
632	schtasks.exe
2328	schtasks.exe
408	schtasks.exe
1484	schtasks.exe
2868	schtasks.exe
2288	schtasks.exe
1792	schtasks.exe
2780	schtasks.exe
2388	schtasks.exe
1784	schtasks.exe
1788	schtasks.exe
2600	schtasks.exe
1344	schtasks.exe
2676	schtasks.exe
3008	schtasks.exe
3016	schtasks.exe
2148	schtasks.exe
2056	schtasks.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
2804	DllCommonsvc.exe
1440	powershell.exe
2428	powershell.exe
108	powershell.exe
352	powershell.exe
1652	powershell.exe
2184	powershell.exe
2132	powershell.exe
2472	powershell.exe
788	powershell.exe
1988	System.exe
1464	powershell.exe
792	powershell.exe
2592	powershell.exe
1956	System.exe
2484	System.exe
2428	System.exe
2148	System.exe
1712	System.exe
2968	System.exe
2000	System.exe
2420	System.exe
3004	System.exe
1344	System.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeDebugPrivilege	2804	DllCommonsvc.exe
Token: SeDebugPrivilege	1988	System.exe
Token: SeDebugPrivilege	1440	powershell.exe
Token: SeDebugPrivilege	2428	powershell.exe
Token: SeDebugPrivilege	108	powershell.exe
Token: SeDebugPrivilege	352	powershell.exe
Token: SeDebugPrivilege	1652	powershell.exe
Token: SeDebugPrivilege	2184	powershell.exe
Token: SeDebugPrivilege	2132	powershell.exe
Token: SeDebugPrivilege	2472	powershell.exe
Token: SeDebugPrivilege	788	powershell.exe
Token: SeDebugPrivilege	1464	powershell.exe
Token: SeDebugPrivilege	792	powershell.exe
Token: SeDebugPrivilege	2592	powershell.exe
Token: SeDebugPrivilege	1956	System.exe
Token: SeDebugPrivilege	2484	System.exe
Token: SeDebugPrivilege	2428	System.exe
Token: SeDebugPrivilege	2148	System.exe
Token: SeDebugPrivilege	1712	System.exe
Token: SeDebugPrivilege	2968	System.exe
Token: SeDebugPrivilege	2000	System.exe
Token: SeDebugPrivilege	2420	System.exe
Token: SeDebugPrivilege	3004	System.exe
Token: SeDebugPrivilege	1344	System.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2696 wrote to memory of 1716	2696	JaffaCakes118_a21ff2a105e6eea60b94479c044af6b7fcd94f47a12c1496359cfffbbb3b6ae5.exe	30
PID 2696 wrote to memory of 1716	2696	JaffaCakes118_a21ff2a105e6eea60b94479c044af6b7fcd94f47a12c1496359cfffbbb3b6ae5.exe	30
PID 2696 wrote to memory of 1716	2696	JaffaCakes118_a21ff2a105e6eea60b94479c044af6b7fcd94f47a12c1496359cfffbbb3b6ae5.exe	30
PID 2696 wrote to memory of 1716	2696	JaffaCakes118_a21ff2a105e6eea60b94479c044af6b7fcd94f47a12c1496359cfffbbb3b6ae5.exe	30
PID 1716 wrote to memory of 2280	1716	WScript.exe	31
PID 1716 wrote to memory of 2280	1716	WScript.exe	31
PID 1716 wrote to memory of 2280	1716	WScript.exe	31
PID 1716 wrote to memory of 2280	1716	WScript.exe	31
PID 2280 wrote to memory of 2804	2280	cmd.exe	33
PID 2280 wrote to memory of 2804	2280	cmd.exe	33
PID 2280 wrote to memory of 2804	2280	cmd.exe	33
PID 2280 wrote to memory of 2804	2280	cmd.exe	33
PID 2804 wrote to memory of 352	2804	DllCommonsvc.exe	68
PID 2804 wrote to memory of 352	2804	DllCommonsvc.exe	68
PID 2804 wrote to memory of 352	2804	DllCommonsvc.exe	68
PID 2804 wrote to memory of 108	2804	DllCommonsvc.exe	69
PID 2804 wrote to memory of 108	2804	DllCommonsvc.exe	69
PID 2804 wrote to memory of 108	2804	DllCommonsvc.exe	69
PID 2804 wrote to memory of 1440	2804	DllCommonsvc.exe	70
PID 2804 wrote to memory of 1440	2804	DllCommonsvc.exe	70
PID 2804 wrote to memory of 1440	2804	DllCommonsvc.exe	70
PID 2804 wrote to memory of 2428	2804	DllCommonsvc.exe	71
PID 2804 wrote to memory of 2428	2804	DllCommonsvc.exe	71
PID 2804 wrote to memory of 2428	2804	DllCommonsvc.exe	71
PID 2804 wrote to memory of 1652	2804	DllCommonsvc.exe	72
PID 2804 wrote to memory of 1652	2804	DllCommonsvc.exe	72
PID 2804 wrote to memory of 1652	2804	DllCommonsvc.exe	72
PID 2804 wrote to memory of 2184	2804	DllCommonsvc.exe	73
PID 2804 wrote to memory of 2184	2804	DllCommonsvc.exe	73
PID 2804 wrote to memory of 2184	2804	DllCommonsvc.exe	73
PID 2804 wrote to memory of 2592	2804	DllCommonsvc.exe	74
PID 2804 wrote to memory of 2592	2804	DllCommonsvc.exe	74
PID 2804 wrote to memory of 2592	2804	DllCommonsvc.exe	74
PID 2804 wrote to memory of 1464	2804	DllCommonsvc.exe	75
PID 2804 wrote to memory of 1464	2804	DllCommonsvc.exe	75
PID 2804 wrote to memory of 1464	2804	DllCommonsvc.exe	75
PID 2804 wrote to memory of 788	2804	DllCommonsvc.exe	76
PID 2804 wrote to memory of 788	2804	DllCommonsvc.exe	76
PID 2804 wrote to memory of 788	2804	DllCommonsvc.exe	76
PID 2804 wrote to memory of 2132	2804	DllCommonsvc.exe	77
PID 2804 wrote to memory of 2132	2804	DllCommonsvc.exe	77
PID 2804 wrote to memory of 2132	2804	DllCommonsvc.exe	77
PID 2804 wrote to memory of 792	2804	DllCommonsvc.exe	78
PID 2804 wrote to memory of 792	2804	DllCommonsvc.exe	78
PID 2804 wrote to memory of 792	2804	DllCommonsvc.exe	78
PID 2804 wrote to memory of 2472	2804	DllCommonsvc.exe	79
PID 2804 wrote to memory of 2472	2804	DllCommonsvc.exe	79
PID 2804 wrote to memory of 2472	2804	DllCommonsvc.exe	79
PID 2804 wrote to memory of 1988	2804	DllCommonsvc.exe	89
PID 2804 wrote to memory of 1988	2804	DllCommonsvc.exe	89
PID 2804 wrote to memory of 1988	2804	DllCommonsvc.exe	89
PID 1988 wrote to memory of 2148	1988	System.exe	93
PID 1988 wrote to memory of 2148	1988	System.exe	93
PID 1988 wrote to memory of 2148	1988	System.exe	93
PID 2148 wrote to memory of 2944	2148	cmd.exe	95
PID 2148 wrote to memory of 2944	2148	cmd.exe	95
PID 2148 wrote to memory of 2944	2148	cmd.exe	95
PID 2148 wrote to memory of 1956	2148	cmd.exe	97
PID 2148 wrote to memory of 1956	2148	cmd.exe	97
PID 2148 wrote to memory of 1956	2148	cmd.exe	97
PID 1956 wrote to memory of 1536	1956	System.exe	98
PID 1956 wrote to memory of 1536	1956	System.exe	98
PID 1956 wrote to memory of 1536	1956	System.exe	98
PID 1536 wrote to memory of 1200	1536	cmd.exe	100

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a21ff2a105e6eea60b94479c044af6b7fcd94f47a12c1496359cfffbbb3b6ae5.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_a21ff2a105e6eea60b94479c044af6b7fcd94f47a12c1496359cfffbbb3b6ae5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2696
- C:\Windows\SysWOW64\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1716
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\providercommon\1zu9dW.bat" "
    3⤵
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\providercommon\DllCommonsvc.exe
      "C:\providercommon\DllCommonsvc.exe"
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      Drops file in Windows directory
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:2804
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:352
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Mail\en-US\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:108
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1440
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\Tasks\services.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Default User\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1652
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Microsoft.NET\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2184
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2592
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Java\jre7\bin\csrss.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1464
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2132
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\lsm.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:792
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\taskhost.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2472
    - - C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1988
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:2148
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        7⤵
        
        PID:2944
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        7⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:1956
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1536
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        9⤵
        
        PID:1200
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2484
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat"
        10⤵
        
        PID:2600
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        11⤵
        
        PID:3060
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        11⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2428
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat"
        12⤵
        
        PID:348
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        13⤵
        
        PID:1508
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        13⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat"
        14⤵
        
        PID:2620
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        15⤵
        
        PID:2348
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        15⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat"
        16⤵
        
        PID:1244
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        17⤵
        
        PID:532
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat"
        18⤵
        
        PID:1040
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        19⤵
        
        PID:1744
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        19⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat"
        20⤵
        
        PID:1952
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        21⤵
        
        PID:2232
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2420
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat"
        22⤵
        
        PID:2080
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        23⤵
        
        PID:2168
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        23⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat"
        24⤵
        
        PID:2764
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        25⤵
        
        PID:2736
        
        C:\Program Files\Windows Photo Viewer\ja-JP\System.exe
        
        "C:\Program Files\Windows Photo Viewer\ja-JP\System.exe"
        25⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1344
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat"
        26⤵
        
        PID:1176
        
        C:\Windows\system32\w32tm.exe
        
        w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
        27⤵
        
        PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1788

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2780

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Mail\en-US\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2612

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2676

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1484

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0115-0409-0000-0000000FF1CE}-C\1033\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2896

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 14 /tr "'C:\Windows\Tasks\services.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "services" /sc ONLOGON /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:632

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "servicess" /sc MINUTE /mo 6 /tr "'C:\Windows\Tasks\services.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1396

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 9 /tr "'C:\Users\Default User\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3008

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:3016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 10 /tr "'C:\Users\Default User\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1248

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2680

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 9 /tr "'C:\Program Files (x86)\Microsoft.NET\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2960

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 6 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2972

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVC" /sc ONLOGON /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:336

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "OSPPSVCO" /sc MINUTE /mo 7 /tr "'C:\Recovery\20e7eb62-69f6-11ef-be0c-62cb582c238c\OSPPSVC.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2600

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\Program Files\Java\jre7\bin\csrss.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2868

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Program Files\Java\jre7\bin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1344

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\Program Files\Java\jre7\bin\csrss.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2148

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2056

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "System" /sc ONLOGON /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2388

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "SystemS" /sc MINUTE /mo 13 /tr "'C:\Program Files\Windows Photo Viewer\ja-JP\System.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2564

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 5 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1784

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsv" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:828

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "spoolsvs" /sc MINUTE /mo 14 /tr "'C:\MSOCache\All Users\{90140000-0117-0409-0000-0000000FF1CE}-C\Access.en-us\spoolsv.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2328

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 12 /tr "'C:\providercommon\lsm.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2580

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsm" /sc ONLOGON /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:408

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "lsml" /sc MINUTE /mo 14 /tr "'C:\providercommon\lsm.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:2288

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 12 /tr "'C:\providercommon\taskhost.exe'" /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1016

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhost" /sc ONLOGON /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:820

C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "taskhostt" /sc MINUTE /mo 7 /tr "'C:\providercommon\taskhost.exe'" /rl HIGHEST /f
1⤵
- Process spawned unexpected child process
- Scheduled Task/Job: Scheduled Task
PID:1792

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1b3b145e94760e2d82603e3f9d1e995a

SHA1
fe96214a2495b165e3b258639c7cc6340740e46b

SHA256
6ac97d48ebe1ecdf1ed67a1f26329d196e4901ed590ceb907880277d6bfdbc85

SHA512
85f494553cb7552b195423796c726fe5ad5058700d5aa3dd57c936e14b447784f36772b5f854675e8d4475a80043bff9e107225ec64c87d7538c063eb1f12079

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec26631e044d930ae750cc7c301ed221

SHA1
1a64b8be00ba0be3c0440783330d47f343865322

SHA256
6fdf65f308c6c9159324315b7ed37cbc84fef38cc00897f89f21e70dde0be6e1

SHA512
294958de8af41cffcd7a6e9cfbabe0bd547ba6ea862e56fb2df23211e88ec2bb5c693febbb8b501f8f565d8d1ed3ec35a6554587f63fdab2b61fd0c559d9204d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b5515ab8b07deda36ba60cec039670d8

SHA1
b5bb4f2aa5328276176a7b7c878ce400502e1de9

SHA256
72a8259b7429aa646a1887db1e7762f6ced1dcf9554609a1a280d52b49c5b599

SHA512
780da7a0b6c8fe662728f86c6fce20e711117395066246abc542028768ee3a75fc5ee5c33140d2fa4be6927fd7adba4458602533cc560ff48416378dbedaba6c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aecbee89823ca958ccd40e48996d1670

SHA1
b8711d89fa3d49457b7cc694f5caf51f02b9f970

SHA256
df0043d25d8ceccccdab7a39b2264bd059fbacc69c19dde0c690d384853529a8

SHA512
dfd767d20c14326768871205643cc383c8ebb6095e82af976538703d5d3e848fd2de42b1ae2b3d2b5f791f941d6341819ffc908431b7608a0f63b1f3c3ea267e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
76de14470e00e75e60326541acbad034

SHA1
1c347607b54ae8a25ff2ba7209814d3c2df14144

SHA256
29f440459a58c8aef5835d9859450e06fe40975b05203df3a61e422d7d63425e

SHA512
775111570dabc277945392b00941612a0570b5376d898a44001f14061e03ae61672bb5a1c90b3683c3dab17fedb552bb773f8000d84417a6d59af6bef351c458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
da584310181a78a90ef4caa9dbe3be49

SHA1
b3b6b102b9c835acf002b934e661f3e25b82bb3b

SHA256
ccca8b934520b31977696aefff5ca9189274bcddcb1bebb893136486c0bc2483

SHA512
6de9bd06cbc0f07da0e5c99541e60d33cea6a30301f23d6bda623634eb33ab8dc356bc81867167467856540a3afcb0616b947af77efa4dfd2e30eef12e2ca551

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e97101061ca7972e13efd4fc30796a8c

SHA1
2dbcb706b83c222cc9e478db650977a8e8c1ec92

SHA256
cdcfbcaab762f884bf34666d59a1acb0a0903c12d2333a71eaeec7c1a3c1000c

SHA512
854429da7b86b6df9ae51afa1f8d0a4f33541ad5ceb0d91d1dfd6100edac504d6f055def1a6171de38d7a13730fa06d37e9e704b44fdddb33fd0dce0070beb7d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3b434e3c428f6e2976e09bb50171d6d4

SHA1
94c96de72040c7dc91c74497c2f8c0695926f8b8

SHA256
a1ca96d9147a11ba4ae3eeee0c2b0b218b19b134dba4dbc7e707775d10ecfba7

SHA512
343e57f62ac28a9dfb9d0e3631c21246ebd4a9a9691d2899b656bbfe927e3390fda82020f8bbee089326814d9e382cf528abdcd282933968c7c538b6a3e7d3ae

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
d967875b01f795f9cb2fe07a7638f26d

SHA1
b8f7eb264a93c017108e94e353b6d0d90913ac87

SHA256
24b573cb1870d1672914eda630fe66f312f49d200dbfdf4ada3a6357d7691c13

SHA512
05b6f28bf020e92ce991a5a19c4f6032c5a38c3ed423ca0da310db0ae790011c9bf6b7c69003ca308e62586b814297bd7a32acbf89864c858f757efeed9b2312

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
4f609c8d60ddcbc254bdc1a6426c452a

SHA1
b0e150a24fe337d78fe80aa6e0e4d04364df54c7

SHA256
787556d905db75b0e342bbe8d4198d92d7ad94fad0c26d305c6d33d5100d79a3

SHA512
36712160708639cac13c5674e5df046fe72a8000e9ad5d57493a83af9e6c587083a7af76065509a596df733573147b47d23cbefc652591d12b409009c52875ed

Download Submit
C:\Users\Admin\AppData\Local\Temp\4stVUxPy0P.bat

Filesize
219B

MD5
df85c06a149f3bf3b7f3c8d11ac3a154

SHA1
dac8a11868aed7bd3da404ce892723ac497b6ab5

SHA256
8d4c4f46b16d0f814b69b974fbf983b3b6566fbfc0a055280a8233710795ad32

SHA512
c4da7fb7097246b3306cf047446193c5b39f291619ecb7ea3d66d3cd6af2a35cb349b000d9d260928742bf1651b80499941384f8b747956fad3d4f76e9bee40d

Download Submit
C:\Users\Admin\AppData\Local\Temp\76lQa6YaxV.bat

Filesize
219B

MD5
0d1cbdfc18f3dbab57b1111326996b4b

SHA1
4110cd4f38060f5edb16739a0b55ceb0630c9c18

SHA256
a58097fd55f6dd8b266d42ba2ac81c1e86b3c5050c19436359c31aae4426fbcc

SHA512
d574f35e3e89073d840d6d99c41848e1857ac1d39f4b01ae457f56159ddb287509a58552c146d7d8a15884d421edc2b6e412957bd72315cbf14900c5d48972a2

Download Submit
C:\Users\Admin\AppData\Local\Temp\9IAAZSZGIv.bat

Filesize
219B

MD5
0d81ca23bad8c980e6b972f2e0718ddb

SHA1
29171f42de9c747cc045eb425cbd8387cc910875

SHA256
629f33d00570f23a867931ae51848d39340e8004861c4976c88e700ac9d2604d

SHA512
501011e157708bc0c269a81e6664d6837d5e6ce8572d11f6d53096d026409a99a0b3b40109d5e71bf816f8ae58d4f857c57480d51bd8b7c0622e9ccb50103635

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC554.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RFyBjogktz.bat

Filesize
219B

MD5
5bef38fa75de6e2850d151124b58b032

SHA1
d6054242e72a221573033c6fc0c644e0e6f92da2

SHA256
15246c008640ea347ca489f73346713089c950fbe9790de00623e92912f7d258

SHA512
1a240ca5903030bc1b2ad717696b9e7a67c96a1a2b45681ba36cdd24863ee72802ffffb2207e2fbc9c6694c2dd36b3f8202c727c8d9d033141f62478051a5fac

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC586.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\YKuCD7w8Ue.bat

Filesize
219B

MD5
00b3858be118b47e0d227ab4b4f31f82

SHA1
da69e6099f31b1a0136df76413b8de42fe214777

SHA256
fbb7efde53196b1f5a4cc6d7126e7256c622e88488af481b8bb529abfc7418bc

SHA512
adb4c7be11d98d5bb66e1f5237cfc12a4b491bfdc7522b85ad61fcc7ca241644437abc7f91136633787df83dab2a3f43eeb5ee0ebf40a49194a587da4d6ba78f

Download Submit
C:\Users\Admin\AppData\Local\Temp\ZZzsG8LzQB.bat

Filesize
219B

MD5
a5af1bb6d106dc613f740df9a5640850

SHA1
dc51b95e4d155215944b12c388b08af5e8bbb034

SHA256
7e1660c048a4e3fc0e485aa153dd1f538ea8279d18492f22f53f20d8b1ccf913

SHA512
ddf4af7c84681df3f6d77c75d3dfb5424b39878e8a9976d47fd8aaa349778b81cc257819e516c10a38e09fa2883843b807689572582f7be894ab2770b5f1ab75

Download Submit
C:\Users\Admin\AppData\Local\Temp\c0TJHXkWh8.bat

Filesize
219B

MD5
f9839db2981a46d364219c76030ff5dd

SHA1
4d9ce41c5f7a24cb2fd81927c7f84ef6853dfa0e

SHA256
9e7ea4efdc9bd9d5a5baa9b1047b5785a0875b8d7b139d5d050d55340d444b73

SHA512
da390ffc6d5ba55e188e1827fe991ce78c512f0424b82a4beb6afcca0d828ad4149da3c67efee3bfd59fc56aaee353c7aea1ad5e43c8f613a1d635eece78559b

Download Submit
C:\Users\Admin\AppData\Local\Temp\d8IMWcflW5.bat

Filesize
219B

MD5
ac44ded960b6d97142e53b8dc3483175

SHA1
af4c171a5cab1224857cd06c0a0406f23aa0f495

SHA256
69698e64045c85c4e08e6555004337078b6dfa1c6e703a0c729b4f02e7ac76cc

SHA512
06da99811187cc775bd52f761dd64fb24e6c031952eef73ab51a5690528425d35250409e11e1b11058c8ee60ff462435680fda34475f5de228044003ce7b0e89

Download Submit
C:\Users\Admin\AppData\Local\Temp\f4KPDhjeqr.bat

Filesize
219B

MD5
b716a82a41b3794bd9f9fcb6ca34ee66

SHA1
ef760dda2f5c381cdc7a34f99fe68d9262332841

SHA256
5f15339e96e895c02f8618e3460d6bce9337ce617586445c7d59ebe439b2f3bb

SHA512
4f714e4ca434fb1e79593e8136f0569208a2e3e07a5bcb46eff2d22ae25dfc8db932e9e160a4c5dadbdb690ea80de3a47bf9009636f11eb17e25ad7281baf985

Download Submit
C:\Users\Admin\AppData\Local\Temp\goxiuQmrpE.bat

Filesize
219B

MD5
ff1caca7aa548ead26e4763419f59d28

SHA1
12604b64a3214565164057d36889a608ea368161

SHA256
3b1a81c9184ae0c39e6ef74d9f2782c66c30d7f5bd6da56229c8a534ded315c6

SHA512
3beeda13bbccc7f79fecf2f56f04a4596d0cd78137217f636243c08478460336daccff979944e19a33ce3e226511cc72afb67066e54bf9df76178d55990cb2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\uOEGMIRuqZ.bat

Filesize
219B

MD5
296491cf3b89c9cc2a36221c6cfa8a56

SHA1
72764d76f55993fb7b8a93543e591b4ae3360d66

SHA256
a52fa943fe4e34a36f704ccd746a5c2104ead26998089f227ef773b0c72a9ad4

SHA512
e92e655e210ad89de4bd724b0e43ede699f764e6c9007ef821a7b6b2e3dc6de2b28e9ad21a1ee4ca301c0c47fb3d38fb6f0ee218a88dbd7119f59ffc05e1e89c

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\KWWX5ADC5P2NGDX688IU.temp

Filesize
7KB

MD5
af282fdc2fb2289ee6ec108211cdf885

SHA1
253e0cecd1a9182e4c0e593b8f8b07bba70b8034

SHA256
532350b5e8718e493a46cffa5a4a7d71093a78b496a29608b11a3d748f464b10

SHA512
3256fd960487d9c400876057bfe641137348e169a60573a288ff1db6dc6df38d0aa85fe5cebca667481f549c0a828af3349fa70b74ca73dd1f0ba174102c9b3f

Download Submit
C:\providercommon\1zu9dW.bat

Filesize
36B

MD5
6783c3ee07c7d151ceac57f1f9c8bed7

SHA1
17468f98f95bf504cc1f83c49e49a78526b3ea03

SHA256
8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322

SHA512
c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8

Download Submit
C:\providercommon\DllCommonsvc.exe

Filesize
1.0MB

MD5
bd31e94b4143c4ce49c17d3af46bcad0

SHA1
f8c51ff3ff909531d9469d4ba1bbabae101853ff

SHA256
b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63

SHA512
f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394

Download Submit
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe

Filesize
197B

MD5
8088241160261560a02c84025d107592

SHA1
083121f7027557570994c9fc211df61730455bb5

SHA256
2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1

SHA512
20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478

Download Submit
memory/1344-706-0x0000000000310000-0x0000000000420000-memory.dmp

Filesize
1.1MB

Download
memory/1440-72-0x0000000002860000-0x0000000002868000-memory.dmp

Filesize
32KB

Download
memory/1712-407-0x00000000010C0000-0x00000000011D0000-memory.dmp

Filesize
1.1MB

Download
memory/1956-166-0x0000000000FF0000-0x0000000001100000-memory.dmp

Filesize
1.1MB

Download
memory/1988-46-0x0000000000A70000-0x0000000000B80000-memory.dmp

Filesize
1.1MB

Download
memory/2148-347-0x0000000000350000-0x0000000000362000-memory.dmp

Filesize
72KB

Download
memory/2148-346-0x0000000000800000-0x0000000000910000-memory.dmp

Filesize
1.1MB

Download
memory/2420-585-0x0000000000100000-0x0000000000210000-memory.dmp

Filesize
1.1MB

Download
memory/2428-286-0x0000000000010000-0x0000000000120000-memory.dmp

Filesize
1.1MB

Download
memory/2428-56-0x000000001B5B0000-0x000000001B892000-memory.dmp

Filesize
2.9MB

Download
memory/2484-226-0x00000000013B0000-0x00000000014C0000-memory.dmp

Filesize
1.1MB

Download
memory/2804-13-0x0000000000DB0000-0x0000000000EC0000-memory.dmp

Filesize
1.1MB

Download
memory/2804-17-0x00000000002F0000-0x00000000002FC000-memory.dmp

Filesize
48KB

Download
memory/2804-14-0x00000000002C0000-0x00000000002D2000-memory.dmp

Filesize
72KB

Download
memory/2804-15-0x00000000002E0000-0x00000000002EC000-memory.dmp

Filesize
48KB

Download
memory/2804-16-0x00000000002D0000-0x00000000002DC000-memory.dmp

Filesize
48KB

Download
memory/3004-645-0x00000000001C0000-0x00000000002D0000-memory.dmp

Filesize
1.1MB

Download
memory/3004-646-0x00000000005E0000-0x00000000005F2000-memory.dmp

Filesize
72KB

Download